03-27-2012 01:30 PM - edited 03-04-2019 03:49 PM
Hello,
For a config on a 2821 router with IOS 15.1
I've set up an internal web server and am able to access it from outside our network but not from inside (on a separate internal LAN - 192.168.10.0). When on the internal LAN - DNS points to the Public IP for the web server - so we'd need to route through the Public IP to access the web server.
What is the best way to allow access to the web server XX.XX.XX.231 from 192.168.10.0 network?
Related Config Lines to Allow Access to Web Server
NAT
ip nat inside source static tcp 192.168.1.230 80 XX.XX.XX.231 80 extendable
ip nat inside source static tcp 192.168.1.230 443 XX.XX.XX.231 443 extendable
ACL
ip access-list extended WAN
permit tcp any host XX.XX.XX.231 eq 443
permit tcp any host XX.XX.XX.231 eq www
Thanks,
Dan Foxley
------------------
!
version 15.1
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec show-timezone
service password-encryption
service sequence-numbers
no service dhcp
!
!
dot11 syslog
no ip source-route
ip options drop
!
!
ip cef
!
!
!
no ip bootp server
no ip domain lookup
ip inspect log drop-pkt
ip inspect name PDVCorp tcp
ip inspect name PDVCorp udp
ip inspect name PDVCorp ftp
ip inspect name PDVCorp icmp
ip inspect name PDVCorp dns
!
!
!
!
license udi pid CISCO2821 sn FTX0938A43N
!
redundancy
!
!
ip tcp synwait-time 10
no ip ftp passive
ip ssh authentication-retries 2
ip ssh version 1
!
!
!
!
interface Null0
no ip unreachables
!
interface GigabitEthernet0/0
description LAN
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
no ip route-cache cef
no ip route-cache
duplex auto
speed auto
no cdp enable
no mop enabled
!
interface GigabitEthernet0/0.2
description PDVCorpNet$FW_INSIDE$$ETH-LAN$
encapsulation dot1Q 2
ip address 192.168.10.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly in
no ip route-cache
no cdp enable
!
interface GigabitEthernet0/0.4
description PDVCorpNet$ETH-LAN$$FW_INSIDE$
encapsulation dot1Q 4
ip address 192.168.1.100 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly in
no ip route-cache
no cdp enable
!
interface GigabitEthernet0/0.6
encapsulation dot1Q 6 native
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
no ip route-cache
no cdp enable
!
interface GigabitEthernet0/0.12
encapsulation dot1Q 12
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
no ip route-cache
no cdp enable
!
interface GigabitEthernet0/1
description WAN$ETH-WAN$$FW_OUTSIDE$
ip address XX.XX.XX.226 255.255.255.240
ip access-group WAN in
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat outside
ip inspect PDVCorp out
ip virtual-reassembly in
ip verify unicast reverse-path
no ip route-cache cef
no ip route-cache
duplex auto
speed auto
no cdp enable
no mop enabled
crypto map 3377_To_Sungard
!
no ip forward-protocol nd
ip http server
ip http access-class 1
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000
!
ip flow-top-talkers
top 20
sort-by bytes
!
ip nat pool PDVCorp-Internet XX.XX.XX.227 XX.XX.XX.227 netmask 255.255.255.240
ip nat inside source route-map SDM_RMAP_1 interface GigabitEthernet0/1 overload
ip nat inside source static tcp 192.168.10.85 25 XX.XX.XX.231 25 extendable
ip nat inside source static tcp 192.168.1.230 80 XX.XX.XX.231 80 extendable
ip nat inside source static tcp 192.168.1.230 443 XX.XX.XX.231 443 extendable
ip nat inside source static tcp 192.168.1.50 80 XX.XX.XX.232 80 extendable
ip nat inside source static tcp 192.168.1.50 443 XX.XX.XX.232 443 extendable
ip nat inside source static tcp 192.168.1.52 80 XX.XX.XX.233 80 extendable
ip nat inside source static tcp 192.168.1.52 443 XX.XX.XX.233 443 extendable
ip route 0.0.0.0 0.0.0.0 XX.XX.XX.225
ip route 192.168.100.0 255.255.255.0 192.168.10.2 permanent
!
!
ip access-list extended WAN
remark CCP_ACL Category=1
permit tcp any host XX.XX.XX.231 eq smtp
permit tcp any host XX.XX.XX.233 eq 443
permit tcp any host XX.XX.XX.233 eq www
permit tcp any host XX.XX.XX.232 eq 443
permit tcp any host XX.XX.XX.232 eq www
permit tcp any host XX.XX.XX.231 eq 443
permit tcp any host XX.XX.XX.231 eq www
permit icmp any any administratively-prohibited
remark Auto generated by CCP for NTP (123) 192.168.10.2
permit udp host 192.168.10.2 eq ntp host XX.XX.XX.226 eq ntp
permit ahp host VV.VV.50.84 host XX.XX.XX.226
permit esp host VV.VV.50.84 host XX.XX.XX.226
permit udp host VV.VV.50.84 host XX.XX.XX.226 eq isakmp
permit udp host VV.VV.50.84 host XX.XX.XX.226 eq non500-isakmp
permit ip 192.168.7.0 0.0.0.255 192.168.10.0 0.0.0.255
permit ip host 192.168.4.16 192.168.10.0 0.0.0.255
permit tcp object-group BW.COM host XX.XX.XX.226 range 5060 5061
permit udp object-group BW.COM host XX.XX.XX.226 range 5060 5061
permit udp any host XX.XX.XX.226 gt 1024
remark DNS
permit udp any eq domain any eq domain log
deny ip any any log
!
logging esm config
logging 192.168.7.108
access-list 1 remark HTTP Access-class list
access-list 1 remark CCP_ACL Category=1
access-list 1 permit 192.168.10.0 0.0.0.255
access-list 1 deny any
access-list 100 remark CCP_ACL Category=2
access-list 100 deny ip 192.168.10.0 0.0.0.255 host 192.168.4.16
access-list 100 deny ip 192.168.10.0 0.0.0.255 192.168.7.0 0.0.0.255
access-list 100 permit ip 192.168.10.0 0.0.0.255 any log
access-list 101 remark CCP_ACL Category=2
access-list 101 deny ip 192.168.10.0 0.0.0.255 host 192.168.4.16
access-list 101 deny ip 192.168.10.0 0.0.0.255 192.168.7.0 0.0.0.255
access-list 101 permit ip 192.168.10.0 0.0.0.255 any
access-list 138 remark PDVCA-To-Sungard
access-list 138 remark CCP_ACL Category=4
access-list 138 permit ip 192.168.10.0 0.0.0.255 192.168.7.0 0.0.0.255
access-list 138 permit ip 192.168.10.0 0.0.0.255 host 192.168.4.16
no cdp run
!
route-map SDM_RMAP_1 permit 1
match ip address 101
03-27-2012 02:02 PM
In order for NAT to take place, the packet must flow from an 'ip nat inside' interface to an 'ip nat outside' interface.
In your case, the packet is flowing from an ip nat inside interface to another ip nat inside interface.
You can use a workaround by using a loopback interface and the process is explained on this URL
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080094430.shtml
Regards,
Edison
03-28-2012 09:41 AM
Edison, Thanks for the reply. After seeing this Note and under the KISS principle I decided to add DNS records to direct hosts to the web server via the LAN side vs. sending them out and back in the public IP. "The router must process switch every packet due to the loopback interface. This degrades the performance of the router." Dan Foxley
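The following Python model is an added illustration of the two points made in this thread (Edison's explanation of why a packet between two 'ip nat inside' interfaces is never translated, and Dan's split-DNS workaround); it is not code from the original posts or from Cisco. It replays the posted NAT statements and interface roles in software, using the documented IOS order of operations for 'ip nat inside source' (outside-to-inside: translate destination, then route; inside-to-outside: route, then translate source). The masked XX.XX.XX.x public addresses are replaced with constructed 203.0.113.x values, the hostname www.example.com is constructed, PAT port allocation is not modelled, and the interface, packet and resolver names are this example's own.

```python
import ipaddress
from dataclasses import dataclass, replace

# Constructed stand-ins for the masked XX.XX.XX.x addresses in the thread
# (203.0.113.0/24 is a documentation range; the mapping is an assumption).
ROUTER_WAN_IP = "203.0.113.226"   # XX.XX.XX.226 on GigabitEthernet0/1
WEB_PUBLIC_IP = "203.0.113.231"   # XX.XX.XX.231, static NAT for 192.168.1.230
WEB_PRIVATE_IP = "192.168.1.230"

# Interfaces and their 'ip nat inside' / 'ip nat outside' roles, from the posted config.
INTERFACES = {
    "GigabitEthernet0/0.2": (ipaddress.ip_network("192.168.10.0/24"), "inside"),
    "GigabitEthernet0/0.4": (ipaddress.ip_network("192.168.1.0/24"), "inside"),
    "GigabitEthernet0/1": (ipaddress.ip_network("203.0.113.224/28"), "outside"),
}

# ip nat inside source static tcp 192.168.1.230 {80,443} XX.XX.XX.231 {80,443} extendable
STATIC_NAT = {
    (WEB_PRIVATE_IP, 80): (WEB_PUBLIC_IP, 80),
    (WEB_PRIVATE_IP, 443): (WEB_PUBLIC_IP, 443),
}
STATIC_NAT_REVERSE = {glob: loc for loc, glob in STATIC_NAT.items()}


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Result:
    egress: str
    packet: Packet            # the packet as it leaves the router
    reaches_web_server: bool  # True only if it is delivered to 192.168.1.230 on Gi0/0.4


def egress_interface(dst: str) -> str:
    """Connected-network lookup; anything else follows the default route
    ('ip route 0.0.0.0 0.0.0.0 XX.XX.XX.225') out the WAN interface."""
    addr = ipaddress.ip_address(dst)
    for name, (net, _role) in INTERFACES.items():
        if addr in net:
            return name
    return "GigabitEthernet0/1"


def forward(pkt: Packet, ingress: str) -> Result:
    """Model IOS handling of 'ip nat inside source' translations.
    Outside->inside: the global destination is mapped to its local address
    before routing. Inside->outside: routing happens first, then the source
    is translated. Inside->inside traffic is never translated at all."""
    in_role = INTERFACES[ingress][1]
    if in_role == "outside" and (pkt.dst, pkt.dport) in STATIC_NAT_REVERSE:
        local_ip, local_port = STATIC_NAT_REVERSE[(pkt.dst, pkt.dport)]
        pkt = replace(pkt, dst=local_ip, dport=local_port)
    egress = egress_interface(pkt.dst)
    out_role = INTERFACES[egress][1]
    if in_role == "inside" and out_role == "outside":
        glob = STATIC_NAT.get((pkt.src, pkt.sport))
        if glob:
            pkt = replace(pkt, src=glob[0], sport=glob[1])
        else:
            # Overload via route-map SDM_RMAP_1 / ACL 101 onto the Gi0/1 address;
            # the PAT source-port rewrite is not modelled here.
            pkt = replace(pkt, src=ROUTER_WAN_IP)
    reaches = pkt.dst == WEB_PRIVATE_IP and egress == "GigabitEthernet0/0.4"
    return Result(egress, pkt, reaches)


def resolve(name: str, client_ip: str) -> str:
    """The split-DNS approach from the thread: clients on an 'ip nat inside'
    network get the LAN address, everyone else gets the public address."""
    internal_zone = {"www.example.com": WEB_PRIVATE_IP}   # constructed hostname
    public_zone = {"www.example.com": WEB_PUBLIC_IP}
    addr = ipaddress.ip_address(client_ip)
    is_internal = any(addr in net for net, role in INTERFACES.values() if role == "inside")
    return (internal_zone if is_internal else public_zone)[name]


if __name__ == "__main__":
    # 1. Internet client -> public IP: destination un-NATed, routed to Gi0/0.4. Works.
    print(forward(Packet("198.51.100.7", 40000, WEB_PUBLIC_IP, 443), "GigabitEthernet0/1"))
    # 2. 192.168.10.0 client -> public IP: routed out Gi0/1 with the source PAT'd and
    #    the destination left as .231, so it never reaches the web server.
    print(forward(Packet("192.168.10.50", 50000, WEB_PUBLIC_IP, 80), "GigabitEthernet0/0.2"))
    # 3. Same client after split DNS: inside -> inside, no NAT, delivered.
    lan_target = resolve("www.example.com", "192.168.10.50")
    print(forward(Packet("192.168.10.50", 50000, lan_target, 80), "GigabitEthernet0/0.2"))
```

Case 2 is the failure Dan observed: the router does route the packet toward an 'ip nat outside' interface, but only the source is rewritten in that direction, so the public destination is never mapped back to 192.168.1.230. The loopback workaround in the Cisco note forces the packet through an extra inside/outside hop so both translations occur; split DNS avoids the hairpin entirely.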