[c-nsp] route problem
David Rose
mailing-list at technicelixir.com
Tue Nov 18 10:40:56 EST 2008
My best guess is that you have a NAT problem. Since your router is
doing NAT, the outside interface is probably the one facing the
internet. However, the guest users are coming from the inside of your
network, so the router can't send them out the internet facing interface
to come back into the external NAT address for your web servers.
There are ways to address this, both with DNS and with reconfiguration,
but the best approach would depend on your setup.
David
Dan Letkeman wrote:
> Sorry for the poor diagram.
>
> The VLANs are both on the 3560 and the 3560 is in routing mode. Its
> default route is the 2801 router which does the nat for the internet
> connection. Normal users are fine because they use our internal dns
> servers and have access to our internal web server.
>
> What is happening on the guest vlan is when someone goes to
> www.ourwebsite.com (this being our internal web server) they are
> resolving our external ip address for the site, but they are trying to
> access the site via the external ip address from the inside of the
> router. I'm sure it's just an access list problem.
>
> Not sure I quite understand how show ip route will help...
>
> Dan.
>
> On Mon, Nov 17, 2008 at 5:48 PM, Rodney Dunn <rodunn at cisco.com> wrote:
>
>> I'm assuming your diagram was:
>>
>> normal user----vlan 500---3560 switch---2801router---internet
>> guest users----vlan 167--/
>>
>> such that inter vlan routing would happen on the 3560.
>>
>> Just follow the packet via 'sh ip route'.
>>
>> So a normal user goes to a webserver..what is the address?
>>
>> When the packet leaves the normal user does it make it in the
>> 3560 ACL on the ingress interface?
>> If so, what does 'sh ip route' say for the destination of the packet?
>> Go to next hop...etc..
>>
>> Rodney
>>
>>
>> On Mon, Nov 17, 2008 at 05:05:42PM -0600, Dan Letkeman wrote:
>>
>>> Hello,
>>>
>>> I have setup a guest vlan for internet access. When the users connect
>>> to the guest network they get only internet access and no access to
>>> any of the servers on the rest of the network. The problem I'm having
>>> now is that the users on the guest network cannot access our internal
>>> web servers. I'm wondering if this is a simple access list problem or
>>> is it a route problem?
>>>
>>> topology is as follows:
>>>
>>>
>>> normal user----------vlan 500--------------3560 switch----------2801 router------------internet
>>> |
>>> |
>>> guest users---------vlan 167---------------------
>>>
>>>
>>> There is an access list on vlan 167 on the 3560 switch that only
>>> allows the guest users access to the internet. So when I do a trace
>>> route from the guest network to the internal web address I get a
>>> timeout at the router. The internal web server resolves with our
>>> external ip address because the guest users are not using our internal
>>> dns servers.
>>>
>>> Any ideas where I should start?
>>>
>>> Dan.
>>> _______________________________________________
>>> cisco-nsp mailing list cisco-nsp at puck.nether.net
>>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>>