1106 Views | 0 Helpful | 1 Replies

Second public IP not accessible from inside LAN

riley.porter
Level 1

I have a client that just got a second public IP (x.x.x.252) for a new program. I've set up that second IP on their UC540 on the public-facing port and it's accessible all day long from the outside, no problem. The problem comes in where users from within the LAN can't see the new public IP at all; however, they CAN get to the original public IP x.x.x.250. I've looked at the rules every which way and can't see anything that either 1) only allows LAN traffic to get to the original public IP, or 2) is a NAT rule that only allows the same thing.

[Disclaimer: I just inherited this client and their setup, so other than me adding the IP and opening ports to it, I didn't program it.]

Here is the port configuration:

!
interface FastEthernet0/0
  description $FW_OUTSIDE$
  ip address 63.234.195.252 255.255.255.248 secondary
  ip address 63.234.195.250 255.255.255.248
  ip access-group 106 in
  no ip redirects
  no ip unreachables
  no ip proxy-arp
  ip verify unicast reverse-path
  ip nat outside
  ip inspect SDM_HIGH out
  ip virtual-reassembly
  load-interval 30
  duplex auto
  speed auto
!

And access-list 106:

!
access-list 106 permit ip any host 63.234.195.252
access-list 106 permit icmp any any
access-list 106 permit ip any host 192.168.10.11
access-list 106 permit host 192.168.10.11 any
access-list 106 permit tcp host 192.168.10.11 eq www any eq www
access-list 106 permit tcp any eq www host 192.168.10.11 eq www
access-list 106 permit ip any host 192.168.10.12
access-list 106 permit ip host 192.168.10.12 any
access-list 106 permit ip 155.70.39.0 0.0.0.255 host 63.234.195.250
access-list 106 permit ip 155.70.23.0 0.0.0.255 host 63.234.195.250
access-list 106 permit ip 155.70.59.0 0.0.0.255 host 63.234.195.250
access-list 106 permit ip 155.70.141.0 0.0.0.255 host 63.234.195.250
access-list 106 permit udp any host 63.234.195.250 eq non500-isakmp
access-list 106 permit udp any host 63.234.195.250 eq isakmp
access-list 106 permit esp any host 63.234.195.250
access-list 106 permit ahp any host 63.234.195.250
access-list 106 permit udp host 140.142.16.34 host 63.234.195.250 eq ntp
access-list 106 permit udp host 132.239.254.49 host 63.234.195.250 eq ntp
access-list 106 permit tcp any any eq echo
access-list 106 deny ip any any
!

Like I said, I can't figure out why .250 is internally-accessible, but .252 isn't. .252 is in the routing table as a directly-connected address, but I also added ip route 63.234.195.252 255.255.255.255 FastEthernet0/0 to the routing table and it still won't go. Everything is controlled by the UC540: The internal servers do not run DNS or DHCP or even a domain. There are no NAT outside rules.

Any help would be appreciated, thanks!
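One way to check what access-list 106 actually does with a given packet is to walk it the way IOS does: top to bottom, first match wins, implicit deny at the end. The evaluator below is an added example (not part of the post and not Cisco code) that parses the ACL exactly as Riley posted it and evaluates a few constructed test flows against it (the 203.0.113.x / 198.51.100.x source addresses are documentation ranges chosen for the example; the ACL entries themselves, the port names, and the 63.234.195.x addresses are from the post). The evaluator only understands the ACE forms that appear in this ACL (permit/deny, protocol, any/host/wildcard addresses, optional `eq` ports), which is enough to show that entry 1 admits any source to 63.234.195.252, while 63.234.195.250 is reachable from the outside only for the listed 155.70.x.0/24 sources, the IPsec and NTP entries, ICMP and TCP echo, everything else landing on the final deny.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# IOS well-known port names used in the posted ACL.
PORT_NAMES = {"www": 80, "isakmp": 500, "non500-isakmp": 4500, "ntp": 123, "echo": 7}

# Access-list 106 exactly as it appears in the post (same order, same entries).
ACL_106_TEXT = """\
access-list 106 permit ip any host 63.234.195.252
access-list 106 permit icmp any any
access-list 106 permit ip any host 192.168.10.11
access-list 106 permit ip host 192.168.10.11 any
access-list 106 permit tcp host 192.168.10.11 eq www any eq www
access-list 106 permit tcp any eq www host 192.168.10.11 eq www
access-list 106 permit ip any host 192.168.10.12
access-list 106 permit ip host 192.168.10.12 any
access-list 106 permit ip 155.70.39.0 0.0.0.255 host 63.234.195.250
access-list 106 permit ip 155.70.23.0 0.0.0.255 host 63.234.195.250
access-list 106 permit ip 155.70.59.0 0.0.0.255 host 63.234.195.250
access-list 106 permit ip 155.70.141.0 0.0.0.255 host 63.234.195.250
access-list 106 permit udp any host 63.234.195.250 eq non500-isakmp
access-list 106 permit udp any host 63.234.195.250 eq isakmp
access-list 106 permit esp any host 63.234.195.250
access-list 106 permit ahp any host 63.234.195.250
access-list 106 permit udp host 140.142.16.34 host 63.234.195.250 eq ntp
access-list 106 permit udp host 132.239.254.49 host 63.234.195.250 eq ntp
access-list 106 permit tcp any any eq echo
access-list 106 deny ip any any
"""

AddrSpec = Tuple[int, int]  # (base address, wildcard mask); wildcard 1-bits are "don't care"


def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def _parse_addr(t: List[str], i: int) -> Tuple[AddrSpec, int]:
    """Consume one IOS address spec: 'any' | 'host A' | 'A WILDCARD'."""
    if t[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if t[i] == "host":
        return (_ip(t[i + 1]), 0), i + 2
    return (_ip(t[i]), _ip(t[i + 1])), i + 2


def _parse_port(t: List[str], i: int) -> Tuple[Optional[int], int]:
    """Consume an optional 'eq PORT' qualifier (port name or number)."""
    if i < len(t) and t[i] == "eq":
        p = t[i + 1]
        return (int(p) if p.isdigit() else PORT_NAMES[p]), i + 2
    return None, i


@dataclass
class Ace:
    action: str
    proto: str
    src: AddrSpec
    sport: Optional[int]
    dst: AddrSpec
    dport: Optional[int]
    text: str


def parse_ace(line: str) -> Ace:
    """Parse 'access-list N permit|deny PROTO SRC [eq P] DST [eq P]'."""
    t = line.split()
    if t[0] != "access-list" or t[2] not in ("permit", "deny"):
        raise ValueError(f"unsupported ACE: {line}")
    src, i = _parse_addr(t, 4)
    sport, i = _parse_port(t, i)
    dst, i = _parse_addr(t, i)
    dport, i = _parse_port(t, i)
    return Ace(t[2], t[3], src, sport, dst, dport, line)


def _addr_match(spec: AddrSpec, ip: int) -> bool:
    base, wild = spec
    care = ~wild & 0xFFFFFFFF          # bits the ACE actually compares
    return (ip & care) == (base & care)


def evaluate(acl: List[Ace], proto: str, src: str, dst: str,
             sport: Optional[int] = None, dport: Optional[int] = None):
    """First-match walk of a numbered extended ACL, as IOS does it.
    Returns (action, 1-based entry number or None, matching ACE text)."""
    s, d = _ip(src), _ip(dst)
    for n, ace in enumerate(acl, 1):
        if ace.proto != "ip" and ace.proto != proto:   # 'ip' covers every protocol
            continue
        if not (_addr_match(ace.src, s) and _addr_match(ace.dst, d)):
            continue
        if ace.sport is not None and ace.sport != sport:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action, n, ace.text
    return "deny", None, "implicit deny ip any any"   # never reached here: entry 20 is explicit


ACL_106 = [parse_ace(l) for l in ACL_106_TEXT.splitlines() if l.strip()]

if __name__ == "__main__":
    # Constructed test flows (documentation-range sources), all arriving inbound on Fa0/0.
    flows = [
        ("tcp", "203.0.113.5", "63.234.195.252", 51000, 443),
        ("tcp", "203.0.113.5", "63.234.195.250", 51000, 443),
        ("udp", "198.51.100.7", "63.234.195.250", 500, 500),
        ("udp", "140.142.16.34", "63.234.195.250", 123, 123),
        ("tcp", "155.70.39.10", "63.234.195.250", 51000, 22),
    ]
    for f in flows:
        action, n, text = evaluate(ACL_106, *f)
        print(f"{f[0]} {f[1]} -> {f[2]}:{f[4]}  => {action} (entry {n}: {text})")
```

What this does not show is just as relevant: 106 is applied `in` on the outside interface, so only packets arriving from the ISP side are ever compared against it. Packets that originate on the LAN enter the router on an inside interface and never touch this list, which is why the ACL alone cannot explain a difference between .250 and .252 as seen from inside; that path is decided by routing and by the NAT configuration, which the post does not include.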

1 Reply

jonatrod
Level 7

Good morning

Hi Riley, thanks for using our forum, my name is Johnnatan and I am part of the Small Business Support community. You posted your question in the UC forum; go to "Small Business Voice and Conferencing > SBCS - UC500" so you can have more feedback on your case, more users will see it there. You can move your post using the actions panel on the right.

“Please rate useful posts so other users can benefit from it”

Greetings, 
Johnnatan Rodriguez Miranda.
Cisco Network Support Engineer.
