06-12-2007 02:05 PM - edited 03-03-2019 05:24 PM
Hi all. We have a router which connects to the internet. Behind the router (our internal network) we have two servers, one of which is accessible from the internet and has a web server, http://www.server.com.
How can our internal users access this web server via one external web name like http://www.server.com? In other words, external and internal users should be able to access this web server by one name, http://www.server.com. From inside we can ping its external IP address but can't access it over the web.
This is the config:
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname RVG
!
resource policy
!
ip cef
!
no ip domain lookup
!
username xxx privilege 15 secret xxx
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key xxx address y.y.y.y
!
crypto ipsec transform-set tb_TRANSFORMSET esp-3des esp-md5-hmac
!
crypto map tb_CRYPTO 1 ipsec-isakmp
 set peer x.x.x.y
 set transform-set tb_TRANSFORMSET
 set pfs group2
 match address 101
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 description $ES_WAN$
 ip address x.x.y.z 255.255.255.248
 ip access-group to_outside out
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map tb_CRYPTO
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
 ip address 172.16.9.254 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
ip route 0.0.0.0 0.0.0.0 x.x.x.x
!
ip nat inside source list 150 interface FastEthernet4 overload
ip nat inside source static tcp 172.16.9.101 22 x.x.z.z 22 extendable
ip nat inside source static tcp 172.16.9.101 53 x.x.z.z 53 extendable
ip nat inside source static udp 172.16.9.101 53 x.x.z.z 53 extendable
ip nat inside source static tcp 172.16.9.101 80 x.x.z.z 80 extendable
ip nat inside source static tcp 172.16.9.101 443 x.x.z.z 443 extendable
ip nat inside source static tcp 172.16.9.102 21 x.x.y.y 21 extendable
ip nat inside source static tcp 172.16.9.102 22 x.x.y.y 22 extendable
ip nat inside source static tcp 172.16.9.102 53 x.x.y.y 53 extendable
ip nat inside source static udp 172.16.9.102 53 x.x.y.y 53 extendable
ip nat inside source static tcp 172.16.9.102 80 x.x.y.y 80 extendable
ip nat inside source static tcp 172.16.9.102 443 x.x.y.y 443 extendable
!
ip access-list extended to_inside
 permit tcp any host x.x.z.z eq 22
 permit tcp any host x.x.z.z eq www
 permit tcp any host x.x.z.z eq 443
 permit udp any host x.x.z.z eq domain
 permit udp any host x.x.y.y eq domain
 permit tcp any host x.x.y.y eq 22
 permit tcp any host x.x.y.y eq www
 permit tcp any host x.x.y.y eq 443
 permit udp host x.x.x.y host x.x.y.z eq non500-isakmp
 permit udp host x.x.x.y host x.x.y.z eq isakmp
 permit esp host x.x.x.y host x.x.y.z
 permit udp any host x.x.y.z eq domain
 permit icmp any any echo-reply
 permit icmp any any time-exceeded
 permit icmp any any unreachable
 deny ip 172.16.0.0 0.15.255.255 any
 deny ip 192.168.0.0 0.0.255.255 any
 deny ip 127.0.0.0 0.255.255.255 any
 deny ip host 255.255.255.255 any
 deny ip host 0.0.0.0 any
 deny ip any any log
ip access-list extended to_outside
 deny ip host 255.255.255.255 any
 deny ip 127.0.0.0 0.255.255.255 any
 permit ip any any
!
access-list 101 permit ip 172.16.9.0 0.0.0.255 host 10.0.154.27
access-list 101 permit ip 172.16.9.0 0.0.0.255 host 10.0.154.28
access-list 150 deny ip 172.16.9.0 0.0.0.255 host 10.0.154.27
access-list 150 deny ip 172.16.9.0 0.0.0.255 host 10.0.154.28
access-list 150 permit ip 172.16.9.0 0.0.0.255 any
Thanks in advance.
06-12-2007 02:55 PM
Hi,
I have got your question but I would still need some clarifications.
1. Your internal users also want to access the web server by name, resolved from the internal LAN on which the web server is... right?
2. Can you please tell me if users from external are able to access the web server?
3. What is the IP of the server?
4. What are these IPs: 10.0.154.27 & 10.0.154.28?
5. One more thing: if the server also lies in the same range as your internal LAN segment, that is 172.16.9.0/24, then you have to see to it that you don't overload the server IP while using dynamic NAT (overloading).
Please reply, so that I can answer your doubts.
Regards
06-15-2007 04:10 AM
1|2) Users from external can access the web server, no problem.
But users from internal can't access the web server over HTTP, even if they type the external IP address in the address bar.
They can't access it with SSH or telnet either, only ping.
4) These are hosts which internal users can access over the VPN connection from the router itself.