Solved

Cisco 3640 configuration issue

Posted on 2007-08-10
Last Modified: 2013-11-05
I am trying to configure a Cisco 3640 to allow users within our network to access the global IP of machines within the same network. Currently the router works okay for all incoming external traffic seeking the web server and serves up those sites fine.

Users on the inside of the network can access the domain via the web server okay (for example www.xyz.com) and it displays the proper page in their browser. They can also bring up the page by typing in the internal IP address of the web server. However, when I try to bring up the page by typing in the global IP of the web server from within the network, no page is displayed.

I can ping the global IP internally, but that's about it! No telnet, HTTP or FTP access is permitted.

See my router config below (for this question I've used a local IP of the web server of 172.9.1.102 and its global IP as 202.25.224.19). Can anyone help me out?

ROUTER config
Using 2282 out of 129016 bytes
!
version 12.2
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname TESTBOX
!
logging buffered 4096 debugging
logging rate-limit console 10 except errors
enable secret xxxx
enable password xxxxx
!
ip subnet-zero
!
no ip finger
no ip domain-lookup
ip name-server 172.9.1.1
!
no ip dhcp-client network-discovery
mls rp ip route-map
partition flash 2 8 8
!
interface FastEthernet0/0
 ip address 172.9.1.1 255.255.255.0
 ip directed-broadcast
 ip accounting output-packets
 ip nat inside
 no ip mroute-cache
 speed auto
 full-duplex
 no cdp enable
!
interface FastEthernet0/1
 ip address 202.25.224.194 255.255.255.248
 ip directed-broadcast
 ip accounting output-packets
 ip nat outside
 speed auto
 full-duplex
 no cdp enable
!
router eigrp 100
 network 172.9.0.0
 auto-summary
 no eigrp log-neighbor-changes
!
ip nat inside source list 1 interface FastEthernet0/1 overload
ip nat inside source static 202.25.224.19 172.9.1.102 extendable
 ip nat inside source static 172.9.1.102 202.25.224.19

ip classless
ip route 0.0.0.0 0.0.0.0 202.25.224.193
ip http server
!
access-list 1 permit 172.9.1.0 0.0.0.255
no cdp run
snmp-server community public RO
!
line con 0
 transport input none
line aux 0
line vty 0 4
 password xxxx
 login
!
end
Question by:onthebrink
LVL 32

Expert Comment

by:rsivanandan
ID: 19675027
>>ip nat inside source static 202.25.224.19 172.9.1.102 extendable
>> ip nat inside source static 172.9.1.102 202.25.224.19

Why is this mentioned twice? You only need to do it once:


ip nat inside source static 172.9.1.102 202.25.224.19

Cheers,
Rajesh


Author Comment

by:onthebrink
ID: 19675144
Thanks Rajesh

OK. I have removed ">>ip nat inside source static 202.25.224.19 172.9.1.102 extendable", and can still ping the global IP from inside the network. But I am unable to telnet on port 80 / view http://202.25.224.19 from inside. For the record, I can access http://202.25.224.19 from outside the network.

What should I do to enable inside access to the global IP?

Regards,

Simon


Author Comment

by:onthebrink
ID: 19675376
Please note: I am running a piece of software internally that is trying to connect to the server's global IP address, and I can't change it; this is my dilemma.

I've been digging around looking for a PIX 'alias' equivalent for the Cisco router. From the Cisco site, I gather this could be IP NAT DESTINATION, but I am having difficulty getting the latter of the two following lines accepted:

IP NAT POOL whatever 202.25.224.19 202.25.224.24 255.255.255.240
IP NAT INSIDE DESTINATION LIST 1 POOL whatever STATIC 202.25.224.19 172.9.1.102

But when I try to enter the second line, I get as far as completing the pool name and the rest is not accepted by the router. Am I on the right track?

LVL 32

Expert Comment

by:rsivanandan
ID: 19675857
Hold on, before we try anything else, I want you to do something else:

Open up a browser and launch http://202.25.224.19.

Tell me what you get?

A timeout? Or what else?

Are these real IP addresses? Because if I try it, I get a timeout from where I am.

Cheers,
Rajesh



Author Comment

by:onthebrink
ID: 19676858
Hi Rajesh

http://globalip
inside the network: 'Page Cannot be displayed'
outside: Page appears okay.

The address above is not our real address.

Thanks,

Simon
LVL 32

Accepted Solution

by:
rsivanandan earned 1500 total points
ID: 19678185
Okay, Cisco's implementation of NAT doesn't support hairpinning of traffic, but DNS doctoring is supported. This is a known thing.

But what I'm confused about is, how is it that you're able to 'ping' the global IP address from inside? That also shouldn't have worked.

So in PIX, by default this is not enabled, and so per static you need to enable it, e.g. by the 'dns' keyword (http://www.rsivanandan.com/?p=20). But in a router, this is enabled the moment you enable the static statement. So when the traffic for the DNS query goes out, the router swaps it and gives the internal IP address, and that is why you are able to access it by domain name.

Can't the software reach this by 'domain name'?

If there is time, you could run Ethereal and try to capture the traffic while you are pinging and also accessing via browser, to see what exactly is happening. I can't try it out myself here since I don't have any equipment (I work for a Cisco competitor now :-( )

Cheers,
Rajesh
 
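The DNS doctoring that Rajesh describes above, shown as an added simulation that is not part of this thread and not Cisco's code: a DNS reply crossing the NAT boundary is inspected, and an A record carrying a static-NAT global address is rewritten to the inside local address before the inside host sees it. The static mapping table uses the question's sample addresses, and the reply builder constructs a minimal wire-format DNS response purely for the demonstration.

```python
import struct

# Static NAT table (global -> inside local), using the addresses from the question.
STATIC_NAT = {"202.25.224.19": "172.9.1.102"}

def _skip_name(msg, off):
    """Return the offset just past a DNS name, handling compression pointers."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length

def a_record_offsets(msg):
    """Yield (rdata offset, dotted address) for every A record in the answer section."""
    qd, an = struct.unpack_from("!HH", msg, 4)
    off = 12                                    # answers follow the 12-byte header and questions
    for _ in range(qd):
        off = _skip_name(msg, off) + 4          # skip QTYPE and QCLASS
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        if rtype == 1 and rdlen == 4:           # type A, IPv4 address
            yield off, ".".join(str(b) for b in msg[off:off + 4])
        off += rdlen

def doctor_dns_reply(msg, nat=STATIC_NAT):
    """Rewrite A records that carry a NAT global address to the inside local address."""
    out = bytearray(msg)
    for off, addr in a_record_offsets(msg):
        if addr in nat:
            out[off:off + 4] = bytes(int(o) for o in nat[addr].split("."))
    return bytes(out)

def build_a_reply(name, addr, txid=0x1234):
    """Constructed sample: a standard one-answer DNS response for name -> addr."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # QR=1, RD+RA, 1 question, 1 answer
    question = qname + struct.pack("!HH", 1, 1)                 # QTYPE A, QCLASS IN
    rdata = bytes(int(o) for o in addr.split("."))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + rdata   # name = pointer to offset 12
    return header + question + answer

def resolved_addresses(msg):
    """Addresses an inside host would see after the reply passes through the router."""
    return [addr for _, addr in a_record_offsets(doctor_dns_reply(msg))]
```

Calling `resolved_addresses(build_a_reply("www.xyz.com", "202.25.224.19"))` returns `['172.9.1.102']`, which is why browsing by name works from inside while browsing by the global IP does not; a reply for an address with no static mapping passes through unchanged.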

Author Comment

by:onthebrink
ID: 19678232
After I cleared NAT and ARP the ping stopped working; then when I added the reverse of:
ip nat inside source static 172.9.1.102 202.25.224.19
with an extra line:
ip nat inside source static 202.25.224.19 172.9.1.102
then pings to the global IP from within the network started to work again. But ping is all I can do.

I'll now wait until the replacement gear arrives next week... we're migrating from Cisco to D-Link routers, firewalls and switches.

It (the Cisco 3640) was working fine until I started mucking around with the config, and I didn't keep a backup... doh! Anyway, lesson learned. Thanks for your time in any case. Much appreciated.

Simon
LVL 32

Expert Comment

by:rsivanandan
ID: 19678239
Ah, the pings were working when you had the inverse mapping on! Okay, so that clears it up. Anyway, thanks for the points.

Cheers,
Rajesh
LVL 5

Expert Comment

by:ein_mann_betrieb
ID: 19723614
Eh, I know it's late in the game here... but since the answer is not exactly what was asked for, here is a thought...

What about using a loopback interface with a route map that is controlled through an ACL?

I would have to think about the syntax, and I am not even sure it would work... but it's an idea that might solve your problem...

-Cheers, Peter.

Author Comment

by:onthebrink
ID: 19724088
Thanks for the suggestion, Peter. However, replacement gear has arrived and been deployed; internal access to NATed global IPs is now working (and we've tossed out the 3640!!).