cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3369
Views
10
Helpful
19
Replies

Route traffic from an inside interface to access a web-server on another inside interface on a CISCO 2900

kar
Level 1
Level 1

Hello eveyone,

 

I am a newb on the networking world. We have a cisco 2900 series router. We have configured three interfaces , two inside and one outside.(not done by me :) ) I have attached the running config file.

 

I am trying to give access to any one on the network 10.10.x.x to access a web-server on 192.168.x.x 

I did try couple of changes on the access list , but didn't work.

 

I am not sure if i am doing the right configuration or where to begin from.

 

let me know if you guys need any more information.

1 Accepted Solution

Accepted Solutions

Hi, 

Please try with following configuration:

 

!
access-list 112 permit ip host 192.168.1.189 10.10.0.0 0.0.1.255
access-list 112 deny ip 192.168.1.0 0.0.0.255 any
access-list 112 permit ip any any
!
access-list 111 permit ip 10.10.0.0 0.0.1.255 host 192.168.1.189
access-list 111 deny ip 10.10.0.0 0.0.1.255 any
access-list 111 permit ip any any
!
int gi0/1
no ip access-group 10 out
ip access-group 111 out
!

!
int gi0/0
no ip access-group 12 out
ip access-group 112 out

 

 

And @Seb Rupik I can see the ACL 101 is already used in NAT.  So careful.

 

Regards,

Deepak Kumar

Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment will help you!

View solution in original post

19 Replies 19

Deepak Kumar
VIP Alumni
VIP Alumni

Hi, 

there is some confusion, What is IP of the WEB server? and Have you opened the access to complete subnet or only web server in 192.168.x.x from 10.10.x.x subnet?

 

Regards,

Deepak Kumar

 

Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment will help you!

Hi Deepak,

 

Webserver IP is 192.168.1.189 and i want to open access to the web-server from subnet 10.10.x.x

Hi, 

Please try with following configuration:

 

!
access-list 112 permit ip host 192.168.1.189 10.10.0.0 0.0.1.255
access-list 112 deny ip 192.168.1.0 0.0.0.255 any
access-list 112 permit ip any any
!
access-list 111 permit ip 10.10.0.0 0.0.1.255 host 192.168.1.189
access-list 111 deny ip 10.10.0.0 0.0.1.255 any
access-list 111 permit ip any any
!
int gi0/1
no ip access-group 10 out
ip access-group 111 out
!

!
int gi0/0
no ip access-group 12 out
ip access-group 112 out

 

 

And @Seb Rupik I can see the ACL 101 is already used in NAT.  So careful.

 

Regards,

Deepak Kumar

Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment will help you!

Hello Deepak,

 

Thanks for your reply

 

I tried your suggestion and i am able to ping from 10.10.x.x to the 192.168.1.189 but not able to access the webpage. Should we add a NAT ?

Hi,

NAT is not required.  What error message are you getting? 

Regards,

Deepak Kumar

Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment will help you!

Hello Deepak,

 

It points to the cisco router administration  page .Below is the screenshot 

Capture.PNG

The default gateway is 10.10.0.1 and ip address is 10.10.1.x subnet mask :255.255.254.0, DHCP is configured on the Router.

 

Hi, 

It is strange to see. Can you share the tracert command output from your desktop?

 

Regards,

Deepak Kumar

Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment will help you!

Hello Deepak,

Here is the tracert 

 

Tracing route to 192.168.1.189 over a maximum of 30 hops

1 2 ms 1 ms 8 ms 10.10.0.1
2 89 ms 42 ms 78 ms 192.168.1.189

Trace complete.

Hi, 

As per your tracert output, it is working fine. 

How are you trying to access your web server? Is it with 192.168.1.189 or Internal DNS name or Public DNS name or IP?

 

Regards,

Deepak Kumar

Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment will help you!

Hi,

the idea is to use a dns name.Currently i am accessing it  directly from the IP address.

 

We have couple of website which we can access from outside, for example from home. The webserver is hosted in-house. So to access it from outside we have a NAT

for example :

ip nat inside source static tcp 192.168.1.x 80 interface GigabitEthernet0/2 80

 

interface GigabitEthernet0/2
description $ETH-WAN$
ip address publicIP 255.255.255.248
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto

 

We have an internal dns server  on 192.168.1.x

 

Here is the network connection details from my desktop:

ip: 10.10.1.77

subnet mask : 255.255.254.0

Default gateway : 10.10.0.1

DNS server 94.x.x.x  192.168.1.x

 

The issue is we cannot access it from 10.10.0.x network . Though we can ping now, but not the webpage

 

Hope I am not creating a confusion. Let me know if you need more information.

 

Please share the output of below commands,

 

1. Sho ip route

2. Sho IP access-list

 

try to access the web server from desktop 

10.10.1.77 and type below command:

 

3. sho ip nat translations | include 10.10.1.17

4. sho ip nat statistics

 

Do you have any crypto map configuration?

 

Regards,

Deepak Kumar

 

Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment will help you!

Hello Deepak,

 

I am able to access the webserver/website , as I quickly recreated another one with no domain name and I am able to access. So your access rule works. Thank you for that

 

Now the issue is if we access the website from a domain name or IP address which has a domain name it gets resolved to domain name and points to cisco adminstration page

 

 

Hi, 

for that issue, you have to configure the Hairnet on your router. So now you have two option 

1. Configure your internal DNS server for your public domain name with your local LAN IP.

2. Configure HAIRNET option on the router. 

 

Don't forget to give a vote.

 

Regards,

Deepak Kumar

Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment will help you!

We have configured are internal DNS server which is on 192.168.1.4 with record name which points to 192.168.1.189. So we need to have a access list so 10.10.1.x subnetwork can access the internal dns server too which is on 192.168.1.4 ?
Review Cisco Networking for a $25 gift card