I'm new to this forum, and it seems this is the place to go with your Cisco questions. I recently bought a Cisco 1841 and after some configuring I got it running the way I wanted, or at least I thought so...
I bought an IP range 195.xx.yy.16/29 from Verizon, where .16 is the network, my Cisco is on .17, my web is on .20 and so on.
Verizon told me that they had forwarded the range to my router from their router and, to connect, I would have to make a route to their router first. This was new to me, and this was where the problems began.
Verizon's router was on 62.xx.yy.72/30, which I later figured out meant their router was on .73 and my router should then be on .74.
My internal network was 10.10.10.0/24
All this was very puzzling to me, but after a couple of hours, I got it working. The Cisco had 2 interfaces, so I put my internal switch on 0/0 and the internet on 0/1. The settings I had then were:
interface 0/0: 10.10.10.1/24
interface 0/1: 62.xx.yy.74/30
Then I made a Loopback, don't ask me why, but it worked.
Loopback 3: 195.xx.yy.17/29 <- This would be my router's public IP.
Then I figured out that I needed some kind of routing, so I added a route like this:
ip route 0.0.0.0 0.0.0.0 FastEthernet0/1 62.xx.yy.73 permanent (this is from my config)
Everything actually started working and I then NATed some of the public addresses to different internal addresses, which also worked. Amazing!
ip nat inside source static 10.10.10.50 195.xx.yy.18
ip nat inside source static tcp 10.10.10.111 22 195.xx.yy.20 22 extendable
ip nat inside source static tcp 10.10.10.111 80 195.xx.yy.20 80 extendable
Everything was fine until today, when I realized that even though everything worked fine from the outside, I could not access my own web pages from the computer I was on. For example:
This is when I realized something was wrong, and after hours of googling this, not knowing where to start, I gave up and tried the Cisco Support Forum.
Could anyone please help me with this, or at least point me in the right direction? I'm willing to try a lot of stuff, but my datacenter is a 4-hour drive away, so if I crash the router, there will be some driving to do for the reboot.
This is my current config, edited for the web of course:
interface Loopback3
 ip address 195.xx.yy.17 255.255.255.248
 ip access-group Any in
 ip access-group Any out
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
!
interface FastEthernet0/0
 description $ETH-SW-LAUNCH$$INTF-INFO-FE 0$$ES_LAN$$FW_INSIDE$$ETH-LAN$
 ip address 10.10.10.1 255.255.255.0
 ip access-group Any in
 ip access-group Any out
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 no mop enabled
!
interface FastEthernet0/1
 description $FW_OUTSIDE$$ETH-WAN$
 ip address 62.xx.yy.74 255.255.255.252
 ip access-group Any in
 ip access-group Any out
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 no mop enabled
!
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 FastEthernet0/1 62.xx.yy.73 permanent
!
!
ip http server
ip http access-class 23
ip http authentication local
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat pool Extern1 195.xx.yy.16 195.xx.yy.22 netmask 255.255.255.248
ip nat inside source list 5 interface FastEthernet0/1 overload
ip nat inside source static 10.10.10.50 195.xx.yy.18
ip nat inside source static tcp 10.10.10.111 22 195.xx.yy.20 22 extendable
ip nat inside source static tcp 10.10.10.111 80 195.xx.yy.20 80 extendable
ip nat inside source static tcp 10.10.10.111 8090 195.xx.yy.20 8090 extendable
!
changed it, but then had to NAT the router to 195.xx.yy.17 to be able to connect to the router's external IP.
What you say sounds reasonable, but it doesn't solve the problem alone. I'm thinking of changing the 0/1 interface to 195.xx.yy.17/29, so that the only thing that points to my ISP router is the ip route 0.0.0.0 > 62.xx.yy.73, but if this fails I will have to wait until tomorrow to reboot the router.
I think I'll wait for some more answers first. But I'll keep your NAT settings for now, because they seem logical.
If you are attempting to access an internal resource by URL and the name server is providing the public address to internal hosts, I think you may have a DNS issue.
Are your DNS servers internal or external? If they are internal simply create an internal DNS entry for your web resource that will be provided to internal hosts. If your DNS servers are external the solution gets more annoying and less scalable.
I don't think it's a DNS problem. I use external DNS servers hosted by my domain provider. But the following:
$ curl 195.xx.yy.20
curl: (7) couldn't connect to host
doesn't work either, and as far as I know this doesn't involve DNS?! Using wget to do the same, it says that the connection is refused by the host.
Just to be clear, all this works just fine from machines outside this network.
The issue is that you are trying to connect to the web servers as though you were on the outside but you are on the inside. So the static NAT statements won't work because you are not hitting the outside interface first. It is, as Christopher mentioned, tied in with DNS as well.
Do you have an internal DNS? If so, the simplest solution is to create internal DNS entries for the servers pointing to their real IP addresses. That way you do not need to worry about the NAT. This is a very common solution, i.e. internal clients resolve the URLs to internal addresses and external internet users resolve the URLs to their external addresses.
Is there any reason you need internal clients to be able to access these URLs by their public IP addresses?
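The two replies above (Christopher's DNS point and the split-horizon suggestion in this one) can be shown concretely. What follows is an added example, not code from the thread, from the poster's router, or from Cisco: a small Python script that parses the `ip nat inside source static` lines posted earlier, builds the public-to-inside mapping, answers name lookups with the inside address for internal clients and the public address for everyone else, and models in a simplified way why an inside client that sends to the public address never reaches the server. It goes slightly beyond the thread in that the parser handles both forms of the statement (plain one-to-one and per-port `tcp`/`udp`, with or without `extendable`) and flags a public address whose port entries point at different inside hosts. Everything in it is constructed: 203.0.113.16/29 (RFC 5737 TEST-NET-3) stands in for the masked 195.xx.yy.16/29, 192.0.2.72/30 for 62.xx.yy.72/30, the example.com names are made up, and the `forward` function is a deliberately simplified model of IOS order of operations (outside-to-inside packets are untranslated before routing; inside-to-outside packets are routed as sent), not a router emulator.

```python
"""Split-horizon DNS and NAT reachability derived from the posted config.

Added example, not code from the thread or from Cisco. Addresses are
constructed placeholders (TEST-NET ranges), not the poster's real prefixes.
"""
import ipaddress
import re

# Constructed sample: the poster's static NAT lines, public prefix replaced.
SAMPLE_CONFIG = """\
ip nat inside source static 10.10.10.50 203.0.113.18
ip nat inside source static tcp 10.10.10.111 22 203.0.113.20 22 extendable
ip nat inside source static tcp 10.10.10.111 80 203.0.113.20 80 extendable
ip nat inside source static tcp 10.10.10.111 8090 203.0.113.20 8090 extendable
"""

# Constructed zone: what the external DNS hosted by the domain provider answers.
PUBLIC_ZONE = {
    "www.example.com": "203.0.113.20",
    "files.example.com": "203.0.113.18",
    "other.example.com": "198.51.100.7",   # not behind this router
}

# Constructed view of the posted interfaces: (prefix, interface, NAT role).
CONNECTED = [
    ("10.10.10.0/24", "FastEthernet0/0", "inside"),
    ("203.0.113.16/29", "Loopback3", None),        # neither nat inside nor outside
    ("192.0.2.72/30", "FastEthernet0/1", "outside"),
]
DEFAULT_ROUTE = ("FastEthernet0/1", "outside")     # ip route 0.0.0.0 0.0.0.0 Fa0/1
INTERNAL_NET = ipaddress.ip_network("10.10.10.0/24")

# Both forms seen in the thread:
#   ip nat inside source static <inside> <public>
#   ip nat inside source static {tcp|udp} <inside> <port> <public> <port> [extendable]
_STATIC = re.compile(
    r"^ip nat inside source static "
    r"(?:(?:tcp|udp) (\S+) \d+ (\S+) \d+(?: extendable)?|(\S+) (\S+))$"
)


def parse_static_nat(config):
    """Return {public_ip: inside_ip}. A public address whose port entries point
    at different inside hosts is recorded as None (ambiguous for DNS)."""
    mapping = {}
    for raw in config.splitlines():
        m = _STATIC.match(raw.strip())
        if not m:
            continue
        inside, public = (m.group(1), m.group(2)) if m.group(1) else (m.group(3), m.group(4))
        if public in mapping and mapping[public] != inside:
            mapping[public] = None
        else:
            mapping[public] = inside
    return mapping


def resolve(name, client_ip, mapping, zone=PUBLIC_ZONE):
    """Split-horizon answer for one A record: internal clients get the inside
    address when the public record is statically NATed here, everyone else
    gets the public record. Unknown names return None."""
    public = zone.get(name)
    if public is None:
        return None
    if ipaddress.ip_address(client_ip) in INTERNAL_NET and mapping.get(public):
        return mapping[public]
    return public


def route(dst_ip):
    """Longest-prefix match over the connected routes, else the default route.
    Returns (interface, nat_role)."""
    dst = ipaddress.ip_address(dst_ip)
    best = None
    for prefix, iface, role in CONNECTED:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, iface, role)
    return (best[1], best[2]) if best else DEFAULT_ROUTE


def forward(src_ip, dst_ip, mapping):
    """Simplified IOS order of operations, enough to show the thread's problem:
    a packet entering on an 'ip nat outside' interface has its public
    destination translated to the inside host before routing; a packet
    entering on 'ip nat inside' is routed on the destination as sent, so a
    public address lands on Loopback3, where no server lives.
    Returns (final_destination, egress_interface)."""
    _, ingress_role = route(src_ip)          # interface the source sits behind
    if ingress_role == "outside" and mapping.get(dst_ip):
        dst_ip = mapping[dst_ip]             # public -> inside before routing
    iface, _ = route(dst_ip)
    return dst_ip, iface


if __name__ == "__main__":
    nat = parse_static_nat(SAMPLE_CONFIG)
    print("inside client resolves www ->", resolve("www.example.com", "10.10.10.5", nat))
    print("outside client resolves www ->", resolve("www.example.com", "198.51.100.9", nat))
    print("outside -> public:", forward("198.51.100.9", "203.0.113.20", nat))
    print("inside  -> public:", forward("10.10.10.5", "203.0.113.20", nat))
```

Running it shows the asymmetry the reply describes: the outside client's packet to 203.0.113.20 is rewritten to 10.10.10.111 and routed out FastEthernet0/0, while the inside client's packet to the same public address is routed to Loopback3 untranslated and never reaches the web server, which is exactly the "couldn't connect" result from curl. With the internal DNS view in place the inside client asks for 10.10.10.111 directly and no NAT is involved at all.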