NAT'ing issue on a Cisco 881

Last Modified: 2012-05-11
I have a client who has a public network for offering Wi-Fi etc. Recently we separated those networks logically by 2 VLANs. The problem is that when anyone in the public network tries to access their remote webmail (hosted on a server within the internal network) they are unable to get it. The DNS record for their webmail points to the PUBLIC address.

If I remove the access lists from the 2 VLAN interfaces, the users on the public network still cannot get to the webmail website. Again, they are hitting the website from the external IP, not the private one; this is why I think it is an issue with NAT.

Users from the public network, for security reasons, are not allowed to see or access any PCs/servers on the private network. Users in the public network are using the 4.2.2.2 DNS server.

So my question is this: how can I allow the public users access to their webmail from the public network?

Below is the current config:

Router#sh run
Building configuration...

Current configuration : 5566 bytes
!
! Last configuration change at 08:24:13 edt Fri Apr 22 2011
!
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 *****************
!
no aaa new-model
!
!
!
memory-size iomem 10
clock timezone est -5
clock summer-time edt recurring
!
crypto pki trustpoint TP-self-signed-
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate
 revocation-check none
 rsakeypair TP-self-signed-
!
!
crypto pki certificate chain TP-self-signed-
 certificate self-signed 01
        quit
ip source-route
!
!
ip dhcp excluded-address 10.1.0.1
ip dhcp excluded-address 10.1.0.2 10.1.0.20
!
ip dhcp pool PUBLIC
   network 10.1.0.0 255.255.240.0
   dns-server 4.2.2.2
   default-router 10.1.0.1
   lease 8
!
!
ip cef
no ip domain lookup
ip domain name ********
ip inspect name firewall tcp
ip inspect name firewall udp
ip inspect name firewall icmp
no ipv6 cef
!
!
multilink bundle-name authenticated

!
!
username************* secret ***************
!
!
ip ssh time-out 30
ip ssh version 2
!
!
!
!
!
!
!
interface FastEthernet0
 !
!
interface FastEthernet1
 !
!
interface FastEthernet2
 switchport access vlan 2
 !
!
interface FastEthernet3
 !
!
interface FastEthernet4
 description COMCAST
 ip address 173.12.2.205 255.255.255.252
 ip access-group FIREWALL in
 ip nat outside
 ip inspect firewall out
 ip virtual-reassembly
 duplex auto
 speed auto
 no cdp enable
 !
!
interface Vlan1
 description LAN
 ip address 192.168.60.1 255.255.255.0
 ip access-group VLAN1 in
 ip nat inside
 ip virtual-reassembly
 !
!
interface Vlan2
 description PUBLIC LAN
 ip address 10.1.0.1 255.255.240.0
 ip access-group VLAN2 in
 ip nat inside
 ip virtual-reassembly
 !
!
ip forward-protocol nd
no ip http server
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat inside source static tcp 192.168.60.5 25 interface FastEthernet4 25
ip nat inside source static tcp 192.168.60.5 80 interface FastEthernet4 80
ip nat inside source static tcp 192.168.60.5 987 interface FastEthernet4 987
ip nat inside source static tcp 192.168.60.5 4125 interface FastEthernet4 4125
ip nat inside source static tcp 192.168.60.5 443 interface FastEthernet4 443
ip nat inside source list 1 interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 173.12.2.206
!
ip access-list extended FIREWALL
 permit tcp any any eq 22
 permit tcp any any eq 443
 permit tcp any any eq smtp
 permit tcp any any eq 4125
 permit tcp any any eq 987
 permit tcp any any eq www
 deny   tcp any any
 deny   udp any any
 deny   icmp any any
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip 224.0.0.0 31.255.255.255 any
 deny   ip 169.254.0.0 0.0.255.255 any
 permit ip any any
 permit tcp any eq 22 any
ip access-list extended VLAN1
 permit ip 192.168.60.0 0.0.0.255 host 10.1.0.28
 deny   ip 192.168.60.0 0.0.0.255 10.1.0.0 0.0.15.255
 permit ip any any
ip access-list extended VLAN2
 permit ip host 10.1.0.28 host 192.168.60.5
 deny   tcp 10.1.0.0 0.0.15.255 host 10.1.0.1 eq 22
 permit tcp 10.1.0.0 0.0.15.255 host 192.168.60.5 eq 443
 deny   tcp 10.1.0.0 0.0.15.255 192.168.60.0 0.0.0.255
 permit ip any any
!
access-list 1 permit 192.168.60.0 0.0.0.255
access-list 1 permit 10.1.0.0 0.0.15.255
no cdp run

!
!
!
!
!
control-plane
 !
!
banner login ^C AUTHORIZED PERSONAL ONLY!! ^C
!
line con 0
 exec-timeout 0 0
 logging synchronous
 login local
 no modem enable
line aux 0
line vty 0 4
 privilege level 15
 login local
 transport input ssh
!
scheduler max-task-time 5000
end
Author

Commented:
If I had the clients on the public VPN into the router, would this also work? The access lists would not block this, would they?
CERTIFIED EXPERT
Top Expert 2014

Commented:
They would still be using an internal IP address, which would still leave you with the same issue. The ACLs won't be blocking access, but you can test that by removing them from each interface.
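To check the point that the ACLs are not what blocks the hairpin, here is an added Python model (not from the thread and not a Cisco tool) of the VLAN2 list, the FIREWALL list reduced to its 443 entries, and the static 443 translation from the config above. It encodes the IOS behaviour that destination (outside-to-inside) translation only applies to packets entering an "ip nat outside" interface; 203.0.113.9 is a constructed Internet source address.

```python
import ipaddress

# Modelled from the thread's config: the ACL applied inbound on Vlan2, the
# FIREWALL ACL inbound on FastEthernet4 (443 entries only), and the static
# 443 translation. Entry tuples: (action, protocol, source, destination, dport).
VLAN2 = [
    ("permit", "ip",  "host 10.1.0.28",      "host 192.168.60.5",      None),
    ("deny",   "tcp", "10.1.0.0 0.0.15.255", "host 10.1.0.1",          22),
    ("permit", "tcp", "10.1.0.0 0.0.15.255", "host 192.168.60.5",      443),
    ("deny",   "tcp", "10.1.0.0 0.0.15.255", "192.168.60.0 0.0.0.255", None),
    ("permit", "ip",  "any",                 "any",                    None),
]
FIREWALL = [("permit", "tcp", "any", "any", 443), ("deny", "tcp", "any", "any", None)]
ACLS = {"Vlan2": VLAN2, "FastEthernet4": FIREWALL}
OUTSIDE_IP = "173.12.2.205"                       # address of the ip nat outside interface
STATIC_NAT = {(OUTSIDE_IP, 443): ("192.168.60.5", 443)}

def wc_match(addr, spec):
    """Cisco wildcard-mask match: 'any', 'host A.B.C.D' or 'A.B.C.D W.X.Y.Z'."""
    if spec == "any":
        return True
    a, b = spec.split()
    base = ipaddress.IPv4Address(b if a == "host" else a)
    wild = 0 if a == "host" else int(ipaddress.IPv4Address(b))   # 1 bits = don't care
    return (int(ipaddress.IPv4Address(addr)) & ~wild) == (int(base) & ~wild)

def acl_verdict(acl, proto, src, dst, dport):
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for action, p, s, d, port in acl:
        if p not in ("ip", proto) or (port is not None and port != dport):
            continue
        if wc_match(src, s) and wc_match(dst, d):
            return action
    return "deny"

def tcp_flow(ingress, src, dst, dport):
    """Where a TCP SYN ends up after the ingress ACL and IOS NAT ordering.
    Static inside-source translation rewrites the destination only for packets
    arriving on the outside interface, so an inside host aiming at the public
    address is not hairpinned: the router owns that address and answers itself."""
    if acl_verdict(ACLS[ingress], "tcp", src, dst, dport) == "deny":
        return "dropped by ACL"
    if ingress == "FastEthernet4" and (dst, dport) in STATIC_NAT:
        return "forwarded to %s:%d" % STATIC_NAT[(dst, dport)]
    if dst == OUTSIDE_IP:
        return "handled by the router itself, no translation"
    return "forwarded to %s:%d" % (dst, dport)
```

Run tcp_flow("Vlan2", "10.1.0.28", "173.12.2.205", 443) against tcp_flow("Vlan2", "10.1.0.28", "192.168.60.5", 443): the ACL permits both, but only the private address reaches the webmail server, which is why removing the ACLs changed nothing.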