cisco route public IP [part2]

  • cisco route public IP [part2]

    Hello Everyone

    Here is my hardware setup:

    CISCO 2651XM
    fa0/0--->to internet
    fa0/1-->to-lan (192.168.40.0/24)
    fa0/1.50-->to-lan (192.168.50.0/24)

    The 2 subnets are inter-routed (they can communicate with each other).

    3 public IPs from my ISP

    and router setup:


    interface FastEthernet0/0
    description _WAN_INTERFACE_
    ip address 146.67.200.200 255.255.255.240 secondary
    ip address 146.67.200.200 255.255.255.240 secondary
    ip address 146.74.17.254 255.255.240.0
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip nat outside

    interface FastEthernet0/1.50
    encapsulation dot1Q 50
    ip address 192.168.50.1 255.255.255.0
    ip nat inside
    ip virtual-reassembly
    end

    interface FastEthernet0/1.1
    description Native_VLAN_1
    encapsulation dot1Q 1 native
    ip address 192.168.40.101 255.255.255.0
    ip nbar protocol-discovery
    ip nat inside
    ip virtual-reassembly
    no ip mroute-cache
    end

    ip nat inside source static 192.168.50.200 146.67.200.200
    ip nat inside source static 192.168.50.243 146.67.200.201

    i have 2 web+smtp servers on both internal ips

    So:

    SMTP+WEB connection from the internet to 146.67.200.200 = OK
    SMTP+WEB connection from the internet to 146.67.200.201 = OK

    but...

    192.168.50.20:
    ping 146.67.200.200 = OK
    telnet 146.67.200.200 25/80 failed

    So from the local network I can ping names (DNS is working), but somehow forwarding from the LANs --> the public IPs fails ...

    I do not get what is wrong
    ...

  • #2
    Re: cisco route public IP [part2]

    I don't see any NAT config for your LAN subnets? At least not in what you posted. Also, why the secondary IPs on your WAN interface? You have the static NATs in place. If your ISP assigned those IPs to you then they will route any traffic for those IPs to your router. The router will then proxy-ARP for those public IPs and use your static NATs to forward it internally.
    CCNA, CCNA-Security, CCNP
    CCIE Security (In Progress)

    • #3
      Re: cisco route public IP [part2]

      ip nat inside source list 101 interface FastEthernet0/0 overload

      ip nat inside source static 192.168.50.200 146.67.200.200

      ip nat inside source static 192.168.50.243 146.67.200.201

      ip access-lists 101
      Extended IP access list 101
      10 deny ip any 192.168.80.0 0.0.0.255
      20 permit ip 192.168.40.0 0.0.0.255 any
      30 permit udp any any eq domain
      40 permit udp any eq domain any
      50 permit tcp any any eq domain
      60 permit tcp any eq domain any
      70 permit ip 192.168.80.0 0.0.0.255 any
      80 permit ip 192.168.50.0 0.0.0.255 any

      About the secondary IPs: one tech guy from the ISP told me to assign the designated IPs as secondary IPs on my WAN interface ...


      Failed attempt to ping and telnet from a local machine:

      core1#sh ip nat tra | inc 50.200
      --- --- --- 146.67.200.200 192.168.50.200
      tcp 146.67.200.200:38370 192.168.50.242:38370 146.67.200.200:143 192.168.50.242:143
      icmp 146.67.200.200:53264 192.168.50.242:53264 146.67.200.200:53264 192.168.50.242:53264
      Last edited by fritz001; 25th February 2013, 17:40.

      • #4
        Re: cisco route public IP [part2]

        Are you trying to ping/telnet to the public IPs of your internal hosts? Why would you want to do this? Why not just use their private IPs?
        CCNA, CCNA-Security, CCNP
        CCIE Security (In Progress)

        • #5
          Re: cisco route public IP [part2]

          SMTP1 listening on public IP1 <--> SMTP2 listening on public IP2 (delivery failure:
          deferral: Sorry,_I_wasn't_able_to_establish_an_SMTP_connection._(#4.4.1))

          However, SMTP1/2 can send/receive messages w/o any issue to the outside world.....

          So back to my problem:

          internal IP1 --> telnet to assigned public IP1 failed ....

          Is it some config issue????

          • #6
            Re: cisco route public IP [part2]

            Again, why would you want to access your internal host via its public IP address? The problem is that static NAT only works from outside to inside. Meaning that anything sourced on the outside destined for that public IP then translates to the private one. The issue is that your traffic is coming from the inside interface, so it won't work. It's a design issue. There really isn't a need to do this, as you can reach the internal host by its private IP. The only real reason to do this is if, for example, you had a server internally but your DNS was hosted outside your network (no internal DNS). You would have to do DNS doctoring.
            CCNA, CCNA-Security, CCNP
            CCIE Security (In Progress)
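
Why the inside-to-public-IP attempt fails, as an added example that is not part of the thread and not Cisco code: the Python below models the IOS NAT order of operations for `ip nat inside source` translations. A packet entering the `ip nat outside` interface has its destination translated (inside global to inside local) and is then routed; a packet entering an `ip nat inside` interface is routed first and only has its source translated when it leaves through the outside interface. Nothing rewrites the destination of a packet that arrives on an inside interface, so a LAN host sending to 146.67.200.200 never reaches 192.168.50.200. The addresses are the ones posted in the thread; the hostnames, the split-view DNS data and the test packets are constructed for the example.

```python
"""Model of why an inside host cannot reach a static-NAT public address.

Added example, not the thread's router configuration or any Cisco code.
Addresses are the thread's; hostnames and DNS views are constructed.
"""
from dataclasses import dataclass, replace
import ipaddress

# From the thread's "ip nat inside source static" lines: inside local -> inside global.
STATIC_NAT = {
    "192.168.50.200": "146.67.200.200",
    "192.168.50.243": "146.67.200.201",
}
GLOBAL_TO_LOCAL = {g: l for l, g in STATIC_NAT.items()}

# Subnets behind the "ip nat inside" sub-interfaces.
INSIDE_NETS = [ipaddress.ip_network("192.168.40.0/24"),
               ipaddress.ip_network("192.168.50.0/24")]

# Constructed split-view DNS data: the same name answers differently depending
# on which side the query came from (the split DNS / DNS doctoring idea from #6).
DNS_VIEWS = {
    "outside": {"mail1.example": "146.67.200.200", "mail2.example": "146.67.200.201"},
    "inside":  {"mail1.example": "192.168.50.200", "mail2.example": "192.168.50.243"},
}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


def is_inside(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INSIDE_NETS)


def route(dst: str) -> str:
    """Routing table: inside subnets are connected on the LAN side, all else exits the WAN."""
    return "inside" if is_inside(dst) else "outside"


def forward(pkt: Packet):
    """Apply the IOS NAT order of operations to one packet.

    Returns (egress_interface, packet_as_it_leaves). Only a packet that leaves
    via "inside" with a 192.168.50.x destination is one the server would see.
    """
    if not is_inside(pkt.src):
        # Arrived on the "ip nat outside" interface: translate the destination
        # (global -> local) first, then route on the translated address.
        if pkt.dst in GLOBAL_TO_LOCAL:
            pkt = replace(pkt, dst=GLOBAL_TO_LOCAL[pkt.dst])
        return route(pkt.dst), pkt

    # Arrived on an "ip nat inside" interface: route first. The destination is
    # left untouched, so a public IP is simply sent towards the WAN. Only the
    # static entries are modelled; the overload entry from post #3 would also
    # translate other LAN sources, which does not change the outcome here.
    egress = route(pkt.dst)
    if egress == "outside" and pkt.src in STATIC_NAT:
        pkt = replace(pkt, src=STATIC_NAT[pkt.src])
    return egress, pkt


def resolve(name: str, view: str) -> str:
    """Split-view lookup: inside clients get the private address."""
    return DNS_VIEWS[view][name]


def reaches_server(pkt: Packet, server_local: str) -> bool:
    egress, out = forward(pkt)
    return egress == "inside" and out.dst == server_local


if __name__ == "__main__":
    # Internet client to the public address: translated and delivered.
    print(forward(Packet("203.0.113.5", "146.67.200.200", 25)))
    # LAN client to the same public address: routed towards the WAN, untranslated.
    print(forward(Packet("192.168.50.20", "146.67.200.200", 25)))
    # LAN client after split-view DNS: reaches the server by its private address.
    print(forward(Packet("192.168.50.20", resolve("mail1.example", "inside"), 25)))
```

A successful ping of a NAT global address from the LAN is therefore not evidence that the server behind it was reached: in the posted config fa0/0 also carries 146.67.200.200 as a secondary address, so the router itself can answer the echo, while TCP 25/80 has nothing listening on the router. The check to run during such an attempt is `show ip nat translations`; a translation for the LAN client's source would appear there if NAT were involved.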

            • #7
              Re: cisco route public IP [part2]

              I think I got it now.

              And now, how do I define an access list to limit only www/smtp traffic for public IP IP1?

              • #8
                Re: cisco route public IP [part2]

                permit tcp any x.x.x.x y.y.y.y eq www
                permit tcp any x.x.x.x y.y.y.y eq smtp

                Apply it inbound on the outside interface.
                CCNA, CCNA-Security, CCNP
                CCIE Security (In Progress)
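
How those two lines behave once applied inbound on fa0/0, as an added example that is not part of the thread and not Cisco code: the Python below parses a subset of IOS extended-ACL syntax (permit/deny, ip/tcp/udp, `any` / `host A` / `A WILDCARD`, optional `eq PORT` after either address, optional `established`) and evaluates it with IOS first-match semantics and the implicit deny at the end. Two points it makes visible. An inbound ACL on the outside interface is checked before the outside-to-inside NAT translation, so it must name the public (inside global) address, not 192.168.50.200. And because of the implicit deny, the two permits on their own also drop the return traffic of the LAN's overload NAT and the DNS replies to the resolver; the second ACL shows the usual additions. The ACL lines use the thread's first public address for IP1; the packets are constructed samples.

```python
"""Evaluate a Cisco-style extended ACL applied inbound on the outside interface.

Added example, not the thread's configuration or Cisco code. Packets are
constructed as they would arrive on fa0/0, i.e. before NAT has touched them.
"""
from dataclasses import dataclass
from typing import Optional
import ipaddress

PORT_NAMES = {"www": 80, "smtp": 25, "domain": 53}
ACK, RST, SYN = 0x10, 0x04, 0x02  # TCP flag bits


@dataclass(frozen=True)
class ACE:
    action: str
    proto: str
    src: tuple                 # (base, wildcard) as 32-bit ints, IOS wildcard semantics
    sport: Optional[int]
    dst: tuple
    dport: Optional[int]
    established: bool


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: int = 0             # TCP flags; 0 for UDP


def _port(tok: str) -> int:
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)


def parse_ace(line: str) -> ACE:
    """Parse one ACE such as 'permit tcp any host 146.67.200.200 eq www'."""
    tok = line.split()
    action, proto, i = tok[0], tok[1], 2

    def addr():
        nonlocal i
        if tok[i] == "any":
            i += 1
            return (0, 0xFFFFFFFF)
        if tok[i] == "host":
            i += 2
            return (int(ipaddress.ip_address(tok[i - 1])), 0)
        base, wild = tok[i], tok[i + 1]
        i += 2
        return (int(ipaddress.ip_address(base)), int(ipaddress.ip_address(wild)))

    def opt_port():
        nonlocal i
        if i < len(tok) and tok[i] == "eq":
            i += 2
            return _port(tok[i - 1])
        return None

    src, sport = addr(), opt_port()
    dst, dport = addr(), opt_port()
    established = False
    if i < len(tok) and tok[i] == "established":
        established, i = True, i + 1
    if i != len(tok):
        raise ValueError(f"unsupported keyword {tok[i]!r} in {line!r}")
    return ACE(action, proto, src, sport, dst, dport, established)


def _addr_match(addr: str, spec: tuple) -> bool:
    """IOS wildcard match: bits set in the wildcard are 'don't care'."""
    base, wild = spec
    return (int(ipaddress.ip_address(addr)) ^ base) & (~wild & 0xFFFFFFFF) == 0


def _ace_match(ace: ACE, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if not (_addr_match(pkt.src, ace.src) and _addr_match(pkt.dst, ace.dst)):
        return False
    if ace.sport is not None and ace.sport != pkt.sport:
        return False
    if ace.dport is not None and ace.dport != pkt.dport:
        return False
    # "established" is only a flag check (ACK or RST set), not connection state.
    if ace.established and not (pkt.proto == "tcp" and pkt.flags & (ACK | RST)):
        return False
    return True


def permitted(acl: list, pkt: Packet) -> bool:
    """First matching entry decides; no match is the implicit deny."""
    for ace in acl:
        if _ace_match(ace, pkt):
            return ace.action == "permit"
    return False


# The two lines from post #8, IP1 filled in with the thread's first public address.
STRICT = [parse_ace(l) for l in (
    "permit tcp any host 146.67.200.200 eq www",
    "permit tcp any host 146.67.200.200 eq smtp",
)]

# Same, plus what an interface ACL with an implicit deny also has to let back in
# when the LAN behind it uses "ip nat ... overload" and resolves names outside.
WORKABLE = STRICT + [parse_ace(l) for l in (
    "permit tcp any any established",   # replies to LAN-initiated TCP sessions
    "permit udp any eq domain any",     # DNS replies to the LAN resolver
)]

# Constructed packets as they arrive on fa0/0 (pre-NAT addresses).
INBOUND_SMTP = Packet("tcp", "203.0.113.5", 40000, "146.67.200.200", 25, flags=SYN)
INBOUND_SSH = Packet("tcp", "203.0.113.5", 40002, "146.67.200.200", 22, flags=SYN)
RETURN_HTTPS = Packet("tcp", "198.51.100.9", 443, "146.74.17.254", 51515, flags=SYN | ACK)
DNS_REPLY = Packet("udp", "198.51.100.53", 53, "146.74.17.254", 40001)

if __name__ == "__main__":
    for name, pkt in [("inbound smtp", INBOUND_SMTP), ("inbound ssh", INBOUND_SSH),
                      ("return https", RETURN_HTTPS), ("dns reply", DNS_REPLY)]:
        print(f"{name:13} strict={permitted(STRICT, pkt)!s:5} workable={permitted(WORKABLE, pkt)}")
```

`established` only looks at the ACK/RST bits, so it is a coarse filter rather than state tracking; if the IOS image on the router supports CBAC (`ip inspect`) or the zone-based firewall, a stateful inspection rule for the LAN's outbound traffic is the better way to admit the return traffic, with the ACL left to the two server permits.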

                • #9
                  Re: cisco route public IP [part2]

                  Yes, thanks for all the info.

                  Anyway, for the one and last problem I still have:

                  SMTP1 on IP1 and SMTP2 on IP2 cannot send between them.

                  I'm using 2 registered domains + my own DNS (for both zones)

                  Or is it just a case of: use split-view DNS .....

                  • #10
                    Re: cisco route public IP [part2]

                    If you have internal DNS then there shouldn't be a need for split DNS. Are they communicating using their internal addresses? Not sure how your SMTP servers are set up. I think at this point it would be better to hire a consultant.
                    CCNA, CCNA-Security, CCNP
                    CCIE Security (In Progress)

                    • #11
                      Re: cisco route public IP [part2]

                      Well... finally solved (had to modify some settings in my DNS, but no split view).

                      Once again, thanks for the support!!
