
Cisco Catalyst 2950

We want to open up a connection to the inside and outside world. My ISP has done this:
"I have set up a reverse proxy on our revproxies listening on nnn.nnn.nnn.nn and nnn.nnn.nnn.nn, listening on the HTTP port (80).
I have set up DNS entries for the two domains webmail.au and contracts.au pointing to both of these addresses.
These proxies forward the traffic to nnn.nnn.nnn.nn port 81 (his Lotus Domino server).

The client will need to do the redirects to the .nsf files himself based on the names passed.

I have tried to test the connection from the proxy servers to the client server.

Tests failed.

The client will need to ensure he allows access to his server nnn.nnn.nnn.nn from our proxy servers nnn.nnn.nnn.nn and nnn.nnn.nnn.nn."

I will write down the show run for the switch:
version 12.1
no service pad
service timestamps debug uptime
service timestamps log datetime
no service password-encryption
service sequence-numbers
!
hostname q10
!

!
clock timezone UTC 10
ip subnet-zero
!
cluster enable q10
!
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
!
!
!
!
interface FastEthernet0/1
 description CITEC ADSL Router
 switchport mode access
 duplex full
 spanning-tree portfast
!
interface FastEthernet0/2
 description CITEC to QAO-FW1-Primary (mgmt)
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/3
 description CITEC to QAO-FW1-Secondary (mgmt)
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/4
 description SOUL ADSL Router
 switchport access vlan 102
 switchport mode access
 speed 100
 duplex full
 spanning-tree portfast
 spanning-tree bpdufilter enable
!
interface FastEthernet0/5
 description SOUL to QAO-FW1-Primary (e0/0)
 switchport access vlan 102
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/6
 description SOUL to QAO-FW1-Secondary (e0/0)
 switchport access vlan 102
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/7
 description AMQLD Server
 switchport access vlan 103
 switchport mode access
 spanning-tree portfast

!
interface FastEthernet0/8
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/9
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/10
 description Magellan Server
 switchport access vlan 104
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/11
 description WEB01
 switchport access vlan 104
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/12
 description Connection to QAO_ASA_10_Primary (e0/2) (CITEC)
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/13
 description Connection to QAO_ASA_10_Secondary (e0/2) (CITEC)
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/14
 description Germes Monitoring
 switchport access vlan 106
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/15
 description Connection to QAO-FW1-Primary (e0/2)
 switchport mode trunk
!
interface FastEthernet0/16
 description Connection to QAO-FW1-Secondary (e0/2)
 switchport mode trunk
!
interface FastEthernet0/17
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/18
 description Lotus Cluster Network
 switchport access vlan 106
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/19
 description Lotus Cluster Network
 switchport access vlan 106
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/20
 description Lotus Cluster Network
 switchport access vlan 106
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/21
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/22
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/23
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/24
 description Telstra GWIP Connection
 switchport access vlan 105
 switchport mode access
 speed 100
 duplex full
 spanning-tree bpdufilter enable
!
interface GigabitEthernet0/1
 description Connection to QAO-ASA-10-Primary (e0/0)
 switchport access vlan 105
 switchport mode access
!
interface GigabitEthernet0/2
 description Connection to QAO-ASA-10-Secondary (e0/0)
 switchport access vlan 105
!
interface Vlan1
 no ip address
 no ip route-cache
 shutdown
!
interface Vlan106
 ip address nnn.nnn.nnn.nn
 no ip route-cache
!
ip http server
!
ip access-list extended CMP-NAT-ACL
 dynamic Cluster-HSRP deny   ip any any
 dynamic Cluster-NAT permit ip any any
access-list 60 permit nnn.nn.n.n
snmp-server community q
snmp-server community qa
!
line con 0
line vty 0 4
 
 login
line vty 5 15
 
 login
!
ntp clock-period 1
ntp server nnn.nnn.n.n
!
end

Kindly let me know if I have to do any firewall configuration, or should I add the IP addresses to VLAN 104?
One of the server's NICs is already connected to this switch on port 11 (i.e. VLAN 104), so should I add one more interface and VLAN port?

Commented:
Hi!
The Cisco 2950 is an L2 switch and it can't route traffic between subnets (so an IP address in VLAN 104 on the switch will not do any good for your problem).
You are talking about some services (proxy, Lotus etc.) which are not part of an L2 switch.
What kind of help do you want to get here?

Commented:
The Catalyst 2950 is a layer 2 switch, and will not route traffic. If you add an IP to VLAN 104 it will just become a management IP (and remove the old one).

The ISP reverse proxy servers and the Domino server are all on public IP, so I believe we can assume that routing is OK.

Most likely what you need to do is manage firewall configurations.

Ports 1, 2 and 3 seem to be in VLAN 1 and that is probably on the public internet. Ports 2 and 3 seem to be firewalls, and should then be their public interfaces. These firewalls probably have other interfaces in VLAN 104, where the Domino server is located, although that is not clear from the switch config.

Effectively, the firewalls need rules that allow incoming port 81 from the two servers of the ISP.

Still, you need a clear picture of the network first...

Author

Commented:
What kind of configuration do I have to add on the firewall router?

Author

Commented:
The configuration which the ISP has done: I don't really understand what he has done, and what I have to do.

Commented:
First of all, I would not really change anything without having a clear network diagram - pen and paper is fine... Do some trace route to and from server as a start of drawing up the diagram.

The firewall needs a rule that allows incoming TCP on port 81, with the from IPs being the two servers of the ISP and the to IP being the Domino server.

Author

Commented:
Would it be possible for me to send you my running config by email? Because I don't want to post all the IPs here.

Author

Commented:
Please send me an email at rush754@hotmail.com and I can send you the running config.

Commented:
Sent you my email...

Author

Commented:
Thanks, I have replied back.

Author

Commented:
I have sent a couple of messages; waiting for the reply.

Author

Commented:
@from exp: We want to open up our firewall for webmail, so I guess I have to set up NAT and an access list.

Commented:
OK, do that.

Author

Commented:
But what NAT rule should I put in, and what access list should I put in?

Author

Commented:
Do I have to do something like this?

static (intf_dmz,intf_citec) nnn.nnn.nnn.nn dmz_host_web01 netmask 255.255.255.255
access-list CITEC-IN extended permit tcp host nnn.nnn.nnn.nn host nnn.nnn.nnn.nn eq 81
access-list CITEC-IN extended permit tcp host nnn.nnn.nnn.nn host nnn.nnn.nnn.nn eq 81

Is there any syntax error?

Author

Commented:
I tried to input the NAT rule, but it's giving an error:
"ERROR: duplicate of existing static
  intf_dmz:dmz_host_web01 to intf_citec:nnn.nnn.nnn.nn 5 netmask 255.255.255.255"
although the NAT rule is on .16.
Am I missing something?
Commented:
Your best option here is to use .15 also for the webmail.

Ask your ISP to change it on their reverse proxies.
Change whatever DNS record you have set up for webmail.
Use .15 also in the access-list configuration lines.

Author

Commented:

For static route there is an entry:

static (intf_dmz,intf_citec) nnn.nnn.nnn.nn dmz_host_web01 netmask 255.255.255.255
and for access list there are entries for this:
access-list CITEC-IN extended permit tcp any host nnn.nnn.nnn.nn eq www
access-list CITEC-IN extended permit tcp any host nnn.nnn.nnn.nn eq https
My guess was they are already being used for something else; that's why they provided us .16.

Commented:
The webserver software on the server should tell you if anything is configured on the IP.

If there is a problem running two websites on the IP, you need to set up a second IP (.16) on the same server.

In general though, if you have configured the webmail software to run (assume that is a Lotus Notes issue) then it should be fine.

Author

Commented:
That's what the ISP has done: they have given us a new IP, which is .16, and I tried to add the IP on the router but it didn't accept it.
And Lotus webmail is going to run on that IP address.

Commented:
You have .15 NATed to one private IP. Ideally, you should be able to run two web sites on that. If this is not possible, due to the reverse proxy or due to the webserver, then we need a new IP.

If we do need a new IP, you will use a new public IP (.16) and a new private IP on the server. You may map that private IP to a new name, like dmz_host_web01_b. Still, you also need to add the IP to the NIC (interface) and also have the webserver put the webmail site on that IP.

I suggest you put a PC on the same LAN as the server and try your websites from there - both the webmail and what ever other site there is. Still, this is not really a networking issue, but more a webserver issue now...

Author

Commented:

Well, I guess to host webmail I don't think I need to add that interface .16 to the NIC; the ISP has already done the required changes. In his email he mentioned that "he has set up DNS entries for the two domains webmail.au and contracts.au, and the proxies forward the traffic to .16 (Lotus Domino server)".
If the DNS records exist on the server and point to the right IP, I don't think I need to put a PC. The reason why I am saying that is because my ISP has suggested that as well, and all that needs to be done is to allow .16 on proxy servers nnn.nnn.nnn.nn and nnn.nnn.nnn.nn.
Now I have entered the access list but it didn't work out, so something more needs to be done on the firewall.
Commented:
Your ACL allows port 81 to go via .16, but you do not have NAT for .16 going to the server.

Your router will not accept NAT for .16 to the server, because it already has NAT for .15 to the server.

I suggest you ask the ISP to use .15 instead. Perhaps they did not want to use it before since they did not know the webmail is on the same server as whatever .15 is. If you tell them it is the same server, they will probably agree and change it.
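An added example, not from the thread and not a Cisco tool: a small offline Python check over the pre-8.3 ASA syntax the poster is using (static plus access-list/access-group). It reproduces the two problems diagnosed above and in the earlier firewall comment about port 81 from the two ISP servers: an access-list entry for a public IP that has no static translating it inward (so the ACL alone does nothing), and a second one-to-one static for a host that already has one (the "duplicate of existing static" error). Interface and object names are the page's; the addresses are constructed documentation-range stand-ins for the redacted nnn.nnn.nnn.nn values, and the two proxy IPs are assumed. Deny entries, object-groups and port ranges are not modelled.

```python
import re

# Added example, not from the thread: an offline consistency check for the
# pre-8.3 ASA syntax on the page (static + access-list + access-group).
# Interface and object names are the page's; the addresses are constructed
# documentation-range stand-ins for the redacted nnn.nnn.nnn.nn values.
PROXIES = ["192.0.2.10", "192.0.2.11"]   # the ISP's two reverse proxies (assumed)

SAMPLE_CONFIG = """
name 10.10.104.11 dmz_host_web01
static (intf_dmz,intf_citec) 203.0.113.15 dmz_host_web01 netmask 255.255.255.255
access-list CITEC-IN extended permit tcp any host 203.0.113.15 eq www
access-list CITEC-IN extended permit tcp any host 203.0.113.15 eq https
access-list CITEC-IN extended permit tcp host 192.0.2.10 host 203.0.113.16 eq 81
access-list CITEC-IN extended permit tcp host 192.0.2.11 host 203.0.113.16 eq 81
access-group CITEC-IN in interface intf_citec
"""

PORT_NAMES = {"www": 80, "http": 80, "https": 443}
NAME_RE = re.compile(r"^name (\S+) (\S+)$")
STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) (\S+) (\S+) netmask \S+")
ACL_RE = re.compile(r"^access-list (\S+) extended permit tcp (any|host \S+) (any|host \S+) eq (\S+)$")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)$")


def parse_config(text):
    """Collect names, one-to-one statics, permit-tcp ACL entries and inbound access-groups.
    Deny entries, object-groups and port ranges are deliberately not modelled."""
    cfg = {"names": {}, "statics": [], "acls": {}, "groups": {}}
    for line in text.splitlines():
        line = line.strip()
        m = NAME_RE.match(line)
        if m:
            cfg["names"][m.group(2)] = m.group(1)
            continue
        m = STATIC_RE.match(line)
        if m:
            inside, outside, glob, local = m.groups()
            cfg["statics"].append({"in": inside, "out": outside,
                                   "global": cfg["names"].get(glob, glob),
                                   "local": cfg["names"].get(local, local)})
            continue
        m = ACL_RE.match(line)
        if m:
            name, src, dst, port = m.groups()
            port = PORT_NAMES.get(port) or int(port)
            cfg["acls"].setdefault(name, []).append(
                (src.replace("host ", ""), dst.replace("host ", ""), port))
            continue
        m = GROUP_RE.match(line)
        if m:
            cfg["groups"][m.group(2)] = m.group(1)   # interface -> ACL applied inbound
    return cfg


def conflicting_static(cfg, inside, outside, local):
    """Global address already mapped one-to-one to `local` on this interface pair, else None.
    A second static for the same host is what produced "duplicate of existing static"."""
    local = cfg["names"].get(local, local)
    for s in cfg["statics"]:
        if (s["in"], s["out"], s["local"]) == (inside, outside, local):
            return s["global"]
    return None


def check_publish(cfg, public_ip, port, sources):
    """Findings for 'sources may reach public_ip:port from the outside'.
    Pre-8.3 outside ACLs name the translated (public) address, as on the page."""
    findings = []
    statics = [s for s in cfg["statics"] if s["global"] == public_ip]
    if not statics:
        findings.append("NO_STATIC")         # an ACL alone forwards nothing inward
        outside_ifaces = set(cfg["groups"])  # still audit every interface with an inbound ACL
    else:
        outside_ifaces = {s["out"] for s in statics}
    for iface in sorted(outside_ifaces):
        rules = cfg["acls"].get(cfg["groups"].get(iface, ""), [])
        for src in sources:
            hits = [r for r in rules
                    if r[0] in ("any", src) and r[1] in ("any", public_ip) and r[2] == port]
            if not hits:
                findings.append(f"NO_ACL:{iface}:{src}")
            elif all(r[0] == "any" for r in hits):
                findings.append(f"ACL_ANY_SOURCE:{iface}:{src}")  # wider than the two proxies need
    return findings


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    print("publish .16:81 ->", check_publish(cfg, "203.0.113.16", 81, PROXIES))
    print("add static .16 for web01 ->",
          conflicting_static(cfg, "intf_dmz", "intf_citec", "dmz_host_web01"))
    print("publish .15:81 ->", check_publish(cfg, "203.0.113.15", 81, PROXIES))
```

On the sample, publishing .16 reports NO_STATIC even though both proxy ACL lines are present, adding a static for .16 collides with the existing .15 mapping of dmz_host_web01, and publishing .15 on port 81 reports the two missing ACL entries; rewriting the .16 entries to .15 clears every finding. The ACL_ANY_SOURCE finding is the caveat worth keeping: the page's www/https entries permit any source, while the port 81 entries should stay restricted to the two proxy hosts.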

Author

Commented:
I can make the request to point it to .15, but are you sure it will work?

Commented:
I am pretty sure it will work - unless they are using some really odd reverse proxy software.

Author

Commented:
I asked my ISP what is on .15, and he has sent me the response, which I have sent you through the email; please check it.
Thanks.
Most Valuable Expert 2011

Commented:
I tried to understand what all was happening here, but the thread has just gotten way too long to follow all of it. But it sounds like a classic problem here to me that many people make when NATing things.

When users/clients are on the same side of the NAT device that the destination resource is on, then the users must go directly to the resource without going through the NAT device.

When users/clients are on the outside of the NAT device and the resource is on the trusted inside of the device, then they obviously use the NAT device to get there.

If the resource is accessed by "name" then split DNS is the most common approach. If IPs are used for access then the right IP has to be used.

Author

Commented:
Well, no progress has been made on the question so far; you can see the question.
The only change that has been made in the question is, if you read the email of the ISP at the start, "These proxies forward the traffic to nnn.nnn.nnn.nn port 81. (his lotus domino server)": so instead of .16 now it's .15, and an access rule has been added to the firewall router, which is
access-list CITEC-IN extended permit tcp any host nnn.nnn.nnn.nn eq 81
and the NAT address for this is:
static (intf_dmz,intf_citec) nnn.nnn.nnn.nn dmz_host_web01 netmask 255.255.255.255
 

Author

Commented:
There is a bit of progress: now I can access the webmail but on a different address,
http://web01.qao.qld.gov.au:81/Homepage.nsf
but it needs to be webmail.qao.qld.gov.au
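As an added example, not code from the thread, the ISP or Domino: a local emulation of the two hops the ISP described at the start of the question (reverse proxy on port 80 forwarding to the Domino server on port 81, with the server doing "the redirects to the nsf files based on the names passed"). The site names, landing paths and the 302 behaviour are constructed, and both servers bind 127.0.0.1 on ephemeral ports, so it runs offline. The point it shows is that the proxy has to forward the client's Host header unchanged: the origin's only way to tell webmail.au from contracts.au (or from the server's own name, which it does not serve) is that header. The page does not say how the Domino side was configured; the origin here only emulates the behaviour.

```python
import http.client
import http.server
import threading

# Added example, not from the thread, the ISP or Domino: a local emulation of
# the two hops the ISP described. Site names, paths and the 302 behaviour are
# constructed; both servers bind 127.0.0.1 on ephemeral ports (offline).
SITES = {                       # Host header -> landing .nsf ("redirect based on the names passed")
    "webmail.au": "/Homepage.nsf",
    "contracts.au": "/contracts.nsf",
}


class OriginHandler(http.server.BaseHTTPRequestHandler):
    """Stand-in for the Domino HTTP task on port 81: the Host header selects the site."""

    def do_GET(self):
        host = self.headers.get("Host", "").split(":")[0].lower()
        landing = SITES.get(host)
        if landing is None:                     # not one of our names: refuse rather than guess
            self.send_error(404, "no site for this Host")
            return
        if self.path == "/":                    # bare site name -> redirect to its .nsf
            self.send_response(302)
            self.send_header("Location", landing)
            self.end_headers()
            return
        body = f"{host} serving {self.path}\n".encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):               # keep the demo quiet
        pass


class ProxyHandler(http.server.BaseHTTPRequestHandler):
    """Stand-in for the ISP reverse proxy on port 80: forward upstream, keep the client's Host."""
    origin = ("127.0.0.1", 0)                   # filled in by start_servers()

    def do_GET(self):
        up = http.client.HTTPConnection(self.origin[0], self.origin[1], timeout=5)
        up.request("GET", self.path, headers={"Host": self.headers.get("Host", "")})
        resp = up.getresponse()
        body = resp.read()
        up.close()
        self.send_response(resp.status)         # relay status, Location etc. unchanged
        for name, value in resp.getheaders():
            if name.lower() not in ("server", "date", "connection", "content-length"):
                self.send_header(name, value)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass


def start_servers():
    origin = http.server.HTTPServer(("127.0.0.1", 0), OriginHandler)
    ProxyHandler.origin = origin.server_address
    proxy = http.server.HTTPServer(("127.0.0.1", 0), ProxyHandler)
    for srv in (origin, proxy):
        threading.Thread(target=srv.serve_forever, daemon=True).start()
    return origin, proxy


def fetch(port, host, path="/"):
    """One request to the proxy, carrying the public site name as Host (like curl -H 'Host: ...')."""
    c = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    c.request("GET", path, headers={"Host": host})
    resp = c.getresponse()
    body = resp.read().decode()
    c.close()
    return resp.status, resp.getheader("Location"), body


def run_demo():
    origin, proxy = start_servers()
    port = proxy.server_address[1]
    try:
        return {
            "webmail": fetch(port, "webmail.au"),
            "contracts": fetch(port, "contracts.au"),
            "followed": fetch(port, "webmail.au", SITES["webmail.au"]),
            "unknown": fetch(port, "web01.example"),   # a name the origin does not serve
        }
    finally:
        for srv in (proxy, origin):
            srv.shutdown()
            srv.server_close()


if __name__ == "__main__":
    for label, result in run_demo().items():
        print(label, result)
```

Against the real proxies the same probe is `curl -I -H "Host: webmail.au" http://<proxy-ip>/`: a 302 to the .nsf means the proxy and the port 81 path are both open and the name is being passed through; a connection failure on that command, while the same URL works directly against the server on :81, points at the proxy or the firewall rather than at Domino.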
 

Author

Commented:
Do I have to add any NAT rules for the 131* address on the router according to the ISP email?

Author

Commented:
I have 1 hour left; after that I have to assign it to someone else if I can't do it.
Top Expert 2007

Commented:
Let me know if you are still interested in finding a solution. If you say yes, I would require a basic drawing that includes interfaces and subnets, plus the sanitized config of your ASA firewall.

Regards

Author

Commented:
Yes, I am still interested in finding the answer.
I can post the network diagram,
but the ASA config is quite long; I can post it to you through email.
Top Expert 2007

Commented:
You can use the file uploading tool here to upload it. Open it in Notepad first, and replace the sensitive information such as public IPs with x.x.x.x and y.y.y.y using Ctrl+H.

Author

Commented:
It got working. The issue was with the ISP: he didn't open up the port. Now everything is working fine; thanks for all your help and time.