dslreports logo
site
 
    All Forums Hot Topics Gallery
spc

spacer




how-to block ads


Search Topic:
uniqs
1738
share rss forum feed

synergizer

join:2002-09-07
Ann Arbor, MI

[Config] Cisco 806 IP Routing Help

I have a customer with the following setup:

(WAN) 208.*.*.*/28

(LAN) 192.168.1.1/30

DHCP Range should be 192.168.1.100 & above

Static routes for

64.*.*.* addresses to point to 192.168.1.2

I can’t ping the public ips from inside the network but you can ping them from the outside. They have to be able to see it from the inside because they have an application using the public one, is there any way to set that up?

--------------------------------------------------------------------------------
----------

Building configuration...

Current configuration : 1940 bytes

!

version 12.2

no service pad

service timestamps debug datetime msec

service timestamps log datetime msec

service password-encryption

!

!

enable secret 5 $1$T.vS$3yAsWk/71Txjm.9gljYCI.

enable password ***********

!

ip subnet-zero

ip dhcp excluded-address 192.168.1.2 192.168.1.99

!

ip dhcp pool named

network 192.168.1.0 255.255.255.0

default-router 192.168.1.1

dns-server 209.*.*.*

!

vpdn enable

!

!

!

!

!

interface Ethernet0

ip address 192.168.1.1 255.255.255.0

ip nat inside

hold-queue 100 out

!

interface Ethernet1

ip address 208.*.*.* 255.255.255.240

ip nat outside

arp timeout 300

!

ip nat inside source list 101 interface Ethernet1 overload

ip nat inside source static 192.168.1.2 64.*.*.*

ip classless

ip route 0.0.0.0 0.0.0.0 208.75.*.*

ip http server

!

!

access-list 101 permit ip 192.168.1.0 0.0.0.255 any

access-list 101 permit ip 192.0.0.0 0.255.255.255 any

access-list 101 permit ip 64.0.0.0 0.255.255.255 any

!

line con 0

stopbits 1

line vty 0 4

exec-timeout 120 0

password ******

login local

length 0

!

scheduler max-task-time 5000

end

aryoba
Premium,MVM
join:2002-08-22
kudos:4
said by synergizer:

I can't ping the public ips from inside the network but you can ping them from the outside. They have to be able to see it from the inside because they have an application using the public one, is there any way to set that up?
Why does your customer monitor the public IP address instead of the private IP one?

synergizer

join:2002-09-07
Ann Arbor, MI
They have an application that uses the public ip and it works from outside the office as well as inside the office so it doesn't need to be changed everytime they leave.

aryoba
Premium,MVM
join:2002-08-22
kudos:4
Why does your customer need to monitor from both outside and inside? Typically system monitoring from just outside or from just inside is sufficient.

synergizer

join:2002-09-07
Ann Arbor, MI
It's not monitoring they are using an application that accesses the public ip address.

aryoba
Premium,MVM
join:2002-08-22
kudos:4

1 edit
What your customer can do is to access the server by DNS A record name, which is pretty much the "standard way" of doing stuff like this. Following is illustration.

Let's say the server has name of yourcompany.com. There should be a local DNS server inside the network that resolve the yourcompany.com to the server Private IP address. Any machines inside the network should use this local DNS server to DNS name resolving.

When they are away (meaning accessing the server from outside the network via the Internet), the ISP DNS should resolve the yourcompany.com to the server Public IP address.

aryoba
Premium,MVM
join:2002-08-22
kudos:4

1 edit
reply to synergizer
I just notice that there are multiple Public IP subnets. One is the WAN subnet (208.*.*.* /28) and another is the NAT/PAT-ed subnet (64.*.*.*). With this in mind, your customer can also do the following.

* Setup the network to be like the following

Internet -- 806 --- Firewall/Router/Layer-3 switch with DMZ --- Inside (192.168.1.0/24)
|
|
DMZ

* Move the 64.*.*.* to be at DMZ
* Move the server to be at DMZ as well
* Keep the 208.*.*.*/28 at the 806 just like now
* The server should directly have 64.*.*.* assigned without using private IP subnet
* No NAT between this DMZ and the Internet
* No NAT between this DMZ and the Inside network
* There is NAT between the Inside network and the Internet, using the 208.*.*.* IP address just like now
* There should be static route on the 806 router to reach the 64.*.*.* via the Firewall/Router/Layer-3

Check out the following FAQ for sample configurations.

»Cisco Forum FAQ »Router configuration to run server (with and without port forwarding)
»Cisco Forum FAQ »Configure DMZ on routers
»Cisco Forum FAQ »PIX Firewall/ASA configuration to run server (with and without port forwarding)