andersenks
asked on
Cannot access public IP from internal network
Client wants to use the public IP assigned to a SQL DB so they don't have to change it when their sales staff goes on and off site. I recommended working around this by using DNS but they are out of host records from their DNS provider.
I'm able to ping the public IP from the internal network, but using a browser it times out. Using the internal IP it works fine. The internal IP is 172.16.5.25 and the public IP is 66.x.x.27.
ip nat inside source static tcp 172.16.5.25 80 66.x.x.27 80 extendable
interface GigabitEthernet0/0
description DATA network
ip address 172.16.5.1 255.255.255.0
ip access-group 101 in
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface GigabitEthernet0/1
description PHONE network
ip address 172.16.10.1 255.255.255.0
ip access-group 102 in
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface Serial0/1/0
no ip address
encapsulation frame-relay IETF
no ip mroute-cache
service-module t1 timeslots 1-24
frame-relay lmi-type ansi
!
interface Serial0/1/0.1 point-to-point
no ip mroute-cache
frame-relay interface-dlci 16 ppp Virtual-Template1
!
interface Virtual-PPP1
no ip address
!
interface Virtual-Template1
description T1 outside
ip address 66.x.x.26 255.255.255.248
ip access-group 103 in
ip verify unicast reverse-path
ip nat outside
ip inspect TELNET in
ip inspect SDM_LOW out
ip virtual-reassembly
ip route-cache flow
ppp chap hostname xxx
ppp chap password 7 xxx
crypto map VPN
!
interface Virtual-TokenRing1
no ip address
ring-speed 16
!
ip local pool vpnpool 172.16.40.100 172.16.40.254
ip classless
ip route 0.0.0.0 0.0.0.0 66.x.x.25
!
ip dns server
ip flow-export version 5
ip flow-export destination 172.16.5.4 9996
!
ip http server
no ip http secure-server
ip nat inside source route-map nonat interface Virtual-Template1 overload
ip nat inside source static tcp 172.16.5.1 23 66.x.x.26 23 extendable
ip nat inside source static tcp 172.16.5.80 80 66.x.x.26 80 extendable
ip nat inside source static tcp 172.16.5.80 9090 66.x.x.26 9090 extendable
ip nat inside source static tcp 172.16.5.80 9192 66.x.x.26 9192 extendable
ip nat inside source static tcp 172.16.5.25 80 66.x.x.27 80 extendable
ip nat inside source static tcp 172.16.5.81 80 66.x.x.28 80 extendable
ip nat inside source static tcp 172.16.5.81 9090 66.x.x.28 9090 extendable
ip nat inside source static tcp 172.16.5.81 9192 66.x.x.28 9192 extendable
ip nat inside source static tcp 172.16.5.5 80 66.x.x.29 80 extendable
ip nat inside source static tcp 172.16.5.82 80 66.x.x.30 80 extendable
ip nat inside source static tcp 172.16.5.82 9090 66.x.x.30 9090 extendable
ip nat inside source static tcp 172.16.5.82 9192 66.x.x.30 9192 extendable
!
access-list 10 permit 172.16.0.0 0.0.255.255
access-list 101 remark ACL for ShoreTel VoIP
access-list 101 deny ip 172.16.10.0 0.0.0.255 any
access-list 101 deny ip 66.x.x.24 0.0.0.7 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 permit ip any any
access-list 102 remark ACL for network traffic
access-list 102 deny ip 172.16.5.0 0.0.0.255 any
access-list 102 deny ip 66.x.x.24 0.0.0.7 any
access-list 102 deny ip host 255.255.255.255 any
access-list 102 deny ip 127.0.0.0 0.255.255.255 any
access-list 102 permit ip any any
access-list 103 remark Traffic allowed over Virtual Template1 T1
access-list 103 permit ahp host 208.x.x.171 host 66.x.x.26
access-list 103 permit esp host 208.x.x.171 host 66.x.x.26
access-list 103 permit udp host 208.x.x.171 host 66.x.x.26 eq isakmp
access-list 103 permit udp host 208.x.x.171 host 66.x.x.26 eq non500-isakmp
access-list 103 permit ip 172.16.5.0 0.0.0.255 66.167.224.0 0.0.0.255
access-list 103 permit ip 192.168.100.0 0.0.0.255 172.16.0.0 0.0.255.255
access-list 103 deny ip 172.16.5.0 0.0.0.255 any
access-list 103 deny ip 172.16.10.0 0.0.0.255 any
access-list 103 permit icmp any host 66.x.x.26 echo-reply
access-list 103 permit icmp any host 66.x.x.26 time-exceeded
access-list 103 permit icmp any host 66.x.x.26 unreachable
access-list 103 permit udp any any eq domain
access-list 103 permit udp any eq domain any
access-list 103 permit tcp any any eq 4445
access-list 103 permit tcp any any eq www
access-list 103 permit tcp any any eq 5800
access-list 103 permit tcp any any eq 5900
access-list 103 permit tcp any any eq 9090
access-list 103 permit tcp any any eq 9192
access-list 103 permit tcp any any eq telnet
access-list 103 permit udp any any eq 5004
access-list 103 permit udp any any eq non500-isakmp
access-list 103 permit udp any any eq isakmp
access-list 103 permit esp any any
access-list 103 permit gre any any
access-list 103 deny ip 10.0.0.0 0.255.255.255 any
access-list 103 deny ip 172.16.0.0 0.15.255.255 any
access-list 103 deny ip 192.168.0.0 0.0.255.255 any
access-list 103 deny ip 127.0.0.0 0.255.255.255 any
access-list 103 deny ip host 255.255.255.255 any
access-list 103 deny ip host 0.0.0.0 any
access-list 103 deny ip any any log
access-list 110 remark Tunnel
access-list 110 permit ip 172.16.0.0 0.0.255.255 192.168.100.0 0.0.0.255
access-list 140 remark VPN clients
access-list 140 permit ip 192.168.100.0 0.0.0.255 172.16.40.0 0.0.0.255
access-list 140 permit ip 172.16.10.0 0.0.0.255 172.16.40.0 0.0.0.255
access-list 140 permit ip 172.16.5.0 0.0.0.255 172.16.40.0 0.0.0.255
access-list 199 deny ip 172.16.0.0 0.0.255.255 192.168.100.0 0.0.0.255
access-list 199 deny ip 172.16.0.0 0.0.255.255 172.16.40.0 0.0.0.255
access-list 199 permit ip any any
!
route-map nonat permit 10
match ip address 199
Are there no public hostnames pointing to the machine the SQL database is on? None at all?
You could host your DNS records at any $5 host and keep your mail on the current host... just set up your new host records, MX and A (and www, etc.), to point to the same IP addresses they do right now. There's no technical reason to have the DNS host and the mail host be the same company.
What about using the hosts file on the workstations? C:\Windows\System32\drivers\etc\hosts
xxx.xxx.xxx.xxx hostname
Add both entries there.
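The two suggestions above (split DNS records and a workstation hosts file) both work around the same router behaviour: a packet entering an "ip nat inside" interface and addressed to one of the static-NAT global addresses is routed toward the outside interface first, so the destination is never translated back to the inside host and the connection times out even though the router answers pings for that address. The following script is an added example, not code from the thread or from any product; it parses static NAT lines of the form shown in the config above, answers name lookups split-horizon style (inside clients get the inside host, everyone else gets the public address) and generates the hosts-file entries the second comment suggests. The zone names and the 203.0.113.x addresses are placeholders standing in for the page's masked 66.x.x.N addresses; the 172.16.x.x addresses are the ones from the config.

```python
import ipaddress
import re

# Constructed sample input: the static NAT lines from the router config above, with
# the page's masked 66.x.x.N addresses replaced by the RFC 5737 documentation
# prefix 203.0.113.N (placeholder, not the real public addresses).
NAT_CONFIG = """\
ip nat inside source static tcp 172.16.5.1 23 203.0.113.26 23 extendable
ip nat inside source static tcp 172.16.5.80 80 203.0.113.26 80 extendable
ip nat inside source static tcp 172.16.5.25 80 203.0.113.27 80 extendable
ip nat inside source static tcp 172.16.5.81 80 203.0.113.28 80 extendable
"""

# Networks behind an 'ip nat inside' interface (GigabitEthernet0/0 and 0/1 above).
INSIDE_NETWORKS = [
    ipaddress.ip_network("172.16.5.0/24"),
    ipaddress.ip_network("172.16.10.0/24"),
]

# Hypothetical external zone data: published name -> global (public) address.
ZONE = {"sql.example.com": "203.0.113.27", "web.example.com": "203.0.113.26"}

NAT_LINE = re.compile(
    r"^ip nat inside source static tcp (?P<inside>\S+) (?P<iport>\d+) "
    r"(?P<global>\S+) (?P<gport>\d+)"
)


def parse_static_nat(config):
    """Return {(global_ip, global_port): (inside_ip, inside_port)} from static NAT lines."""
    table = {}
    for line in config.splitlines():
        m = NAT_LINE.match(line.strip())
        if m:
            table[(m["global"], int(m["gport"]))] = (m["inside"], int(m["iport"]))
    return table


def is_inside(client_ip):
    """True when the client sits behind one of the inside NAT interfaces."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in INSIDE_NETWORKS)


def resolve(hostname, port, client_ip, zone=ZONE, nat_table=None):
    """Split-horizon answer: an inside client asking for a service that has a
    static mapping gets the inside host; anyone else gets the published address.
    An inside client asking for an unmapped port also gets the public address,
    which is exactly the case the router cannot hairpin."""
    if nat_table is None:
        nat_table = parse_static_nat(NAT_CONFIG)
    public = zone[hostname]
    if is_inside(client_ip):
        target = nat_table.get((public, port))
        if target is not None:
            return target[0]
    return public


def hosts_file_entries(zone=ZONE, nat_table=None):
    """Lines for the workstation hosts file, one per published name.
    A hosts entry is per name, not per port, so a global address whose ports
    map to different inside hosts (203.0.113.26 above: telnet to the router,
    www to 172.16.5.80) is reported instead of silently picking one."""
    if nat_table is None:
        nat_table = parse_static_nat(NAT_CONFIG)
    lines, skipped = [], []
    for name, public in zone.items():
        inside_hosts = {ins for (glob, _), (ins, _) in nat_table.items() if glob == public}
        if len(inside_hosts) == 1:
            lines.append(f"{inside_hosts.pop()}\t{name}")
        elif inside_hosts:
            skipped.append((name, sorted(inside_hosts)))
    return lines, skipped


if __name__ == "__main__":
    print(resolve("sql.example.com", 80, "172.16.5.50"))   # inside client -> 172.16.5.25
    print(resolve("sql.example.com", 80, "198.51.100.7"))  # outside client -> 203.0.113.27
    entries, ambiguous = hosts_file_entries()
    print("\n".join(entries))
    for name, hosts in ambiguous:
        print(f"# {name}: ports map to several inside hosts {hosts}, add by hand")
```

The per-port table matters because the config above already contains the ambiguous case: 66.x.x.26 fronts the router's own telnet port and a separate web server, so a name-only answer (DNS A record or hosts line) can only be correct for one of them. The asker's eventual fix, making the internal and external names match, is the DNS form of the same split-horizon lookup.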
ASKER
I talked them into deleting one of their DNS entries from their hosting provider and configured the internal and external names to match.
Thanks guys