
Unable to access server on a different VLAN and unable to translate my private IP add into public

dariely_ann
Level 1

Hello everyone. Could someone please help me figure out why I can't access my web servers on a different VLAN? I have built a new network, but I'm still in the learning process. I can ping all my devices on the same and different VLANs (private addresses), but if I type the web server's private IP address in the browser (the server is on a different VLAN than me), I cannot connect; it times out. If I am on the same VLAN as the server, I have no problems connecting. I also have another issue with NAT. I currently have 7 servers, and each one is going to have a one-to-one NAT. We need to be able to reach each server from the outside, and I can only do it on one of the web servers. The translation between the public address and the private address is not happening. Again, if I am on the same VLAN as the server, I can access the server using its private address and the web server's name, but not with the public address. Also, I can ping all the public addresses and all the private addresses.

 

Additional information:

* We have a FirePower 8120 Firewall acting transparent between the ISP and the Cisco Router 2911

* Router is doing NAT and DHCP

* We have another firewall 10.1.10.19, for the web servers. This is the only device working properly. I'm able to access its private and public IP address from any VLAN.

* We have a DNS server 10.1.10.28, for the web servers

* We have a contractor who works the servers, I only do the router/switch part.

* Those aren't the real public IP addresses.

 

Please look at my configuration and tell me what I am doing wrong. Any help is appreciated.

 

version 15.5
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router_Academic_Network
!
boot-start-marker
boot system flash0:c2900-universalk9-mz.SPA.155-3.M5.bin
boot-end-marker
!
!
logging buffered 51200 warnings
enable secret 5 'omitted'
!
no aaa new-model
ethernet lmi ce
!
!
!
!
!
!
!
!
!
ip dhcp excluded-address 10.1.100.1
ip dhcp excluded-address 10.1.40.1
ip dhcp excluded-address 10.1.20.1 10.1.20.20
ip dhcp excluded-address 10.1.10.1
ip dhcp excluded-address 10.1.10.254
ip dhcp excluded-address 10.1.50.1
ip dhcp excluded-address 10.1.70.1
ip dhcp excluded-address 10.1.80.1
ip dhcp excluded-address 10.1.90.1
ip dhcp excluded-address 10.1.110.1
ip dhcp excluded-address 10.1.10.2 10.1.10.25
ip dhcp excluded-address 10.1.10.65
ip dhcp excluded-address 10.1.10.129
ip dhcp excluded-address 10.1.10.62
ip dhcp excluded-address 10.1.10.2
ip dhcp excluded-address 10.1.10.1 10.1.10.5
ip dhcp excluded-address 10.1.30.1
ip dhcp excluded-address 10.1.60.1
!
ip dhcp pool Campus
network 10.1.0.0 255.255.240.0
domain-name campus.net
dns-server 75.75.75.75 75.75.76.76
netbios-name-server 75.75.75.75 75.75.76.76
lease 21
!
ip dhcp pool 400_Area
network 10.1.40.0 255.255.255.0
default-router 10.1.40.1
domain-name campus.net
dns-server 75.75.75.75 75.75.76.76
netbios-name-server 75.75.75.75 75.75.76.76
lease 21
!
ip dhcp pool WAP
network 10.1.20.0 255.255.255.0
default-router 10.1.20.1
domain-name campus.net
dns-server 75.75.75.75 75.75.76.76
netbios-name-server 75.75.75.75 75.75.76.76
lease 21
!
ip dhcp pool 700_Area
network 10.1.70.0 255.255.255.0
default-router 10.1.70.1
domain-name campus.net
dns-server 75.75.75.75 75.75.76.76
netbios-name-server 75.75.75.75 75.75.76.76
lease 21
!
ip dhcp pool 800_Area
network 10.1.80.0 255.255.255.0
default-router 10.1.80.1
domain-name campus.net
dns-server 75.75.75.75 75.75.76.76
netbios-name-server 75.75.75.75 75.75.76.76
lease 21
!
ip dhcp pool 900_Area
network 10.1.90.0 255.255.255.0
default-router 10.1.90.1
domain-name campus.net
dns-server 75.75.75.75 75.75.76.76
netbios-name-server 75.75.75.75 75.75.76.76
lease 21
!
ip dhcp pool 1000_Area
network 10.1.100.0 255.255.255.0
default-router 10.1.100.1
domain-name campus.net
dns-server 75.75.75.75 75.75.76.76
netbios-name-server 75.75.75.75 75.75.76.76
lease 21
!
ip dhcp pool 1100_Area
network 10.1.110.0 255.255.255.0
default-router 10.1.110.1
domain-name campus.net
dns-server 75.75.75.75 75.75.76.76
netbios-name-server 75.75.75.75 75.75.76.76
lease 21
!
ip dhcp pool Multimedia
network 10.1.50.0 255.255.255.0
default-router 10.1.50.1
domain-name campus.net
dns-server 75.75.75.75 75.75.76.76
netbios-name-server 75.75.75.75 75.75.76.76
lease 21
!
ip dhcp pool Management_1
network 10.1.10.0 255.255.255.192 <--------- Web servers, default-router is the firewall
default-router 10.1.10.19
domain-name campus.net
dns-server 75.75.75.75 75.75.76.76
netbios-name-server 75.75.75.75 75.75.76.76
lease 21
!
ip dhcp pool Management_2
network 10.1.10.64 255.255.255.192
default-router 10.1.10.65
domain-name campus.net
dns-server 75.75.75.75 75.75.76.76
netbios-name-server 75.75.75.75 75.75.76.76
lease 21
!
ip dhcp pool Management_3
network 10.1.10.128 255.255.255.192
default-router 10.1.10.129
domain-name campus.net
dns-server 75.75.75.75 75.75.76.76
netbios-name-server 75.75.75.75 75.75.76.76
lease 21
!
ip dhcp pool 300_Area
network 10.1.30.0 255.255.255.0
domain-name campus.net
dns-server 75.75.75.75 75.75.76.76
netbios-name-server 75.75.75.75 75.75.76.76
default-router 10.1.30.1
lease 21
!
ip dhcp pool Network_swx
network 10.1.60.0 255.255.255.224
domain-name campus.net
default-router 10.1.60.1
dns-server 75.75.75.75 75.75.76.76
netbios-name-server 75.75.75.75 75.75.76.76
!
!
!
no ip bootp server
no ip domain lookup
ip domain name campus.net
ip name-server 75.75.75.75
ip name-server 75.75.76.76
ip cef
no ipv6 cef
multilink bundle-name authenticated
!
!
cts logging verbose
!
license udi pid CISCO2911/K9 sn FJC2120A091
!
redundancy
!
!
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description Uplink to ISP
ip address 30.234.100.101 255.255.255.252
no ip redirects
ip nat enable
ip virtual-reassembly in
duplex full
speed 1000
no cdp enable
!
interface GigabitEthernet0/1
description Uplink_to_Switch
no ip address
no ip redirects
ip nat enable
ip virtual-reassembly in
duplex full
speed 1000
!
interface GigabitEthernet0/1.1
description campus
encapsulation dot1Q 1 native
!
interface GigabitEthernet0/1.10
description Management VLAN 10 <---------- Host the web servers
encapsulation dot1Q 10
ip address 10.1.10.1 255.255.255.192
ip nat enable
ip virtual-reassembly in
!
interface GigabitEthernet0/1.11
description Management VLAN 10
encapsulation dot1Q 11
ip address 10.1.10.65 255.255.255.192
ip nat enable
ip virtual-reassembly in
!
interface GigabitEthernet0/1.12
description Management VLAN 10
encapsulation dot1Q 12
ip address 10.1.10.129 255.255.255.192
ip nat enable
ip virtual-reassembly in
!
interface GigabitEthernet0/1.20
description WAP_VLAN_20
encapsulation dot1Q 20
ip address 10.1.20.1 255.255.255.0
ip nat enable
ip virtual-reassembly in
!
interface GigabitEthernet0/1.30
description 300_Area
encapsulation dot1Q 30
ip address 10.1.30.1 255.255.255.0
ip nat enable
ip virtual-reassembly in
!
interface GigabitEthernet0/1.40
description 400_Area
encapsulation dot1Q 40
ip address 10.1.40.1 255.255.255.0
ip nat enable
ip virtual-reassembly in
!
interface GigabitEthernet0/1.50
description 500_Area
encapsulation dot1Q 50
ip address 10.1.50.1 255.255.255.0
ip nat enable
ip virtual-reassembly in
!
interface GigabitEthernet0/1.60
description Network_swx
encapsulation dot1Q 60
ip address 10.1.60.1 255.255.255.224
ip nat enable
ip virtual-reassembly in
!
interface GigabitEthernet0/1.70
description 700_Area
encapsulation dot1Q 70
ip address 10.1.70.1 255.255.255.0
ip nat enable
ip virtual-reassembly in
!
interface GigabitEthernet0/1.80
description 800_Area
encapsulation dot1Q 80
ip address 10.1.80.1 255.255.255.0
ip nat enable
ip virtual-reassembly in
!
interface GigabitEthernet0/1.90
description 900_Area
encapsulation dot1Q 90
ip address 10.1.90.1 255.255.255.0
ip nat enable
ip virtual-reassembly in
!
interface GigabitEthernet0/1.100
description 1000_Area
encapsulation dot1Q 100
ip address 10.1.100.1 255.255.255.0
ip nat enable
ip virtual-reassembly in
!
interface GigabitEthernet0/1.110
description 1100_Area
encapsulation dot1Q 110
ip address 10.1.110.1 255.255.255.0
ip nat enable
ip virtual-reassembly in
!
interface GigabitEthernet0/2
no ip address
duplex auto
speed auto
!
router ospf 1
network 10.1.10.0 0.0.0.63 area 0
network 10.1.10.64 0.0.0.63 area 0
network 10.1.10.128 0.0.0.63 area 0
network 10.1.20.0 0.0.0.255 area 0
network 10.1.50.0 0.0.0.255 area 0
network 10.1.60.0 0.0.0.31 area 0
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat source list 10 interface GigabitEthernet0/0 overload
ip nat source list NAT interface GigabitEthernet0/0 overload
ip nat source static 10.1.10.20 30.234.100.130 <--------------------- Only server accessible using its public address
ip nat source static tcp 10.1.10.27 80 30.234.100.136 80 extendable
ip nat source static tcp 10.1.10.27 443 30.234.100.136 443 extendable
ip nat source static 10.1.10.27 30.234.100.136
ip nat source static tcp 10.1.10.52 80 30.234.100.138 80 extendable
ip nat source static tcp 10.1.10.52 443 30.234.100.138 443 extendable
ip nat source static 10.1.10.52 30.234.100.138
ip nat source static tcp 10.1.10.35 80 30.234.100.139 80 extendable
ip nat source static tcp 10.1.10.35 443 30.234.100.139 443 extendable
ip nat source static 10.1.10.35 30.234.100.139
ip nat source static tcp 10.1.10.38 80 30.234.100.140 80 extendable
ip nat source static tcp 10.1.10.38 443 30.234.100.140 443 extendable
ip nat source static 10.1.10.38 30.234.100.140
ip nat source static tcp 10.1.10.58 80 30.234.100.142 80 extendable
ip nat source static tcp 10.1.10.58 443 30.234.100.142 443 extendable
ip nat source static 10.1.10.58 30.234.100.142
ip nat source static tcp 10.1.10.30 80 30.234.100.143 80 extendable
ip nat source static tcp 10.1.10.30 443 30.234.100.143 443 extendable
ip nat source static 10.1.10.30 30.234.100.143
ip route 0.0.0.0 0.0.0.0 30.234.100.145
!
ip access-list extended NAT
permit ip 10.1.0.0 0.0.15.255 any
!
!
!
access-list 10 permit 10.1.10.0 0.0.0.255
access-list 10 permit 10.1.30.0 0.0.0.255
access-list 10 permit 10.1.40.0 0.0.0.255
access-list 10 permit 10.1.20.0 0.0.0.255
access-list 10 permit 10.1.50.0 0.0.0.255
access-list 10 permit 10.1.70.0 0.0.0.255
access-list 10 permit 10.1.80.0 0.0.0.255
access-list 10 permit 10.1.90.0 0.0.0.255
access-list 10 permit 10.1.100.0 0.0.0.255
access-list 10 permit 10.1.110.0 0.0.0.255
access-list 10 permit 10.1.10.0 0.0.0.63
access-list 10 permit 10.1.10.64 0.0.0.63
access-list 10 permit 10.1.10.128 0.0.0.63
access-list 10 permit 10.1.60.0 0.0.0.31
!
control-plane
!
!
credentials
!
!
!
end

 

 

1 Accepted Solution


Hello,

At first glance, the below seems to be a misconfiguration. Can you check if that is right?

 

There is no ip dhcp excluded-address for the default router. Also, the address, 10.1.10.19, is not configured on any interface.

 

ip dhcp pool Management_1
network 10.1.10.0 255.255.255.192 <--------- Web servers, default-router is the firewall
default-router 10.1.10.19
domain-name campus.net
dns-server 75.75.75.75 75.75.76.76
netbios-name-server 75.75.75.75 75.75.76.76
lease 21
!


2 Replies 2


Thank you so much for catching my mistake. As soon as I fixed it, I was able to log in to the servers. Thanks again for taking the time to look at my issue.
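
The two things the accepted answer checks by eye (whether a pool's default-router is an address the router itself holds, and whether it falls inside an excluded-address range) can be checked mechanically. This is an added example, not part of the original thread; `audit_dhcp_gateways` and `SAMPLE_CONFIG` are hypothetical names, and the sample is a constructed, trimmed excerpt of the posted configuration.

```python
import ipaddress

# Constructed sample: a trimmed excerpt of the configuration posted in the thread.
SAMPLE_CONFIG = """\
ip dhcp excluded-address 10.1.10.65
ip dhcp excluded-address 10.1.10.2 10.1.10.25
ip dhcp pool Campus
 network 10.1.0.0 255.255.240.0
!
ip dhcp pool Management_1
 network 10.1.10.0 255.255.255.192
 default-router 10.1.10.19
!
ip dhcp pool Management_2
 network 10.1.10.64 255.255.255.192
 default-router 10.1.10.65
!
interface GigabitEthernet0/1.10
 ip address 10.1.10.1 255.255.255.192
interface GigabitEthernet0/1.11
 ip address 10.1.10.65 255.255.255.192
"""

def audit_dhcp_gateways(config):
    """Per DHCP pool: its gateway, whether the router owns it, whether it is excluded."""
    ip = ipaddress.ip_address
    excluded, router_addrs, pools, pool = [], set(), {}, None
    for line in config.splitlines():
        w = line.split()
        if w[:3] == ["ip", "dhcp", "excluded-address"]:
            excluded.append((ip(w[3]), ip(w[-1])))  # one address: low == high
        elif w[:3] == ["ip", "dhcp", "pool"]:
            pool = w[3]
            pools[pool] = None  # no default-router seen yet
        elif w[:1] == ["default-router"] and pool:
            pools[pool] = ip(w[1])
        elif w[:2] == ["ip", "address"] and len(w) >= 4:
            router_addrs.add(ip(w[2]))  # address configured on a router interface
        elif w[:1] in (["!"], ["interface"]):
            pool = None  # the pool's sub-commands have ended
    return {name: {"gateway": gw and str(gw),
                   "on_router_interface": gw in router_addrs,
                   "excluded": gw is not None
                   and any(low <= gw <= high for low, high in excluded)}
            for name, gw in pools.items()}

if __name__ == "__main__":
    for name, result in audit_dhcp_gateways(SAMPLE_CONFIG).items():
        print(name, result)
```

A gateway that is not a router interface address is not necessarily an error, but it is worth reviewing because hosts in that pool send off-subnet traffic to that device rather than to the router.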