Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
817
Views
0
Helpful
3
Replies

Help with internal-external routing

goplansrl
Level 1
Level 1

‎01-29-2013 11:49 AM - edited ‎03-04-2019 06:52 PM

Hi all,

My name is Gonzalo, and I have two little problems with a configuration in my office.

I have One Wan link from my ISP directly connected to a 2911 Router for internet with the IP address (190.104.197.90 my side - 89 the ISP side)

We have internally in the lan a web server with the IP add 192.168.13.10 (the lan range is 192.168.13.0/24)

This router is connected to a Switch 2960.

and we have a second WAN link for backup from another ISP connected to a Linksys (RV042) with the following IPs: LAN side: 192.168.13.2, WAN side: 216.244.210.26

so, the first problem is:

I have this web server in a machine with the internal IP address 192.168.13.10 and I create a nat and the correspondence access list as show in the configuration below. From outside, no problem the access is correct eg:(in the IE or Chrome putts:  190.104.197.90 this works.)

from inside when I put http://192.168.13.10 works too.

but When I put in the IE 190.104.197.90 I cannot test the page...doesn´t work.

is possible to do this to check if it´s works from inside making the test to the external IP?

THE CONFIG BELOW


RTLATCOM#sh run
Building configuration...

Current configuration : 7057 bytes
!
! Last configuration change at 15:31:14 arg Tue Jan 29 2013 by administrator
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname RTLATCOM
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200 warnings
!
no aaa new-model
clock timezone arg -3 0
!
no ipv6 cef
ip source-route
ip cef
!
!
ip dhcp excluded-address 192.168.13.1 192.168.13.119
ip dhcp excluded-address 192.168.14.1
!
ip dhcp pool PCs
network 192.168.13.0 255.255.255.0
default-router 192.168.13.1
dns-server 200.110.216.250 190.12.96.125 200.69.32.5 200.69.32.9
!
ip dhcp pool Voice
network 192.168.14.0 255.255.255.0
default-router 192.168.14.1
!
!
ip domain name latcom.com
ip name-server 200.110.216.250
ip name-server 190.12.96.125
multilink bundle-name authenticated
!
!
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-1620563354
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1620563354
revocation-check none
rsakeypair TP-self-signed-1620563354
!
!
crypto pki certificate chain TP-self-signed-1620563354
certificate self-signed 01
  3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 31363230 35363333 3534301E 170D3132 30383137 32313534
  34395A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 36323035
  36333335 3430819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100EFB1 FDADFD9C 5E6CD1C9 A7C859B6 A2FBCC5C 9F4DA500 D13948DD C09809EB
  18DAF27B 54076B7F EFE1CD5A 4F8B6EF0 B59A1CD9 E12541D0 FF87CF47 91AAD262
  78F7621B F8DDA7B0 3D2871D7 4E6A8ABF FAA8B222 CEB8F787 0D3337BA 23FEDEE3
  130E2379 9C3E661B AD6333F5 F4315EF9 ABAE4F60 AB5BD12F F107C223 FA5FC31A
  43D10203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603
  551D2304 18301680 1421AE3F B9FE52A5 1C56F269 13E00F6A 74DB67FB 18301D06
  03551D0E 04160414 21AE3FB9 FE52A51C 56F26913 E00F6A74 DB67FB18 300D0609
  2A864886 F70D0101 05050003 818100C7 311DB483 04CD2CCF C7A021A2 FC50F755
  2F90797D 169C8F4B 67D5D624 579A6212 6BE32F46 FFE0677D 040553B5 7FF5FB7E
  104CEDFF F1C43181 31149200 959652AE 50662236 54C765F9 AD4C2E0D DA12C52D
  45301E2C 69B8EE7B C874167F F6BB4895 C4C89AF2 BF27DF44 49D998E8 070944F4
  9CA2CD7D 97653CEC ACB7CDAA 0DDCB9
   quit
license udi pid CISCO2911/K9 sn FTX1633AMUQ
!
!
vtp version 2
username !
!
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
no ip address
no ip route-cache
duplex full
speed 1000
!
interface GigabitEthernet0/0.10
description LAN DATOS INT
encapsulation dot1Q 10
ip address 192.168.13.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
no ip route-cache
!
interface GigabitEthernet0/0.20
description VOICE VLAN INT
encapsulation dot1Q 20
ip address 192.168.14.1 255.255.255.0
no ip route-cache
!
interface GigabitEthernet0/1
description WAN TO METROTEL
ip address 190.104.197.90 255.255.255.248
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
no cdp enable
!
interface GigabitEthernet0/2
description WAN2 TO SION
ip address 216.244.210.26 255.255.255.248
ip nat outside
ip virtual-reassembly in
shutdown
duplex auto
speed auto
no cdp enable
!
ip forward-protocol nd
!
ip http secure-server
!
ip nat inside source list 1 interface GigabitEthernet0/1 overload
ip nat inside source static tcp 192.168.13.10 21 190.104.197.90 21 extendable
ip nat inside source static tcp 192.168.13.10 80 190.104.197.90 80 extendable
ip nat inside source static udp 192.168.13.10 80 190.104.197.90 80 extendable

ip nat inside source static tcp 192.168.13.10 8080 190.104.197.90 8080 extendable
ip nat inside source static tcp 192.168.13.19 12080 190.104.197.90 12080 extendable
ip nat inside source static tcp 192.168.13.20 12081 190.104.197.90 12081 extendable
ip nat inside source static tcp 192.168.13.107 14532 190.104.197.90 14532 extendable
!
ip route 0.0.0.0 0.0.0.0 190.104.197.89
ip route 0.0.0.0 0.0.0.0 192.168.13.2 60
!
access-list 1 permit 192.168.13.0 0.0.0.255
access-list 101 permit icmp any host 190.104.197.90
access-list 101 permit ip any host 190.104.197.90
access-list 101 permit tcp any host 190.104.197.90 eq www
access-list 101 permit tcp any host 190.104.197.90 eq ftp
access-list 101 permit tcp any host 190.104.197.90 eq smtp
access-list 101 permit tcp any host 190.104.197.90 eq 8080
access-list 101 permit tcp any host 190.104.197.90 eq 14532
access-list 101 permit tcp any host 190.104.197.90 eq 12080
access-list 101 permit tcp any host 190.104.197.90 eq 12081
access-list 101 deny   ip any any
!
!
!
control-plane
!
!
!

If it´s possible to do this?

Thanks

Gonzalo

Labels:
0 Helpful
3 Replies 3

Jernej Vodopivec
Level 4
Level 4

‎01-29-2013 11:59 AM

You should access to server by Fqdn and not the IP address.

Your internal dns server which is serving clients in your LAN should return private IP address and there should be public IP address configured on public dns server for internet clients.
So when your clients in LAN want to access the server they should reach it directly (layer2) instead through the router - faster and also saving router's bandwidth.

Yu've already checked that your server is reachable from internet so that shouldn't be an issue or I'm mistaken?

0 Helpful

goplansrl
Level 1
Level 1
In response to Jernej Vodopivec

‎01-29-2013 12:40 PM

thanks Jernej for your answer,

mm the domain is outside the netwokr and it´s redirected to 190.104.197.90 and I have in the router a inside nat to translate to the server where is the page allocated.

there is no posibility to rute this for the IP address? when we have configured this in the linksys RV042, works well in this way.

from outside, works well, is reachable....if I put

http://190.104.197.90/new_site2012/index.php

and from internal doesnt work

thanks

0 Helpful

Jernej Vodopivec
Level 4
Level 4
In response to goplansrl

‎01-29-2013 01:15 PM

Hi Gonzalo,

I'm not 100% sure that I understand correctly your problem so I'll sum it up:

- you have a web server with IP address 192.168.13.10 assigned

- web servers is hosting web page "Out of Home Advertising Solutions"

- when you're located in your LAN network (you PC has 192.168.13.x IP address) you can reach web page by typing http://192.168.13.10/new_site2012/index.php

- internet clients can reach web page by typing http://190.104.197.90/new_site2012/index.php


So far so good?

Now you're trying to reach web page by typing http://190.104.197.90/new_site2012/index.php even when you're located in LAN (internal) network. Am I right?

If I'm right I: I suggested you should create A records:

- advsolutions.com (fox example) on internal DNS server and assigned 192.168.13.10 IP address to it

- advsolutions.com (fox example) on external (public) DNS server and assigned 190.104.197.90 IP address to it

When you'll want to connect to your web server you'll just type http://advsolutions.com/new_site2012/index.php into your browser - in both cases - if you'll be located in inside network and if you'll be located somewhere in the internet.

If your web page is using ssl encryption this is the only way to prevernt users receive "invalid certificate" warning message.

This is the most elegant, simple and efficient solution.

Do you still prefer to reach web server from internal network through public IP address?

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card