[c-nsp] route problem

David Rose mailing-list at technicelixir.com
Tue Nov 18 11:44:04 EST 2008


Here are some options:
1. Grant access to DNS servers you control and do split-horizon.  That
way you can control what responses the guest users get for my internal
resources.
2. Do the routing for the guest VLAN on the router and make the
subinterface for the guest VLAN a NAT outside interface as well (I seem
to remember this works, but you may want to test).  Or if you have a
spare interface on the router, you could dedicate a port to the guest VLAN.
3. Use NAT on a stick.  Seem to remember seeing someone with this
working once, but I wouldn't recommend it as it will degrade router
performance (all packets are process switched).
4. Do NAT on the 3560 for the web server.  Again, I wouldn't recommend
this as NAT on switches tends to be far more CPU hungry than on
routers/firewalls.

Those are the options that come to mind quickly, but I know there are
others if I were to look into it further.

David




Dan Letkeman wrote:
> NAT problems make sense.  I thought about allowing access to the
> local dns servers and local web servers via the access list on the
> 3560 and then changing the guest users dhcp server so they use the
> local dns servers.
>
> Any other ideas?
>
> Thanks,
> Dan.
>
> On Tue, Nov 18, 2008 at 9:40 AM, David Rose
> <mailing-list at technicelixir.com> wrote:
>   
>> My best guess is that you have a NAT problem.  Since your router is
>> doing NAT, the outside interface is probably the one facing the
>> internet.  However, the guest users are coming from the inside of your
>> network, so the router can't send them out the internet facing interface
>> to come back into the external NAT address for your web servers.
>>
>> There are ways to address this, both with DNS and with reconfiguration,
>> but the best approach would depend on your setup.
>>
>> David
>>
>>
>>
>>
>>
>> Dan Letkeman wrote:
>>     
>>> Sorry for the poor diagram.
>>>
>>> The VLANs are both on the 3560 and the 3560 is in routing mode.  Its
>>> default route is the 2801 router which does the nat for the internet
>>> connection.  Normal users are fine because they use our internal dns
>>> servers and have access to our internal web server.
>>>
>>> What is happening on the guest vlan is when someone goes to
>>> www.ourwebsite.com (this being our internal web server) they are
>>> resolving our external ip address for the site, but they are trying to
>>> access the site via the external ip address from the inside of the
>>> router.  I'm sure it's just an access list problem.
>>>
>>> Not sure I quite understand how show ip route will help...
>>>
>>> Dan.
>>>
>>> On Mon, Nov 17, 2008 at 5:48 PM, Rodney Dunn <rodunn at cisco.com> wrote:
>>>
>>>       
>>>> I'm assuming your diagram was:
>>>>
>>>> normal user----vlan 500---3560 switch---2801router---internet
>>>> guest users---vlan 167--/
>>>>
>>>> such that inter vlan routing would happen on the 3560.
>>>>
>>>> Just follow the packet via 'sh ip route'.
>>>>
>>>> So a normal user goes to a webserver..what is the address?
>>>>
>>>> When the packet leaves the normal user does it make it in the
>>>> 3560 ACL on the ingress interface?
>>>> If so, what does 'sh ip route' say for the destination of the packet?
>>>> Go to next hop...etc..
>>>>
>>>> Rodney
>>>>
>>>>
>>>> On Mon, Nov 17, 2008 at 05:05:42PM -0600, Dan Letkeman wrote:
>>>>
>>>>         
>>>>> Hello,
>>>>>
>>>>> I have setup a guest vlan for internet access.  When the users connect
>>>>> to the guest network they get only internet access and no access to
>>>>> any of the servers on the rest of the network.  The problem I'm having
>>>>> now is that the users on the guest network cannot access our internal
>>>>> web servers.  I'm wondering if this is a simple access list problem or
>>>>> is it a route problem?
>>>>>
>>>>> topology is as follows:
>>>>>
>>>>>
>>>>> normal user----vlan 500----3560 switch----2801 router----internet
>>>>>                              |
>>>>> guest users----vlan 167-------
>>>>>
>>>>>
>>>>> There is an access list on vlan 167 on the 3560 switch that only
>>>>> allows the guest users access to the internet.  So when I do a trace
>>>>> route from the guest network to the internal web address I get a
>>>>> timeout at the router.  The internal web server resolves with our
>>>>> external ip address because the guest users are not using our internal
>>>>> dns servers.
>>>>>
>>>>> Any ideas where I should start?
>>>>>
>>>>> Dan.
>>>>> _______________________________________________
>>>>> cisco-nsp mailing list  cisco-nsp at puck.nether.net
>>>>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>>>>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>>>>
>>>>>           
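The thread's diagnosis can be checked the way Rodney suggests, by following the packet one hop at a time. Below is an added example (not from the thread, and not an IOS simulator): a small Python model of the topology Dan drew, with longest-prefix route lookup, a first-match ACL on vlan 167, and the one NAT rule that matters here, namely that destination translation for a static mapping is applied only to packets entering on a NAT-outside interface. Every address, interface name, route and ACL entry in it is constructed; the assumptions are the 10.0.0.0/8 internal space, a 203.0.113.0/24 outside subnet on the 2801 and a static mapping for the web server.

```python
"""Follow a packet hop by hop through a constructed model of the thread's topology
(guest VLAN -> 3560 -> 2801 -> internet) and report where it dies.  Added example,
not from the thread; addresses, interface names and ACL entries are constructed.
Destination NAT is applied only to packets that ENTER on a NAT-outside interface."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

ip, net = ipaddress.ip_address, ipaddress.ip_network
WEB_INSIDE = ip("10.0.50.10")     # internal web server (constructed address)
WEB_OUTSIDE = ip("203.0.113.10")  # its static NAT address in the 2801's outside /24
GUEST_HOST = ip("10.0.167.25")    # a host on guest VLAN 167
INTERNET = "internet"             # sentinel peer: traffic leaves the model here

@dataclass
class Iface:
    net: ipaddress.IPv4Network
    nat: Optional[str] = None       # "inside", "outside" or None
    peer: Optional[str] = None      # adjacent device name, INTERNET, or None (a LAN)
    hosts: frozenset = frozenset()  # hosts known to answer ARP on this segment

@dataclass
class Device:
    ifaces: dict
    routes: list                                    # (prefix, egress iface)
    acls: dict = field(default_factory=dict)        # ingress iface -> [(action, prefix)]
    static_nat: dict = field(default_factory=dict)  # outside global -> inside local

def acl_permits(dev, iface, dst):
    """Cisco-style ACL: first match wins, implicit deny at the end, no ACL means permit."""
    hit = next((a for a, p in dev.acls.get(iface, []) if dst in p), None)
    return hit == "permit" if hit else iface not in dev.acls

def lookup(dev, dst):
    """Longest-prefix match, i.e. the 'sh ip route' step of the thread."""
    matches = [(p, out) for p, out in dev.routes if dst in p]
    return max(matches, key=lambda m: m[0].prefixlen, default=None)

def walk(devices, start, inif, src, dst, max_hops=8):
    """Return (verdict, trace) for a packet src->dst entering device `start` on `inif`."""
    trace, dev_name = [f"{src} -> {dst} enters {start}/{inif}"], start
    for _ in range(max_hops):
        dev = devices[dev_name]
        if not acl_permits(dev, inif, dst):
            return f"dropped: ACL on {dev_name}/{inif} denies {dst}", trace
        if dev.ifaces[inif].nat == "outside" and dst in dev.static_nat:
            trace.append(f"{dev_name}: NAT {dst} -> {dev.static_nat[dst]}")
            dst = dev.static_nat[dst]  # outside->inside: translate before routing
        route = lookup(dev, dst)
        if route is None:
            return f"dropped: {dev_name} has no route to {dst}", trace
        prefix, outif = route
        egress = dev.ifaces[outif]
        trace.append(f"{dev_name}: {dst} matches {prefix} via {outif}")
        if dst in egress.hosts:
            return f"delivered to {dst} via {dev_name}/{outif}", trace
        if dst in egress.net:  # connected subnet, but nobody owns the address
            return f"dropped: no host answers for {dst} on {dev_name}/{outif}", trace
        if egress.peer == INTERNET:
            return f"forwarded to the internet via {dev_name}/{outif}", trace
        dev_name = egress.peer  # hand off over the point-to-point link
        inif = next(n for n, i in devices[dev_name].ifaces.items() if i.net == egress.net)
    return "dropped: hop limit exceeded", trace

def build(guest_acl):
    """The two devices from the thread's diagram; `guest_acl` is applied on vlan 167."""
    link = net("10.0.0.0/30")  # 3560 <-> 2801
    sw3560 = Device(
        ifaces={"vlan167": Iface(net("10.0.167.0/24"), hosts=frozenset({GUEST_HOST})),
                "vlan50": Iface(net("10.0.50.0/24"), hosts=frozenset({WEB_INSIDE})),
                "gi0/1": Iface(link, peer="2801")},
        routes=[(net("10.0.167.0/24"), "vlan167"), (net("10.0.50.0/24"), "vlan50"),
                (link, "gi0/1"), (net("0.0.0.0/0"), "gi0/1")],  # default -> 2801
        acls={"vlan167": guest_acl})
    rtr2801 = Device(
        ifaces={"fa0/0": Iface(link, nat="inside", peer="3560"),
                "fa0/1": Iface(net("203.0.113.0/24"), nat="outside", peer=INTERNET,
                               hosts=frozenset({ip("203.0.113.1")}))},  # ISP gateway
        routes=[(link, "fa0/0"), (net("10.0.0.0/8"), "fa0/0"),  # internal nets via 3560
                (net("203.0.113.0/24"), "fa0/1"), (net("0.0.0.0/0"), "fa0/1")],
        static_nat={WEB_OUTSIDE: WEB_INSIDE})  # 'ip nat inside source static'
    return {"3560": sw3560, "2801": rtr2801}

# vlan 167 ACL as the thread describes it: guests reach the internet only.
GUEST_ONLY_INTERNET = [("deny", net("10.0.0.0/8")), ("permit", net("0.0.0.0/0"))]
# With split-horizon DNS guests get the inside address, so admit that one host too.
GUEST_PLUS_WEB = [("permit", net(f"{WEB_INSIDE}/32"))] + GUEST_ONLY_INTERNET

def scenarios():
    asis, fixed = build(GUEST_ONLY_INTERNET), build(GUEST_PLUS_WEB)
    return {
        "guest -> external address": walk(asis, "3560", "vlan167", GUEST_HOST, WEB_OUTSIDE)[0],
        "internet -> external address": walk(asis, "2801", "fa0/1", ip("198.51.100.7"), WEB_OUTSIDE)[0],
        "guest -> inside, old ACL": walk(asis, "3560", "vlan167", GUEST_HOST, WEB_INSIDE)[0],
        "guest -> inside, new ACL": walk(fixed, "3560", "vlan167", GUEST_HOST, WEB_INSIDE)[0],
    }

if __name__ == "__main__":
    print(*(f"{k:30} {v}" for k, v in scenarios().items()), sep="\n")
```

Running it reproduces the thread: the guest's packet to the external address clears the vlan 167 ACL and reaches the 2801, but because it entered on the inside interface nothing rewrites the destination, the route lookup hits the connected outside subnet, and no host there owns the address, so it dies at the router (Dan's traceroute timeout). The same destination arriving from the internet is translated first and delivered. Handing guests the inside address instead (David's option 1) moves the failure to the 3560 ACL, which is the access-list change Dan proposed. The model leaves out source translation on egress and the router's own interface addresses, neither of which changes these verdicts.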
