I have a situation where I am trying to route traffic through one Internet link (C2600 router connected to Broadwing Communications) to a Web Server on a DMZ located on a redundant Internet link (C1600 router connected to Cable and Wireless - C+W). The C2600 router is running an ACL, NAT, and CBAC.
If I set my default GW internally to point at the C2600 I can access the Internet to retrieve Web pages, but I cannot access my own Web server located in the DMZ on the C1600. From my local network, I can't even ping anything associated with the C+W network (the C+W name server or my Web server). If I telnet to my C2600 I can ping anywhere internally or externally.
This doesn't make sense to me since my internal client uses the C2600 as its default gateway and the C2600 has a default route pointing at the service provider's GW router. I can see the traffic hitting the C2600 router (CBAC creates temporary ACL entries and the ACL hit counters increment) when I try to browse to or ping my own Web server, but I get no response. Ping and trace appear to function properly from the C2600 router to the C+W network and the DMZ Web server.
If I set my default GW to point at the C1600 - where the DMZ is located - I can get to the Web server in the DMZ since it is locally attached to that router.
I'm not sure if the problem has something to do with the redundant Internet connections, CBAC, NAT, or my ACL; I'm baffled. Any assistance would be greatly appreciated.
Could it be that your C2600 does not have a route for your DMZ network? Either on your hosts you could set a route to your DMZ network that points to your 1600 (messy), or possibly you could let your 2600 and 1600 exchange routing information, including your DMZ network, so that traffic destined to your 2600 would still get over to your 1600-attached DMZ network.
Thank you for your input. I had considered putting a static route in the C2600 pointing at the DMZ router. But my gut tells me that the routing should work as is: the 2600 forwards traffic for the DMZ - or any destination - from the internal network out to the Internet, which then finds its way to the destination address. The internal hosts can go through the 2600 to anywhere on the Internet except to their own External Web server. And externally, I can access the Web server (from a dialup or cable network connection). Also, when I'm logged into the 2600 router I can ping and trace any route.
I'm wondering if it has something to do with NAT, CBAC, or the ACL. Below is an excerpt from the running config. Any input would be appreciated . . .
ip inspect name myfw tcp
ip inspect name myfw udp
ip audit notify log
ip audit po max-events 100
!
! inside (LAN) interface; the "interface" header line was not included in the excerpt
 ip address 192.168.0.12 255.255.255.0
 ip nat inside
 ip inspect myfw in
!
! outside (Broadwing) interface, presumably Serial0/0, the interface named in the NAT statement below
 ip address 22.214.171.124 255.255.255.252
 ip access-group 101 in
 no ip unreachables
 ip nat outside
 ip inspect myfw in
 encapsulation frame-relay IETF
 no ip mroute-cache
 service-module t1 timeslots 1-24
 frame-relay interface-dlci 50
 frame-relay lmi-type ansi
!
! third interface; header line not included in the excerpt
 ip address 126.96.36.199 255.255.255.192
 no cdp enable
!
ip nat inside source list 1 interface Serial0/0 overload
Can you ensure that the 2600 has a route (learned through RIP) for the DMZ pointing (assuming) back out E0/0 to the 1600? If you do have a route then I would recommend "debug ip nat" when you're trying to access this network and see if you get a failed translation.
Here is a link on NAT that I hope helps you out as well.
You also, if you see the translation problem, might change your access-list that does your NAT'ing to not nat things going to the DMZ network. This should only be done if you see that NAT is your issue.
Thanks again, Don. One of the first things I did when I approached this problem was to look for a route to the DMZ router on the C2600. The C2600 doesn't appear to know about the DMZ, but I had assumed that it would route the DMZ traffic out to the Internet through its default route and back to the DMZ. The 2600 is running RIP, but I can't be sure about the C1600 (DMZ router).
I had considered placing a static route on the 2600 to point at the DMZ, but I wasn't fond of this approach. I suppose I can either do that, or gain access to the 1600 router and turn on RIP so it will exchange routing info with the 2600. Then I can create an ACL to avoid NAT when accessing the DMZ from the internal network.
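The two changes discussed in this thread (a static route on the 2600 toward the DMZ, and an ACL that keeps LAN-to-DMZ traffic out of NAT) written out as IOS configuration. This is an added example, not configuration posted in the thread: the C1600's LAN-side address (192.168.0.1) and the DMZ network (203.0.113.0/24, RFC 5737 documentation space) are placeholders to be replaced with the real values, and the interface names follow the excerpt above (Serial0/0 as the NAT outside interface).

```cisco
! Added example; not the poster's running config.
! Placeholders: 192.168.0.1 = C1600 LAN-side address, 203.0.113.0/24 = DMZ network.
!
! 1. Give the C2600 a route to the DMZ so that DMZ-bound packets cross the LAN
!    to the C1600 instead of leaving via the Broadwing default route.
ip route 203.0.113.0 255.255.255.0 192.168.0.1
!
! 2. Exempt LAN-to-DMZ traffic from translation. The original "list 1" is a
!    standard ACL, which can only match on source address, so a named extended
!    ACL is needed: a deny entry in a NAT ACL means "do not translate", not
!    "drop", and the permit entry keeps translating everything else.
ip access-list extended NAT-INSIDE
 deny   ip 192.168.0.0 0.0.0.255 203.0.113.0 0.0.0.255
 permit ip 192.168.0.0 0.0.0.255 any
!
! 3. Replace the old NAT rule with one that uses the new list.
no ip nat inside source list 1 interface Serial0/0 overload
ip nat inside source list NAT-INSIDE interface Serial0/0 overload
```

After applying this, run `clear ip nat translation *` from exec mode, since translations created under the old rule persist until they age out and would otherwise still be used; then check `show ip route 203.0.113.0` and `show ip nat translations` while reaching the Web server, or use Don's `debug ip nat` to confirm that DMZ-bound packets no longer appear in the translation debug. Note that the path becomes asymmetric: requests go LAN, C2600, C1600, DMZ, while replies from the DMZ server return through the C1600 directly onto the LAN, so they never pass ACL 101 or the CBAC session on the C2600. Whatever filtering you rely on between the DMZ and the internal network therefore has to be enforced on the C1600.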