Cisco 1721 Router Help

Discussion in 'Cisco' started by Larry, Aug 31, 2004.

  1. Larry

    Larry Guest

    We're transitioning from a consumer router to a Cisco 1721 with two wic
    1-ethernet modules each connected to a DSL line (to load balance). This will
    be our connection to the web for a dozen computers, 2 web-DNS servers, and a
    mail-SQL server.



    We have entered the appropriate NAT translations for the servers. The
    problem is we cannot access our web sites (hosted on our servers) by their
    Public domain name on any computer from 'inside' our own local network
    (private). These same hosted web sites can be accessed fine publicly from
    networks on the 'outside', just not from within our LAN from their public
    domain. Did we miss something?



    Here are the details of our setup:

    We are running IOS C1700-ADVSECURITYK9-M, Version 12.3(8)T1 and the Cisco
    SDM web management software Version 1.2 with 128 MB of total memory and 32
    MB of flash memory.



    Here is our current Running-config:

    Building configuration...

    Current configuration : 3056 bytes
    !
    version 12.3
    no service pad
    service tcp-keepalives-in
    service tcp-keepalives-out
    service timestamps debug datetime msec localtime show-timezone
    service timestamps log datetime msec localtime show-timezone
    service password-encryption
    service sequence-numbers
    !
    hostname xxxxxxx
    !
    boot-start-marker
    boot-end-marker
    !
    security authentication failure rate 3 log
    security passwords min-length 6
    logging buffered 51200 debugging
    logging console critical
    enable secret 5 $1$phDk$fWTiTdvXWznAOH/QPbHbd/
    !
    username admin privilege 15 secret 5 $1$bBMk$tSbePpxGpTj5frVjpQQP9/
    clock timezone PCTime -8
    clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
    mmi polling-interval 60
    no mmi auto-configure
    no mmi pvc
    mmi snmp-timeout 180
    no aaa new-model
    ip subnet-zero
    no ip source-route
    ip cef
    !
    !
    ip tcp synwait-time 10
    ip dhcp excluded-address 192.xxx.x.2 192.xxx.x.99
    !
    ip dhcp pool sdm-pool1
     import all
     network 192.xxx.x.0 255.255.255.0
     dns-server 66.114.xxx.xxx 66.114.xxx.xxx
     default-router 192.xxx.x.1
    !
    !
    ip ips po max-events 100
    no ip bootp server
    ip domain name xxxxxxxx.com
    ip name-server 207.115.xx.x
    ip name-server 207.115.xx.x
    ip ssh time-out 60
    ip ssh authentication-retries 2
    no ftp-server write-enable
    !
    !
    !
    !
    !
    !
    !
    !
    interface Ethernet0
     description $FW_OUTSIDE$$ETH-WAN$
     ip address 66.114.xxx.xxx 255.255.255.0
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip nat outside
     ip virtual-reassembly
     ip route-cache flow
     half-duplex
     no cdp enable
    !
    interface Ethernet1
     no ip address
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip route-cache flow
     shutdown
     half-duplex
     no cdp enable
    !
    interface FastEthernet0
     description $FW_INSIDE$$ETH-LAN$$INTF-INFO-10/100 Ethernet$
     ip address 192.xxx.x.1 255.255.255.0
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip nat inside
     ip virtual-reassembly
     ip route-cache flow
     speed auto
     no cdp enable
    !
    ip classless
    ip route 0.0.0.0 0.0.0.0 66.114.xxx.xx
    ip http server
    ip http authentication local
    ip http secure-server
    ip nat inside source list 1 interface Ethernet0 overload
    ip nat inside source static tcp 192.xxx.x.20 20 66.114.xxx.xxx 20 extendable
    ip nat inside source static tcp 192.xxx.x.20 21 66.114.xxx.xxx 21 extendable
    ip nat inside source static tcp 192.xxx.x.20 53 66.114.xxx.xxx 53 extendable
    ip nat inside source static udp 192.xxx.x.20 53 66.114.xxx.xxx 53 extendable
    ip nat inside source static tcp 192.xxx.x.20 80 66.114.xxx.xxx 80 extendable
    !
    !
    logging trap debugging
    access-list 1 remark INSIDE_IF=FastEthernet0
    access-list 1 remark SDM_ACL Category=2
    access-list 1 permit 192.xxx.x.0 0.0.0.255
    no cdp run
    !
    control-plane
    !
    banner login ^CAuthorized access only!
    Disconnect IMMEDIATELY if you are not an authorized user!^C
    !
    line con 0
     login local
     transport output telnet
    line aux 0
     login local
     transport output telnet
    line vty 0 4
     privilege level 15
     login local
     transport input telnet ssh
    line vty 5 15
     privilege level 15
     login local
     transport input telnet ssh
    !
    scheduler allocate 4000 1000
    scheduler interval 500
    end





    Any Suggestions?



    We are using a virtual web hosting configuration on our servers with Windows
    Server 2003 running IIS 6.0. Being as we only have two public IP's, virtual
    hosting is the only method we can use for setting up multiple websites on
    our server. So being able to access them publicly by Domain from within our
    LAN is an absolute necessity being as we have no other way to view them.



    Thanks,

    Larry
     
    Larry, Aug 31, 2004
    #1

  2. Larry

    PES Guest

    "Larry" <> wrote in message
    news:...
    > We're transitioning from a consumer router to a Cisco 1721 with two wic
    > 1-ethernet modules each connected to a DSL line (to load balance). This
    > will
    > be our connection to the web for a dozen computers, 2 web-DNS servers, and
    > a
    > mail-SQL server.
    >
    >
    >
    > We have entered the appropriate NAT translations for the servers. The
    > problem is we cannot access our web sites (hosted on our servers) by their
    > Public domain name on any computer from 'inside' our own local network
    > (private). These same hosted web sites can be accessed fine publicly from
    > networks on the 'outside', just not from within our LAN from their public
    > domain. Did we miss something?


    You need to NAT the entire address instead of just the port, in which case
    the DNS answer will be modified to reflect the internal address (flush your
    DNS cache server and local PC). At this point, you must configure an access
    list on your outside interfaces or you won't last long. Also, my guess is
    you have the IP FW feature set as part of the VPN/FW bundle. If so, I would
    definitely use it.

     
    PES, Aug 31, 2004
    #2
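    One way to apply PES's two points on this router, as an added example that is not from the thread: replace the five per-port static entries with one whole-address static NAT, so that the router's DNS ALG rewrites the server's public A record for LAN clients, and close the resulting exposure with an inbound ACL plus IOS Firewall (CBAC) inspection, which the ADVSECURITYK9 image carries. Addresses keep the page's redacted form; 66.114.xxx.xxx is assumed to be the server's public address (the second public IP, distinct from Ethernet0's own), and the names OUTSIDE_IN and LAN_OUT are made up here.

```cisco
! --- NAT: one whole-address static map instead of five per-port maps ---
! Remove the per-port (extendable) entries for the server ...
no ip nat inside source static tcp 192.xxx.x.20 20 66.114.xxx.xxx 20 extendable
no ip nat inside source static tcp 192.xxx.x.20 21 66.114.xxx.xxx 21 extendable
no ip nat inside source static tcp 192.xxx.x.20 53 66.114.xxx.xxx 53 extendable
no ip nat inside source static udp 192.xxx.x.20 53 66.114.xxx.xxx 53 extendable
no ip nat inside source static tcp 192.xxx.x.20 80 66.114.xxx.xxx 80 extendable
! ... and map the whole public address to the server. With a whole-address
! static entry, IOS NAT also rewrites A records in DNS replies that cross
! from outside to inside, so a LAN client that asks the ISP resolver
! (207.115.xx.x) for www.xxxxxxxx.com is handed 192.xxx.x.20 and connects
! to it directly, with no hairpin through the public address.
ip nat inside source static 192.xxx.x.20 66.114.xxx.xxx
!
! --- Firewall: a whole-address map exposes every port on 192.xxx.x.20 ---
! Inbound ACL on the outside interface (name OUTSIDE_IN is made up): only
! the services the server publishes are reachable from the Internet. On the
! inbound path IOS evaluates this ACL before outside-to-inside NAT, so the
! entries match the public address, not 192.xxx.x.20.
ip access-list extended OUTSIDE_IN
 remark published services on the static-NAT server (same ports as before)
 permit tcp any host 66.114.xxx.xxx eq ftp-data
 permit tcp any host 66.114.xxx.xxx eq ftp
 permit tcp any host 66.114.xxx.xxx eq domain
 permit udp any host 66.114.xxx.xxx eq domain
 permit tcp any host 66.114.xxx.xxx eq www
 remark CBAC does not inspect the router's own DNS lookups, so allow the
 remark replies from the configured ISP name servers to Ethernet0's address
 permit udp host 207.115.xx.x eq domain host 66.114.xxx.xxx
 remark everything else (router management included) stays closed and logged
 deny   ip any any log
!
! Stateful inspection (IOS Firewall / CBAC; name LAN_OUT is made up):
! sessions that leave through Ethernet0 get temporary openings in OUTSIDE_IN
! for their return traffic, so the ACL above can stay this tight.
ip inspect name LAN_OUT tcp
ip inspect name LAN_OUT udp
ip inspect name LAN_OUT icmp
ip inspect name LAN_OUT ftp
!
interface Ethernet0
 ip access-group OUTSIDE_IN in
 ip inspect LAN_OUT out
```

    The rewrite only happens when the DNS reply actually crosses the NAT, so LAN clients must resolve through a resolver on the outside (the ISP name servers), not through the server's public address from inside; after the change, flush the caches as PES says and confirm with `show ip nat translations` that the single static entry is present.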

  3. Larry

    Josh Guest

    You need to set up an internal DNS server. You are currently querying
    an external DNS server which is returning the public address. You
    need something that will return the address that is assigned to the
    server.

    You can test this by putting the hostnames in the hosts file on your
    PC.

    Josh

     
    Josh, Aug 31, 2004
    #3
  4. Larry

    Josh Guest

    I didn't realize IOS would do the DNS translation. I thought that was
    only available on the PIX. Please ignore my previous suggestion.

     
    Josh, Aug 31, 2004
    #4
  5. Larry

    Larry Guest

    Thanks for the input folks. Thursday is the network 'work day' so I'll apply
    your suggestions.
    Thanks!
    Larry

    "PES" <NO*SPAMpestewartREMOVE**SUCKS> wrote in message
    news:413455d6$...
    >
    > "Larry" <> wrote in message
    > news:...
    > > We're transitioning from a consumer router to a Cisco 1721 with two wic
    > > 1-ethernet modules each connected to a DSL line (to load balance). This
    > > will be our connection to the web for a dozen computers, 2 web-DNS servers,
    > > and a mail-SQL server.
    > >
    > > We have entered the appropriate NAT translations for the servers. The
    > > problem is we cannot access our web sites (hosted on our servers) by their
    > > Public domain name on any computer from 'inside' our own local network
    > > (private). These same hosted web sites can be accessed fine publicly from
    > > networks on the 'outside', just not from within our LAN from their public
    > > domain. Did we miss something?
    >
    > You need to nat the entire address instead of just the port. In which case
    > the dns answer will be modified to reflect the internal address (flush your
    > dns cache server and local pc). At this point, you must configure an access
    > list on your outside interfaces or you won't last long. Also, my guess is
    > you have the ip fw feature set as part of the vpn/fw bundle. If so, I would
    > definitely use it.
    >
    > > Here are the details of our setup:
    > >
    > > We are running IOS C1700-ADVSECURITYK9-M), Version 12.3(8)T1 and the Cisco
    > > SDM web management software Version 1.2 with 128 mb of Total Memory and 32
    > > mb of Flash Memory.
    > >
    > > Here is our current Running-config:
    > >
    > > Building configuration...
    > >
    > > Current configuration : 3056 bytes
    > > !
    > > version 12.3
    > > no service pad
    > > service tcp-keepalives-in
    > > service tcp-keepalives-out
    > > service timestamps debug datetime msec localtime show-timezone
    > > service timestamps log datetime msec localtime show-timezone
    > > service password-encryption
    > > service sequence-numbers
    > > !
    > > hostname xxxxxxx
    > > !
    > > boot-start-marker
    > > boot-end-marker
    > > !
    > > security authentication failure rate 3 log
    > > security passwords min-length 6
    > > logging buffered 51200 debugging
    > > logging console critical
    > > enable secret 5 $1$phDk$fWTiTdvXWznAOH/QPbHbd/
    > > !
    > > username admin privilege 15 secret 5 $1$bBMk$tSbePpxGpTj5frVjpQQP9/
    > > clock timezone PCTime -8
    > > clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
    > > mmi polling-interval 60
    > > no mmi auto-configure
    > > no mmi pvc
    > > mmi snmp-timeout 180
    > > no aaa new-model
    > > ip subnet-zero
    > > no ip source-route
    > > ip cef
    > > !
    > > !
    > > ip tcp synwait-time 10
    > > ip dhcp excluded-address 192.xxx.x.2 192.xxx.x.99
    > > !
    > > ip dhcp pool sdm-pool1
    > >  import all
    > >  network 192.xxx.x.0 255.255.255.0
    > >  dns-server 66.114.xxx.xxx 66.114.xxx.xxx
    > >  default-router 192.xxx.x.1
    > > !
    > > !
    > > ip ips po max-events 100
    > > no ip bootp server
    > > ip domain name xxxxxxxx.com
    > > ip name-server 207.115.xx.x
    > > ip name-server 207.115.xx.x
    > > ip ssh time-out 60
    > > ip ssh authentication-retries 2
    > > no ftp-server write-enable
    > > !
    > > !
    > > !
    > > !
    > > !
    > > !
    > > !
    > > !
    > > interface Ethernet0
    > >  description $FW_OUTSIDE$$ETH-WAN$
    > >  ip address 66.114.xxx.xxx 255.255.255.0
    > >  no ip redirects
    > >  no ip unreachables
    > >  no ip proxy-arp
    > >  ip nat outside
    > >  ip virtual-reassembly
    > >  ip route-cache flow
    > >  half-duplex
    > >  no cdp enable
    > > !
    > > interface Ethernet1
    > >  no ip address
    > >  no ip redirects
    > >  no ip unreachables
    > >  no ip proxy-arp
    > >  ip route-cache flow
    > >  shutdown
    > >  half-duplex
    > >  no cdp enable
    > > !
    > > interface FastEthernet0
    > >  description $FW_INSIDE$$ETH-LAN$$INTF-INFO-10/100 Ethernet$
    > >  ip address 192.xxx.x.1 255.255.255.0
    > >  no ip redirects
    > >  no ip unreachables
    > >  no ip proxy-arp
    > >  ip nat inside
    > >  ip virtual-reassembly
    > >  ip route-cache flow
    > >  speed auto
    > >  no cdp enable
    > > !
    > > ip classless
    > > ip route 0.0.0.0 0.0.0.0 66.114.xxx.xx
    > > ip http server
    > > ip http authentication local
    > > ip http secure-server
    > > ip nat inside source list 1 interface Ethernet0 overload
    > > ip nat inside source static tcp 192.xxx.x.20 20 66.114.xxx.xxx 20 extendable
    > > ip nat inside source static tcp 192.xxx.x.20 21 66.114.xxx.xxx 21 extendable
    > > ip nat inside source static tcp 192.xxx.x.20 53 66.114.xxx.xxx 53 extendable
    > > ip nat inside source static udp 192.xxx.x.20 53 66.114.xxx.xxx 53 extendable
    > > ip nat inside source static tcp 192.xxx.x.20 80 66.114.xxx.xxx 80 extendable
    > > !
    > > !
    > > logging trap debugging
    > > access-list 1 remark INSIDE_IF=FastEthernet0
    > > access-list 1 remark SDM_ACL Category=2
    > > access-list 1 permit 192.xxx.x.0 0.0.0.255
    > > no cdp run
    > > !
    > > control-plane
    > > !
    > > banner login ^CAuthorized access only!
    > > Disconnect IMMEDIATELY if you are not an authorized user!^C
    > > !
    > > line con 0
    > >  login local
    > >  transport output telnet
    > > line aux 0
    > >  login local
    > >  transport output telnet
    > > line vty 0 4
    > >  privilege level 15
    > >  login local
    > >  transport input telnet ssh
    > > line vty 5 15
    > >  privilege level 15
    > >  login local
    > >  transport input telnet ssh
    > > !
    > > scheduler allocate 4000 1000
    > > scheduler interval 500
    > > end
    > >
    > > Any Suggestions?
    > >
    > > We are using a virtual web hosting configuration on our servers with Windows
    > > Server 2003 running IIS 6.0. Being as we only have two public IP's, virtual
    > > hosting is the only method we can use for setting up multiple websites on
    > > our server. So being able to access them publicly by Domain from within our
    > > LAN is an absolute necessity being as we have no other way to view them.
    > >
    > > Thanks,
    > >
    > > Larry
     
    Larry, Sep 1, 2004
    #5
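    What PES's advice in the post above (translate the whole address rather than single ports, then put an access list on the outside interface and use the firewall feature set) looks like as IOS configuration. This is an added example, not code from the thread, from Cisco or from SDM. It assumes the second public address mentioned in the original post is free to dedicate to the server: 203.0.113.10 stands in for that masked public address and 192.168.1.20 for the masked inside server 192.xxx.x.20; Ethernet0 keeps its own address for the existing "overload" PAT of the LAN. The inspection syntax is the classic CBAC form available in the 12.3T image the post names.

```cisco
! Added example (not from the thread): whole-address static NAT for the
! server, an inbound ACL on the outside interface, and CBAC inspection.
! All addresses are placeholders; adjust them to the real ones.
!
! 1. One whole-address translation replaces the five per-port
!    "ip nat inside source static tcp/udp ... extendable" entries.
!    Remove those first (prefix each with "no") since they cover the
!    same ports. With a whole-address entry, the IOS NAT DNS ALG also
!    rewrites A records that answer 203.0.113.10 to 192.168.1.20 in
!    DNS replies that cross the NAT boundary, which is the behaviour
!    the reply relies on for inside hosts.
ip nat inside source static 192.168.1.20 203.0.113.10
!
! 2. Inbound filter for the outside interface. Inbound ACLs on the
!    outside interface are evaluated before outside-to-inside NAT, so
!    they match the public (inside-global) address 203.0.113.10, not
!    the private one. Only the services the old port forwards exposed
!    are permitted; everything else is logged and dropped. Return
!    traffic for LAN-initiated sessions is admitted by the inspection
!    rule in step 3, not by a static permit.
ip access-list extended OUTSIDE_IN
 remark published services on the static-NAT host
 permit tcp any host 203.0.113.10 eq ftp-data
 permit tcp any host 203.0.113.10 eq ftp
 permit tcp any host 203.0.113.10 eq domain
 permit udp any host 203.0.113.10 eq domain
 permit tcp any host 203.0.113.10 eq www
 remark ICMP types needed for path MTU discovery and troubleshooting
 permit icmp any any echo-reply
 permit icmp any any unreachable
 permit icmp any any time-exceeded
 deny   ip any any log
!
! 3. Stateful inspection (the "ip fw feature set" the reply refers to,
!    included in the ADVSECURITYK9 image). Sessions leaving through
!    Ethernet0 get temporary openings in OUTSIDE_IN for their replies.
ip inspect name FW tcp
ip inspect name FW udp
ip inspect name FW icmp
!
interface Ethernet0
 ip access-group OUTSIDE_IN in
 ip inspect FW out
```

    Two checks are worth making after applying this. First, the A-record rewrite only happens for DNS replies that actually traverse the router between its "ip nat inside" and "ip nat outside" interfaces; a LAN host that queries an internal DNS server directly never sends its query through the NAT and will still get the public address back, and cached answers on the DNS server and clients must be flushed as the reply says. Second, the trailing "deny ip any any log" also blocks the router's own SDM HTTPS and SSH listeners from the outside, which is the intended effect; manage it from the LAN side, and since the vty lines in the posted config still accept telnet ("transport input telnet ssh"), restricting them to "transport input ssh" is a small further hardening step. "show ip nat translations", "show access-lists" (hit counters per line) and "show ip inspect sessions" confirm that the translation, the filter and the inspection are all doing what is expected.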