synergizer (Member, join:2002-09-07, Ann Arbor, MI)

[Config] Cisco 806 IP Routing Help

I have a customer with the following setup:

(WAN) 208.*.*.*/28

(LAN) 192.168.1.1/30

DHCP Range should be 192.168.1.100 & above

Static routes for

64.*.*.* addresses to point to 192.168.1.2

I can't ping the public IPs from inside the network, but you can ping them from the outside. They have to be able to see it from the inside because they have an application using the public one. Is there any way to set that up?

--------------------------------------------------------------------------------

Building configuration...

Current configuration : 1940 bytes
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
!
enable secret 5 $1$T.vS$3yAsWk/71Txjm.9gljYCI.
enable password ***********
!
ip subnet-zero
ip dhcp excluded-address 192.168.1.2 192.168.1.99
!
ip dhcp pool named
 network 192.168.1.0 255.255.255.0
 default-router 192.168.1.1
 dns-server 209.*.*.*
!
vpdn enable
!
!
!
!
!
interface Ethernet0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 hold-queue 100 out
!
interface Ethernet1
 ip address 208.*.*.* 255.255.255.240
 ip nat outside
 arp timeout 300
!
ip nat inside source list 101 interface Ethernet1 overload
ip nat inside source static 192.168.1.2 64.*.*.*
ip classless
ip route 0.0.0.0 0.0.0.0 208.75.*.*
ip http server
!
!
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 101 permit ip 192.0.0.0 0.255.255.255 any
access-list 101 permit ip 64.0.0.0 0.255.255.255 any
!
line con 0
 stopbits 1
line vty 0 4
 exec-timeout 120 0
 password ******
 login local
 length 0
!
scheduler max-task-time 5000
end
aryoba (MVM, join:2002-08-22)

said by synergizer:

> I can't ping the public IPs from inside the network, but you can ping them from the outside. They have to be able to see it from the inside because they have an application using the public one. Is there any way to set that up?

Why does your customer monitor the public IP address instead of the private one?
synergizer (Member, join:2002-09-07, Ann Arbor, MI)

They have an application that uses the public IP, and it works from outside the office as well as inside the office, so it doesn't need to be changed every time they leave.
aryoba (MVM, join:2002-08-22)

Why does your customer need to monitor from both outside and inside? Typically system monitoring from just outside or from just inside is sufficient.
synergizer (Member, join:2002-09-07, Ann Arbor, MI)

It's not monitoring; they are using an application that accesses the public IP address.
aryoba (MVM, join:2002-08-22)

What your customer can do is access the server by DNS A record name, which is pretty much the "standard way" of doing stuff like this. The following is an illustration.

Let's say the server has the name yourcompany.com. There should be a local DNS server inside the network that resolves yourcompany.com to the server's private IP address. Any machine inside the network should use this local DNS server for DNS name resolution.

When they are away (meaning accessing the server from outside the network via the Internet), the ISP DNS should resolve yourcompany.com to the server's public IP address.
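The split-horizon arrangement described in this post, as an added example (not from aryoba's post or the thread): a resolver that hands inside clients the private address and outside clients the public one, plus a consistency check that the two DNS views agree with the router's static NAT entry. The name yourcompany.com, the inside subnet 192.168.1.0/24 and the private address 192.168.1.2 come from the thread; the public address 198.51.100.10 (TEST-NET-2) and the outside client 203.0.113.7 are constructed placeholders standing in for the masked 64.*.*.* address and an arbitrary Internet host.

```python
"""Split-horizon DNS for a server behind static NAT.

Added example, not code from the thread. yourcompany.com, 192.168.1.0/24
and 192.168.1.2 are the thread's values; 198.51.100.10 is a constructed
placeholder for the masked 64.*.*.* public address.
"""
import ipaddress

# Inside network, from the 806 config (Ethernet0, ip nat inside).
INSIDE_NET = ipaddress.ip_network("192.168.1.0/24")

# The static NAT entry: inside local -> inside global.
# 198.51.100.10 is a placeholder for the masked 64.*.*.* address.
NAT_STATIC = {"192.168.1.2": "198.51.100.10"}

# Internal view: what the local DNS server inside the LAN answers.
INTERNAL_VIEW = {"yourcompany.com": "192.168.1.2"}
# External view: what the ISP / public DNS answers.
EXTERNAL_VIEW = {"yourcompany.com": "198.51.100.10"}


def resolve(name, client_ip):
    """Return the A record a split-horizon resolver gives this client.

    Clients sourced from INSIDE_NET get the internal view; everyone else
    gets the external view. Names are normalised (trailing dot, case).
    """
    client = ipaddress.ip_address(client_ip)
    view = INTERNAL_VIEW if client in INSIDE_NET else EXTERNAL_VIEW
    return view.get(name.rstrip(".").lower())


def views_match_nat(internal, external, nat_static):
    """Check that both views describe the same host.

    For every name the outside world resolves to a public address, the
    inside view must resolve it to the private address that the router
    statically NATs to that public address. Returns a list of
    (name, problem) tuples; an empty list means the views are consistent.
    """
    problems = []
    for name, public in external.items():
        private = internal.get(name)
        if private is None:
            problems.append((name, "missing from internal view"))
        elif nat_static.get(private) != public:
            problems.append((name, f"{private} is not NATed to {public}"))
    return problems


if __name__ == "__main__":
    # Inside client resolves to the private address, outside client to the public one.
    print(resolve("yourcompany.com", "192.168.1.50"))
    print(resolve("yourcompany.com", "203.0.113.7"))
    # Empty list: the two views agree with the static NAT entry.
    print(views_match_nat(INTERNAL_VIEW, EXTERNAL_VIEW, NAT_STATIC))
```

The check in views_match_nat is the one worth running whenever the static NAT line on the router or either DNS zone changes: if the internal record drifts away from the NATed private address, inside users silently start reaching a different host (or nothing) while outside users still see the server.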
aryoba (MVM) to synergizer

I just noticed that there are multiple public IP subnets. One is the WAN subnet (208.*.*.*/28) and another is the NAT/PAT-ed subnet (64.*.*.*). With this in mind, your customer can also do the following.

* Set up the network like the following:

Internet -- 806 --- Firewall/Router/Layer-3 switch with DMZ --- Inside (192.168.1.0/24)
                                    |
                                    |
                                   DMZ

* Move the 64.*.*.* subnet to the DMZ
* Move the server to the DMZ as well
* Keep the 208.*.*.*/28 on the 806 just like now
* The server should have a 64.*.*.* address assigned directly, without using a private IP subnet
* No NAT between this DMZ and the Internet
* No NAT between this DMZ and the Inside network
* There is NAT between the Inside network and the Internet, using the 208.*.*.* IP address just like now
* There should be a static route on the 806 router to reach 64.*.*.* via the Firewall/Router/Layer-3 switch

Check out the following FAQ for sample configurations.

»Cisco Forum FAQ »Router configuration to run server (with and without port forwarding)
»Cisco Forum FAQ »Configure DMZ on routers
»Cisco Forum FAQ »PIX Firewall/ASA configuration to run server (with and without port forwarding)