02-26-2018 01:12 AM - edited 03-08-2019 02:01 PM
Hello everyone,
I am a newb in the networking world. We have a Cisco 2900 series router. We have configured three interfaces, two inside and one outside (not done by me :) ). I have attached the running config file.
I am trying to give anyone on the network 10.10.x.x access to a web-server on 192.168.x.x.
I did try a couple of changes on the access list, but they didn't work.
I am not sure if I am doing the right configuration or where to begin.
Let me know if you guys need any more information.
02-26-2018 03:19 AM - edited 02-26-2018 03:21 AM
Hi,
Please try the following configuration:
!
access-list 112 permit ip host 192.168.1.189 10.10.0.0 0.0.1.255
access-list 112 deny ip 192.168.1.0 0.0.0.255 any
access-list 112 permit ip any any
!
access-list 111 permit ip 10.10.0.0 0.0.1.255 host 192.168.1.189
access-list 111 deny ip 10.10.0.0 0.0.1.255 any
access-list 111 permit ip any any
!
int gi0/1
no ip access-group 10 out
ip access-group 111 out
!
!
int gi0/0
no ip access-group 12 out
ip access-group 112 out
And @Seb Rupik, I can see that ACL 101 is already used in NAT, so be careful.
Regards,
Deepak Kumar
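Added example (not part of the thread, and not Cisco tooling): a small Python model of how the router evaluates the two ACLs posted above, first match wins with wildcard masks, so candidate flows can be checked before the lists are applied. It handles only `ip` entries in the `host` / `any` / address-plus-wildcard forms and ignores protocol and ports, which is an assumption that fits these six lines only.

```python
import ipaddress

# ACL 112 and 111 copied from the answer above.
ACL_TEXT = """\
access-list 112 permit ip host 192.168.1.189 10.10.0.0 0.0.1.255
access-list 112 deny ip 192.168.1.0 0.0.0.255 any
access-list 112 permit ip any any
access-list 111 permit ip 10.10.0.0 0.0.1.255 host 192.168.1.189
access-list 111 deny ip 10.10.0.0 0.0.1.255 any
access-list 111 permit ip any any
"""

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def _take_addr(tokens):
    """Consume one address spec and return (base, wildcard) as integers."""
    head = tokens.pop(0)
    if head == "any":
        return 0, 0xFFFFFFFF
    if head == "host":
        return _ip(tokens.pop(0)), 0
    return _ip(head), _ip(tokens.pop(0))

def parse_acls(text):
    """Return {acl_number: [(action, src_spec, dst_spec), ...]} in config order."""
    acls = {}
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 5 or tokens[0] != "access-list" or tokens[3] != "ip":
            continue  # this model only understands 'ip' entries
        rest = tokens[4:]
        src = _take_addr(rest)
        dst = _take_addr(rest)
        acls.setdefault(tokens[1], []).append((tokens[2], src, dst))
    return acls

def _match(addr, spec):
    base, wildcard = spec
    # Wildcard bits set to 1 are "don't care"; all other bits must equal the base.
    care = ~wildcard & 0xFFFFFFFF
    return (_ip(addr) & care) == (base & care)

def evaluate(acls, number, src, dst):
    """First matching entry wins; falling off the end is the implicit deny."""
    for action, src_spec, dst_spec in acls[number]:
        if _match(src, src_spec) and _match(dst, dst_spec):
            return action
    return "deny"

ACLS = parse_acls(ACL_TEXT)
```

For example, `evaluate(ACLS, "111", "10.10.1.77", "192.168.1.189")` returns `"permit"`, while a constructed source of 10.10.2.5 falls outside the 0.0.1.255 wildcard and is handled by the final `permit ip any any` instead. Because the entries are `permit ip`, the result is the same for ICMP, HTTP or any other IP protocol.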
02-26-2018 01:39 AM
Hi,
There is some confusion. What is the IP of the web server? And have you opened access to the complete subnet or only to the web server in 192.168.x.x from the 10.10.x.x subnet?
Regards,
Deepak Kumar
02-26-2018 02:23 AM
Hi Deepak,
Webserver IP is 192.168.1.189 and I want to open access to the web-server from subnet 10.10.x.x.
02-26-2018 06:51 AM
Hello Deepak,
Thanks for your reply.
I tried your suggestion and I am able to ping from 10.10.x.x to 192.168.1.189, but I am not able to access the webpage. Should we add a NAT?
02-26-2018 07:22 AM
Hi,
NAT is not required. What error message are you getting?
Regards,
Deepak Kumar
02-26-2018 08:38 PM
Hello Deepak,
It points to the Cisco router administration page. Below is the screenshot.
The default gateway is 10.10.0.1, the IP address is 10.10.1.x and the subnet mask is 255.255.254.0. DHCP is configured on the router.
02-26-2018 09:25 PM
Hi,
It is strange to see. Can you share the tracert command output from your desktop?
Regards,
Deepak Kumar
02-26-2018 09:42 PM
Hello Deepak,
Here is the tracert
Tracing route to 192.168.1.189 over a maximum of 30 hops
1 2 ms 1 ms 8 ms 10.10.0.1
2 89 ms 42 ms 78 ms 192.168.1.189
Trace complete.
02-26-2018 09:46 PM
Hi,
As per your tracert output, it is working fine.
How are you trying to access your web server? Is it with 192.168.1.189 or Internal DNS name or Public DNS name or IP?
Regards,
Deepak Kumar
02-26-2018 10:47 PM
Hi,
The idea is to use a DNS name. Currently I am accessing it directly by IP address.
We have a couple of websites which we can access from outside, for example from home. The web server is hosted in-house, so to access it from outside we have a NAT,
for example:
ip nat inside source static tcp 192.168.1.x 80 interface GigabitEthernet0/2 80
interface GigabitEthernet0/2
description $ETH-WAN$
ip address publicIP 255.255.255.248
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
We have an internal DNS server on 192.168.1.x.
Here are the network connection details from my desktop:
IP: 10.10.1.77
Subnet mask: 255.255.254.0
Default gateway: 10.10.0.1
DNS server: 94.x.x.x 192.168.1.x
The issue is that we cannot access it from the 10.10.0.x network. We can ping now, but cannot access the webpage.
Hope I am not creating confusion. Let me know if you need more information.
02-26-2018 10:55 PM
Please share the output of the commands below:
1. show ip route
2. show ip access-lists
Then try to access the web server from desktop 10.10.1.77 and run the commands below:
3. show ip nat translations | include 10.10.1.77
4. show ip nat statistics
Do you have any crypto map configuration?
Regards,
Deepak Kumar
02-27-2018 12:38 AM
Hello Deepak,
I am able to access the webserver/website, as I quickly recreated another one with no domain name and I am able to access it. So your access rule works. Thank you for that.
Now the issue is that if we access the website by a domain name, or by an IP address which has a domain name, it gets resolved to the domain name and points to the Cisco administration page.
02-27-2018 01:01 AM
Hi,
For that issue, you have to configure hairpin on your router. So now you have two options:
1. Configure your internal DNS server for your public domain name with your local LAN IP.
2. Configure the hairpin option on the router.
Don't forget to give a vote.
Regards,
Deepak Kumar
02-27-2018 02:19 AM