Cisco Routers :: UC540 - Second Public IP Not Accessible From Inside LAN
Apr 2, 2013
I have a client that just got a second public IP (x.x.x.252) for a new program. I've set up that second IP on their UC540 on the public-facing port and it's accessible all day long from the outside, no problem. The problem comes in where users from within the LAN can't see the new public IP at all; however, they CAN get to the original public IP x.x.x.250. I've looked at the rules every which way and can't see anything that either 1) only allows LAN traffic to get to the original public IP, or 2) a NAT rule that only allows the same thing.
[Disclaimer: I just inherited this client and their setup, so other than me adding the IP and opening ports to it, I didn't program it.]
Here is the port configuration:
!
interface FastEthernet0/0
description $FW_OUTSIDE$
ip address 63.234.195.252 255.255.255.248 secondary
ip address 63.234.195.250 255.255.255.248
ip access-group 106 in
no ip redirects
no ip (code )
I can't figure out why .250 is internally-accessible, but .252 isn't. .252 is in the routing table as a directly-connected address, but I also added ip route 63.234.195.252 255.255.255.255 FastEthernet0/0 to the routing table and it still won't go. Everything is controlled by the UC540: The internal servers do not run DNS or DHCP or even a domain. There are no NAT outside rules.
Oct 7, 2012
In my client's office, we have replaced the small business router Cisco RV042 with a Cisco ISR 2911 router. In that router we have configured NAT to allow internal users to access the internet and port forwarding for outside users to access web servers and other applications that are hosted internally.
We are not able to access [URL] (name changed) from internally and one of the applications that are running on port no. 8280, and the same is working properly from outside the network. The other application that is running on 8287 is accessible from internally.
We are accessing with IP address http://192.168.1.51:8280, and [URL] is not working from inside.
But all works fine with the old Cisco RV042.
Jan 6, 2013
I am facing a problem with Cisco ASA remote access VPN: the remote client is connected to VPN and receiving an IP address, but the client is not able to ping or telnet any internal network. I have attached the running configuration for your reference.
-FW : ASA5510
-Version : 8.0
Site to Site VPN is working without any issues
Mar 26, 2012
Set up my Foscam IP cam last night on the wireless network using UPnP and was able to access it fine via the public IP, using another PC on the same network with no issues. However, when I tried to access it from work it doesn't connect. Is there a firewall setting that I'm overlooking?
FYI I'm using a Netgear CVG824G.
Aug 20, 2011
How could I make a VPN tunnel between a router SA520 and a central UC540?
May 18, 2011
I'm trying to traverse from my inside private IP address (10.x.x.x) to my public IP address translation (172.16.x.x) in order to take advantage of the ACLs that are already applied on my outside interface. For example:
Host 10.0.0.1, translated to PAT pool
Server 10.0.0.5, translated to 172.16.0.1
Inside-out access-list permits ip any any
Outside-in access-list permits tcp any 172.16.0.1/32 eq 80
From my inside host, I can get to 10.0.0.5:80. I can get out to the internet. External hosts can successfully get to 172.16.0.1:80 (address scheme is theoretical). I can do everything except for connect to 172.16.0.1:80 (the translated public IP address) from my inside host address. I did not set up this firewall originally, but I can't see a blatant command that makes this not work. I don't see an ACL rule matched, so I'm assuming this is an issue with NAT or some sort of security policy. I'm running a Pix 535 /w 8.0.4. The response I got from Cisco was "create static (inside,inside) translations for every host", but that's over 300 hosts. I have a friend running the same software set and his works as expected without these static (inside, inside) NATs.
Jul 5, 2011
The router is a 2821 and is set up to perform static NAT from one internal IP address mapping to one external IP address for each of our servers (inside the LAN): [code] Servers all have internal IP addresses and each of them is represented to the outside world by its public IP address with the above command on the router. Here is the problem. When I'm in a server (for example 192.168.0.210) and try to access other servers by their public IP addresses (i.e. *.*.*.211) the connection fails. However, when I try to access the same server by its private IP address (i.e. 192.168.0.211) it works!
My issue is I don't want to modify the Windows hosts file for a manual mapping (for example mail.mydomian.com goes to 192.168.0.211 rather than *.*.*.211) because we host many domains and it just doesn't make sense to do it one by one. So we must be able to access our servers by their public IP addresses in order for our applications to work correctly.
May 22, 2012
I need to connect from an inside host to a host located in the DMZ zone for DNS queries. The host in the DMZ zone has a static NAT to the outside. The point now is that I would like to connect from inside to the NATed outside address, means to the public Internet address.
Inside host: 10.0.0.1 -> PAT for 10.0.0.0/8 to 20.0.0.254 (Outside Interface)
DMZ host: 192.168.1.1 -> NAT to outside to 20.0.0.1
The traffic should be 10.0.0.1 udp>1024 to 20.0.0.1 udp=53. The source IP address on the outside interface now is 20.0.0.254 (according to the PAT), the destination IP address 20.0.0.1. The DNS reply from 20.0.0.1 should go back now to 20.0.0.254 and then to the inside host 10.0.0.1.
I know that on the PIX it was not possible, to have outgoing traffic on the outside interface which immediately enters again the same interface. Can I realize this scenario with the ASA 8.4(3) release now?
Sep 11, 2012
I have an ASA5510. INSIDE, DMZ and OUTSIDE interfaces are configured. I have a web server on the DMZ, IP: 10.0.0.1, and it is static NATed to 1.1.1.1. From the internet I can reach the web server with IP 1.1.1.1, and from INSIDE I connect to the web server with IP 10.0.0.1. Now I want to connect from INSIDE to the web server via the public IP (1.1.1.1). How can I configure it?
Aug 23, 2012
How would I go about giving a server on the inside interface of my ASA a public IP address? I have a /28 on the outside interface and I'd like to give a server a public IP and not NAT.
I'm not sure how to go about getting this done.
show run nat=
nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.0.192_27 NETWORK_OBJ_192.168.0.192_27 no-proxy-arp route-lookup
nat (inside,outside) source static NETWORK_OBJ_192.168.0.0_24 NETWORK_OBJ_192.168.0.0_24 destination static NETWORK_OBJ_192.168.0.192_27 NETWORK_OBJ_192.168.0.192_27 no-proxy-arp route-lookup(code)
Oct 30, 2012
Got an ASA5525-X with 8.6 release. We have an inside interface (10.11.1.0/24) and a DMZ interface (10.254.1.0/24). On that DMZ interface there's an SMTP server; by using the Public server feature in ASDM we created a rule so we have mapped the 10.254.1.29 internal IP to an external IP 217.x.x.x. Everything is fine, working OK, but for several reasons we need to access the public IP 217.x.x.x from an inside IP (10.11.1.10). I tried to do it by creating an exemption for the dynamic NAT; if I don't do that I have a 'deny ip spoof from...' message rolling on my syslogs. Seems to do the trick... but only for pings! I ping the public IP from the inside IP, and get the reply from the internal IP on the DMZ. But if I want to telnet port 25 from inside to public, it's not working.
Jun 22, 2011
I'm stuck at ASA 5505 NAT, port forwarding configuration. Here is what I need:
host1: 192.168.1.1 service tcp/100 >>>>> public ip 1.1.1.1 service tcp/100
host2: 192.168.1.2 service tcp/200 >>>>> public ip 1.1.1.1 service tcp/200
host3: 192.168.1.3 service tcp/300 >>>>> public ip 1.1.1.1 service tcp/300
So people from remote just need to use the 1.1.1.1 public IP to access all the ports on three different inside servers. I can do this on my old ASA 5505 with 8.0(4). Looks like there are lots of changes from 8.0 to 8.4.
Nov 27, 2012
On an 887VA running 15.x IOS, is there a way to support both public and private addresses on inside VLANs? The outside interface is a public static IP, so the requirement would be to not NAT anything if coming from inside vlan10 but NAT if coming from inside vlan20. I didn't think this was possible since the outside interface would have to use an outside NAT command that would not be ignored for traffic coming from vlan10.
Jan 23, 2012
We have an ASA 5550. I have a portal server in the DMZ which is NATed statically to a public IP address for port 443. The application works fine from the outside world. The server is also NATed with a dynamic NAT from inside to DMZ, and when I hit the DMZ IP from my inside it works fine.
The requirement for us is that the users sitting behind the inside (i.e. LAN) should access the server on the public IP address and not through the DMZ.
Jul 28, 2010
I recently (three days ago) purchased a SRP 527w and have been using it in a mixed Mac/Windows network. The setup is currently primarily using defaults apart from enabling logging. While I was still able to access the internet with some applications, accessing web content appears to have been blocked after approximately 48 hours uptime.
No web pages using port 80 were available and that included the router web interface. The router would respond to ping only.
On a different note. I have to say that I find it very strange that the supplied documentation doesn't advise setting up the router using the admin login. It was only after reading one of the comments on this site that I was alerted to this security problem. I also find it rather annoying that I appear to have to purchase additional support merely to be able to download firmware updates which are designed to give the device improved functionality.
Nov 6, 2012
I have a DVR system, which is configured in the DMZ on my firewall. The DVR internal IP is 192.168.2.13 and the external IP is 27.34.xxx.xx. I am able to access the DVR by using the internal IP and it works fine, while accessing from the internet it does not work properly. It does prompt for username and password, though. After entering the login credentials it goes blank. I am able to telnet to the external IP from the internet on port 80.
Sep 15, 2011
After choosing the option "IPv4 and IPV6 Dual-Stack" in Networking > IPv6 > IP Mode, the router's configuration website is not accessible any more using its IPv4 address or via remote management (WAN IP). However, all other router services (routing, VPN, etc.) are working fine.
Mar 20, 2011
I am facing a problem while connecting to my VPN server configured on a UC540 device. This device is behind my ISP router. I applied port forwarding of IPsec traffic to my Cisco device, which is configured as the VPN server. Now if I try to connect with my live IP I get the following error. [code] I tested: if I connect using 192.168.0.116 internally it works, but if I try to connect using my live IP it keeps trying but does not connect.
Mar 1, 2012
I currently have a UC540 system with 12x aironet 1130 APs. Seamless roaming does not seem to work, and the recommendation seems to be to introduce a WLAN controller.
Dec 12, 2012
I need support for how to configure the SLM224P with the UC540.
Apr 30, 2010
Setting up a link between a Head Office UC540 and a remote SR520 which I want to use a PC and an IP Phone from. This remote site is the first of several. I've found several examples of site to site IPsec VPNs, but none with references to voice and data VLANs. Do I need to worry about this or will the phone just work?
Jan 29, 2013
I have created a VPN tunnel between a UC540 and ASA running software version 9.1, I am unable to ping from the outside from a network 192.168.10.0 / 24 coming in on the outside interface to the inside network 172.16.1.0 /24. I have tried various commands and some of them may not be necessary. [code]
Mar 24, 2010
We have a new deployment where we have 5 total 7921G wifi phones connected via 2 AP541n access points, one connected to a ESW520p switch and then to the UC540 and the other connected directly to the UC540. The wifi phones are intermittently giving no audio when calling each other, however, calls to the PSTN consistently do have 2 way audio. Is this a security issue perhaps? We are running the latest CCA software pack as this is a brand new deployment, also the AP's were upgraded to the latest firmware.
Feb 6, 2013
I have an issue with routing public IPs on the RV042G. I have been able to route the IP's in a couple of different ways, but there is always a nagging problem.
I have a PPPoE Business Class account with 5 routable public IP's. I would like to route the IPs and manage the private network using the RV042G.
Here is what I have tried and the problem that arose: 1) I used 1:1 NAT and the servers responded with no issue. This would be a workable config however I use Kerberos for single sign-on for my clients. To use this security protocol and bind the clients to the server, I must use a public IP on the server machines. In this scenario however, everything else worked fine. 2) I then tried using the DMZ and putting the servers on the DMZ port with a public IP entered in the network config of the machine. That even worked fine and I was excited until I noticed that the servers were reporting the public IP assigned to the DMZ port as their IP when they sent mail. I then ran a test and that is the case. The servers - each with a public IP - are reporting the IP of the DMZ port. I can't have that because the mail servers need to announce a correct IP so the reverse lookup will match. Once again, a little gnat gets in the soup.
Feb 27, 2012
I've a problem with the Cisco RV082. I want to connect to my public IP from a local IP, but it seems it's being blocked by the firewall. I've added a firewall rule to allow ANY connection from LAN to the outside world, but it has no effect.
LAN IP: 192.168.1.5
Public IP (which is assigned to LAN IP 192.168.1.5 by One-to-One NAT): 118.xxx.xxx.xxx
Jan 29, 2013
I am configuring this new router for a client. I am running into an issue that I cannot get working. They use 5 public IP addresses. Currently the WAN port on the router is .66 and I have all the ports forwarded to the correct internal IPs. This works fine. However, I need to forward ports from other public IPs (ex: .67) to internal IPs. So far I have been able to accomplish this via the One to One NAT feature. It allows me to forward ONE port from a public IP to a private IP. However, I need to forward 3 or 4 ports per public IP to a single internal address. Does this router not support that functionality?
Aug 26, 2012
I've finally set up our RV220W to serve our office network, using the following environment: The WAN is set to a public IP (static configuration), while the internal network consists of two VLANs. VLAN 1 is connected to the cabled network and one wireless SSID, where DHCP is served by our Windows SBS server (192.168.15.x), and this VLAN is used only for our own office. VLAN 2 is connected to a second wireless SSID, where DHCP is served by the RV220W itself (192.168.17.x), and this VLAN is used for guests and visitors to our office.
On a regular basis, we need to use a mobile device to access a test page from a development server on VLAN 1, and the router is configured to redirect connections on a specific port on the public IP to our development server. For VLAN 1, I solved this by overriding DNS for the hostname of this test page to use the local IP for the development server. However, for VLAN 2, there is no way to access this test page.
Is there any way I can configure the router to either redirect these connections, or override the internal DNS so the test page on the development server can be reached also from VLAN 2 (the guest/visitor network)?
Dec 18, 2010
I have 2 questions. On my Cisco 2811 (IOS 12.4(15) T9 IPBASE W/O Crypto) I am using 3 interfaces. And I have a pool of global addresses: 200.x.z.97-200.x.z.126 255.255.255.0
FastEthernet 0/1
description WAN interface
ip nat outside
ip address 200.x.y.253 255.255.255.0
GigabitInterface 0/2/0
description DMZ interface
ip nat inside
ip address 10.0.0.1 255.255.255.0
GigabitInterface 0/3/0
description LAN interface
ip nat inside
ip address 192.168.0.251 255.255.255.0
[Code]....
Mar 11, 2013
Are there any small business routers that offer one-to-one NAT? I have several public IP addresses assigned to me by CenturyLink. I have two servers that provide email and web hosting for two different domains. I want to put the client machines on one VLAN (VLAN Z) and assign it a public IP address (to keep server traffic separate). I want to put each server on its own VLAN (VLANs X & Y) and assign each server its own public IP address. I need the router to be able to provide a firewall and port forwarding for each VLAN. I also need to be able to route traffic between VLANs so the clients on VLAN Z can access their email and the websites on VLANs X and Y. I also need to be able to route DNS traffic between VLANs so each server can provide name resolution for their respective domains.
So, is this possible with a small business router or do I need to look at something different? I'm fairly certain this configuration is not possible with my current Cisco RVS4000. What it boils down to is I need a router that is capable of having multiple public IP addresses on the same interface and to forward those public addresses to private VLAN subnets. This would be one-to-one NAT if I understand it correctly.
Aug 29, 2012
I recently "upgraded" to Uverse from DSL. While the speed boost is nice, UVerse comes with a 2wire residential gateway. Unfortunately you can't disable the DHCP functionality in the 2wire router, nor can you disable the router functionality completely and just run it as a modem, which has pretty much made it impossible to integrate into my network. So the partial solution anyway is to keep using the rv082 (yey!) behind the 2wire, assign a public static IP to the rv082 WAN1 i/f, disable the firewall in the 2wire for the rv082, and up and running again. The problem I'm facing now is that I had 3 devices on the LAN that were published using individual public static IPs. With good-ol'-DSL, I could use the one-to-one-NAT feature in the rv082, block any unwanted traffic in the firewall, and everything works. Unfortunately with the configuration options in the 2wire, I can only assign a single public IP address to any one device hooked up to it, in this case the rv082 WAN1 port. I have the one-to-one-NAT configured sequentially on the WAN and LAN side on the rv082 with nothing else hooked up to the 2wire. For example, one-to-one-NAT configuration in the rv082:
WAN range: 66.77.88.91 to 66.77.88.93
LAN range: 192.168.0.2 to 192.168.0.4
The 2wire is allocating the first public static IP in the range to the rv082 (i.e. 66.77.88.91). This works 100% reliably for this address - however because I can only assign a single address in the 2wire interface the other devices are no longer accessible externally. Curiously it kind of partially works, but not reliably. I can briefly connect to one of the other addresses (say xx.92), but then connectivity is lost to the others. Someone suggested I try using the Dual-WAN feature to get at least two addresses assigned to the rv082. Seemed like a good idea in theory, i.e. because the 2 WAN ports have different MAC addresses, the 2wire should see two different devices and allow me effectively to assign two public IPs to the rv082, e.g. 66.77.88.91 to WAN1 and 66.77.88.92 to WAN2. Of course failover mode won't work here, because only one is connected at a time. However the load-balancing mode did seem like it may work, but something is going on that I don't understand. Internal connectivity is working fine and I can access the internet, but for some reason the 2wire is getting really confused and constantly re-assigning IP addresses to the rv082. I don't know if this is because the host name is the same for both WAN1 and WAN2 ports, or there is something in how the rv082 does the load balancing.
- Are there any tricks to getting the Dual-WAN to work in the way needed to essentially have two simultaneous internet connections?
- Would it be possible to buy a 2nd rv082 and have it on the same LAN? How would I configure this?
- Is there an alternative Cisco router that may work better with what I'm trying to do?
Sep 25, 2011
My network contains three devices (BPX, DVR, PC) that need a fixed IP. Does the Cisco SRP547W router support static public IPs?
Aug 22, 2012
The client has a Cisco RVS4000. There are 3 Internet devices that need to be accessed from the outside, and each will use one public IP. I don't see any options to set up 3 NATs on the Cisco RVS4000. If the Cisco RVS4000 doesn't work in this situation, which router will do?
Mar 26, 2013
What I'm trying to do seems pretty basic, but I cannot get it working on the RV180. I have 5 fixed IPs. Using Access Rules I have configured a few inbound rules with specified WAN destination addresses and these are correctly port forwarding these inbound ports on the specified public IP addresses. Perfect!
However, for outbound, I need to do the equivalent for one public IP for outgoing SMTP so that our mail server's public-facing address is not the standard WAN address and therefore will not fail a reverse DNS lookup. At the moment I have emails bouncing all over the place and panic has set in. I thought the SNAT option was the solution, but that just seems to break traffic flow completely on the specified port. I had this working no problem on my old Netgear, but I had to replace it due to throughput limitations.