Cisco Support Community
Community Member

VLANs and Web Servers

Hello. I am having two problems with internal web servers and VLANs.


Here is a description of the existing infrastructure:


Business cable modem with a block of static IPs. These IPs are for example only and are not my current set, just an outdated set from an old block I was once assigned.


Kerio WAN interface is configured with these IP addresses.




Cisco SG-300 is in L3 mode and has IPs:


The two issues I am having:


1. Server-host on VLAN 1 uses as the router, and its DHCP server is handing out as the router to clients. This is working as expected for both the server and the clients.


Inside the VLAN 1 network I am running several web servers that each have a unique public IP. All servers assigned to the main IP work normally, being reachable from inside the LAN, across VLANs and from the WAN. These servers run on ports 80, 443 and 8443.


However the servers that are running on the other IP addresses are not reachable from the WAN, while they are reachable via the LAN and across VLANs.


For example, a server on works as expected, while a server on is not reachable from the WAN, though it is reachable via the LAN and across VLANs. This isn't a DNS issue because accessing the servers by IP produces the same result.


I have traffic rules:


Name -

Source - any.

Destination - and

Service 8443




This works.


Name -

Source - any.

Destination - and

Service 8443




This does not work.


I am at a loss for how to get these web servers working from the WAN. Any feedback will be appreciated!


2. Now the second issue:


The main server-host on VLAN2 has the IP of


When I used as the router I had WAN access but no access to services across VLANs. When I used as the router the effect was the reverse.


So I created the static route - - - Ethernet LAN. I then set as the router. This permits the server at to access internal and external resources.


However I configured the DHCP service on this server to issue to clients on the VLAN 2 network. With this they can access internal resources across VLANs but not external resources on the WAN. So the server at works properly with as the router, but clients do not.


Similar to the server examples above, there is a Kerio Connect mail server running on this VLAN 2 with IP It is reachable from the LAN & across VLANs, but not the WAN.


I have the traffic rules:


Name - Kerio Mail

Source - Internet Interfaces

Destination - Its Public IP

Services - DNS, HTTP, HTTPS, IMAP, IMAPS, Kerio Connect Web Admin, SMTP, SMTPS.





Name - Kerio Mail Out

Source -

Destination - Any

Services - DNS, SMTP, SMTP Message Submission, SMTPS.


MAP - Public IP


Thank you for any suggestions that may or may not solve this!

Community Member

Item 1 - While I'm not sure about the Kerio device (probably there is a forum for that, though), I would suggest you verify all the pieces.

- Are the default gateways on the servers pointing to the Kerio device?

- Do the IP addresses work inbound if you move the WAN port of the Kerio to the address you are trying to connect? If not, check the routing and subnetting from your cable provider.

- Verify with Kerio support that your one-to-one NAT statements are correct.

- I have seen ARP entries get stuck in one-to-one NAT configs. You might reboot the Kerio and the upstream cable router to clear their ARP tables.

Just a quick glance: I see the DNS name for this server seems incorrect. It has the same DNS name as the other IP. That may just be a typo, but please verify.

Name -   Source - any.   Destination - and



Item 2 -

When you are putting a router behind another router (SG300 behind the Kerio firewall) there are a few configuration items that are needed to make it work.

Best practice is to have a single router (or VRRP pair) leading off each subnet. This prevents asymmetric routing, and session-aware firewalls only seeing one side of a session and dropping it.

The easiest way to do this is to set a separate network segment for the link between the L3 switch and the firewall; that way there are no clients at all connected directly to the firewall segment.

1 - The SG300 needs to have a default gateway pointing towards the internet.

2 - The clients, servers, NAS, appliances, etc. need to have a default gateway pointing to the same local router (either the switch if it is doing local routing, or the firewall, BUT NOT SOME TO BOTH).

3 - The firewall (Kerio) needs to have routes pointing to the networks that are behind the switch. This will allow the return traffic from the internet to make it back to the clients and servers.

4, 5, 6 - The firewall may also need: NAT statements (Cisco ASA), multiple subnets added to the local trusted network zone (RV0xx and ISA), access rules allowing traffic outbound, and possibly other configuration items.


hope this helps you,
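The three items in the reply above (switch default gateway, consistent client gateway, firewall return route) can be checked with a small routing model. The following script is an added example from the editor, not code from either poster or from Cisco or Kerio; all addresses are constructed (VLAN 1 = 10.0.1.0/24 with the firewall at 10.0.1.1 and the switch SVI at 10.0.1.2, VLAN 2 = 10.0.2.0/24, a constructed upstream at 198.51.100.1) and the firewall's NAT is not modelled, so the return trip simply starts at the firewall with the client's private address already restored. It traces a VLAN 2 client's packet out to the internet and the reply back, once with and once without the static route item 3 describes, so you can see why VLAN 2 clients reach other VLANs but lose WAN access: the reply falls through to the firewall's default route and is sent upstream instead of to the switch.

```python
"""Longest-prefix-match routing model of the router-behind-router layout
discussed in the thread.  Constructed topology (not the poster's addresses):
Kerio firewall on VLAN 1, SG300 in L3 mode routing VLAN 1 and VLAN 2,
client on VLAN 2.  NAT is not modelled."""
import ipaddress


class Node:
    """A routing node with connected networks and static routes (prefix -> next hop)."""

    def __init__(self, name, connected, static=None):
        self.name = name
        self.connected = [ipaddress.ip_network(n) for n in connected]
        self.static = [(ipaddress.ip_network(p), ipaddress.ip_address(nh))
                       for p, nh in (static or [])]

    def next_hop(self, dst):
        """Return None for a directly connected destination, the next-hop
        address for a static route, or raise LookupError if nothing matches.
        Longest prefix wins; on a tie the connected network wins."""
        dst = ipaddress.ip_address(dst)
        best = None  # (prefixlen, next_hop)
        for net in self.connected:
            if dst in net and (best is None or net.prefixlen > best[0]):
                best = (net.prefixlen, None)
        for net, nh in self.static:
            if dst in net and (best is None or net.prefixlen > best[0]):
                best = (net.prefixlen, nh)
        if best is None:
            raise LookupError(f"{self.name}: no route to {dst}")
        return best[1]


def build(firewall_has_return_route):
    """Build the constructed topology; the flag adds the route from item 3."""
    fw_static = [("0.0.0.0/0", "198.51.100.1")]          # constructed upstream router
    if firewall_has_return_route:
        fw_static.append(("10.0.2.0/24", "10.0.1.2"))    # VLAN 2 via the switch SVI
    nodes = {
        "kerio": Node("kerio", ["198.51.100.0/24", "10.0.1.0/24"], fw_static),
        # Item 1: the switch's default gateway points at the firewall.
        "sg300": Node("sg300", ["10.0.1.0/24", "10.0.2.0/24"],
                      [("0.0.0.0/0", "10.0.1.1")]),
    }
    # Which modelled node owns which next-hop address.
    addr = {"10.0.1.1": "kerio", "198.51.100.2": "kerio", "10.0.1.2": "sg300"}
    return nodes, addr


def trace(nodes, addr, start, dst, max_hops=8):
    """Follow a packet hop by hop from node `start` toward `dst`.
    Ends with 'delivered' (directly connected), 'upstream' (handed to a
    next hop outside the model, i.e. the internet), 'dropped' or 'loop'."""
    path = [start]
    node = nodes[start]
    for _ in range(max_hops):
        try:
            nh = node.next_hop(dst)
        except LookupError:
            return path + ["dropped"]
        if nh is None:
            return path + ["delivered"]
        nxt = addr.get(str(nh))
        if nxt is None:
            return path + ["upstream"]
        path.append(nxt)
        node = nodes[nxt]
    return path + ["loop"]


def round_trip(firewall_has_return_route, client="10.0.2.50", server="203.0.113.10"):
    """Outbound path from the client (gateway = switch SVI, item 2) and the
    return path starting at the firewall after NAT has been undone."""
    nodes, addr = build(firewall_has_return_route)
    outbound = trace(nodes, addr, "sg300", server)
    inbound = trace(nodes, addr, "kerio", client)
    return outbound, inbound


if __name__ == "__main__":
    for flag in (False, True):
        out, back = round_trip(flag)
        print(f"firewall return route {'present' if flag else 'missing'}:")
        print("  client -> internet:", " -> ".join(out))
        print("  internet -> client:", " -> ".join(back))
```

Without the return route the reply leaves the firewall via its default route and never reaches VLAN 2; adding `10.0.2.0/24 via 10.0.1.2` on the firewall sends it back through the switch, which delivers it on the connected VLAN. The same model can be extended with extra VLANs or a transit /30 between switch and firewall, as the reply recommends, by adding networks to `build()`.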


