Solved

Cisco: Can't browse my static IPs from my LAN

Posted on 2009-04-08
Last Modified: 2012-05-06
Trying to figure out a way to browse my static IPs from my LAN, like ya.mitelxxxx.com
resolves to the 65.xx.xx.234 address but I can't browse them. I can PING them but can't browse; I didn't know if I can't

It's being NATted like: ip nat inside source static 192.168.14.24 65.xx.xx.234

But I want our machines in the LAN to get to ya.mitelxxxx.com, which resolves to 65.xx.xx.234, but we can't browse them.

But I'm not sure if it's blocked in an ACL. I tried going to each ACL and doing a permit ip any any, but no luck.

Thanks
AmtecLV1841#sh run
Building configuration...
Current configuration : 16691 bytes
!
! Last configuration change at 12:34:55 PST Fri Mar 13 2009 by johnny
! NVRAM config last updated at 12:14:48 PST Thu Mar 12 2009 by johnny
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime localtime
service timestamps log datetime localtime
service password-encryption
!
hostname AmtecLV1841
!
boot-start-marker
boot system flash
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 5
logging buffered 51200 debugging
logging console critical
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login User_Database local
aaa authorization network MGMT local
!
aaa session-id common
clock timezone PST -8
no ip source-route
ip cef
!
!
ip inspect name Firewall cuseeme
ip inspect name Firewall ftp
ip inspect name Firewall h323
ip inspect name Firewall netshow
ip inspect name Firewall rcmd
ip inspect name Firewall realaudio
ip inspect name Firewall rtsp
ip inspect name Firewall sqlnet
ip inspect name Firewall streamworks
ip inspect name Firewall tftp
ip inspect name Firewall tcp
ip inspect name Firewall udp
ip inspect name Firewall vdolive
ip inspect name Firewall icmp
ip inspect name Firewall esmtp
ip inspect name Firewall sip
ip inspect name Firewall sip-tls
ip tcp path-mtu-discovery
ip telnet source-interface FastEthernet0/1
!
!
no ip bootp server
ip name-server 4.2.2.2
ip name-server 65.106.1.196
ip name-server 65.106.7.196
!
!
crypto pki trustpoint TP-self-signed-39676
enrollment selfsigned
subject-name cn=IO-Self-Signed-Certific!
!
class-map match-any IP_Node
match access-group 104
!
!
policy-map VoIP_Priority
class IP_Node
 set ip dscp ef
 priority 256
class class-default
 fair-queue
 random-detect
policy-map QoS
class class-default
 shape average 500000 5000 0
 service-policy VoIP_Priority
!
!
crypto keyring 1
  pre-shared-key address 71.xx.xxx.241 key amfasdf
crypto keyring 2
  pre-shared-key address 0.0.0.0 0.0.0.0 key wivzvzx0
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 2
encr 3des
authentication pre-share
group 2
lifetime 28800
!
crypto isakmp client configuration group MGMT
key asdfasdfa
dns 192.168.11.1 64.xx.xx.17
wins 192.168.11.1
domain amtec.local
pool VPN_IPs
acl 105
max-users 3
max-logins 3
netmask 255.255.255.0
crypto isakmp profile 1
  description Tunnel to San Bernardino
  keyring 1
  match identity address 71.xx.xx.241 255.255.255.255
crypto isakmp profile 2
  description VPN Client profile
  match identity group asdf
  client authentication list User_Database
  isakmp authorization list asdf
  client configuration address respond
crypto isakmp profile 3
  description Tunnel to internet
  keyring 2
  match identity address 0.0.0.0
!
!
crypto ipsec transform-set Transform_Set_1 esp-3des esp-sha-hmac
crypto ipsec df-bit clear
!
crypto dynamic-map Site-to-Site 3
set transform-set Transform_Set_1
 set isakmp-profile 3
!
crypto dynamic-map VPN_Client 2
set security-association idle-time 1800
set transform-set Transform_Set_1
 set isakmp-profile 2
reverse-route
!
!
crypto map VPN_Tunnel 1 ipsec-isakmp
 description Tunnel to San Bernardino
set peer 71.xx.xx.241
set transform-set Transform_Set_1
 set isakmp-profile 1
match address 100
qos pre-classify
crypto map VPN_Tunnel 2 ipsec-isakmp dynamic VPN_Client
crypto map VPN_Tunnel 3 ipsec-isakmp dynamic Site-to-Site
!
bridge irb
!
!
interface Loopback0
description Virtual NAT Interface
ip address 1.1.1.1 255.255.255.252
!
interface Loopback2
ip address 2.2.2.2 255.255.255.255
!
interface Null0
no ip unreachables
!
interface FastEthernet0/0
description Connected to TelePacific Internet$FW_OUTSIDE$
ip address 65.xx.xx.226 255.255.255.240
ip access-group 103 in
no ip redirects
no ip unreachables
ip directed-broadcast
ip inspect Firewall out
ip nat outside
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
no cdp enable
crypto map VPN_Tunnel
crypto ipsec fragmentation before-encryption
!
interface FastEthernet0/1
description $FW_INSIDE$
ip address 192.168.11.254 255.255.255.0
ip access-group 102 in
no ip redirects
no ip unreachables
ip directed-broadcast
ip nat inside
ip virtual-reassembly
ip policy route-map NAT_Filter
duplex auto
speed auto
!
interface FastEthernet0/1.1
no cdp enable
!
interface FastEthernet0/1/0
switchport access vlan 10
!
interface FastEthernet0/1/1
!
interface FastEthernet0/1/2
!
interface FastEthernet0/1/3
!
interface Serial0/0/0
ip address 64.xx.xx.10 255.255.255.252
no ip redirects
no ip unreachables
ip nat outside
ip virtual-reassembly
encapsulation ppp
service-module t1 timeslots 1-24
!
interface Vlan1
no ip address
!
interface Vlan10
ip address 65.xx.xx.46 255.255.255.128
ip access-group 103 in
ip verify unicast reverse-path
no ip redirects
no ip unreachables
ip directed-broadcast
ip nat outside
ip virtual-reassembly
crypto map VPN_Tunnel
crypto ipsec fragmentation before-encryption
!
interface BVI1
no ip address
!
ip local pool VPN_IPs 192.168.255.1 192.168.255.10
ip forward-protocol udp netbios-ss
ip route 0.0.0.0 0.0.0.0 Serial0/0/0 10
ip route 0.0.0.0 0.0.0.0 65.xx.xx.1
ip route 192.168.14.0 255.255.255.0 192.168.11.2
!        
ip http server
ip http authentication local
ip http secure-server
ip nat inside source route-map Ethernet interface Vlan10 overload
ip nat inside source route-map Nat interface FastEthernet0/0 overload
ip nat inside source route-map T1 interface Serial0/0/0 overload
ip nat inside source static tcp 192.168.11.1 25 65.xx.xx.46 25 extendable
ip nat inside source static tcp 192.168.11.1 80 65.xx.xx.46 80 extendable
ip nat inside source static tcp 192.168.11.1 443 65.xx.xx.46 443 extendable
ip nat inside source static tcp 192.168.11.1 3389 65.xx.xx.46 3389 extendable
ip nat inside source static tcp 192.168.11.1 4125 65.xx.xx.46 4125 extendable
ip nat inside source static tcp 192.168.11.1 25 65.xx.xx.230 25 extendable
ip nat inside source static tcp 192.168.11.1 80 65.xx.xx.230 80 extendable
ip nat inside source static tcp 192.168.11.1 443 65.xx.xx.230 443 extendable
ip nat inside source static tcp 192.168.11.1 3389 65.xx.xx.230 3389 extendable
ip nat inside source static 192.168.14.27 65.xx.xx.231
ip nat inside source static 192.168.14.2 65.xx.xx.232
ip nat inside source static tcp 192.168.14.24 80 65.xx.xx.234 80 extendable
ip nat inside source static tcp 192.168.14.24 37000 65.xx.xx.234 37000 extendable
ip nat inside source static tcp 192.168.11.1 3389 65.xx.xx.238 3389 extendable
ip nat outside source static 192.168.11.1 65.xx.xx.230
ip nat outside source static 192.168.14.2 65.xx.xx.232
ip nat outside source static 192.168.14.24 65.xx.xx.234
ip nat outside source static 192.168.14.27 65.xx.xx.231
!
ip access-list extended XoStatics
permit ip 65.xx.xx.224 0.0.0.15 any
!
access-list 100 permit ip 192.168.11.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 100 permit ip 192.168.11.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 100 permit ip 192.168.255.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 100 permit ip 192.168.14.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 100 permit ip 192.168.3.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 100 permit ip 192.168.10.0 0.0.0.255 192.168.14.0 0.0.0.255
access-list 101 permit ip any any
access-list 101 deny   ip 192.168.11.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 deny   ip 192.168.11.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 101 deny   ip 192.168.11.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 101 deny   ip 192.168.11.0 0.0.0.255 192.168.254.0 0.0.0.255
access-list 101 deny   ip 192.168.11.0 0.0.0.255 192.168.255.0 0.0.0.255
access-list 101 deny   ip 192.168.14.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 101 deny   ip 192.168.14.0 0.0.0.255 192.168.254.0 0.0.0.255
access-list 101 deny   ip 192.168.14.0 0.0.0.255 192.168.255.0 0.0.0.255
access-list 101 deny   ip 192.168.255.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 101 deny   ip 192.168.3.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 101 permit ip 192.168.11.0 0.0.0.255 any
access-list 101 permit ip 192.168.14.0 0.0.0.255 any
access-list 102 permit ip any host 192.168.14.28
access-list 102 permit ip host 192.168.14.28 any
access-list 102 deny   ip 65.xx.xx.0 0.0.0.15 any
access-list 102 permit ip 192.168.14.0 0.0.0.255 any
access-list 102 deny   ip host 255.255.255.255 any
access-list 102 deny   ip 127.0.0.0 0.255.255.255 any
access-list 102 permit ip host 192.168.11.28 192.168.254.0 0.0.0.255
access-list 102 permit ip any host 192.168.14.27
access-list 102 permit ip host 192.168.14.27 any
access-list 102 permit tcp any any eq 5060
access-list 102 permit ip host 209.203.104.37 host 192.168.14.2
access-list 102 permit ip host 192.168.14.2 192.168.254.0 0.0.0.255
access-list 102 permit ip 192.168.14.0 0.0.0.255 192.168.254.0 0.0.0.255
access-list 102 deny   ip 192.168.11.0 0.0.0.255 192.168.254.0 0.0.0.255
access-list 102 deny   icmp any 192.168.254.0 0.0.0.255
access-list 102 permit ip any any
access-list 103 permit ip 192.168.10.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 103 permit ip 192.168.14.0 0.0.0.255 any
access-list 103 permit ip host 0.0.0.0 any
access-list 103 permit ip 192.168.10.0 0.0.0.255 192.168.255.0 0.0.0.255
access-list 103 permit ahp any host 65.xx.xx.226
access-list 103 permit esp any host 65.xx.xx.226
access-list 103 permit udp any host 65.xx.xx.226 eq 5060
access-list 103 permit ip host 192.168.14.27 any
access-list 103 permit ip any host 192.168.14.27
access-list 103 permit udp any host 65.xx.xx.226 eq isakmp
access-list 103 permit udp any host 65.xx.xx.226 eq non500-isakmp
access-list 103 permit esp any any
access-list 103 permit gre any any
access-list 103 permit tcp any any eq 1723
access-list 103 permit ip 192.168.2.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 103 permit ip 192.168.3.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 103 permit ip 192.168.3.0 0.0.0.255 192.168.11.0 0.0.0.255
access-list 103 permit ip 192.168.3.0 0.0.0.255 192.168.14.0 0.0.0.255
access-list 103 permit ip 192.168.10.0 0.0.0.255 192.168.11.0 0.0.0.255
access-list 103 permit ip 192.168.10.0 0.0.0.255 192.168.14.0 0.0.0.255
access-list 103 permit ip 192.168.254.0 0.0.0.255 host 192.168.11.28
access-list 103 permit ip 192.168.254.0 0.0.0.255 192.168.14.0 0.0.0.255
access-list 103 deny   ip 192.168.254.0 0.0.0.255 any
access-list 103 permit ip 192.168.255.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 103 permit ip 192.168.255.0 0.0.0.255 192.168.11.0 0.0.0.255
access-list 103 permit ip 192.168.255.0 0.0.0.255 192.168.14.0 0.0.0.255
access-list 103 deny   icmp 192.168.254.0 0.0.0.255 any
access-list 103 permit icmp any any echo-reply
access-list 103 permit icmp any any time-exceeded
access-list 103 permit icmp any any timestamp-reply
access-list 103 permit icmp any any traceroute
access-list 103 permit icmp any any unreachable
access-list 103 permit udp any any eq ntp
access-list 103 permit tcp any host 65.xx.xx.226 eq 161
access-list 103 permit tcp any host 65.xx.xx.226 eq 162
access-list 103 permit udp any host 65.xx.xx.226 eq snmp
access-list 103 permit udp any host 65.xx.xx.226 eq snmptrap
access-list 103 permit tcp any host 65.xx.xx.226 eq smtp
access-list 103 permit tcp any host 65.xx.xx.226 eq www
access-list 103 permit tcp any host 65.xx.xx.226 eq 443
access-list 103 permit tcp any host 65.xx.xx.226 eq 3389
access-list 103 permit tcp any host 65.xx.xx.226 eq 4125
access-list 103 permit tcp any host 65.xx.xx.226 eq 37000
access-list 103 permit tcp any host 65.xx.xx.226 eq ftp
access-list 103 permit tcp any host 65.xx.xx.226 eq ftp-data
access-list 103 deny   ip 192.168.11.0 0.0.0.255 any
access-list 103 deny   ip 10.0.0.0 0.255.255.255 any
access-list 103 deny   ip 172.16.0.0 0.15.255.255 any
access-list 103 deny   ip 192.168.0.0 0.0.255.255 any
access-list 103 deny   ip 127.0.0.0 0.255.255.255 any
access-list 103 deny   ip host 255.255.255.255 any
access-list 103 deny   ip host 0.0.0.0 any
access-list 103 deny   ip any any log
access-list 103 permit udp any any eq 5060
access-list 103 permit tcp any any eq 5060
access-list 104 permit ip host 192.168.14.2 any
access-list 104 permit ip any host 192.168.14.2
access-list 104 permit ip 192.168.14.0 0.0.0.255 0.0.0.0 255.255.255.0
access-list 104 remark IP Nodes / Phones
access-list 105 permit ip 192.168.10.0 0.0.0.255 192.168.255.0 0.0.0.255
access-list 105 permit ip 192.168.11.0 0.0.0.255 192.168.255.0 0.0.0.255
access-list 105 permit ip 192.168.14.0 0.0.0.255 192.168.255.0 0.0.0.255
access-list 105 permit ip 192.168.255.0 0.0.0.255 any
access-list 105 remark VPN Split Tunnel Rules
access-list 106 permit ip host 192.168.11.1 192.168.3.0 0.0.0.255
access-list 106 permit ip host 192.168.11.1 192.168.10.0 0.0.0.255
access-list 106 permit ip host 192.168.11.1 192.168.255.0 0.0.0.255
access-list 106 remark Route Map Rules
access-list 150 permit ip host 192.168.11.1 any
access-list 199 permit ip any host 65.xx.xx.228
access-list 199 permit ip any any
no cdp run
route-map XoRoutemap permit 10
match ip address XoStatics
!
route-map NAT_Filter permit 1
match ip address 106
set ip next-hop 1.1.1.2
!
route-map NAT_Filter permit 20
match ip address 150
set ip next-hop 64.xx.xx.9
!
route-map Ethernet permit 10
match ip address 101
match interface Vlan10
!
!
route-map Nat permit 1
match ip address 101
!
route-map T1 permit 10
match ip address 101
match interface Serial0/0/0
!
!
!
control-plane
!
bridge 1 protocol ieee
banner motd ^CC
*********************************************************************************
*                                                                               *
* This is a private computer system.                                            *
* Unauthorized Access is prohibited. All Access is logged.                      *
* Any unauthorized access will be prosecuted to the fullest extent of the law.  *
*                                                                               *
*********************************************************************************
^C
!
scheduler max-task-time 5000
scheduler allocate 20000 1000
sntp server 204.12.0021
end

Question by: ritztech
3 Comments

Expert Comment by: JFrederick29 (ID: 24115315)
It's not an ACL issue, it's a NAT issue.

You either use NAT Virtual Interface (NVI) on the router, which removes the inside/outside NAT domains and the router NATs the traffic regardless of which interface it receives the traffic on,

or:

If you have internal DNS servers, create a zone for mitelxxxx.com and create an A record for ya but have it resolve to the internal IP (192.168.14.24).

You can also touch every PC and add a hosts file entry for ya.mitelxxxx.com and have it resolve to 192.168.14.24.

Author Comment by: ritztech (ID: 24115906)
ODD thing is when I do a

no ip nat inside source static 192.168.14.24 65.xx.xx.234

AND I have my DNS SERVER set to 4.2.2.2 on my PC

it doesn't work when I ping ya.mitelxxxx.com

But if I add it back in, instead of replying on 192.168.14.24 it gives me the reply on 65.xx.xx.234

and if I have that NAT statement in for like 10 min it works

AND my DNS server is 4.2.2.2, not 192.168.11.1 ....

How do you think I should go about this? Should I even look at the router?

thanks

Accepted Solution by: JFrederick29 (earned 500 total points, ID: 24115975)
That's strange.

The best way to do this is to use your internal DNS server for the client and create the mitelxxxx.com zone with the "ya" record pointing to the 192.168.14.24 IP. This keeps traffic on the local LAN instead of traversing the router (if doing NVI). The 192.168.11.1 DNS server simply needs forwarders to 4.2.2.2, or to use root hints, which I believe is the default.
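Added example (Python, not from either poster and not IOS configuration): it reads "ip nat inside source static" lines in the form shown in the config above and derives what the internal DNS zone or per-PC hosts file should answer, as the accepted answer and the first comment both recommend, so LAN clients reach the private address directly instead of hairpinning through the NAT router. It goes one step beyond the thread by flagging a public IP that fronts several inside hosts by port, where a single A record cannot work. The sample config and public DNS answers are constructed: the masked 65.xx.xx.x block is replaced by 203.0.113.0/24 and every name other than ya.mitelxxxx.com is hypothetical.

```python
"""Derive split-DNS records from a router's static NAT table (added example, not IOS code)."""
# Constructed sample in the style of the "ip nat inside source static" lines in the
# config above; the masked 65.xx.xx.x public block is replaced by 203.0.113.0/24.
SAMPLE_CONFIG = """\
ip nat inside source static tcp 192.168.11.1 80 203.0.113.230 80 extendable
ip nat inside source static tcp 192.168.11.1 443 203.0.113.230 443 extendable
ip nat inside source static tcp 192.168.11.5 25 203.0.113.230 25 extendable
ip nat inside source static 192.168.14.27 203.0.113.231
ip nat inside source static tcp 192.168.14.24 80 203.0.113.234 80 extendable
ip nat inside source static tcp 192.168.14.24 37000 203.0.113.234 37000 extendable
"""
# Constructed: what public DNS answers for each name the LAN clients want to reach.
PUBLIC_NAMES = {
    "ya.mitelxxxx.com": "203.0.113.234",  # the host from the question
    "mail.example.com": "203.0.113.230",  # hypothetical name on a shared public IP
    "www.example.net": "198.51.100.7",    # hypothetical, not NATed by this router
}

def parse_static_nat(config_text):
    """Map each public address to the set of inside hosts statically NATed to it."""
    nat = {}
    for line in config_text.splitlines():
        tok = line.split()
        if tok[:5] != ["ip", "nat", "inside", "source", "static"]:
            continue
        rest = tok[5:]
        if rest[0] in ("tcp", "udp"):  # port-level: proto inside iport public oport ...
            inside, public = rest[1], rest[3]
        else:  # one-to-one: inside public
            inside, public = rest[0], rest[1]
        nat.setdefault(public, set()).add(inside)
    return nat

def internal_records(public_names, nat):
    """Decide what the internal DNS view should answer for each public name.
    split-dns: exactly one inside host, answer its private IP (no hairpin through NAT).
    ambiguous: the public IP fronts several inside hosts by port, one A record can't do it.
    external:  not a local static NAT, leave the public answer alone."""
    out = {}
    for name, public_ip in public_names.items():
        insides = nat.get(public_ip)
        if insides is None:
            out[name] = ("external", public_ip)
        elif len(insides) == 1:
            out[name] = ("split-dns", next(iter(insides)))
        else:
            out[name] = ("ambiguous", ",".join(sorted(insides)))
    return out

def hosts_file_lines(records):
    """Per-PC hosts-file fallback from the answer, only for the unambiguous cases."""
    return [f"{ip} {name}" for name, (kind, ip) in sorted(records.items()) if kind == "split-dns"]
```

With the LAN client pointed at 192.168.11.1 as the answer recommends, the split-dns entries go into that server's mitelxxxx.com zone; the ambiguous case is where NVI (or per-service names) is still needed.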