andersenks (United States of America) asked:
Cannot access public IP from internal network

Client wants to use the public IP assigned to a SQL DB so they don't have to change it when their sales staff goes on and off site. I recommended working around this by using DNS but they are out of host records from their DNS provider.

I'm able to ping the public IP from the internal network. But using a browser it times out. Using the internal IP it works fine. Internal IP is 172.16.5.25 public IP is 66.x.x.27.

ip nat inside source static tcp 172.16.5.25 80 66.x.x.27 80 extendable
interface GigabitEthernet0/0
 description DATA network
 ip address 172.16.5.1 255.255.255.0
 ip access-group 101 in
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 description PHONE network
 ip address 172.16.10.1 255.255.255.0
 ip access-group 102 in
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface Serial0/1/0
 no ip address
 encapsulation frame-relay IETF
 no ip mroute-cache
 service-module t1 timeslots 1-24
 frame-relay lmi-type ansi
!
interface Serial0/1/0.1 point-to-point
 no ip mroute-cache
 frame-relay interface-dlci 16 ppp Virtual-Template1
!
interface Virtual-PPP1
 no ip address
!
interface Virtual-Template1
 description T1 outside
 ip address 66.x.x.26 255.255.255.248
 ip access-group 103 in
 ip verify unicast reverse-path
 ip nat outside
 ip inspect TELNET in
 ip inspect SDM_LOW out
 ip virtual-reassembly
 ip route-cache flow
 ppp chap hostname xxx
 ppp chap password 7 xxx
 crypto map VPN
!
interface Virtual-TokenRing1
 no ip address
 ring-speed 16
!
ip local pool vpnpool 172.16.40.100 172.16.40.254
ip classless
ip route 0.0.0.0 0.0.0.0 66.x.x.25
!
ip dns server
ip flow-export version 5
ip flow-export destination 172.16.5.4 9996
!
ip http server
no ip http secure-server
ip nat inside source route-map nonat interface Virtual-Template1 overload
! 172.16.5.1 is this router's own G0/0 address: this entry publishes the
! router's telnet (VTY) login on 66.x.x.26, and ACL 103 permits tcp any any eq telnet
ip nat inside source static tcp 172.16.5.1 23 66.x.x.26 23 extendable
ip nat inside source static tcp 172.16.5.80 80 66.x.x.26 80 extendable
ip nat inside source static tcp 172.16.5.80 9090 66.x.x.26 9090 extendable
ip nat inside source static tcp 172.16.5.80 9192 66.x.x.26 9192 extendable
ip nat inside source static tcp 172.16.5.25 80 66.x.x.27 80 extendable
ip nat inside source static tcp 172.16.5.81 80 66.x.x.28 80 extendable
ip nat inside source static tcp 172.16.5.81 9090 66.x.x.28 9090 extendable
ip nat inside source static tcp 172.16.5.81 9192 66.x.x.28 9192 extendable
ip nat inside source static tcp 172.16.5.5 80 66.x.x.29 80 extendable
ip nat inside source static tcp 172.16.5.82 80 66.x.x.30 80 extendable
ip nat inside source static tcp 172.16.5.82 9090 66.x.x.30 9090 extendable
ip nat inside source static tcp 172.16.5.82 9192 66.x.x.30 9192 extendable
!
access-list 10 permit 172.16.0.0 0.0.255.255
access-list 101 remark ACL for ShoreTel VoIP
access-list 101 deny   ip 172.16.10.0 0.0.0.255 any
access-list 101 deny   ip 66.x.x.24 0.0.0.7 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 permit ip any any
access-list 102 remark ACL for network traffic
access-list 102 deny   ip 172.16.5.0 0.0.0.255 any
access-list 102 deny   ip 66.x.x.24 0.0.0.7 any
access-list 102 deny   ip host 255.255.255.255 any
access-list 102 deny   ip 127.0.0.0 0.255.255.255 any
access-list 102 permit ip any any
access-list 103 remark Traffic allowed over Virtual Template1 T1
access-list 103 permit ahp host 208.x.x.171 host 66.x.x.26
access-list 103 permit esp host 208.x.x.171 host 66.x.x.26
access-list 103 permit udp host 208.x.x.171 host 66.x.x.26 eq isakmp
access-list 103 permit udp host 208.x.x.171 host 66.x.x.26 eq non500-isakmp
access-list 103 permit ip 172.16.5.0 0.0.0.255 66.167.224.0 0.0.0.255
access-list 103 permit ip 192.168.100.0 0.0.0.255 172.16.0.0 0.0.255.255
access-list 103 deny   ip 172.16.5.0 0.0.0.255 any
access-list 103 deny   ip 172.16.10.0 0.0.0.255 any
access-list 103 permit icmp any host 66.x.x.26 echo-reply
access-list 103 permit icmp any host 66.x.x.26 time-exceeded
access-list 103 permit icmp any host 66.x.x.26 unreachable
! 'ip dns server' is enabled above and nothing maps UDP/53 through NAT, so this
! line leaves the router's own resolver reachable from any Internet source
access-list 103 permit udp any any eq domain
access-list 103 permit udp any eq domain any
! The 'any any' TCP permits below are what expose the static NAT entries (and the
! router itself, e.g. telnet) to every Internet source; 5800/5900 are VNC
access-list 103 permit tcp any any eq 4445
access-list 103 permit tcp any any eq www
access-list 103 permit tcp any any eq 5800
access-list 103 permit tcp any any eq 5900
access-list 103 permit tcp any any eq 9090
access-list 103 permit tcp any any eq 9192
access-list 103 permit tcp any any eq telnet
access-list 103 permit udp any any eq 5004
access-list 103 permit udp any any eq non500-isakmp
access-list 103 permit udp any any eq isakmp
access-list 103 permit esp any any
access-list 103 permit gre any any
access-list 103 deny   ip 10.0.0.0 0.255.255.255 any
access-list 103 deny   ip 172.16.0.0 0.15.255.255 any
access-list 103 deny   ip 192.168.0.0 0.0.255.255 any
access-list 103 deny   ip 127.0.0.0 0.255.255.255 any
access-list 103 deny   ip host 255.255.255.255 any
access-list 103 deny   ip host 0.0.0.0 any
access-list 103 deny   ip any any log
access-list 110 remark Tunnel 
access-list 110 permit ip 172.16.0.0 0.0.255.255 192.168.100.0 0.0.0.255
access-list 140 remark VPN clients
access-list 140 permit ip 192.168.100.0 0.0.0.255 172.16.40.0 0.0.0.255
access-list 140 permit ip 172.16.10.0 0.0.0.255 172.16.40.0 0.0.0.255
access-list 140 permit ip 172.16.5.0 0.0.0.255 172.16.40.0 0.0.0.255
access-list 199 deny   ip 172.16.0.0 0.0.255.255 192.168.100.0 0.0.0.255
access-list 199 deny   ip 172.16.0.0 0.0.255.255 172.16.40.0 0.0.0.255
access-list 199 permit ip any any
!
route-map nonat permit 10
 match ip address 199


SOLUTION
Bryon H (United States of America)
This solution is only available to members of Experts Exchange.

ASKER CERTIFIED SOLUTION
This solution is only available to members of Experts Exchange.

andersenks (ASKER)
The other problem is the DNS provider also hosts their e-mail. They aren't ready to migrate their e-mail off to another provider yet. Anyone know of a way to get this to work?
Are there no public hostnames pointing to the machine the SQL database is on? None at all?
You could host your DNS records at any $5 host and keep your mail on the current host. Just set up your new host records (MX and A, plus www, etc.) to point to the same IP addresses they do right now; there's no technical reason for the DNS host and the mail host to be the same company.
What about using the hosts file on the workstations: C:\Windows\System32\drivers\etc\hosts
xxx.xxx.xxx.xxx hostname
Add both entries there.
I talked them into deleting one of their DNS entries from their hosting provider and configured internal and external names to match.
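The "internal and external names match" fix above is split DNS. On the router posted in the question it needs no extra box, because `ip dns server` is already enabled there: the router answers the public name with the inside address for inside clients, while the provider's zone keeps answering with 66.x.x.27 for the sales staff on the road. Two points the posted config makes clear: classic IOS NAT only translates traffic crossing from an `ip nat inside` to an `ip nat outside` interface, so an inside client connecting to 66.x.x.27 is simply routed out the default route and never hits the 172.16.5.25 mapping; and the static entry maps only TCP/80, so a successful ping to 66.x.x.27 says nothing about whether the HTTP path works. The configuration below is an added example, not the thread's own solution; the name sql.example.com, the upstream resolver 192.0.2.53 and the choice to point inside clients at 172.16.5.1 are assumptions.

```ios
! Split DNS on the IOS router from the question (added example, not from the thread).
! Assumed: public name sql.example.com, ISP resolver 192.0.2.53, inside clients
! configured to use 172.16.5.1 (the router's G0/0 address) as their DNS server.
! Externally the provider's zone keeps sql.example.com -> 66.x.x.27; internally the
! router answers the same name with 172.16.5.25, so nothing changes on the laptops.
ip dns server
ip domain lookup
ip name-server 192.0.2.53
! Local host-table entries are answered before a query is forwarded upstream.
ip host sql.example.com 172.16.5.25
!
! If the router hands out DHCP on the DATA network, make it the resolver there
! (pool name assumed):
ip dhcp pool DATA
 dns-server 172.16.5.1
!
! Don't leave that resolver open to the Internet. Nothing in the NAT table maps
! UDP/53, so the inbound 'permit udp any any eq domain' in ACL 103 only ever reaches
! the router itself. Remove it in named-ACL edit mode; the following
! 'permit udp any eq domain any' line stays so replies to the router's own
! forwarded queries still get in.
ip access-list extended 103
 no permit udp any any eq domain
```

From an inside workstation, `nslookup sql.example.com 172.16.5.1` should return 172.16.5.25, and from outside the provider's servers should still return 66.x.x.27; `show hosts` on the router lists the static entry. The per-workstation hosts-file suggestion earlier in the thread gives the same result without touching the router, but has to be repeated on every machine and is silently overridden when the record changes.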

Thanks guys
Thanks guys!