Can't access the new web site through the CISCO2811

stevenyang
Level 1

Hi, all

We have a CISCO2811 router, and we have added a HWIC-4ESW module into it. We have registered a DNS at the DNS registration (www.test.com 69.64.178.130), we have translated the 80 and 443 ports of 69.64.178.130 to 192.168.10.3(our web site IP address). The web site works good.

We want to add another web site, and this web site is in another internal subnet. We have registered it as the following (www.test2.com 69.64.178.137), and translate 80 and 443 ports of 69.64.178.137 to 80 and 443 ports of 192.168.20.3 (the new web site's IP address). We have configured 69.64.178.137 as the secondary, and configured the PAT (from 69.64.178.137 to 192.168.2.3). Please see the enclosed for the details configuration.

We can access the old web site normally. When we ping the new web site (www.test2.com), we can get the correct address (69.64.178.137), when we access the new web site in IE from the outside of the new web server's subnet, we got the message "The server cannot find or DNS error". When we access the new web site in IE at the new web server, we have connected to the CISCO 2811! What's wrong? How do I configure the CISCO2811, and can access the old and new web site successfully?

Thanks

10 Replies

Collin Clark
VIP Alumni

You should remove the secondary address, there is no need for it. You may have to clear your NAT translation before it works [clear ip nat trans *]

interface FastEthernet0/1

no ip address 69.64.178.137 255.255.255.224 secondary

Hope that helps.

stevenyang
Level 1

Hi, Collin

You mean I need to remove the secondary IP address (69.64.178.137 255.255.255.224), and reserve the PAT (from 69.64.178.137 to 192.168.2.0/24), right?

Yes, remove the secondary address.

Your PAT statement is fine (ip nat inside source list 1 interface FastEthernet0/1 overload).

Your NAT is OK as well (ip nat inside source static tcp 192.168.20.3 80 69.64.178.137 80 extendable

ip nat inside source static tcp 192.168.20.3 443 69.64.178.137 443 extendable)

stevenyang
Level 1

Hi, Collin

I have removed the secondary item, but I still can't access the new web site :( Do I need to configure anything else?

thanks

That should do it. Can you post the result of a show ip nat trans when you try and access the new site?

stevenyang
Level 1

Hi, Collin

I ran "show ip nat trans" after I accessed the new web site, and I got the following output:

tcp 69.64.188.169:80 192.168.2.3:80 --- ---

When I access the old web site (the external IP is 69.64.188.130, the web server's internal IP is 192.168.1.3) successfully I got the following output:

tcp 69.64.188.130:443 192.168.1.3:443 168.9.42.206:33145 168.9.42.206:33145

The 69.64.188.169 is our Firewall gateway IP address. I am not sure why the 192.168.2.3 has been translated to it, but not to the new external IP address we assigned for the new site (69.64.188.136).

Thanks

From the new web server, can you access the outside (i.e. browse websites OK)? I see that VLAN 1 is 192.168.20.0 /24. Do you have a switch module in the router? How do you provide access to that VLAN?

stevenyang
Level 1

I can access the Internet from the new web server. And I can access the new web server using the remote desktop (the PAT 69.64.188.136:3389 to the 3389 port of the new web server)

The VLAN1 should be 192.168.2.0/24, not the 192.168.20.0/24.

We have purchased a HWIC-4ESW module and inserted it into the CISCO 2811 router, and we have connected one of this module's interfaces to the output Firewall and another interface to the switch that connects to the new web server.

Some things are conflicting, can we verify? So VLAN 1 looks like this?

interface Vlan1

ip address 192.168.2.1 255.255.255.0

ip nat inside

And your NAT like this?

ip nat inside source static tcp 192.168.2.3 80 69.64.178.137 80 extendable

ip nat inside source static tcp 192.168.2.3 443 69.64.178.137 443 extendable

From the router you can ping 192.168.2.3, correct?

Hi,

If your new web server resides on the 192.168.20.0 segment, then remove the command:

no access-list 1 permit 192.168.20.0 0.0.0.255

Because this command will NAT you to 69.64.178.130 instead of 69.64.178.137, it may conflict, so it is better to remove this command.

Warm Rgds, Arun
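
The cross-check Collin asks for above (does each static NAT entry point at a host on an `ip nat inside` interface?) can be scripted; this is an added example, not code from the thread or from Cisco. The sample config is constructed from lines quoted in the thread, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample: the Vlan1 block quoted in the thread plus one static
# entry for each of the two inside addresses that appear in it.
SAMPLE_CONFIG = """\
interface Vlan1
 ip address 192.168.2.1 255.255.255.0
 ip nat inside
!
ip nat inside source static tcp 192.168.20.3 80 69.64.178.137 80 extendable
ip nat inside source static tcp 192.168.2.3 443 69.64.178.137 443 extendable
"""

STATIC_RE = re.compile(
    r"^ip nat inside source static (?:tcp|udp) (\S+) (\d+) (\S+) (\d+)", re.M)

def inside_networks(config):
    """Subnets of every interface that carries 'ip nat inside'."""
    nets = []
    for block in re.split(r"^(?=interface )", config, flags=re.M):
        block = block.split("\n!")[0]          # stop at the end of the interface
        if not block.startswith("interface "):
            continue
        if not re.search(r"^\s*ip nat inside\s*$", block, re.M):
            continue
        for addr, mask in re.findall(r"^\s*ip address (\S+) (\S+)", block, re.M):
            nets.append(ipaddress.ip_interface(f"{addr}/{mask}").network)
    return nets

def orphan_static_nat(config):
    """Static port forwards whose inside-local host is on no inside subnet."""
    nets = inside_networks(config)
    orphans = []
    for local, lport, glob, gport in STATIC_RE.findall(config):
        if not any(ipaddress.ip_address(local) in net for net in nets):
            orphans.append((local, int(lport), glob, int(gport)))
    return orphans

if __name__ == "__main__":
    for local, lport, glob, gport in orphan_static_nat(SAMPLE_CONFIG):
        print(f"{glob}:{gport} -> {local}:{lport} has no matching inside interface")
```

An entry flagged here forwards the public port to an address the router has no inside interface for, so the translation is installed but the connection never reaches a server.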
