Cisco Catalyst 2950
we want to open up a connection to the inside and outside world, my ISP has done this
"I have setup a reverse proxy on our revproxies listening on nnn.nnn.nnn.nn and nnn.nnn.nnn.nn listening on the http port (80).
I have setup DNS entries for the two domains webmail.au and contracts.au pointing to both of these addresses.
These proxies forward the traffic to nnn.nnn.nnn.nn port 81. (his lotus domino server)
The client will need to do the redirects to the nsf files himself based on the names passed.
I have tried to test the connection from the proxy servers to the client server.
tests failed.
The client will need to ensure he allows access to his server nnn.nnn.nnn.nn from the our proxy servers nnn.nnn.nnn.nn and nnn.nnn.nnn.nn ."
i will write down the show run, for the switch.......
version 12.1
no service pad
service timestamps debug uptime
service timestamps log datetime
no service password-encryption
service sequence-numbers
!
hostname q10
!
!
clock timezone UTC 10
ip subnet-zero
!
cluster enable q10
!
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
!
!
!
!
interface FastEthernet0/1
description CITEC ADSL Router
switchport mode access
duplex full
spanning-tree portfast
!
interface FastEthernet0/2
description CITEC to QAO-FW1-Primary (mgmt)
switchport mode access
spanning-tree portfast
!
interface FastEthernet0/3
description CITEC to QAO-FW1-Secondary (mgmt)
switchport mode access
spanning-tree portfast
!
interface FastEthernet0/4
description SOUL ADSL Router
switchport access vlan 102
switchport mode access
speed 100
duplex full
spanning-tree portfast
spanning-tree bpdufilter enable
!
interface FastEthernet0/5
description SOUL to QAO-FW1-Primary (e0/0)
switchport access vlan 102
switchport mode access
spanning-tree portfast
!
interface FastEthernet0/6
description SOUL to QAO-FW1-Secondary (e0/0)
switchport access vlan 102
switchport mode access
spanning-tree portfast
!
interface FastEthernet0/7
description AMQLD Server
switchport access vlan 103
switchport mode access
spanning-tree portfast
!
interface FastEthernet0/8
switchport mode access
spanning-tree portfast
!
interface FastEthernet0/9
switchport mode access
spanning-tree portfast
!
interface FastEthernet0/10
description Magellan Server
switchport access vlan 104
switchport mode access
spanning-tree portfast
!
interface FastEthernet0/11
description WEB01
switchport access vlan 104
switchport mode access
spanning-tree portfast
!
interface FastEthernet0/12
description Connection to QAO_ASA_10_Primary (e0/2) (CITEC)
switchport mode access
spanning-tree portfast
!
interface FastEthernet0/13
description Connection to QAO_ASA_10_Secondary (e0/2) (CITEC)
switchport mode access
spanning-tree portfast
!
interface FastEthernet0/14
description Germes Monitoring
switchport access vlan 106
switchport mode access
spanning-tree portfast
!
interface FastEthernet0/15
description Connection to QAO-FW1-Primary (e0/2)
switchport mode trunk
!
interface FastEthernet0/16
description Connection to QAO-FW1-Secondary (e0/2)
switchport mode trunk
!
interface FastEthernet0/17
switchport mode access
spanning-tree portfast
--More—
interface FastEthernet0/18
description Lotus Cluster Network
switchport access vlan 106
switchport mode access
spanning-tree portfast
!
interface FastEthernet0/19
description Lotus Cluster Network
switchport access vlan 106
switchport mode access
spanning-tree portfast
!
interface FastEthernet0/20
description Lotus Cluster Network
switchport access vlan 106
switchport mode access
spanning-tree portfast
!
interface FastEthernet0/21
switchport mode access
spanning-tree portfast
!
interface FastEthernet0/22
switchport mode access
spanning-tree portfast
!
interface FastEthernet0/23
switchport mode access
spanning-tree portfast
!
interface FastEthernet0/24
description Telstra GWIP Connection
switchport access vlan 105
switchport mode access
speed 100
duplex full
spanning-tree bpdufilter enable
!
interface GigabitEthernet0/1
description Connection to QAO-ASA-10-Primary (e0/0)
switchport access vlan 105
switchport mode access
!
interface GigabitEthernet0/2
description Connection to QAO-ASA-10-Secondary (e0/0)
switchport access vlan 105
--More—
interface Vlan1
no ip address
no ip route-cache
shutdown
!
interface Vlan106
ip address nnn.nnn.nnn.nn
no ip route-cache
!
ip http server
!
ip access-list extended CMP-NAT-ACL
dynamic Cluster-HSRP deny ip any any
dynamic Cluster-NAT permit ip any any
access-list 60 permit nnn.nn.n.n
snmp-server community q
snmp-server community qa
!
line con 0
line vty 0 4
login
line vty 5 15
login
!
ntp clock-period 1
ntp server nnn.nnn.n.n
!
end
kindly let me know if i have to do any firewall configuration, or should i add the IP addresses to the VLAN 104....
one of the server NIC is already connected to this switch on port 11 (i.e. VLAN 104), so should i add one more interface and VLAN port?
"I have setup a reverse proxy on our revproxies listening on nnn.nnn.nnn.nn and nnn.nnn.nnn.nn listening on the http port (80).
I have setup DNS entries for the two domains webmail.au and contracts.au pointing to both of these addresses.
These proxies forward the traffic to nnn.nnn.nnn.nn port 81. (his lotus domino server)
The client will need to do the redirects to the nsf files himself based on the names passed.
I have tried to test the connection from the proxy servers to the client server.
tests failed.
The client will need to ensure he allows access to his server nnn.nnn.nnn.nn from the our proxy servers nnn.nnn.nnn.nn and nnn.nnn.nnn.nn ."
i will write down the show run, for the switch.......
version 12.1
no service pad
service timestamps debug uptime
service timestamps log datetime
no service password-encryption
service sequence-numbers
!
hostname q10
!
!
clock timezone UTC 10
ip subnet-zero
!
cluster enable q10
!
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
!
!
!
!
interface FastEthernet0/1
description CITEC ADSL Router
switchport mode access
duplex full
spanning-tree portfast
!
interface FastEthernet0/2
description CITEC to QAO-FW1-Primary (mgmt)
switchport mode access
spanning-tree portfast
!
interface FastEthernet0/3
description CITEC to QAO-FW1-Secondary (mgmt)
switchport mode access
spanning-tree portfast
!
interface FastEthernet0/4
description SOUL ADSL Router
switchport access vlan 102
switchport mode access
speed 100
duplex full
spanning-tree portfast
spanning-tree bpdufilter enable
!
interface FastEthernet0/5
description SOUL to QAO-FW1-Primary (e0/0)
switchport access vlan 102
switchport mode access
spanning-tree portfast
!
interface FastEthernet0/6
description SOUL to QAO-FW1-Secondary (e0/0)
switchport access vlan 102
switchport mode access
spanning-tree portfast
!
interface FastEthernet0/7
description AMQLD Server
switchport access vlan 103
switchport mode access
spanning-tree portfast
!
interface FastEthernet0/8
switchport mode access
spanning-tree portfast
!
interface FastEthernet0/9
switchport mode access
spanning-tree portfast
!
interface FastEthernet0/10
description Magellan Server
switchport access vlan 104
switchport mode access
spanning-tree portfast
!
interface FastEthernet0/11
description WEB01
switchport access vlan 104
switchport mode access
spanning-tree portfast
!
interface FastEthernet0/12
description Connection to QAO_ASA_10_Primary (e0/2) (CITEC)
switchport mode access
spanning-tree portfast
!
interface FastEthernet0/13
description Connection to QAO_ASA_10_Secondary (e0/2) (CITEC)
switchport mode access
spanning-tree portfast
!
interface FastEthernet0/14
description Germes Monitoring
switchport access vlan 106
switchport mode access
spanning-tree portfast
!
interface FastEthernet0/15
description Connection to QAO-FW1-Primary (e0/2)
switchport mode trunk
!
interface FastEthernet0/16
description Connection to QAO-FW1-Secondary (e0/2)
switchport mode trunk
!
interface FastEthernet0/17
switchport mode access
spanning-tree portfast
--More—
interface FastEthernet0/18
description Lotus Cluster Network
switchport access vlan 106
switchport mode access
spanning-tree portfast
!
interface FastEthernet0/19
description Lotus Cluster Network
switchport access vlan 106
switchport mode access
spanning-tree portfast
!
interface FastEthernet0/20
description Lotus Cluster Network
switchport access vlan 106
switchport mode access
spanning-tree portfast
!
interface FastEthernet0/21
switchport mode access
spanning-tree portfast
!
interface FastEthernet0/22
switchport mode access
spanning-tree portfast
!
interface FastEthernet0/23
switchport mode access
spanning-tree portfast
!
interface FastEthernet0/24
description Telstra GWIP Connection
switchport access vlan 105
switchport mode access
speed 100
duplex full
spanning-tree bpdufilter enable
!
interface GigabitEthernet0/1
description Connection to QAO-ASA-10-Primary (e0/0)
switchport access vlan 105
switchport mode access
!
interface GigabitEthernet0/2
description Connection to QAO-ASA-10-Secondary (e0/0)
switchport access vlan 105
--More—
interface Vlan1
no ip address
no ip route-cache
shutdown
!
interface Vlan106
ip address nnn.nnn.nnn.nn
no ip route-cache
!
ip http server
!
ip access-list extended CMP-NAT-ACL
dynamic Cluster-HSRP deny ip any any
dynamic Cluster-NAT permit ip any any
access-list 60 permit nnn.nn.n.n
snmp-server community q
snmp-server community qa
!
line con 0
line vty 0 4
login
line vty 5 15
login
!
ntp clock-period 1
ntp server nnn.nnn.n.n
!
end
kindly let me know if i have to do any firewall configuration, or should i add the IP addresses to the VLAN 104....
one of the server NIC is already connected to this switch on port 11 (i.e. VLAN 104), so should i add one more interface and VLAN port?
hi!
Cisco 2950 is L2 switch and it can't route traffic between subnets (so IP address in vlan104 on the will not do any good to your problem).
you are talking about some services (proxy, lotus etc) which are not part of L2 switch.
what kind of help do you want to get here?
Cisco 2950 is L2 switch and it can't route traffic between subnets (so IP address in vlan104 on the will not do any good to your problem).
you are talking about some services (proxy, lotus etc) which are not part of L2 switch.
what kind of help do you want to get here?
The Catalyst 2950 is a layer 2 switch, and will not route traffic. If you add an IP to VLAN 104 it will just become a management IP (and remove the old one).
The ISP reverse proxy servers and the Domino server are all on public IP, so I believe we can assume that routing is OK.
Most likely what you need to do is manage firewall configurations.
Ports 1, 2 and 3 seems to be in VLAN 1 and that is probably on the public internet. Ports 2 and 3 seems to be firewalls - and should than be their public interfaces. These firewalls probably have other interfaces in VLAN 104, where the Domino server is located - although that is not clear from the switch config.
Effectively, the firewalls needs rules that allow incoming port 81 from the two servers of the ISP.
Still, you need a clear picture of the network first...
The ISP reverse proxy servers and the Domino server are all on public IP, so I believe we can assume that routing is OK.
Most likely what you need to do is manage firewall configurations.
Ports 1, 2 and 3 seems to be in VLAN 1 and that is probably on the public internet. Ports 2 and 3 seems to be firewalls - and should than be their public interfaces. These firewalls probably have other interfaces in VLAN 104, where the Domino server is located - although that is not clear from the switch config.
Effectively, the firewalls needs rules that allow incoming port 81 from the two servers of the ISP.
Still, you need a clear picture of the network first...
the configuration which the ISP has done, i dont really understand what he has done, and what i have to do?
First of all, I would not really change anything without having a clear network diagram - pen and paper is fine... Do some trace route to and from server as a start of drawing up the diagram.
The firewall needs a rule that allow incoming TCP on port 81 with from IPs as the two servers of the ISP and to IP as the Domino server.
The firewall needs a rule that allow incoming TCP on port 81 with from IPs as the two servers of the ISP and to IP as the Domino server.
would it be possible i can send you my running config by email.....because i dont want to post all the IP's here...
@from exp: we want to open up our firewall for webmail, so i guess i have to set up NAT and access list....
do i have to do something like this?
static (intf_dmz,intf_citec) nnn.nnn.nnn.nn dmz_host_web01 netmask 255.255.255.255
access-list CITEC-IN extended permit tcp host nnn.nnn.nnn.nn host nnn.nnn.nnn.nn eq 81
access-list CITEC-IN extended permit tcp host nnn.nnn.nnn.nn host nnn.nnn.nnn.nn eq 81
is there any syntax error...
static (intf_dmz,intf_citec) nnn.nnn.nnn.nn dmz_host_web01 netmask 255.255.255.255
access-list CITEC-IN extended permit tcp host nnn.nnn.nnn.nn host nnn.nnn.nnn.nn eq 81
access-list CITEC-IN extended permit tcp host nnn.nnn.nnn.nn host nnn.nnn.nnn.nn eq 81
is there any syntax error...
i tried to input the Nat rule, but its giving an error,
""ERROR: duplicate of existing static
intf_dmz:dmz_host_web01 to intf_citec:nnn.nnn.nnn.nn 5 netmask 255.255.255.255"
although the nat rule is on .16
am i missing something....
""ERROR: duplicate of existing static
intf_dmz:dmz_host_web01 to intf_citec:nnn.nnn.nnn.nn 5 netmask 255.255.255.255"
although the nat rule is on .16
am i missing something....
You best option here is to use .15 also for the webmail.
Ask you ISP to change it on their reverse proxies.
Change what ever DNS record you have set up for webmail.
Use .15 also in the access-list configuration lines.
Ask you ISP to change it on their reverse proxies.
Change what ever DNS record you have set up for webmail.
Use .15 also in the access-list configuration lines.
for static route there is an entry...
static (intf_dmz,intf_citec) nnn.nnn.nnn.nn dmz_host_web01 netmask 255.255.255.255
and for access list there are enteries for this....
access-list CITEC-IN extended permit tcp any host nnn.nnn.nnn.nn eq www
access-list CITEC-IN extended permit tcp any host nnn.nnn.nnn.nn eq https
my guess was they are already being used for something else, thats why they provide us .16
The webserver software on the server should tell you if anything is configured on the IP.
If there is a problem running two websites on the IP, you need to set up a second IP (.16) on the same server.
In general though, if you have configured the webmail software to run (assume that is a Lotus Notes issue) then it should be fine.
If there is a problem running two websites on the IP, you need to set up a second IP (.16) on the same server.
In general though, if you have configured the webmail software to run (assume that is a Lotus Notes issue) then it should be fine.
thats what the ISP has done, they have given us a new IP which is .16, and i tried to add the IP on the router but it didnt accepted it....
and Lotus webmail is going to run on that IP address.....
and Lotus webmail is going to run on that IP address.....
You have 15 NATed to one private IP. Ideally, you should be able run two web sites on that. If this is not possible, due to the reverse proxy or due to the webserver - then we need a new IP.
If we do need a new IP, your will use a new public IP (.16) and a new private IP on the server. You may map that private IP to a new name, like dmz_host_web01_b. Still, you also need to add the IP to the NIC (interface) and also have the webserver put the webmail site on that IP.
I suggest you put a PC on the same LAN as the server and try your websites from there - both the webmail and what ever other site there is. Still, this is not really a networking issue, but more a webserver issue now...
If we do need a new IP, your will use a new public IP (.16) and a new private IP on the server. You may map that private IP to a new name, like dmz_host_web01_b. Still, you also need to add the IP to the NIC (interface) and also have the webserver put the webmail site on that IP.
I suggest you put a PC on the same LAN as the server and try your websites from there - both the webmail and what ever other site there is. Still, this is not really a networking issue, but more a webserver issue now...
Well I guess to host webmails I don’t think I need to add that interface .16 to NIC, the ISP has already done the required changes…in his email he mentioned that “ he has setup DNS entries for the two domains webmail.au and contracts.au, and the proxies forward the traffic to .16 (lotus domino server)”
If the DNS records exist on the server and pointing to the right IP, I don’t think I need to put a PC, the reason why I am saying that is because my ISP has suggested that as well, and all its needs to be done, is to allow .16 on proxy server nnn.nnn.nnn.nn and nnn.nnn.nnn.nn .
Now I have entered the access list but it didn’t worked out, so something more needs to be done on the firewall….
Your ACL allows port 81 to go via .16, but you do not have NAT for .16 going to the server.
Your router will not accept NAT for .16 to the server, because it already has NAT for .15 to the server.
I suggest you ask the ISP to use .15 instead. Perhaps they did not want to use it before since they did not know the webmail is on the same server as whatever .15 is. If you tell them it is the same server, they will probably agree and change it.
Your router will not accept NAT for .16 to the server, because it already has NAT for .15 to the server.
I suggest you ask the ISP to use .15 instead. Perhaps they did not want to use it before since they did not know the webmail is on the same server as whatever .15 is. If you tell them it is the same server, they will probably agree and change it.
i asked from my ISP that what is on .15, and he has send me the response which i have send you throught the email, please check it.
thanks...
thanks...
I tried to understand what all was happening here, but the thread has just gotten way to long to follow all of it. But it sounds like a classic problem here to me that many people make when NAT'ing things.
When user/clients are on the same side of the NAT device that the destination Resource is on then the users must go directly to the Resource without going through the NAT device
When users/clients are on the outside of the NAT device and the Resource is on the trusted inside of the device then they obviously use the NAT device to get there.
If the resource is accessed by "name" then Split-DNS is the most common approach. If IP#s as used for access then the right IP has to be used.
When user/clients are on the same side of the NAT device that the destination Resource is on then the users must go directly to the Resource without going through the NAT device
When users/clients are on the outside of the NAT device and the Resource is on the trusted inside of the device then they obviously use the NAT device to get there.
If the resource is accessed by "name" then Split-DNS is the most common approach. If IP#s as used for access then the right IP has to be used.
well no progress have been made on the question so far, you can see the question,
the only change that have been made in the question is if you read the email of the ISP in the start, "These proxies forward the traffic to nnn.nnn.nnn.nn port 81. (his lotus domino server)", so instead of .16 now its .15, and an access rule have been adedd to the firewall router which is,
access-list CITEC-IN extended permit tcp any host nnn.nnn.nnn.nn eq 81
and the nat address for this is;
static (intf_dmz,intf_citec) nnn.nnn.nnn.nn dmz_host_web01 netmask 255.255.255.255
the only change that have been made in the question is if you read the email of the ISP in the start, "These proxies forward the traffic to nnn.nnn.nnn.nn port 81. (his lotus domino server)", so instead of .16 now its .15, and an access rule have been adedd to the firewall router which is,
access-list CITEC-IN extended permit tcp any host nnn.nnn.nnn.nn eq 81
and the nat address for this is;
static (intf_dmz,intf_citec) nnn.nnn.nnn.nn dmz_host_web01 netmask 255.255.255.255
there is a bit of progress, now i can access the webmail but on a different address,
http://web01.qao.qld.gov.au:81/Homepage.nsf
but it needs to be webmail.qao.qld.gov.au
http://web01.qao.qld.gov.au:81/Homepage.nsf
but it needs to be webmail.qao.qld.gov.au
Let me know if you still interested in finding a solution. If you say yes, i would require a basic drawing that includes interfaces and subnets, plus the sanitized config of your ASA firewall
Regards
Regards
yes i am still interested in finding the answer....
i can post the network diagram....
but the ASA config, is quite long, i can post it to you through email....
i can post the network diagram....
but the ASA config, is quite long, i can post it to you through email....
Premium Content
You need an Expert Office subscription to comment.Start Free Trial