Cannot access website from LAN

Allihopp
Level 1

Hi everyone.
My organization has an ESXi server with virtual machines, and on one of them there are Docker containers; inside one of those containers is a website.
Yesterday everything was working fine, but today, when we moved the server to the Cisco (891F router) network, the website is not accessible from the LAN, even though from the WAN everything works fine. Btw, pinging the domain name responds with the local IP, if that's important.
What could cause such a thing?

16 Replies

balaji.bandi
Hall of Fame
when we moved the server to Cisco (891f router) network

This needs clarity: where was the server before? I would suspect an ACL.

Is the web service the only thing not working on the LAN IP?

Can you give an example LAN IP and the webserver IP?

Are you able to ping from the LAN to the web server?

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Currently, this is the only server that is not working properly; its IP is 192.168.0.191.
Btw, 192.168.0.200 works perfectly, either on the LAN or over the WAN.


ip dhcp excluded-address 192.168.0.0 192.168.0.100
ip dhcp excluded-address 192.168.0.190 192.168.0.254
!
ip dhcp pool dhcp_pool_1
 network 192.168.0.0 255.255.255.0
 default-router 192.168.0.1
 dns-server 1.1.1.1 8.8.4.4
 lease 3
!
interface GigabitEthernet8
 ip address dhcp
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface Vlan1
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
ip nat inside source list 100 interface GigabitEthernet8 overload
ip nat inside source static tcp 192.168.0.200 3389 x.x.x.x 19500 extendable
ip nat inside source static tcp 192.168.0.200 80 x.x.x.x 19580 extendable
ip nat inside source static tcp 192.168.0.200 19596 x.x.x.x 19596 extendable
ip nat inside source static 192.168.0.191 x.x.x.x
!
access-list 100 permit ip 192.0.0.0 0.255.255.255 any


Also, I cannot remove this part (to manually add ports, as with the 192.168.0.200 server)


ip nat inside source static 192.168.0.191 x.x.x.x


because it gives me an error:


Static entry in use, do you want to delete child entries? [no]: yes
%: Error: static entry still in use, cannot remove


Even though I cleared NAT translations.

ip dhcp excluded-address 192.168.0.0 192.168.0.100
ip dhcp excluded-address 192.168.0.190 192.168.0.254
!
ip dhcp pool dhcp_pool_1
 network 192.168.0.0 255.255.255.0
 default-router 192.168.0.1
 dns-server 1.1.1.1
 lease 3
!
interface GigabitEthernet0
 no ip address
!
interface GigabitEthernet1
 no ip address
!
interface GigabitEthernet2
 no ip address
!
interface GigabitEthernet3
 no ip address
!
interface GigabitEthernet4
 no ip address
!
interface GigabitEthernet5
 no ip address
!
interface GigabitEthernet6
 no ip address
!
interface GigabitEthernet7
 no ip address
!
interface GigabitEthernet8
 ip address dhcp
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface Vlan1
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
ip nat inside source list 100 interface GigabitEthernet8 overload
ip nat inside source static tcp 192.168.0.191 80 x.x.x.x 80 extendable
ip nat inside source static tcp 192.168.0.191 45201 x.x.x.x 45201 extendable
ip nat inside source static tcp 192.168.0.191 45202 x.x.x.x 45202 extendable
ip nat inside source static tcp 192.168.0.191 45203 x.x.x.x 45203 extendable
ip nat inside source static tcp 192.168.0.200 3389 x.x.x.x 19500 extendable
ip nat inside source static tcp 192.168.0.200 80 x.x.x.x 19580 extendable
ip nat inside source static tcp 192.168.0.200 19596 x.x.x.x 19596 extendable
!
access-list 100 permit ip 192.0.0.0 0.255.255.255 any

On the first server (192.168.0.191) Docker is installed, with a container that serves a website on the domain www.domain.com (example). Before moving that server to the Cisco network, it was also on a 192.168.0.0/24 network, and the website was accessible by domain on both LAN and WAN. Now it is accessible only by domain from the WAN; from the LAN it's impossible to access it even by internal ip:port.
On the other hand, the second server works fine from the global internet, accessed by public IP and port, and from the LAN by local IP and port.

Hello,

it would be useful to have a schematic drawing of your topology, showing where exactly the webserver is located. You have a static NAT entry for the webserver; when your LAN clients access the webserver, do you see any NAT entries (show ip nat)?

Also, is this the full configuration? I do not see any routing... make sure you have a default route:

--> ip route 0.0.0.0 0.0.0.0 GigabitEthernet8

Adding ip route to gig8 (WAN interface) doesn't help.
What do you mean by schematic drawing?

Hello,

with schematic drawing I mean a visual layout of your topology.

What NAT entries do you see when you (successfully) access the webserver externally?

I do not see any route out.

Either try the below:

ip route 0.0.0.0 0.0.0.0 dhcp

or

ip route 0.0.0.0 0.0.0.0 gig 8

Post also:

show ip route

show ip nat translations

BB



@balaji.bandi wrote:

Either try the below:

ip route 0.0.0.0 0.0.0.0 dhcp

or

ip route 0.0.0.0 0.0.0.0 gig 8


Nothing helped during the day. I will post the log from the commands tomorrow.

On the first server (192.168.0.191) Docker is installed, with a container that serves a website on the domain www.domain.com (example). Before moving that server to the Cisco network, it was also on a 192.168.0.0/24 network, and the website was accessible by domain on both LAN and WAN. Now it is accessible only by domain from the WAN; from the LAN it's impossible to access it even by internal ip:port.

I was reading your comments again. So from outside, with the FQDN, your website is working OK; internally, from the same subnet, you are not able to access the same site using the IP and port number. What is the message you get when you type http://ip (with port)?

What LAN IP address are you trying to access the web server from?

I also suspect this ACL is wrong:

access-list 100 permit ip 192.0.0.0 0.255.255.255 any
no access-list 100 permit ip 192.0.0.0 0.255.255.255 any
access-list 100 permit ip 192.168.0.0 0.0.0.255 any

BB


Hello
You need to apply a specific PAT statement for .191, just like you show for .200:

ip nat inside source static tcp 192.168.0.191 <port> x.x.x.x <port> extendable

I also suggest appending deny ACE entries in your NAT access-list for the static PAT addresses:

no access-list 100
access-list 100 deny ip host 192.168.0.200 any
access-list 100 deny ip host 192.168.0.191 any
access-list 100 permit ip 192.168.0.0 0.0.0.255 any

ip route 0.0.0.0 0.0.0.0 GigabitEthernet8 dhcp

Lastly, to delete an existing PAT statement, I suggest temporarily disabling the LAN interface so the router isn't trying to perform NAT on the statement while you remove it.


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
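As an added example (not posted by anyone in this thread), a small Python audit of the NAT/ACL snippets above. It checks balaji.bandi's point that 192.0.0.0 0.255.255.255 is far wider than the 192.168.0.0/24 LAN, and Paul's point that hosts with static NAT entries should be denied in the overload ACL. The SAMPLE text is constructed from the first snippet in the thread (public address left masked as x.x.x.x); it assumes the LAN sits on Vlan1 as in the posted config.

```python
import ipaddress
import re

# Constructed sample mirroring the first snippet posted in the thread (not the full router config).
SAMPLE = """\
interface Vlan1
 ip address 192.168.0.1 255.255.255.0
ip nat inside source list 100 interface GigabitEthernet8 overload
ip nat inside source static tcp 192.168.0.200 80 x.x.x.x 19580 extendable
ip nat inside source static 192.168.0.191 x.x.x.x
access-list 100 permit ip 192.0.0.0 0.255.255.255 any
"""
# Same snippet with the ACL rewritten as the replies suggest: deny the static hosts, then permit the LAN.
FIXED = SAMPLE.replace("access-list 100 permit ip 192.0.0.0 0.255.255.255 any",
                       "access-list 100 deny ip host 192.168.0.200 any\n"
                       "access-list 100 deny ip host 192.168.0.191 any\n"
                       "access-list 100 permit ip 192.168.0.0 0.0.0.255 any")

STATIC_RE = re.compile(r"^ip nat inside source static (?:(?:tcp|udp) )?(\d+(?:\.\d+){3})", re.M)
ACE_RE = re.compile(r"^access-list (\d+) (permit|deny) ip (?:host (\S+)|any|(\S+) (\S+))", re.M)
OVERLOAD_RE = re.compile(r"^ip nat inside source list (\d+) interface \S+ overload", re.M)
LAN_RE = re.compile(r"^interface Vlan1\n(?:.*\n)*? ip address (\S+) (\S+)", re.M)

def parse_acl(cfg, number):
    """Ordered (action, source network) entries of one numbered extended ACL."""
    entries = []
    for m in ACE_RE.finditer(cfg):
        if m.group(1) == number:
            action, host, addr, wc = m.groups()[1:]
            net = ipaddress.ip_network("0.0.0.0/0")  # the 'any' case
            if host:
                net = ipaddress.ip_network(f"{host}/32")
            elif addr:  # an IOS wildcard is the bitwise inverse of a netmask
                net = ipaddress.ip_network(f"{addr}/{32 - int(ipaddress.IPv4Address(wc)).bit_length()}", strict=False)
            entries.append((action, net))
    return entries

def audit(cfg):
    """Findings on how the PAT overload ACL interacts with the LAN subnet and the static NAT hosts."""
    findings = []
    lan = ipaddress.ip_network("/".join(LAN_RE.search(cfg).groups()), strict=False)
    acl = parse_acl(cfg, OVERLOAD_RE.search(cfg).group(1))
    for action, net in acl:
        if action == "permit" and not net.subnet_of(lan):
            findings.append(f"permit {net} is wider than LAN {lan}")
    for host in sorted(STATIC_RE.findall(cfg)):
        # ACLs are evaluated first-match, with an implicit deny at the end
        verdict = next((a for a, n in acl if ipaddress.ip_address(host) in n), "deny")
        if verdict == "permit":
            findings.append(f"static NAT host {host} is also matched by the overload ACL; add a deny ACE")
    return findings
```

audit(SAMPLE) reports the over-wide permit and both static hosts; audit(FIXED) returns no findings.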


@paul driver wrote:

I also suggest appending deny ACE entries in your NAT access-list for the static PAT addresses:


Can you explain why, please?

Allihopp
Level 1

@paul driver @Georg Pauwen @balaji.bandi 
Look, I've tried to show my current network: [image: Network_smaller.png]
Everything was working as I need on our previous router, a Netis WF2780 (yeah, not the best solution for an organization, but that's not my fault), with the same exposed ports. Literally, I just changed the router to the Cisco 891F.
After some of your suggestions above, the website in the Docker container is accessible by IP:port, but I need it to be accessible by our public domain.

Here is the full configuration of Cisco router:

Building configuration...

Current configuration : 2958 bytes
!
!
version 15.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router_1
!
boot-start-marker
boot-end-marker
!
aqm-register-fnf
!
!
!
aaa new-model
!
!
aaa authentication login default local-case
!
!
!
!
!
aaa session-id common
clock timezone EEST 2 0
!
!
!
!
!
!


!
ip dhcp excluded-address 192.168.0.0 192.168.0.100
ip dhcp excluded-address 192.168.0.190 192.168.0.254
!
ip dhcp pool dhcp_pool_1
 network 192.168.0.0 255.255.255.0
 default-router 192.168.0.1
 dns-server 1.1.1.1 8.8.4.4
 lease 3
!
!
!
ip name-server 1.1.1.1
ip name-server 8.8.4.4
ip cef
no ipv6 cef
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
license udi pid C891F-K9 sn FCZ2043E05T
!
!
username blackhawk privilege 15 secret 5 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
!
!
!
!
!
ip ssh version 2
!
!
!
!
!
!
!
!
!
!
interface BRI0
 no ip address
 encapsulation hdlc
 shutdown
 isdn termination multidrop
!
interface FastEthernet0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface GigabitEthernet0
 no ip address
!
interface GigabitEthernet1
 no ip address
!
interface GigabitEthernet2
 no ip address
!
interface GigabitEthernet3
 no ip address
!
interface GigabitEthernet4
 no ip address
!
interface GigabitEthernet5
 no ip address
!
interface GigabitEthernet6
 no ip address
!
interface GigabitEthernet7
 no ip address
!
interface GigabitEthernet8
 ip address dhcp
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface Vlan1
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface Async3
 no ip address
 encapsulation slip
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip dns server
ip nat inside source list 100 interface GigabitEthernet8 overload
ip nat inside source static tcp 192.168.0.200 3389 X.X.X.X 19500 extendable
ip nat inside source static tcp 192.168.0.200 80 X.X.X.X 19580 extendable
ip nat inside source static tcp 192.168.0.200 19596 X.X.X.X 19596 extendable
ip nat inside source static tcp 192.168.0.191 80 X.X.X.X 80 extendable
ip nat inside source static tcp 192.168.0.191 45201 X.X.X.X 45201 extendable
ip nat inside source static tcp 192.168.0.191 45202 X.X.X.X 45202 extendable
ip nat inside source static tcp 192.168.0.191 45203 X.X.X.X 45203 extendable
ip route 0.0.0.0 0.0.0.0 GigabitEthernet8 dhcp
!
!
access-list 100 permit ip 192.168.0.0 0.0.0.255 any
!
!
!
control-plane
!
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
!
line con 0
 no modem enable
line aux 0
line 3
 modem InOut
 speed 115200
 flowcontrol hardware
line vty 0 4
 transport input all
!
scheduler allocate 20000 1000
!
end

Hello


@Allihopp wrote:

After some of your suggestions above, the Website on Docker container is accessible by IP : port,
but I need it to be accessible by our public domain.

Do you mean you would like to access this website internally via its public NATted IP address, or that externally the website isn't reachable?



Kind Regards
Paul


@paul driver wrote:

Hello


@Allihopp wrote:

After some of your suggestions above, the Website on Docker container is accessible by IP : port,
but I need it to be accessible by our public domain.

Do you mean you would like to access this website internally via its public NATted IP address, or that externally the website isn't reachable?


I need to make it accessible by the public domain, even from the LAN.

I have currently figured out that adding the following line to the hosts file on the users' PCs makes it possible to access it:

192.168.0.191	www.domain.com

But manually adding this to each of the 50 computers is stupid.