Routing issue between VLANs.

alpineclubIT
Level 1

Here is the scenario. I have a public and a private VLAN set up (public 192.168.2.x, private 192.168.1.x). On purpose, I don't want people to be able to hop directly between VLAN 2 and VLAN 1, which is fine, BUT the web server for the organization is located on VLAN 1, and I want it to be accessible from VLAN 2. All that happens now is that the request goes from VLAN 2 to the DNS server (external) and then the request comes back to the router, and the router pops up the login page only; it doesn't seem to use the NAT entry for the web server.

This seems like it should be something simple, but I can't seem to find an entry or ACL to create to allow this to happen.

The router is an 871.

Thanks in advance.

Jeff.

7 Replies

cadet alain
VIP Alumni

Hi,

post your config.

Regards.

Alain

Don't forget to rate helpful posts.

sleepyshark
Level 1

That's an asymmetrical route, which Cisco is WELL known for specifically not allowing.  Their philosophy is that you need to route between interfaces to keep things kosher, not route to your external side, then back in.  What you're trying to do can be easily fixed by creating an internal DNS server and pointing your www.domainname.com to the internal IP address on VLAN1...

FYI: Most high-end routers/firewalls don't like asymmetrical routes... It's a HUGE pain, but it is best practice not to have them.

Thanks,

Sean Brown (sean@sleepyshark.com)

voice: 212.760.1700 x7001


Sean,

I understand what you mean, BUT my DNS server (I do have a local one) is on the 192.168.0.x network, which implies that you cannot cross from 192.168.2.x to 192.168.1.x. Should I just create an entry for traffic on port 80 to allow access between them? But then I don't think DNS will work either, as that uses a different access method?

Any further assistance of course is greatly appreciated.

Jeff.

Can you either post your config or a diagram of your network... Specifically, I need to know which VLANs are associated with which subnets, and which ways traffic SHOULD go and where it shouldn't go...

Hi Sean,

Attached is config (useless entries removed).

Traffic from VLAN2 should ONLY flow to VLAN 1 for web traffic on ports 80 and 443.

I have a DNS server at 192.168.0.102, which has entries for the 192.168.0.x subnet; that works fine on that subnet for all computers attached to VLAN1.

Jeff.

---------------------

Using 18897 out of 131072 bytes
!
version 12.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname Router
!
boot-start-marker
boot system flash c870-adventerprisek9-mz.123-8.YI3.bin
boot-end-marker
!
logging buffered 51200 debugging
enable secret 5 $1$OC/j$uR69snOYl8cqu4Y5CUUCr0
!
username accadmin privilege 15 secret 5 $1$hMT3$yonH5bVbG0jrycc/PkxKQ0
clock timezone MDT -7
clock summer-time MDT date Apr 6 2003 2:00 Oct 26 2003 2:00
no aaa new-model
ip subnet-zero
no ip source-route
ip cef
!
!
ip dhcp excluded-address 192.168.0.176 192.168.0.254
ip dhcp excluded-address 192.168.0.1 192.168.0.149
ip dhcp excluded-address 192.168.3.201 192.168.3.254
ip dhcp excluded-address 192.168.3.1 192.168.3.124
!
ip dhcp pool sdm-pool1
   import all
   network 192.168.0.0 255.255.255.0
   default-router 192.168.0.1
   domain-name
   dns-server 192.168.0.102
   lease infinite
!
ip dhcp pool sdm-pool2
   network 192.168.3.0 255.255.255.0
   default-router 192.168.3.1
   dns-server 192.168.0.102
   lease 0 3
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
ip address 192.168.0.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache flow
ip tcp adjust-mss 1452
!
interface Vlan2
ip address 192.168.3.1 255.255.255.0
ip access-group 103 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 2 remark INSIDE_IF=Vlan3
access-list 2 remark SDM_ACL Category=2
access-list 2 permit 192.168.3.0 0.0.0.255
access-list 101 remark SDM_ACL Category=1
access-list 101 remark Vlan1-Vlan2
access-list 101 deny   ip 192.168.0.0 0.0.0.255 192.168.3.0 0.0.0.255 log
access-list 101 remark Vlan1-Any
access-list 101 permit ip 192.168.0.0 0.0.0.255 any log
access-list 103 remark SDM_ACL Category=1
access-list 103 permit udp any any eq bootpc
access-list 103 permit udp any any eq bootps
access-list 103 permit tcp any any eq domain
access-list 103 permit udp any any eq domain
access-list 103 remark Vlan2-Vlan1
access-list 103 deny   ip 192.168.3.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 103 permit ip 192.168.3.0 0.0.0.255 any

Hi,

So you want traffic from VLAN2 to only access VLAN1 for web traffic on ports 80 and 443.
You can put access-lists accordingly like below...

ip access-list extended Vlan1
 remark web traffic from VLAN1 to VLAN2 only
 permit tcp 192.168.0.0 0.0.0.255 192.168.3.0 0.0.0.255 eq 80
 permit tcp 192.168.0.0 0.0.0.255 192.168.3.0 0.0.0.255 eq 443
 deny ip any 192.168.3.0 0.0.0.255
 remark all other VLAN1 traffic (e.g. to the Internet) is left untouched
 permit ip any any
!
interface Vlan1
 ip access-group Vlan1 in

Please rate the helpful posts.
Regards,
Naidu.

Hi Jeff -

If all of your traffic is on VLAN1, the above poster's ACL will allow ONLY 80/443 traffic from VLAN1 -> VLAN2.... From there, simply add an A record to your DNS server 192.168.0.102 for www.sitename.com -> webserver IP on VLAN2 and any user on VLAN1 will resolve www.sitename.com and direct traffic to VLAN2, not asymmetrically routing.

This is the easiest way to accomplish what you want to do without making major modifications to your infrastructure.

Thanks,

Sean Brown (sean@sleepyshark.com)

voice: 212.760.1700 x7001

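As an added example (not code from any poster in this thread): a small Python evaluator that applies IOS first-match ACL semantics to access-list 103 from Jeff's config, showing why a VLAN2 client's web request to the VLAN1 server is dropped by the "deny ip" entry while its DNS lookup is permitted, and what changes once permit entries for the server are inserted ahead of that deny. The server address 192.168.0.10 and the client 192.168.3.50 are constructed placeholders; the thread never gives the server's address.

```python
import ipaddress

PORTS = {"domain": 53, "bootps": 67, "bootpc": 68, "www": 80}  # IOS service keywords used in the thread

def _addr(tokens):
    """Consume one IOS address spec ('any', 'host A', 'A WILDCARD'); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    netmask = ~int(ipaddress.ip_address(tokens[1])) & 0xFFFFFFFF  # wildcard -> netmask (contiguous only)
    return ipaddress.ip_network((tokens[0], str(ipaddress.ip_address(netmask))), strict=False), tokens[2:]

def parse_acl(text):
    """Parse numbered or named extended-ACL entries into (permit, proto, src, dst, dport) tuples."""
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        t = t[2:] if t[:1] == ["access-list"] else t   # drop 'access-list <number>' on numbered ACLs
        if not t or t[0] == "remark":
            continue
        action, proto = t[0], t[1]
        src, t = _addr(t[2:])
        dst, t = _addr(t)
        dport = int(PORTS.get(t[1], t[1])) if t[:1] == ["eq"] else None  # a trailing 'log' is ignored
        rules.append((action == "permit", proto, src, dst, dport))
    return rules

def evaluate(rules, proto, src, dst, dport):
    """First matching entry wins; every IOS ACL ends with an implicit 'deny ip any any'."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for permit, rproto, rsrc, rdst, rport in rules:
        if rproto in ("ip", proto) and s in rsrc and d in rdst and rport in (None, dport):
            return permit
    return False

ACL_103 = """access-list 103 permit udp any any eq bootpc
access-list 103 permit udp any any eq bootps
access-list 103 permit tcp any any eq domain
access-list 103 permit udp any any eq domain
access-list 103 deny   ip 192.168.3.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 103 permit ip 192.168.3.0 0.0.0.255 any"""  # ACL 103 exactly as posted, applied inbound on Vlan2

# Same ACL with the web server (192.168.0.10, a constructed placeholder) permitted ahead of the deny entry
ACL_103_FIXED = ACL_103.replace("access-list 103 deny", (
    "access-list 103 permit tcp 192.168.3.0 0.0.0.255 host 192.168.0.10 eq www\n"
    "access-list 103 permit tcp 192.168.3.0 0.0.0.255 host 192.168.0.10 eq 443\n"
    "access-list 103 deny"), 1)
```

Because entry order decides the outcome, the permits must sit above the subnet-wide deny; appended after it they would never be reached.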