Routing with WAN, LAN, and DMZ

Unanswered Question
Sep 7th, 2008

Problem:

I am trying to set up my Cisco 1721 to route traffic from a WAN to two Ethernet interfaces where one is a DMZ and the other is a trusted LAN with NAT. I am having trouble getting the correct configuration built that allows both the DMZ and the LAN to access the internet (HTTP).

Equipment:

I have a Cisco 1721 with an enterprise 12.4 IOS. In the router is one FastEthernet and two Ethernet ports.

Layout:

Eth0 - 10.1.1.1/24 DMZ

Eth1 - DHCP WAN

Fa0 - 192.168.1.1/24 LAN

My current configuration:

The configuration is stripped down. At the moment, I'm trying to get internet (HTTP) access to the DMZ. With this configuration, the LAN has HTTP access but the DMZ doesn't. However, the DMZ can ping out and you can see it in the NAT translation table. You can find the show command after the configuration.

ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
ip inspect name SDM_LOW ntp
no ip ips deny-action ips-interface
!
!
interface Ethernet0
 description DMZ
 ip address 10.1.1.1 255.255.255.0
 ip access-group 103 in
 ip nat inside
 ip inspect SDM_LOW out
 ip virtual-reassembly
 full-duplex
!
interface Ethernet1
 description WAN$FW_OUTSIDE$
 ip address dhcp
 ip access-group 101 in
 ip nat outside
 ip inspect SDM_LOW out
 ip virtual-reassembly
 half-duplex
!
interface FastEthernet0
 description Trusted
 ip address 192.168.1.1 255.255.255.0
 ip access-group 100 in
 ip nat inside
 ip inspect SDM_LOW out
 ip virtual-reassembly
 speed auto
!
ip classless
!
ip nat inside source list 1 interface Ethernet1 overload
!
access-list 1 remark NAT ACL
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit 10.1.1.0 0.0.0.255
access-list 100 permit ip any any
access-list 101 permit ip any any
access-list 103 permit ip any any

router(config-if)#do sh ip nat tra
Pro  Inside global          Inside local        Outside local       Outside global
icmp 208.xx.xx.xx:512       10.1.1.2:512        4.2.2.2:512         4.2.2.2:512
icmp 208.xx.xx.xx:1024      192.168.1.19:1024   205.171.3.65:1024   205.171.3.65:1024

Anyone have a suggestion on why I cannot access the web (HTTP) on the DMZ?
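Added example, not code from the thread, from the poster or from Cisco: a Python script that parses the NAT-relevant lines of the configuration above together with the "show ip nat translations" rows, and reports for each NAT-inside interface whether its subnet is covered by the NAT ACL, whether its inbound ACL lets its hosts initiate connections into the other inside subnet, and which protocols actually appear translated for hosts on it. The CONFIG excerpt (descriptions and ip inspect lines dropped), the NAT_TABLE rows (the masked 208.xx.xx.xx column is kept as posted and never parsed as an address) and the HARDENED_DMZ_ACL replacement for access-list 103 are all constructed for this example; the replacement is a hypothetical hardening, not something the thread proposes. Run against the posted lines it shows both inside subnets covered by NAT, only icmp translations for the DMZ host 10.1.1.2, and, because access-list 103 is "permit ip any any", DMZ hosts able to reach 192.168.1.0/24 through the router.

```python
import ipaddress
import re
from collections import defaultdict
# Constructed sample: NAT/ACL lines of the posted config, sub-commands indented as IOS prints them.
CONFIG = """\
interface Ethernet0
 ip address 10.1.1.1 255.255.255.0
 ip access-group 103 in
 ip nat inside
!
interface Ethernet1
 ip address dhcp
 ip nat outside
!
interface FastEthernet0
 ip address 192.168.1.1 255.255.255.0
 ip access-group 100 in
 ip nat inside
!
ip nat inside source list 1 interface Ethernet1 overload
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit 10.1.1.0 0.0.0.255
access-list 100 permit ip any any
access-list 103 permit ip any any
"""
# Constructed sample: the posted translation rows (the masked 208.xx.xx.xx column is never parsed).
NAT_TABLE = """\
Pro Inside global Inside local Outside local Outside global
icmp 208.xx.xx.xx:512 10.1.1.2:512 4.2.2.2:512 4.2.2.2:512
icmp 208.xx.xx.xx:1024 192.168.1.19:1024 205.171.3.65:1024 205.171.3.65:1024
"""
# Constructed (hypothetical) ACL 103: DMZ keeps Internet access but cannot initiate into the LAN.
HARDENED_DMZ_ACL = """\
access-list 103 deny ip 10.1.1.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 103 permit ip any any
"""
ANY = ipaddress.ip_network("0.0.0.0/0")

def addr_spec(tok, i):
    """Consume one ACL address spec at tok[i]: 'any' or 'ADDR WILDCARD' (wildcard = inverted netmask)."""
    if tok[i] == "any":
        return ANY, i + 1
    mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(tok[i + 1])) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{tok[i]}/{mask}", strict=False), i + 2

def parse_config(text):
    """(interfaces, nat_source_lists, acls); classic numbered ACLs only, port qualifiers ignored."""
    interfaces, acls, nat_lists, cur = {}, defaultdict(list), [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):  # blank and separator lines carry nothing
            continue
        if line.startswith("interface "):
            cur = line.split()[1]
            interfaces[cur] = {"network": None, "nat": None, "acl_in": None}
        elif raw.startswith(" ") and cur:  # indented line = sub-command of the current interface
            d = interfaces[cur]
            if m := re.match(r"ip address (\S+) (\S+)$", line):
                d["network"] = ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False)
            elif m := re.match(r"ip nat (inside|outside)$", line):
                d["nat"] = m[1]
            elif m := re.match(r"ip access-group (\S+) in$", line):
                d["acl_in"] = m[1]
        elif m := re.match(r"ip nat inside source list (\S+) interface (\S+)", line):
            nat_lists.append((m[1], m[2]))
        elif line.startswith("access-list ") and (tok := line.split())[2] != "remark":
            if int(tok[1]) < 100:  # standard ACL (1-99): source only
                src, dst, proto = addr_spec(tok, 3)[0], ANY, "ip"
            else:  # extended ACL (100-199): protocol, source, destination
                src, i = addr_spec(tok, 4)
                dst, proto = addr_spec(tok, i)[0], tok[3]
            acls[tok[1]].append({"action": tok[2], "proto": proto, "src": src, "dst": dst})
    return interfaces, nat_lists, acls

def acl_permits(entries, src, dst):
    """Coarse first-match check on a subnet pair; implicit deny; an empty or missing ACL permits all, as IOS does."""
    for e in entries or []:
        if e["src"].overlaps(src) and e["dst"].overlaps(dst):
            return e["action"] == "permit"
    return not entries

def audit(config_text=CONFIG, nat_text=NAT_TABLE):
    """Per NAT-inside interface: NAT ACL coverage, reachability of the other inside subnets, protocols translated."""
    interfaces, nat_lists, acls = parse_config(config_text)
    nat_nets = [e["src"] for num, _ in nat_lists for e in acls[num] if e["action"] == "permit"]
    inside = {n: d for n, d in interfaces.items() if d["nat"] == "inside" and d["network"]}
    seen = defaultdict(set)  # inside-local host -> protocols present in the translation table
    for parts in (row.split() for row in nat_text.splitlines()):
        if len(parts) == 5 and parts[0] != "Pro":  # skip the header and malformed rows
            seen[ipaddress.ip_address(parts[2].partition(":")[0])].add(parts[0])
    report = {}
    for name, d in inside.items():
        net, others = d["network"], [o["network"] for n, o in inside.items() if n != name]
        report[name] = {"subnet": str(net),
            "nat_covered": any(net.subnet_of(n) for n in nat_nets),
            "other_inside_reachable": [str(o) for o in others if acl_permits(acls.get(d["acl_in"]), net, o)],
            "protocols_seen": {p for h, ps in seen.items() if h in net for p in ps}}
    return report
```

audit() returns the report for the posted lines; audit(CONFIG.replace("access-list 103 permit ip any any\n", HARDENED_DMZ_ACL)) shows the DMZ entry's other_inside_reachable list become empty while its NAT coverage is unchanged, which is the check worth running before a static port mapping exposes a DMZ host to the Internet. The reachability test is deliberately coarse (first entry whose source and destination overlap the subnet pair decides), so it is a screening aid, not a substitute for reading the ACL.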

Robert Rowland III Sun, 09/07/2008 - 13:48

It does not look like you have a nat statement allowing access from the Internet to port 80 getting translated to a DMZ host.

You do allow DMZ to the Internet and you do allow Trusted to the Internet and those both do so via port address translation "PAT".

You need a static DMZ to Internet port 80 mapping.

Here is a Cisco document demonstrating it: http://www.cisco.com/en/US/tech/tk175/tk15/technologies_configuration_example09186a0080093e51.shtml

You only have to modify the

"ip nat dmz source static tcp 192.168.0.5 80 Ethernet1 80"

line to change the 192.168.0.5 addresses to what is appropriate for your network.

pcexhaust Sun, 09/07/2008 - 15:45

rrowlandkumc:

Static NAT port mapping is my next step. My current step is figuring out why hosts in the trusted LAN have web access to the internet while ones in the DMZ don't.

As in, I'm on a workstation under each Ethernet interface trying to go to cnn.com.

Robert Rowland III Sun, 09/07/2008 - 16:21

If you put an Internet IP [ http://www.ibm.com == 129.42.56.216 ] into your browser, does that work? (Ruling out a DNS-related issue first, which could be routing.)

And also perhaps do a traceroute 129.... to see what happens then.

Try to go to Internet and do a "show ip nat trans ..." and you'll see the translations.

Here's a Cisco help page:

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080094c32.shtml
