Cisco WAN :: 2821 / When Web Server NAT 'd Access From Internal LAN
Mar 26, 2012
For a config on a 2821 router with IOS 15.1?I've setup an internal web server and am able to acccess it from outside our network but not from inside (on a separate internal LAN - 192.168.10.0). When on the internal LAN - DNS points to the Public IP for the web server - so we'd need to route through the Public IP to access the web server.
What is the best way to allow access to the web server XX.XX.XX.231 from 192.168.10.0 network?
Related Config Lines to Allow Access to Web Server
NAT
ip nat inside source static tcp 192.168.1.230 80 XX.XX.XX.231 80 extendable
ip nat inside source static tcp 192.168.1.230 443 XX.XX.XX.231 443 extendable
ACL
ip access-list extended WAN
permit tcp any host XX.XX.XX.231 eq 443
permit tcp any host XX.XX.XX.231 eq www
The router is 2821 and is setup to perform static NAT from one internal ip address mapping to one external ip address for each of our servers (inside the LAN): [code] Servers all have internal ip addresses and each of them represented to the outside world by their public ip address with above command on the router. Here is the problem.When I'm in a server (for example 192.168.0.210) and try to access other servers by their public ip addresses (i..e. *.*.*.211) the connection fails. However, When i try to access the same server by it's private IP address (i.e. 192.168.0.211) it works!
My issue is i don't want to modify windows host file for a manual mapping (for example mail.mydomian.com goes to 192.168.0.211 rather than *.*.*.211) because we host many domains and just doesn't make sense to do it one by one.So we must be able to access our servers by their public IP addresses in order for us our applications works correctly.
We have 6 brnaches configured with NAC Module in Cisco 2821 ISR router. The WAN link being used to connect all the branch to the HQ CAM is via WIMEX wireless Broadband. The bandwidth is 2MB.OOBVG is the mode used. All branches were working well last 1 year. Last month it is suddently disconnected from the CAM.I opened the TAC. Cisco history of TAC experience, We have total 6 TAC enginners tried one by one still the problem not resolved. The following are the findings
1. Timing is accurate between CAS-CAM 2. Shared secret key correct 3. SSL temp certificate ok also image being used it 4.6.1. 4.Tcpdump from both CAM and shows some initial packet drops of 10 sec with the below CAM log
I believe that NAC is not a matured products and the problem like this even by Cisco TAC can not solve.
I tried the solution posted at [URL] however it did not work on my ASA5505 8.4(2). I thought that it may be because I only have a single public address so the web server is responding to port forwarding through the one public IP already. looking in ASDM it appears to indicate that a configured access list is blocking the server from responding to the internal hosts.
Can I fix an access list (or something) to make this work or am I wishing for too much with only one public IP? This worked by default on my Netgear firewall.
I am using ASA 5520 with 8.2.4 IOS. I'm new to ASA/Firewall. I need to do access webserver from outside network.From Laptop (192.168.2.51), If I connect to url... it should open page from 10.10.10.50.I also need to ssh to webserver from laptop. If I ssh to 192.168.2.50 from laptop, it should connect to 10. 10. 10.50. [code]I can't get to webserver from outside network, so now, I connected laptop to directly ASA 5520 outside port with crossover cable.ASA Inside port connects to L3 switch. Webserver also connects to L3 switch. But still doesn't work.
I running site-to-site IPsec VPN in Cisco 2811 IOS 12.4 both site. Here I encounter a problem to access server on Site A from Site B
Site A having Leased Line connected to router with Public IP. I have done static mapping 1 web server to Public IP (NAT). This to allow external users to access the server via Public IP. At the same time, users at Site B would need to access to same server via Internal IP since they have Site-to-Site VPN established. But once I done Static Mapping (NAT), user at Site B unable to access the server at Site A using its internal IP. But external user can access server via Public IP. What went wrong here. Do i need to add extra command to get this done?
i cant resolve one problem in may 1921 isr router, i have a web server in my internal lan , i set up static nat for accessing that web server from outside and it woks fine but i cannot view that site from internal workstations can you suggest me what to do. as i know when request gets to router it performs static nat and sends packet to the web server, but the server responds with its private source address instead the public address witch workstation expects and connection cannot established.
It's been a while since I've done a lot with a PIX config so what is the best way to allow access for 2 IP addresses that need to RDP into a server here inside our network. They also wanted to have ports redirected, 3391 to 3389 and 3397 to 3389.
I had an Linksys WRT54GS and this wireless is connected to a switch in an internal enviroment but i want connect guest users without them see my internal network and can't access to any internal server....how can i configure this?
What is the best way to monitor an Internet Edge router from the Internal network behind the Firewall?We want to pull more information from the edge router like netflow. We can use SNMPv3 and ACLs to keep the router secure.
But I am looking for the best config to keep both the router and firewall as secure as possible while still allowing us to monitor performance and faults.I am running an ASA and a 2821.
Currently i am having a scenario where i have setup RV042 and which is connected to Microsoft Forefront 2010. PPTP works fine only on rv042 subnet but i am not able to access the "internal" network of TMG.RV042 (172.16.1.1) ---> TMG [external] (172.16.1.2) ---> TMG [internal] (192.168.1.1) Is there any way through static route to access the TMG internal network through RV042 pptp server?
We are using a 2821 Router as our boundary router. It has installed into it a 9 port HWIC for layer 2 switching as well as allowing the router to communicate on the Network Management VLAN. All of the devices on the Network Management VLAN are segregated from the managed traffic, which unfortunately also doesn't allow them external NTP services. Can the router be programmed as a NTP server so that all of the network appliances can utilize it for NTP from either it's NM Vlan IP address or from a loopback address?
I have a 2821 ciso router and i want to setup a vpn for my windows domain users , they must to reach the domain from outside. There is posibile to intregrate Active directory auth with pptp running on 2821 router? kind of dialin via radius server(IAS running on windows server 2003).
my laptop sometimes gives a 500 internal server error when I try to go to any website. our other wireless devices such as our phones don't do this while the laptop is.
I have nated my 172.81.15.0 255.255.255.0 into my internal server 10.1.10.164 , i can ping the out side server but the internal server is not accessible from out side static (Database-Servers,interface-sms) 172.81.15.2 10.1.10.164 netmask 255.255.255.255icmp permit 172.81.15.0 255.255.255.0 interface-smsroute zemen-sms 172.81.15.0 255.255.255.0 10.131.199.201 1access-list Database-Servers-in extended permit tcp host 10.1.10.164 host 10.185.62.144 eq 9090access-list Database-Servers-in extended permit tcp host 10.1.10.164 host 10.185.62.144 eq wwwicmp permit host 10.185.62.144 interface-smsi can ping the out side server 10.185.62.144 with out a problem . from the server 10.185.62.144 i can ping untill 172.81.15.2 and it will not ping the natted server 10.1.10.164. as u seen the accesslist ping is permitted.
The RV082 is a great unit, however when VPN clients connect the QuickVPN Client has a setting to use the Remote DNS settings of the RV082. The RV082 has no way of linking or using a user-defined DNS. I have an internal DNS Server that I would like the VPN Clients to query on internal name lookups (kindof the point of having client vpn, so they can access internal network shares etc. On the diagnostic page the ping and name resolution can only check external DNS and internal IP's. Wouldn't it make sense to at least make the RV082 aware of internal DNS Servers? Then the Ping and DNS lookup would be able to test both zones? Is this something that can be looked at by Linksys Developers for this product? The WRV210 (a cheaper and lower level model) has this functionality.
Problem about authentication in VPN 3000 but until now I haven't had return on neither of the post maybe those I'm more clear than others.
I have a VPN 3000 with PPTP Tunnel VPN and the first authentication option is on Server Radius:
Configuration > System > Server > Authentication is firstly the Server Radius and after Internal ( Authentication on Base Group Internal )
But, when I configure a user in User Management > User it isn't work. I think that authentication order is firstly Radius and if it don't find the second option is processed which ( this case ) is Internal server. but don't occour the error in log is:
I need to configure my ASA 5520 version 7.3 firewall to translate our SMTP server residing in local LAN to use different IP address from the outside interface which is used by all other computers to access Internet. Under NAT section, I have NATted this internal SMTP server with different IP address(eg x.x.x.1) and also translated the remaining IP addresses in the LAN to the outside interface(eg x.x.x.2)
my problem is, Whenever i check the header for message coming from the smtp server it shows that, the SMTP server is also translated by using the same outside interface public ip address(i.e x.x.x.2) which is used by other client machine to access internet instead of the x.x.x.1. How I can get my SMTP server to use separate IP and avoid to be blacklisted by some domain.
I write here to see if some kind soul can not solve my problem (which is common to seeso many people around the world). problem: I have a mail server (192.168.1.17) configured static NAT because it is accessible byPublic IP (PPP.PPP.PPP.PPP). Everything works properly from the outside, but if I get my Mail server (on port 443) from the internal network (192.168.1.xxx) there 'verse. This configuration is called Nat inside-to-inside is done by default by some SOHO routers(such as the TPLINK from 25 euros) but Cisco did not succeed. I search on the internet for 2 days without a get nowhere. PS: I have a Cisco 1801 router. (or 1941 as another router).
I have a client in a workgroup environment. They are a small company with perhaps twenty systems. Their infrastructure consists of a Dell Switch, a Cisco ASA-5505 which hands out the DHCP and a router. And that's that.They have been using an external IP as their DNS Server to get out to the Web. However, they now want to add an internal Linux-based DNS server.In looking through the ASA-5505 today I noticed a field for DNS enteries. Is this where the IP for this new internal DNS Server (in the secondary DNS field) would go?If so, would it be necessary to reboot the ASA-5505 for this change to take effect?
I'm new to the Cisco world and have so far got internet and VPN working (without SDM) using the IOS commands.I have hit a stubling block with port forwarding ports 80 (http) and 443 (https) to my small business server for outlook web access.I need to forward port 80 and 442 to internal LAN server 192.168.10.1.The Cisco 877 has a local IP address of 192.168.10.254. [code]
The first one I use to provide internet access to my office. The other two I'm going to use for the following: I'm going to deploy a server in internal network which must have 2 external ips on his network interface (& one internal ip on the second,but that's ok: I cannot put an extra network switch before asa & plug this server there: this server is virtual & is on esxi host in internal network. External ips must be assigned to servers' interfacw,bot just forwarded there (ms direct access requirement).
We have setup a new internal web server so now we have two internal web server and both or hosting sites on port 80. Currently we have port 80 forwarding to one of the web servers and users are able to hit it from the outside.
Is there any way to configure the RV042 to route web traffic to the correct web server by using the site name or dns? If a user puts in the address{URL}, be routed to one web server but if they put in {URL}, be routed to our second web server. I've checked with our vendors and the both web servers applications need to run on port 80. If we have forwarding setup on the RV042 to forward port 80 to web1 then users can't access web2 from the outside?
I am hoping to get your feedback around the dhcp issues I am facing with Two Centrally Switched Wireless LANs. The setup is as follows:
- I have a WLC 5508 which has been configured with 4 SSIDs, out of which 2 are using Central Authentication and Switching. - I have an LWAP connected to the WLC in HREAP mode. - WLC is configured as the DHCP server for clients connecting to the SSID 'Guest'. For the rest, I am using external dhcp server. - Only one scope for Guest Interface is setup on the WLC.
Problems: 1. As far as I know, for WLC to act as internal dhcp server, it is mandatory to have the proxy enabled, but the Clients connecting to SSID 'Internet' are unable to get an ip address from the external dhcp server, if dhcp proxy is enabled on the WLC. If i disable the proxy, it all works fine. 2. DHCP does not release the ip addresses assigned to clients even after they are logged out. 3. If a machine which was earlier connected to 'Guest' SSID connects to the 'Internet' SSID, it requests the same ip it was assigned by the WLC which it was assigned under 'Guest', but gets tagged with the V LAN configured on the management interface.
************Output from the Controller******************** (Cisco Controller) >show sysinfo Manufacturer's Name............. Cisco Systems Inc.Product Name................ Cisco Controller Product Version................. 7.0.116.0Bootloader Version................ 1.0.1Field Recovery Image Version..................... 6.0.182.0Firmware Version..... FPGA 1.3, Env 1.6, USB console 1.27Build Type.......... DATA + WPS + LDPE [code]...
A client wants us to use the internal DHCP server on a 5508 instead of Windows DHCP. They will have 15 APs initially and upto 25 later. The docs on the 7.2 WLC make it sound like this is discouraged: Internal DHCP Server.
The controllers contain an internal DHCP server. This server is typically used in branch offices that do not already have a DHCP server. The wireless network generally contains 10 access points or fewer, with the access points on the same IP subnet as the controller.
In this case, the APs will not be in the same subnet as the Managment Internet.Is it a mistake to use the internal DHCP with upto 25 APs (3 WLANs)?
I have a hosted web server that has a website on it that needs to connect back to a database within our internal network. We have a Cisco WRVS4400N Wireless Router with 2 VLANS. VLAN 1 goes to a Watchguard Firebox which is connected to our internal network. VLAN 2 goues to our classroom network.
Our database is on VLAN 1. I have opened port 1433 on the Watchguard to allow SQL traffic from our Web Server. I can telnet from my workstation on VLAN 1 to the Web Server over port 1433, so I know the Web Server is not blocking anything. When I try to telnet from the Web Server to our Public IP address over port 1433, it fails.
I believe I have the firewall on the Cisco WRVS4400N off, so it shouldn't be blocking any traffic, but for the life of me I can't get this to work. I have been working on this for two days, and I NEED it to work. This was working up until last week, then it quit working. I am the only person making changes to our network, and there were no changes made during that time.
This isn't a big deal as the rest of the ACL works fine, but this is an annoynace since the web auth redirects to our company website (internal for now) after successful login.We have a Cisco WLC that provides access to our production and guest wireless environments. The guest environment of course is in a separate vlan (10.10.50.0/24). So I created this ACL:
access-list 107 permit udp any host 10.10.2.13 eq bootpc <----internal DHCP server access-list 107 permit udp any host 10.10.2.13 eq bootps access-list 107 deny ip any 10.10.0.0 0.0.255.255 <---all internal networks access-list 107 deny ip any 172.28.16.0 0.0.0.255 <----DR Network access-list 107 permit ip any any int vlan 50 Desc "Guest wireless network" ip access-group 107 in
This ACL basically gives the wireless guests access to an internal DHCP server and full access to the internet. For the 10.10.50.0/24 scope, the DHCP server assigns Internet DNS servers and my rationale is that wireless clients would access it via the external IP address but I suppose it doesn't work quite like that with the website being behind the same router as the client machines.
We have 3 internet links from different providers connected to configured WAN 1,2,3 in RV016. A remote client needs to connect to a internal VPN Server behind RV016, so we use one-to-one NAT to publish the internal server ip to a Valid IP from WAN3 and setup protocol binding in Multi wan to all trafic (TCP and UDP) from the internal VPN address exits with WAN3.
So, the remote client tries to connect to VPN using this ip Address from WAN3 and sometimes work and sometimes not. It's clear to us that the problem lies in the response from RV016 not coming always from WAN3, because if we disconnect the two other links (WAN1 and 2) Its works flawless.
setup a DHCP server on a WLC 2504. I'll try to resume my configuration:
I have 2 networks: inside users (vlan 1) and external users (vlan)
My controller uses the port 1 to connect to the switch, which has a trunk with WLC.
I have two routers, one using vlan 1 (192.168.3.0/24) and one using vlan 10 (200.X.X.X). All ports to these routers are access ports on their respective vlans.
I have 2 SSID, one for inside, other to outside. Inside is working very well.
To the outside I created a DHCP escope and already set the IP of the management interface 192.168.3.119.
I am trying to setup a guest vlan. I set up an interface for the guest vlan on my 4402 controller. I assigned the guest vlan interface an IP of 192.168.2.10 with a 24 bit subnet mask.
This vlan will go to my DMZ where there is no DHCP server so I need to setup the internal DHCP server. I created a new scope but I'm having trouble with what to put in the Network field for the DHCP scope. The pool addresses are 192.168.2.100-200. with a 24 bit subnet mask.
Every time I try to apply the configuration I get an "error in setting DHCP scope network and netmask".
I've tried using:
192.168.2.10 192.168.2.255 192.168.2.254
as entries for the Network setting but no go. The docs say to enter the IP address used by the management interface with subnet mask applied.
I was assuming they meant the interface for the guest vlan.
One of my internal servers requires it to be available to the internet I am having a hard time allowing it to be NATed through my Ciscc 2801 router. It seems as though im missing something small. From what I can gather it seems as though its as issue with ACL, but im not sure. I have ran the following command: ip nat inside source static tcp 192.168.5.1 ***WAN IP Address*** 8443 extendable Then I tried to add it to the ACL via this command: access-list 150 permit tcp any host ***WAN IP Address*** eq 8443
Here is a copy of my config.
IP 172.19.3.x sub 255.255.255.128 GW 172.19.3.129 Ciscso 2801 Router
