Velocity Reviews - Computer Hardware Reviews

Cisco 1721 Router Help

 
 
Larry
08-31-2004
We're transitioning from a consumer router to a Cisco 1721 with two wic
1-ethernet modules each connected to a DSL line (to load balance). This will
be our connection to the web for a dozen computers, 2 web-DNS servers, and a
mail-SQL server.

We have entered the appropriate NAT translations for the servers. The
problem is we cannot access our web sites (hosted on our servers) by their
Public domain name on any computer from 'inside' our own local network
(private). These same hosted web sites can be accessed fine publicly from
networks on the 'outside', just not from within our LAN from their public
domain. Did we miss something?

Here are the details of our setup:

We are running IOS C1700-ADVSECURITYK9-M), Version 12.3(T1 and the Cisco
SDM web management software Version 1.2 with 128 mb of Total Memory and 32
mb of Flash Memory.

Here is our current Running-config:

Building configuration...

Current configuration : 3056 bytes
!
version 12.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname xxxxxxx
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
logging console critical
enable secret 5 $1$phDk$fWTiTdvXWznAOH/QPbHbd/
!
username admin privilege 15 secret 5 $1$bBMk$tSbePpxGpTj5frVjpQQP9/
clock timezone PCTime -8
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
no aaa new-model
ip subnet-zero
no ip source-route
ip cef
!
ip tcp synwait-time 10
ip dhcp excluded-address 192.xxx.x.2 192.xxx.x.99
!
ip dhcp pool sdm-pool1
   import all
   network 192.xxx.x.0 255.255.255.0
   dns-server 66.114.xxx.xxx 66.114.xxx.xxx
   default-router 192.xxx.x.1
!
ip ips po max-events 100
no ip bootp server
ip domain name xxxxxxxx.com
ip name-server 207.115.xx.x
ip name-server 207.115.xx.x
ip ssh time-out 60
ip ssh authentication-retries 2
no ftp-server write-enable
!
interface Ethernet0
 description $FW_OUTSIDE$$ETH-WAN$
 ip address 66.114.xxx.xxx 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 half-duplex
 no cdp enable
!
interface Ethernet1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 shutdown
 half-duplex
 no cdp enable
!
interface FastEthernet0
 description $FW_INSIDE$$ETH-LAN$$INTF-INFO-10/100 Ethernet$
 ip address 192.xxx.x.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 speed auto
 no cdp enable
!
ip classless
ip route 0.0.0.0 0.0.0.0 66.114.xxx.xx
ip http server
ip http authentication local
ip http secure-server
ip nat inside source list 1 interface Ethernet0 overload
ip nat inside source static tcp 192.xxx.x.20 20 66.114.xxx.xxx 20 extendable
ip nat inside source static tcp 192.xxx.x.20 21 66.114.xxx.xxx 21 extendable
ip nat inside source static tcp 192.xxx.x.20 53 66.114.xxx.xxx 53 extendable
ip nat inside source static udp 192.xxx.x.20 53 66.114.xxx.xxx 53 extendable
ip nat inside source static tcp 192.xxx.x.20 80 66.114.xxx.xxx 80 extendable
!
logging trap debugging
access-list 1 remark INSIDE_IF=FastEthernet0
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.xxx.x.0 0.0.0.255
no cdp run
!
control-plane
!
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 login local
 transport output telnet
line aux 0
 login local
 transport output telnet
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
line vty 5 15
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler allocate 4000 1000
scheduler interval 500
end

Any Suggestions?

We are using a virtual web hosting configuration on our servers with Windows
Server 2003 running IIS 6.0. Being as we only have two public IP's, virtual
hosting is the only method we can use for setting up multiple websites on
our server. So being able to access them publicly by Domain from within our
LAN is an absolute necessity being as we have no other way to view them.

Thanks,

Larry
 
 
 
 
PES
08-31-2004

"Larry" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> We're transitioning from a consumer router to a Cisco 1721 with two wic
> 1-ethernet modules each connected to a DSL line (to load balance). This
> will
> be our connection to the web for a dozen computers, 2 web-DNS servers, and
> a
> mail-SQL server.
>
>
>
> We have entered the appropriate NAT translations for the servers. The
> problem is we cannot access our web sites (hosted on our servers) by their
> Public domain name on any computer from 'inside' our own local network
> (private). These same hosted web sites can be accessed fine publicly from
> networks on the 'outside', just not from within our LAN from their public
> domain. Did we miss something?


You need to nat the entire address instead of just the port. In which case
the dns answer will be modified to reflect the internal address (flush your
dns cache server and local pc). At this point, you must configure an access
list on your outside interfaces or you won't last long. Also, my guess is
you have the ip fw feature set as part of the vpn/fw bundle. If so, I would
definitely use it.

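Added example (editor's note; this is not code from the thread, from Cisco, or from any of the posters): a small Python simulation of the behaviour PES describes, namely the router's NAT DNS ALG rewriting the A record in a reply only when a whole-address static translation exists for that address, and leaving the reply untouched when only per-port static entries like Larry's exist. All addresses are constructed stand-ins for the xxx'd values in the config (203.0.113.20 for a second public address distinct from the WAN interface, 192.168.1.20 for the server). The mini-parser only understands the two `ip nat inside source static` forms that appear in this thread, and the DNS builder/parser handles a single uncompressed A-record reply, which is all the demonstration needs; it is a model of the described behaviour, not of IOS internals.

```python
"""Simulate the NAT DNS-ALG rewrite PES describes (added example, not from
the thread). A DNS reply from outside carries the server's public address;
the router rewrites the A record only if its static table maps that whole
address to an inside host."""
import ipaddress
import struct

# Constructed stand-ins for the xxx'd addresses in Larry's config.
PUBLIC_WEB = "203.0.113.20"    # second public IP, distinct from the WAN interface
PRIVATE_WEB = "192.168.1.20"   # the web/DNS server on the LAN

# What Larry has today: per-port static entries (same shape as in the thread).
PORT_ONLY_CONFIG = """
ip nat inside source static tcp 192.168.1.20 80 203.0.113.20 80 extendable
ip nat inside source static udp 192.168.1.20 53 203.0.113.20 53 extendable
"""
# What PES suggests: one whole-address static translation instead.
FULL_ADDRESS_CONFIG = """
ip nat inside source static 192.168.1.20 203.0.113.20
"""


def parse_static_nat(config):
    """Return {public_ip: private_ip} for one-to-one static entries only.
    'static tcp/udp ... <port>' lines translate a single port, so they give
    the ALG no whole-address mapping and are skipped. Only the two forms seen
    in the thread are recognised."""
    mapping = {}
    for line in config.splitlines():
        parts = line.split()
        if parts[:5] != ["ip", "nat", "inside", "source", "static"] or len(parts) < 7:
            continue
        if parts[5] in ("tcp", "udp"):
            continue
        inside_local, inside_global = parts[5], parts[6]
        mapping[inside_global] = inside_local
    return mapping


def build_dns_reply(qname, ip, txid=0x1234):
    """Minimal DNS response: one question, one A record, no name compression."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    name = b"".join(bytes([len(p)]) + p.encode("ascii") for p in qname.split(".")) + b"\0"
    question = name + struct.pack("!HH", 1, 1)                # QTYPE=A, QCLASS=IN
    answer = name + struct.pack("!HHIH", 1, 1, 300, 4) + ipaddress.IPv4Address(ip).packed
    return header + question + answer


def _read_name(msg, off):
    """Decode a wire-format name (handles RFC 1035 compression pointers)."""
    labels = []
    while True:
        length = msg[off]
        if length == 0:
            return ".".join(labels), off + 1
        if length & 0xC0 == 0xC0:
            pointer = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            tail, _ = _read_name(msg, pointer)
            labels.append(tail)
            return ".".join(labels), off + 2
        labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length


def _answer_records(msg):
    """Yield (rdata_offset, rtype, rdlen) for every RR in the answer section."""
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    off = 12
    for _ in range(qdcount):
        _, off = _read_name(msg, off)
        off += 4                                              # QTYPE + QCLASS
    for _ in range(ancount):
        _, off = _read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        yield off, rtype, rdlen
        off += rdlen


def answer_ips(msg):
    """List the IPv4 addresses carried in the reply's A records."""
    return [str(ipaddress.IPv4Address(msg[off:off + 4]))
            for off, rtype, rdlen in _answer_records(msg) if rtype == 1 and rdlen == 4]


def doctor_dns_reply(msg, mapping):
    """Apply the ALG to a reply crossing outside->inside: every A record whose
    address has a whole-address static mapping is rewritten to the inside
    address. Returns (new_message, number_of_records_rewritten)."""
    out = bytearray(msg)
    rewritten = 0
    for off, rtype, rdlen in _answer_records(msg):
        if rtype != 1 or rdlen != 4:
            continue
        public_ip = str(ipaddress.IPv4Address(msg[off:off + 4]))
        if public_ip in mapping:
            out[off:off + 4] = ipaddress.IPv4Address(mapping[public_ip]).packed
            rewritten += 1
    return bytes(out), rewritten


def resolved_from_inside(config, qname="www.example.com"):
    """The address a LAN client ends up with: the public DNS server answers
    with the public IP, and the router applies its static table on the way in."""
    reply = build_dns_reply(qname, PUBLIC_WEB)
    doctored, _ = doctor_dns_reply(reply, parse_static_nat(config))
    return answer_ips(doctored)[0]


if __name__ == "__main__":
    print("per-port static entries ->", resolved_from_inside(PORT_ONLY_CONFIG))
    print("whole-address static    ->", resolved_from_inside(FULL_ADDRESS_CONFIG))
```

Run it directly and it prints what a LAN client would resolve under each configuration. Two things the simulation also makes visible: the rewrite happens on the reply packet, so a client or caching resolver that already holds the public address keeps using it until its cache is cleared, which is why PES says to flush both the DNS cache server and the local PC; and a one-to-one static entry maps every port of the host, not just 20/21/53/80, so PES's point about an access list on the outside interface is what keeps the rest of the server from being reachable. Josh's internal-DNS alternative reaches the same end state (the LAN client gets 192.168.1.20) without relying on the router's ALG at all.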



 
Josh
08-31-2004
You need to set up an internal DNS server. You are currently querying
an external DNS server which is returning the public address. You
need something that will return the address that is assigned to the
server.

You can test this by putting the hostnames in the hosts file on your
PC.

Josh

"Larry" <(E-Mail Removed)> wrote in message news:<(E-Mail Removed)>...
> We're transitioning from a consumer router to a Cisco 1721 with two wic
> 1-ethernet modules each connected to a DSL line (to load balance). This will
> be our connection to the web for a dozen computers, 2 web-DNS servers, and a
> mail-SQL server.
>
>
>
> We have entered the appropriate NAT translations for the servers. The
> problem is we cannot access our web sites (hosted on our servers) by their
> Public domain name on any computer from 'inside' our own local network
> (private). These same hosted web sites can be accessed fine publicly from
> networks on the 'outside', just not from within our LAN from their public
> domain. Did we miss something?

 
Josh
08-31-2004
I didn't realize IOS would do the DNS translation. I thought that was
only available on the PIX. Please ignore my previous suggestion.

(E-Mail Removed) (Josh) wrote in message news:<(E-Mail Removed)>...
> You need to setup an internal DNS server. You are currently querying
> an external DNS server which is returning the public address. You
> need something that will return the address that is assigned to the
> server.
>
> You can test this by putting the hostnames in the hosts file on your
> pc.
>
> Josh

 
Larry
09-01-2004
Thanks for the input folks. Thursday is the network 'work day' so I'll apply
your suggestions.
Thanks!
Larry

"PES" <NO*SPAMpestewartREMOVE*(E-Mail Removed)*SUCK S> wrote in message
news:413455d6$(E-Mail Removed)...
>
> "Larry" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)...
> > We're transitioning from a consumer router to a Cisco 1721 with two wic
> > 1-ethernet modules each connected to a DSL line (to load balance). This
> > will be our connection to the web for a dozen computers, 2 web-DNS servers,
> > and a mail-SQL server.
> >
> > We have entered the appropriate NAT translations for the servers. The
> > problem is we cannot access our web sites (hosted on our servers) by
> > their Public domain name on any computer from 'inside' our own local
> > network (private). These same hosted web sites can be accessed fine
> > publicly from networks on the 'outside', just not from within our LAN
> > from their public domain. Did we miss something?
>
> You need to nat the entire address instead of just the port. In which
> case the dns answer will be modified to reflect the internal address (flush
> your dns cache server and local pc). At this point, you must configure an
> access list on your outside interfaces or you won't last long. Also, my
> guess is you have the ip fw feature set as part of the vpn/fw bundle. If
> so, I would definitely use it.



 