Problem with accessing local web-server and local FTP-server from local site.

skjoldsoee
Level 1

I have a Cisco 827 router. I have used the CRWS to set up the router and made some changes. I use 2 Ethernet interfaces, 10.10.10.1 and 192.168.0.1 as secondary. The access to the Internet from both IP networks is fine, and the access from a network outside mine is ok, but when I try to access from 192.168.0.3 to the web-server on 10.10.10.6 I get the CRWS login (ok, then I disable the ip http server in the IOS) and then try again; this time I get the Microsoft search page, and can never get access to my web-server.

If I try to access through the IP 10.10.10.6 then I get the web page. I have the same problem with the FTP-server: only access from the inside through the IP 192.168.0.2.

Is it normal that a user on the inside of a net can't access their own web / FTP server through the ISP IP address? IF NOT, WHAT TO DO?

/Dennis

This is my config of the router.

Current configuration:
!
version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname XXXXXXX
!
no logging buffered
enable secret 5 XXXXXXXXXXXXXXXXXXXXXXXXXXXX
!
username XXXXXXXXXXXXXXXXXXXXXXXXX
!
ip subnet-zero
ip name-server 212.242.40.3
ip name-server 212.242.40.51
ip dhcp excluded-address 192.168.0.1
ip dhcp excluded-address 192.168.0.6
ip dhcp excluded-address 192.168.0.2
ip dhcp excluded-address 10.10.10.6
!
ip dhcp pool CLIENT
 import all
 network 192.168.0.0 255.255.255.0
 default-router 192.168.0.1
 lease 0 2
!
ip inspect name myfw cuseeme timeout 3600
ip inspect name myfw ftp timeout 3600
ip inspect name myfw rcmd timeout 3600
ip inspect name myfw realaudio timeout 3600
ip inspect name myfw smtp timeout 3600
ip inspect name myfw tftp timeout 30
ip inspect name myfw udp timeout 15
ip inspect name myfw tcp timeout 3600
ip inspect name myfw h323 timeout 3600
!
interface Ethernet0
 description CRWS Generated text. Please do not delete this:192.168.000.1-255.255.255.0
 ip address 192.168.0.1 255.255.255.0 secondary
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
 no ip mroute-cache
!
interface ATM0
 no ip address
 no ip mroute-cache
 no atm ilmi-keepalive
 pvc 0/35
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
 bundle-enable
 dsl operating-mode auto
!
interface Dialer1
 ip address negotiated
 ip access-group 111 in
 ip nat outside
 ip inspect myfw out
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname XXXXXXXXXX
 ppp chap password XXXXXXXXXXXXXXXXXXX
 ppp pap sent-username XXXXXXXXXXXX password XXXXXXXXXXXXXXXX
 ppp ipcp dns request
 ppp ipcp wins request
 hold-queue 224 in
!
ip nat inside source list 102 interface Dialer1 overload
ip nat inside source static tcp 10.10.10.6 80 interface Dialer1 80
ip nat inside source static tcp 192.168.0.2 21 interface Dialer1 21
ip nat inside source static tcp 192.168.0.6 25 interface Dialer1 25
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip http server
!
access-list 23 permit 192.168.0.0 0.0.0.255
access-list 23 permit 10.10.10.0 0.0.0.255
access-list 102 permit ip 192.168.0.0 0.0.0.255 any
access-list 102 permit ip 10.10.10.0 0.0.0.255 any
access-list 111 permit tcp any any eq smtp
access-list 111 permit tcp any any eq ftp
access-list 111 permit tcp any any eq www
access-list 111 permit icmp any any administratively-prohibited
access-list 111 permit icmp any any echo
access-list 111 permit icmp any any echo-reply
access-list 111 permit icmp any any packet-too-big
access-list 111 permit icmp any any time-exceeded
access-list 111 permit icmp any any traceroute
access-list 111 permit icmp any any unreachable
access-list 111 permit udp any eq bootps any eq bootpc
access-list 111 permit udp any eq bootps any eq bootps
access-list 111 permit udp any eq domain any
access-list 111 permit esp any any
access-list 111 permit udp any any eq isakmp
access-list 111 permit udp any any eq 10000
access-list 111 permit tcp any any eq 1723
access-list 111 permit tcp any any eq 139
access-list 111 permit udp any any eq netbios-ns
access-list 111 permit udp any any eq netbios-dgm
access-list 111 permit gre any any
access-list 111 deny ip any any
dialer-list 1 protocol ip permit
!
line con 0
 exec-timeout 120 0
 transport input none
 stopbits 1
line vty 0 4
 access-class 23 in
 exec-timeout 120 0
 login local
 length 0
!
scheduler max-task-time 5000
end

4 Replies

mark-obrien
Level 4

Dennis,

If I understand your problem, internal users trying to access your internal web and FTP servers fail unless they use the internal IP addresses of those servers. Is this correct?

If so, this is normal. Your users are connecting to your DNS server and resolving the URLs to the external IP address. In your case, that address is the address of the router, and the router thinks that the destination for your packets is itself. This is why your internal users were accessing the CRWS until you disabled it. This doesn't happen to external users because they come in through interface Dialer1, which is configured as NAT outside. The router looks up the address/port combination in the NAT translation table and translates the address to the appropriate internal address.

The way to correct it is to set up a separate DNS server for your internal users. This new DNS server will point your URLs to the internal IP addresses for your servers. I'm not sure about the 800 series, but some routers can be configured as DNS servers. Or, you can implement DNS on either your web server or your FTP server as long as these are not acting as the DNS server for your domain on the outside (from your configuration it doesn't look as though they are).

HTH

Mark

Thanks for your response.

Yes, you have understood my problem; I just don't understand why my old Cisco 677 could do the routing from inside to out and inside again.

Anyway, I then set up a DNS server for the internal users, but still I cannot test the connection from the outside to the web and FTP.

/Dennis

The 800 series routers are IOS-based, and IOS routers do not perform NAT unless a packet enters a NAT-inside interface and leaves out a NAT-outside interface, or vice versa. The 677 is not IOS-based, and apparently it always puts packets through the NAT process when IP NAT is enabled.

Mark
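To make the inside/outside rule from this reply concrete, here is an added illustration (not Cisco code and not from anyone in the thread) that models which endpoint answers a TCP connection under the posted NAT configuration, with and without a split DNS view. The public Dialer1 address and the host names are constructed placeholders.

```python
# Added illustration: a minimal model of the IOS behaviour described above.
# Translation happens only when a packet crosses from a NAT-inside interface to a
# NAT-outside interface (or back). Inside hosts that aim at the public address hit
# the router itself; outside hosts are rewritten by the static entries.
import ipaddress

PUBLIC_IP = "203.0.113.10"  # constructed stand-in for the negotiated Dialer1 address

# Interfaces as in the posted config: name -> (attached networks, NAT role)
INTERFACES = {
    "Ethernet0": ([ipaddress.ip_network("10.10.10.0/24"),
                   ipaddress.ip_network("192.168.0.0/24")], "inside"),
    "Dialer1": ([ipaddress.ip_network(PUBLIC_IP + "/32")], "outside"),
}
ROUTER_ADDRESSES = {"10.10.10.1", "192.168.0.1", PUBLIC_IP}

# The three "ip nat inside source static tcp ..." lines: public port -> (host, port)
STATIC_NAT = {80: ("10.10.10.6", 80), 21: ("192.168.0.2", 21), 25: ("192.168.0.6", 25)}

# Constructed split-DNS views: internal clients learn internal addresses.
DNS_EXTERNAL = {"www.example.test": PUBLIC_IP, "ftp.example.test": PUBLIC_IP}
DNS_INTERNAL = {"www.example.test": "10.10.10.6", "ftp.example.test": "192.168.0.2"}


def ingress_interface(src):
    """Interface a packet from src enters on; non-local sources come in via Dialer1."""
    for name, (nets, _role) in INTERFACES.items():
        if any(ipaddress.ip_address(src) in net for net in nets):
            return name
    return "Dialer1"


def deliver(src, dst, dport):
    """Return (host, port) that actually answers a TCP SYN from src to dst:dport."""
    role = INTERFACES[ingress_interface(src)][1]
    # Outside -> inside crossing: the static NAT entry rewrites the destination.
    if role == "outside" and dst == PUBLIC_IP and dport in STATIC_NAT:
        return STATIC_NAT[dport]
    # Entered on the inside interface and addressed to the router itself: no
    # inside/outside crossing, so no translation; the router's own services answer.
    if dst in ROUTER_ADDRESSES:
        return ("router", dport)
    return (dst, dport)


def resolve(name, client):
    """Split DNS: inside clients get the internal record, everyone else the public one."""
    view = DNS_INTERNAL if INTERFACES[ingress_interface(client)][1] == "inside" else DNS_EXTERNAL
    return view[name]
```

With the internal view, an inside client resolving the name reaches the server directly, which is the fix Dennis reports below.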

Hi Mark.

Thanks for the help, now I understand why. I have set up a DNS for the web and now I can access through the name and not only the IP.

/Dennis
