Cisco WAN :: 2901 / DMZ Public Web And Dns Servers - NAT Configuration?

Jun 24, 2011

We have a Cisco 2901 router with a 10M dedicated link on the Gi0/0 interface and 3 VLANs on the Gi0/1 interface. Gi0/1 is subinterfaced for the default, LAN and DMZ segments. LAN is assigned 172.16.1.0/24 and DMZ 192.168.1.0/24. We host a web server (192.168.1.11) and a DNS server (192.168.1.18) on the DMZ VLAN. On the same WAN interface we have configured PAT and NAT. For outside queries to the DNS and web servers everything works fine, but when we try to open the website on our web server from the internal LAN, we can't do it.
 
When pinging the web server by its IP address 192.168.1.11 or by the FQDN, the requests respond fine. The domain.com and [URL] resolve and respond with the public IP address of our WAN link, as the DNS server is configured. But when we try to open [URL] in the Internet browser the website does not open.
 
What could be the issue? Can it be anything with the NAT or PAT configuration?


Cisco WAN :: 2901 - QoS Configuration

Feb 23, 2011

I am trying to come up with a config for implementing QoS over a 512 kbps WAN link that will traverse voice and data traffic for now. I am using a Cisco 2901 router with 15.1(3)T IOS on it. My config is below:
 
class-map match-any DATA-PRIORITY
 match protocol citrix
 match protocol ssh
class-map match-any VOICE-CONTROL
 match protocol skinny
 match protocol mgcp
 match protocol h323
class-map match-any VOICE
 match protocol rtp audio
class-map match-any ANY
 match any
[code]...

THE ISSUE IS: when I add in the service-policy output WAN-QOS-POLICY command, I get the error "insufficient bandwidth 256kbps for bandwidth guarantee (180)". If I take the "bandwidth 512" command out then I get no issues adding the above command on interface g0/1.


Cisco :: 2901 Terminal Server Configuration

May 12, 2012

I have just purchased a 2901 with HWIC-16A and 2 CAB-HD8-ASYNC Terminal Server to manage 16 (connect via console) Cisco devices.
 
Please find attached the config file. I could not find proper docs on setting up this device as a terminal server. I have followed the following link but it did not work.
 
[URL]
  
There are 16 Async (0/0/0 - 15) interfaces and also the following lines.
line 2
line 0/0/0 0/0/1
line 0/0/2 0/0/15
  
How can I connect to other Cisco devices via the terminal router?

usage of above 16 Async interfaces and lines.


Cisco WAN :: Best Design For Simple Configuration 2901

Nov 20, 2011

I'm new to routing and Cisco in general. I'm inheriting a rather simple setup but would like to approach the next steps with a good strategy. Currently we have a 2901 router with public IPs on both interfaces. The internal facing interface is our gateway for some webservers and a firewall. Now we are looking to add a colocation site and establish a site-to-site VPN using another 2901. My goal is to have the colocation use the same internal 10.100.0.0/23 network. My question is what is the best way of going about this since the router at the main site has public IPs on both interfaces? Do I need to multi-home the internal facing interface? If so, what else needs to be done?


Cisco Firewall :: No Traffic To Public Servers PIX 515

Jun 8, 2011

Upgrading from a PIX 515, V6.2, I can get internet traffic out through the ASA, but no traffic in to the servers. The NATs are the same on the old firewall. The routers outside the firewalls are doing further natting from the .253 network to a public address. No changes have taken place on the routers. [code]


Cisco WAN :: High Availability Configuration Between 2 2901 Routers

Jul 7, 2011

I have to install and configure two 2901 routers at different locations with high availability. These 2 routers would be connected through WAN; now I would like to configure high availability between the two routers.
 
I have attached a small diagram of the placement of the 2 routers.
 
How do I configure high availability between these 2 links or routers?


Cisco Firewall :: Shared Public IP To Two Servers - ASA 5510 8.3 - NAT / PAT

Feb 5, 2012

I have a situation where we have a single DMZ server currently statically forwarded to a single public IP.  TCP ports 80, 443, 8080, 8500, 53, and 21 are open to this server via an access list.
 
However, we have added an additional server to the DMZ, and because our web developers did not communicate with me beforehand, we are forced to use the same DNS name (thus, the same public IP) for this server. This server only needs traffic on TCP/8800 forwarded to it.
 
I am using ASDM 6.4 for configuration of this, as I am required to take multiple screen shots of the procedure for our change control policy.
 
My question lies in the reconfiguration of NAT/ PAT.  Since our current server has a single static NAT to a single public IP, it is simply natted for "any" port.  I understand that I can add the new server as an object, and only PAT it on TCP 8800, but will I then have to go back and reconfigure the first server multiple times for PAT, or will the ASA notice the specific PAT, and forward 8800 to the new server without affecting the existing "old" server?
 
It appears ASDM will not allow me to put multiple ports into a single network object.  I am assuming I will need to add 6 separate object translations for the "old" server based on TCP port, and 1 object translation for the "new" server, correct?


Cisco Firewall :: ASA 5510 - How PAT With One Public IP To Two Internal Servers

Sep 18, 2012

I've tried a bunch of things but it didn't work, I'm about to give up! :-/
 
I have the following scenario:
 
ASA5510 - v8.3(2)
 
Interfaces
ETH0/0 = outside  = 189.xxx.xxx.129
ETH0/1 = inside = 10.xx.1.15

[Code]....

What should I do to get SIP and port 8080 working on my public IP, so that accessing http://189.xxx.xxx.129:8080 from my browser goes through directly to my internal server 10.xx.xx.61?


Cisco Firewall :: Remote VPN On ASA 5510 Failing To Hit Public Servers?

Mar 12, 2012

I have a Cisco ASA 5510 that was set up as a VPN server for working remotely. I have disabled split tunneling so that all traffic created while VPN'd in goes through the ASA. The problem I'm having I believe would be resolved if I enabled split tunneling, but I would prefer another solution. Now, for the problem. When a user is connected via VPN, they can hit all intended devices, both public and private, except servers that have static NATs in the FW. So Server A has a public of 1.1.1.1 which is one-to-one mapped to a private address of 10.1.1.1. Now if the remote user brings up a browser and goes to 1.1.1.1 it won't work. The FW gives me an error which is posted below. However, using the private IP of the server works. I thought about trying to manipulate DNS to resolve this, as the remote users are using URLs and not IPs when trying to reach these servers, but again, I was hoping I could resolve the NAT problem that the FW seems to be having.
 
Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src Outside:192.168.202.100/49238 dst INSIDE:1.1.1.1/80 denied due to NAT reverse path failure

192.168.202.x/24 is the remote VPN IP given via the ASA.

Here are some configurations on the ASA:
 
static (INSIDE,Outside) 1.1.1.1 10.1.1.1 netmask 255.255.255.255
 access-list INSIDE_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_2 192.168.202.0 255.255.255.0 
object-group network DM_INLINE_NETWORK_2

[code].....
 
Outside with 4.4.4.4 as the public IP, traffic gets NAT'd to dynamically; Inside with the 10.1.1.x network on it. The ASA is running 8.2.


Cisco Firewall :: ASA5525-X / Accessing IPs Of Public Servers From Inside Interface?

Oct 30, 2012

Got an ASA5525-X with 8.6 release. We have an inside interface (10.11.1.0/24) and a DMZ interface (10.254.1.0/24). On that DMZ interface there's an SMTP server; by using the Public server feature in ASDM we created a rule so we have mapped the 10.254.1.29 internal IP to an external IP 217.x.x.x. Everything is fine, working OK, but for several reasons we need to access the public IP 217.x.x.x from an inside IP (10.11.1.10). I tried to do it by creating an exemption for the dynamic NAT; if I don't do that I have a 'deny ip spoof from...' message rolling on my syslogs. Seems to do the trick... but only for pings! I ping the public IP from the inside IP, and got the reply from the internal IP on the DMZ. But if I want to telnet to port 25 from inside to public, it's not working.


Cisco :: ISRG2 2901 - How To Create Bulk Configuration Files From Template For Staging

Aug 17, 2011

We have created a sample configuration for the ISRG2 2901 router. The sample configuration is long, and with copy/paste it is possible to skip some lines, and it is difficult to ensure the configuration of every device is standardized due to this error possibility. What we are trying to achieve is to first create a template from this sample configuration file, and then create configuration files for each device separately and automatically. After creating these configuration instances, we want to be able to distribute the configuration files (and possibly the IOS) to the devices during the staging phase. Since there are about 1000 2901 routers, creating configuration files is important.
 
From searching we have found the following tools:
 
1) CCE (Cisco Configuration Engine): This tool seems to be very efficient for distributing the created configuration files. We may use the serial number of the device, and it provides almost zero-touch provisioning of the configuration files to the devices. Creating the configuration file from the template seems to be manual, i.e. enter the IP addresses of the interfaces and the routing tables one by one for each device. How can we use a Velocity template for device configs?

2) Ciscoworks LMS Prime: It is possible to create a baseline template for the devices, and after getting the backup configuration of the routers, it is possible to compare the actual configuration of the device with the baseline template, and understand if there is any difference with each other. This is indeed very useful in order to keep the configuration standardized, we again could not find a way to create bulk configuration files from the baseline template.

3)  Solarwinds Config Generator: This tool is useful for creating a configuration file from a template, but again not for automatically creating configuration files, and needs manual intervention.

4) Excel Macro: It seems that some people have managed to automatically create configuration files using an Excel macro, but we could not find a procedure or tip on how to achieve this.

5) Perl or TCL/TK Script: Again, since we are not software developers but from the networking field, it is difficult to achieve a working form of these scripts or code due to lack of documentation and development experience.


Cisco Firewall :: 5505 PAT With Single Public IP And Several Servers Behind Firewall

Nov 21, 2012

New to the ASA 5505 8.4 software version, but here is what I'm trying to do:
 
-Single static public IP:  16.2.3.4
-Need to PAT several ports to three separate servers behind firewall
-One server houses email, pptp server, ftp server and web services: 10.1.20.91
-One server houses drac management (port 445): 10.1.20.92
-One server is the IP phone server using a range of ports: 10.1.20.156
 
Basically, need to PAT the ports associated with each server to the respective servers behind the ASA 5505.  Is anything missing from this config? Do I need to include a global policy for PPTP and SMTP? [code]


Cisco WAN :: 1941 - Configuration / Interface Does Not Appear To Be Getting Any DNS Servers?

Sep 30, 2012

Having a problem configuring my new 1941 router. The 0/0 interface is attached to my broadband and gets its IP via DHCP; the 0/1 interface is connected to my LAN and has a DHCP pool. My problem is that the 0/0 interface does not appear to be getting any DNS servers. So I have either missed something or need to add the DNS servers manually to my DHCP pool. Below is my config,

[code]...


Cisco WAN :: 3750X - Print Servers On New VLan Configuration

Mar 26, 2012

Company has implemented a 3750x with older Lexmark Pro print servers on a new VLAN configuration for printers. Causing print servers to lose connection. Have to reset constantly. Have tried to configure print server ports to full. Also new Nexus 7000. Perfect scenario is network devices.. not there yet.


Servers :: IP Configuration Lost After System Reboots In SLES 10

May 29, 2012

My IP configuration is lost after the system reboots in SLES 10, but when I restart the network it comes back again after doing the same two/three times.


Servers :: Hostname Redirects To Router Configuration Page?

Mar 13, 2012

My router/modem is a DSL-2740B. I created a hostname [URL]. At my service provider I was able to create a DNS setting where I specified my router's IP address. In my router I think I created a port forward (TCP port 8080 on both external and internal) with the IP address of a small "web server" (an Arduino module for home automation). When I enter my hostname I get to see my router config page instead of my "Arduino page".


Cisco VPN :: ASA Version 8.2(5) - Public-to-Public L2L / No Return Traffic?

Apr 2, 2013

One of our vendors requires using a public ip address to setup a site-to-site IPSEC vpn. We only have one public ip address and that will be used for the vpn endpoint and for internet access for the local network. I've setup policy NAT from our local network to the outside interface. I'm also using the outside ip address for the crypto map. The tunnel setups successfully and the Tx count increases anytime I try to ping the remote network, but the ping fails and the Rx count does not increase. According to our vendor, we should be able to ping the remote network and connect using port 443. When trying to connect using port 443, I see a SYN timeout in the logs. I'm not sure if the problem is on their end and they're rejecting our traffic, or if something is misconfigured on our end. I'd like to make sure that I have everything configured correctly before I go and point fingers at them.

Local Network - 10.10.9.0/24
Remote Network - 20.20.41.0/24
Remote Peer - 20.20.60.193
ASA Version 8.2(5)
!
hostname ciscoasa

[code]....


Cisco Firewall :: ASA 5520 8.4(1) Public WAN To Public DMZ?

Jul 10, 2011

I have an ASA 5520 8.4(1) set up as follows:
 
      public wan
          |
          |
       ASA-- public dmz
          |
          |
      private lan
 
I need to allow HTTPS traffic to a server in the DMZ that will have a routable IP address. Will just an ACL suffice? Which interface do I apply it to, WAN or DMZ? I don't need a NAT since the DMZ is a routable space?


Cisco Firewall :: Mask DMZ Servers From Private Servers And LAN ASA 5520

Jun 11, 2013

We are planning to split the Private servers from the DMZ Servers and configure an additional Interface and segment for this purpose.
 
Private Servers Segment: 192.168.4.0/24 (there is no DHCP all servers' IPs are statically configured)
DMZ Segment: 192.168.3.0/24 (This is a future deployment)
LAN Segment: 172.17.0.0/16
 
Both, Private Servers and DMZ Servers are in a collocation as well as the ASA5520. There are multiple Branch offices that uses subnets within the 172.17.0.0/16 Network and they are connected to the ASA5520 via Metro-E.
 
I do not know if this is possible but what I want to do is this:
 
In order to avoid the change of internal DNS records I want to mask the DMZ servers with a Private Server IP when a Private server or LAN host wants to access it like this:
 
The FTP server in the DMZ has the IP address 192.168.3.100. But when a PC from the LAN wants to reach the FTP server it should point to its old IP: 192.168.4.100. This way the PC sends a packet to ftp.corporate.net (192.168.4.100), the ASA receives the packet, translates it to 192.168.3.100 and sends it out through the DMZ interface.
 
Also, if the Private Servers want to reach the same FTP, the ASA will act like a proxy-ARP and send the packet to the DMZ by means of the translation of the IP.


Cisco WAN :: 6513 Servers Unable To Communicate With DC-1 Servers

Mar 20, 2012

I have extended VLANs 120 and 121 from DC-1 to DC-2. DC-1 and DC-2 are connected using an L2 trunk over fiber terminated on a Cisco 6513 at both sites, a distance of around 40 km. On DC-2 I just assigned server-1 to VLAN 120 and server-2 to VLAN 121, but these servers are unable to communicate either with the DC-1 servers or between themselves locally on DC-2. Please note that the servers at DC-2 rely on DC-1 for routing.


Servers :: Connect 5 Servers Together To Create A Private Network?

Apr 16, 2011

I'm trying to connect 5 servers together to create a private network. Each server has a network of its own and I'm trying to make all 5 servers communicate with each other to share and search data simultaneously.


Cisco WAN :: IOS Firewall On 2901?

Nov 9, 2011

What IOS do I need to purchase to get Cisco IOS Firewall on a Cisco 2901 - is it just IP Base or do I need one of the Security IOSs?


Cisco WAN :: 2901 Don't See Any Options In The IOS

May 24, 2011

I have a 1-Port 3rd Gen Multiflex Trunk Voice/WAN Int. Card - T1/E1 in a 2901 that I want to configure for data only (T1 connection to the Internet). I don't see any options in the IOS for using this thing as a serial interface (data), only options for configuring PRI/ISDN.


Cisco WAN :: 2901 - How To Get License

May 25, 2011

The license has been installed onto the router. Here is the relevant output from show license all:
 
License Store: Primary License Storage
StoreIndex: 0   Feature: ipbasek9                          Version: 1.0
        License Type: Permanent
        License State: Active, In Use
        License Count: Non-Counted
        License Priority: Medium
StoreIndex: 1   Feature: WAAS_Express                      Version: 1.0
        License Type: Permanent
        License State: Active, Not in Use
        License Count: Non-Counted
        License Priority: Medium
 
WAAS license as it says that this is not in use, WAAS under the interface is not possible.


Cisco VPN :: 2901 - VPN Between IOS And ASA Only Working 1 Way

Jun 9, 2013

I have a Cisco ASA and a 2901 Cisco router connected via site-to-site VPN. The ASA can ping over the VPN to computers behind the router, but the router cannot always ping computers in the ASA network. When I ping from a computer in the IOS router's 10.100.36.0 network the requests time out most of the time; although every few minutes, I will get about 10 pings back, then it stops working again.

I uploaded their two configurations.

The ASA's public IP is 20.20.20.5 and local (inside) network is 10.101.36.0/24
The IOS router's public IP is 20.20.20.10

There are many internal networks, but 10.100.36.0/24 is the one with issues.


Cisco :: No Traffic Gre Tunnel 2901

Nov 6, 2012

I try to make a gre tunnel with 2 cisco routers 2901, ping responds between tunnel ip's ends, but I don't have pings from the pc's inside the networks. [code]


Cisco WAN :: How To Disable Fragmentation On 2901

Feb 7, 2012

How do I disable fragmentation on a 2901 router? I want it to simply drop oversized packets. In my lab, I am trying to test various MTU issues. I'm trying to use a 2901 router to simulate the WAN equipment that my WAN provider would deploy in production. In production I'm expecting the WAN to only support an MTU of 1320 with no fragmentation at all.


Cisco WAN :: Internet Connectivity On 2901 ISR

Jan 1, 2012

Physical devices are a Cisco 2901 (CISCO2901/K9)  with GE0/0 configured as 192.168.1.1
Connected through a D-Link DGS-1210-24 configured as 192.168.1.202
Running on a domain with an HP domain server as 192.168.1.2
 
The 2901 was an EHWIC (VA-DSL-A oPoTS) on EHWIC 0/0/0
GE 0/0 on the 2901 is physically connected to the DGS-1210 which is physically connected to the server.
VDSL 0/0/0 is physically connected to the DSL jack.
 
So far the configuration reports all is connected, and I can ping the gateway of our ISP (using CLI or Cisco CP); however the server reports no internet connection and no workstations can access the 'net.
 
Once connected; I'd also like to allow ports through for use on the network (25, 80, 110, 443, 987, 1723) - but not sure on how to do that just yet!

Our IP is 202.27.19x.19x
Our Gateway is 202.27.217.5

[Code] ......


Cisco WAN :: 2901 / The Reachability Command Is Not Available

Jan 27, 2013

I have recently bought a Cisco 2901 in order to replace it with our 1811W that we have at the moment. When I try to set a failover / backup with rtr, it seems like the function is not valid. Once I select rtr and set the object #, the reachability command is not available. Does that mean this function is not a part of the license package I have?


Cisco WAN :: 2901 Link To Vendors / How Would You Set It Up

Oct 4, 2011

I have inherited a setup for a custom application and would like to know if this is the only way this could be set up. How would you do it? The application uses dedicated T1 links to our vendors. There is a Cisco 2901 router in the middle providing the connections. Traffic to specific vendor's IP's are routed to their prospective connections. I have attached a network diagram and a config for the 2901. The way my predecessor(s) set this up, each different vendor uses a different private IP address for the internal links. This seems odd to me. Shouldn't there be a way to have only one subnet on the inside and have the links NAT depending on which route it takes? The servers have persistent routes built in them to send vendor traffic to the associated IP on the router. E.g., traffic to Vendor 1 is routed to 192.168.50.1, the 2901's IP address for the Vendor 1 network. That traffic is then NAT'd to an IP address associated with Vendor 1's link and the 2901 then routes the traffic to the Vendor's end of the link.
 
I would think that I should be able to revamp this so that internally we're only using one subnet and the traffic could NAT at the link associated with the Vendor.  I recently had to add the 3rd vendor connection, and wound up having to duplicate what was done for the other two in order to get it working quickly.  I didn't have the time to wrap my head around the best way to revamp the whole thing.


Cisco VPN :: PPTP Disappeared On 2901?

Jul 6, 2012

I recently obtained a 2901 router running 15.2(2)T to replace my old 877 which was running 15.1(4)M1. The 2901 is humming along quite nicely but I have had difficulty configuring one feature which was working fine on the 877. The router needs to be a PPTP client to a hosted VPN service. On the 877, I had it configured like this: [code] I then had a dialer interface to actually set up the connection, and some PBR to control what went over the VPN. All well and good, and it worked fine. But on the 2901, when I try to configure the same thing, there is no such command as "protocol pptp" -- the only option is protocol l2tp. Was PPTP support deprecated somewhere between 15.1 and 15.2, or does the 2901 itself not support it for some reason? Obviously I understand that l2tp is superior to pptp, but at the moment this is my only option.


Cisco WAN :: PBR Is Not Functioning On 2901 G2 Router

Mar 17, 2011

I have one 1841 router in which I configured PBR for internet traffic from the LAN. I have two ISPs; a few servers are configured for ISP1 and a few for ISP2. I planned to shift my existing setup to a 2901 G2 router. When I configure the same config on this router, traffic passes through only one ISP and not the other; if I troubleshoot I see that the interface which is connected to ISP2 is not getting any input/output packets.
 
Config is here:
========== 
interface FastEthernet0/0
description ****** ISP2 ******
ip address 203.xx.xx.110 255.255.255.248

[Code].......


Cisco VPN :: No Traffic GRE Tunnel 2901

Nov 5, 2012

I try to make a gre tunnel with 2 cisco routers 2901, ping responds between tunnel ip's ends, but I don't have pings from the pc's inside the networks.
 
[code]....








Copyrights 2005-15 www.BigResource.com, All rights reserved