  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 672

NAT'ing issue on a Cisco 881

I have a client who has a public network for offering wi-fi etc. Recently we separated those networks logically by 2 VLANs. The problem is that when anyone in the public network tries to access their remote webmail (hosted on a server within the internal network) they are unable to get it. The DNS record for their webmail points to the PUBLIC address.

If I remove the access lists from the 2 VLAN interfaces, the users on the public network still cannot get to the webmail website. Again, they are hitting the website from the external IP, not the private one; this is why I think it is an issue with NAT.

Users from the public network, for security reasons, are not allowed to see or access any PCs/servers on the private network. Users on the public network are using the 4.2.2.2 DNS server.

So my question is this: how can I allow the public users access to their webmail from the public network?

Below is the current config:

Router#sh run
Building configuration...

Current configuration : 5566 bytes
!
! Last configuration change at 08:24:13 edt Fri Apr 22 2011
!
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 *****************
!
no aaa new-model
!
!
!
memory-size iomem 10
clock timezone est -5
clock summer-time edt recurring
!
crypto pki trustpoint TP-self-signed-
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate
 revocation-check none
 rsakeypair TP-self-signed-
!
!
crypto pki certificate chain TP-self-signed-
 certificate self-signed 01
        quit
ip source-route
!
!
ip dhcp excluded-address 10.1.0.1
ip dhcp excluded-address 10.1.0.2 10.1.0.20
!
ip dhcp pool PUBLIC
   network 10.1.0.0 255.255.240.0
   dns-server 4.2.2.2
   default-router 10.1.0.1
   lease 8
!
!
ip cef
no ip domain lookup
ip domain name ********
ip inspect name firewall tcp
ip inspect name firewall udp
ip inspect name firewall icmp
no ipv6 cef
!
!
multilink bundle-name authenticated

!
!
username************* secret ***************
!
!
ip ssh time-out 30
ip ssh version 2
!
!
!
!
!
!
!
interface FastEthernet0
 !
!
interface FastEthernet1
 !
!
interface FastEthernet2
 switchport access vlan 2
 !
!
interface FastEthernet3
 !
!
interface FastEthernet4
 description COMCAST
 ip address 173.12.2.205 255.255.255.252
 ip access-group FIREWALL in
 ip nat outside
 ip inspect firewall out
 ip virtual-reassembly
 duplex auto
 speed auto
 no cdp enable
 !
!
interface Vlan1
 description LAN
 ip address 192.168.60.1 255.255.255.0
 ip access-group VLAN1 in
 ip nat inside
 ip virtual-reassembly
 !
!
interface Vlan2
 description PUBLIC LAN
 ip address 10.1.0.1 255.255.240.0
 ip access-group VLAN2 in
 ip nat inside
 ip virtual-reassembly
 !
!
ip forward-protocol nd
no ip http server
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat inside source static tcp 192.168.60.5 25 interface FastEthernet4 25
ip nat inside source static tcp 192.168.60.5 80 interface FastEthernet4 80
ip nat inside source static tcp 192.168.60.5 987 interface FastEthernet4 987
ip nat inside source static tcp 192.168.60.5 4125 interface FastEthernet4 4125
ip nat inside source static tcp 192.168.60.5 443 interface FastEthernet4 443
ip nat inside source list 1 interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 173.12.2.206
!
ip access-list extended FIREWALL
 permit tcp any any eq 22
 permit tcp any any eq 443
 permit tcp any any eq smtp
 permit tcp any any eq 4125
 permit tcp any any eq 987
 permit tcp any any eq www
 deny   tcp any any
 deny   udp any any
 deny   icmp any any
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip 224.0.0.0 31.255.255.255 any
 deny   ip 169.254.0.0 0.0.255.255 any
 permit ip any any
 permit tcp any eq 22 any
ip access-list extended VLAN1
 permit ip 192.168.60.0 0.0.0.255 host 10.1.0.28
 deny   ip 192.168.60.0 0.0.0.255 10.1.0.0 0.0.15.255
 permit ip any any
ip access-list extended VLAN2
 permit ip host 10.1.0.28 host 192.168.60.5
 deny   tcp 10.1.0.0 0.0.15.255 host 10.1.0.1 eq 22
 permit tcp 10.1.0.0 0.0.15.255 host 192.168.60.5 eq 443
 deny   tcp 10.1.0.0 0.0.15.255 192.168.60.0 0.0.0.255
 permit ip any any
!
access-list 1 permit 192.168.60.0 0.0.0.255
access-list 1 permit 10.1.0.0 0.0.15.255
no cdp run

!
!
!
!
!
control-plane
 !
!
banner login ^C AUTHORIZED PERSONAL ONLY!! ^C
!
line con 0
 exec-timeout 0 0
 logging synchronous
 login local
 no modem enable
line aux 0
line vty 0 4
 privilege level 15
 login local
 transport input ssh
!
scheduler max-task-time 5000
end
Asked: 2knetworks

1 Solution

Craig Beck commented:
This isn't supported by Cisco's implementation of NAT on any router AFAIK. You can 'sort-of' do it using an ASA I think, but some of the other experts can correct me on that if I'm wrong :-)

You would have to use DNS for this, by pointing the clients on the public network to the internal IP of the mail server. However, as you said you can't let public clients use internal servers, you would have to put a separate DNS server on the public network and run a split-DNS.
2knetworks (Author) commented:
If I had the clients on the public VPN into the router, would this also work? The access lists would not block this, would they?
Craig Beck commented:
They would still be using an internal IP address, which would still leave you with the same issue. The ACLs won't be blocking access, but you can test that by removing them from each interface.
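To check Craig's point that the access lists are not what stops the webmail flow (and the asker's suspicion that NAT is), here is an added Python example, not from the original thread, that evaluates the VLAN2 list from the posted config with IOS first-match semantics and the implicit trailing deny. The client address 10.1.0.50 and the ephemeral source port used in the checks are constructed values; the parser handles only the numeric `eq` ports that VLAN2 uses, not keywords like `smtp`.

```python
import ipaddress

# The VLAN2 access list from the question, embedded here as a string.
VLAN2_ACL = """
permit ip host 10.1.0.28 host 192.168.60.5
deny   tcp 10.1.0.0 0.0.15.255 host 10.1.0.1 eq 22
permit tcp 10.1.0.0 0.0.15.255 host 192.168.60.5 eq 443
deny   tcp 10.1.0.0 0.0.15.255 192.168.60.0 0.0.0.255
permit ip any any
"""

def _parse_addr(toks):
    """Consume 'any', 'host A' or 'A WILDCARD'; return (network, remaining tokens)."""
    if toks[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), toks[1:]
    if toks[0] == "host":
        return ipaddress.ip_network(toks[1] + "/32"), toks[2:]
    # ipaddress accepts an IOS wildcard (host mask) string as the mask part of the tuple
    return ipaddress.ip_network((toks[0], toks[1]), strict=False), toks[2:]

def _parse_port(toks):
    """Consume an optional numeric 'eq PORT' qualifier; return (port or None, rest)."""
    if toks and toks[0] == "eq":
        return int(toks[1]), toks[2:]
    return None, toks

def parse_acl(text):
    """Parse 'permit|deny PROTO SRC [eq P] DST [eq P]' lines into rule tuples."""
    rules = []
    for line in text.strip().splitlines():
        action, proto, *toks = line.split()
        src, toks = _parse_addr(toks)
        sport, toks = _parse_port(toks)
        dst, toks = _parse_addr(toks)
        dport, _ = _parse_port(toks)
        rules.append((action, proto, src, sport, dst, dport))
    return rules

def evaluate(rules, proto, src, sport, dst, dport):
    """First match wins, as in IOS; a packet matching no line hits the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, rproto, rsrc, rsport, rdst, rdport in rules:
        if rproto not in ("ip", proto) or s not in rsrc or d not in rdst:
            continue
        if rsport not in (None, sport) or rdport not in (None, dport):
            continue
        return action
    return "deny"

VLAN2 = parse_acl(VLAN2_ACL)
```

A public client connecting to 173.12.2.205:443 is matched by the final `permit ip any any`, so the ACL passes the flow and the failure lies with NAT: the static entries translate packets arriving on the `ip nat outside` interface, and a packet entering on Vlan2 never does. The same evaluator also shows that the `deny tcp` line leaves UDP and ICMP from the public VLAN to the 192.168.60.0/24 LAN permitted, which a `deny ip` line in the same position would close.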