[Config] Cisco 806 IP Routing Help
I have a customer with the following setup:
DHCP range should be 192.168.1.100 and above
Static routes for 64.*.*.* addresses to point to 192.168.1.2
I can't ping the public IPs from inside the network, but you can ping them from the outside. They have to be able to see it from the inside because they have an application using the public one. Is there any way to set that up?
Current configuration : 1940 bytes
!
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
enable secret 5 $1$T.vS$3yAsWk/71Txjm.9gljYCI.
enable password ***********
!
ip dhcp excluded-address 192.168.1.2 192.168.1.99
ip dhcp pool named
   network 192.168.1.0 255.255.255.0
!
! Interface headers were lost when the config was pasted; on an 806 Ethernet0
! is the LAN port and Ethernet1 the WAN port (Ethernet1 is the one named in the
! NAT overload statement below).
interface Ethernet0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 hold-queue 100 out
!
interface Ethernet1
 ip address 208.*.*.* 255.255.255.240
 ip nat outside
 arp timeout 300
!
! PAT for the inside LAN plus a one-to-one static for the server at 192.168.1.2
ip nat inside source list 101 interface Ethernet1 overload
ip nat inside source static 192.168.1.2 64.*.*.*
ip route 0.0.0.0 0.0.0.0 208.75.*.*
ip http server
!
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 101 permit ip 192.0.0.0 0.255.255.255 any
access-list 101 permit ip 22.214.171.124 0.255.255.255 any
!
line con 0
line vty 0 4
 exec-timeout 120 0
!
scheduler max-task-time 5000
said by synergizer: Why does your customer monitor the public IP address instead of the private IP one?
I can't ping the public IPs from inside the network, but you can ping them from the outside. They have to be able to see it from the inside because they have an application using the public one. Is there any way to set that up?
They have an application that uses the public IP, and it works from outside the office as well as inside the office, so it doesn't need to be changed every time they leave.
Why does your customer need to monitor from both outside and inside? Typically system monitoring from just outside or from just inside is sufficient.
It's not monitoring; they are using an application that accesses the public IP address.
What your customer can do is access the server by its DNS A record name, which is pretty much the "standard way" of doing stuff like this. The following is an illustration.
Let's say the server has the name yourcompany.com. There should be a local DNS server inside the network that resolves yourcompany.com to the server's private IP address. Any machines inside the network should use this local DNS server for DNS name resolution.
When they are away (meaning accessing the server from outside the network via the Internet), the ISP DNS should resolve yourcompany.com to the server's public IP address.
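One way to get the inside view of this split DNS without adding a box: let the 806 itself answer DNS for the LAN. This is an added example, not config from the thread or from the poster's router. It assumes the 806's IOS image includes the "ip dns server" feature, that yourcompany.com is the hypothetical server name from the post, and that 203.0.113.53 (a documentation address) stands in for the ISP resolver. The server's private address 192.168.1.2 and the DHCP pool name come from the posted config; the public zone hosted at the registrar or ISP keeps its A record pointing at 64.*.*.* unchanged.

```cisco
! Added example, not part of the original thread.
! Inside clients ask the 806 for yourcompany.com and get the private address;
! outside clients ask the public zone and get 64.*.*.*, so no traffic has to
! hairpin through the router's static NAT.
!
! Local answer for the LAN (hypothetical name, private address from the post)
ip dns server
ip host yourcompany.com 192.168.1.2
!
! Everything else is forwarded upstream (203.0.113.53 is a placeholder for the
! ISP resolver, an assumption)
ip domain lookup
ip name-server 203.0.113.53
!
! Hand LAN clients the router as their resolver, in the existing DHCP pool
ip dhcp pool named
   network 192.168.1.0 255.255.255.0
   default-router 192.168.1.1
   dns-server 192.168.1.1
!
! "ip dns server" listens on every interface, so stop the Internet from using
! the 806 as an open resolver: drop DNS arriving on the WAN port. In a real
! deployment this ACL would also carry whatever other inbound filtering the
! site wants; only the DNS lines are the point here.
access-list 110 deny   udp any any eq domain
access-list 110 deny   tcp any any eq domain
access-list 110 permit ip any any
interface Ethernet1
 ip access-group 110 in
```

Two checks before calling it done: from a LAN host, nslookup yourcompany.com against 192.168.1.1 must return 192.168.1.2, and from outside the same name must return 64.*.*.*. The caveat is that this only helps if the application is pointed at the name; if it has the 64.*.*.* literal hard-coded, DNS cannot rewrite it and the DMZ design in the next reply is the way to go.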
reply to synergizer
I just noticed that there are multiple public IP subnets. One is the WAN subnet (208.*.*.*/28) and another is the NAT/PAT-ed subnet (64.*.*.*). With this in mind, your customer can also do the following.
* Setup the network to be like the following
Internet -- 806 --- Firewall/Router/Layer-3 switch with DMZ --- Inside (192.168.1.0/24)
* Move the 64.*.*.* to be at DMZ
* Move the server to be at DMZ as well
* Keep the 208.*.*.*/28 at the 806 just like now
* The server should directly have 64.*.*.* assigned without using a private IP subnet
* No NAT between this DMZ and the Internet
* No NAT between this DMZ and the Inside network
* There is NAT between the Inside network and the Internet, using the 208.*.*.* IP address just like now
* There should be a static route on the 806 router to reach the 64.*.*.* via the Firewall/Router/Layer-3 switch
Check out the following FAQ for sample configurations.
»Cisco Forum FAQ »Router configuration to run server (with and without port forwarding)
»Cisco Forum FAQ »Configure DMZ on routers
»Cisco Forum FAQ »PIX Firewall/ASA configuration to run server (with and without port forwarding)
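The 806 side of the DMZ design above, written out as an added example (not from the thread or the FAQs it links). Documentation addresses stand in for the masked ones: 203.0.113.16/28 plays the 208.*.*.*/28 WAN block (806 at .17, ISP gateway at .30), 198.51.100.0/29 plays the 64.*.*.* block now living in the DMZ, and 192.168.0.0/30 is an assumed transit link between the 806 and the firewall/L3 switch (192.168.1.0/24 now sits behind that device, so the 806 needs a separate link subnet). Interface names follow the posted config; the DMZ block size is an assumption.

```cisco
! Added example, not part of the original thread: 806 after the change.
! Internet -- 806 --- firewall/L3 switch (DMZ 198.51.100.0/29) --- 192.168.1.0/24
!
interface Ethernet0
 description Transit link to firewall/L3 switch (assumed 192.168.0.0/30)
 ip address 192.168.0.1 255.255.255.252
 ip nat inside
!
interface Ethernet1
 description WAN, placeholder for the 208.*.*.*/28 block
 ip address 203.0.113.17 255.255.255.240
 ip nat outside
!
! Default route toward the ISP, as before
ip route 0.0.0.0 0.0.0.0 203.0.113.30
!
! Both the private LAN and the public DMZ block are reached via the L3 device.
! The second route is the static route the reply calls for; without it the
! 806 would send 198.51.100.x out the default route and the server would be
! unreachable from both sides.
ip route 192.168.1.0 255.255.255.0 192.168.0.2
ip route 198.51.100.0 255.255.255.248 192.168.0.2
!
! The server now owns its public address, so the old one-to-one static goes
! (198.51.100.2 is the placeholder for the old 64.*.*.* static).
no ip nat inside source static 192.168.1.2 198.51.100.2
!
! PAT stays for the inside LAN only. The NAT ACL must match just
! 192.168.1.0/24: DMZ packets from 198.51.100.x also enter Ethernet0, which is
! "ip nat inside", and any ACL line that covered them would translate the
! server's public address to the WAN address and break "no NAT between DMZ
! and Internet".
no access-list 101
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
ip nat inside source list 101 interface Ethernet1 overload
```

Verification from the 806: "show ip route 198.51.100.2" should point at 192.168.0.2, and "show ip nat translations" should show entries only for 192.168.1.x sources, never for 198.51.100.x. Two things this fragment deliberately leaves to the L3 device, because they move with the LAN: the DHCP pool currently on the 806 (the inside LAN is no longer directly attached, so either move the pool or add a DHCP relay there), and the DMZ-to-inside filtering, which is the whole reason for putting a firewall between the two.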