[c-nsp] route problem

Dan Letkeman danletkeman at gmail.com
Mon Nov 17 23:12:25 EST 2008


Sorry for the poor diagram.

The vlans are both on the 3560 and the 3560 is in routing mode.  Its
default route is the 2801 router which does the nat for the internet
connection.  Normal users are fine because they use our internal dns
servers and have access to our internal web server.

What is happening on the guest vlan is when someone goes to
www.ourwebsite.com (this being our internal web server) they are
resolving our external ip address for the site, but they are trying to
access the site via the external ip address from the inside of the
router.  I'm sure it's just an access list problem.

Not sure I quite understand how show ip route will help...

Dan.

On Mon, Nov 17, 2008 at 5:48 PM, Rodney Dunn <rodunn at cisco.com> wrote:
> I'm assuming your diagram was:
>
> normal user----vlan 500---3560 switch---2801router---internet
> guest users---vlan 167--/
>
> such that inter vlan routing would happen on the 3560.
>
> Just follow the packet via 'sh ip route'.
>
> So a normal user goes to a webserver..what is the address?
>
> When the packet leaves the normal user does it make it in the
> 3560 ACL on the ingress interface?
> If so, what does 'sh ip route' say for the destination of the packet?
> Go to next hop...etc..
>
> Rodney
>
>
> On Mon, Nov 17, 2008 at 05:05:42PM -0600, Dan Letkeman wrote:
>> Hello,
>>
>> I have setup a guest vlan for internet access.  When the users connect
>> to the guest network they get only internet access and no access to
>> any of the servers on the rest of the network.  The problem I'm having
>> now is that the users on the guest network cannot access our internal
>> web servers.  I'm wondering if this is a simple access list problem or
>> is it a route problem?
>>
>> topology is as follows:
>>
>>
>> normal user----------vlan 500--------------3560 switch----------2801 router------------internet
>>                                                 |
>>                                                 |
>> guest users---------vlan 167---------------------
>>
>>
>> There is an access list on vlan 167 on the 3560 switch that only
>> allows the guest users access to the internet.  So when I do a trace
>> route from the guest network to the internal web address I get a
>> timeout at the router.  The internal web server resolves with our
>> external ip address because the guest users are not using our internal
>> dns servers.
>>
>> Any ideas where I should start?
>>
>> Dan.
>

