
Can't Access My website hosted on my internal webserver behind a Cisco Router

ahmedahmed Member Posts: 41
Hello,
I have a website hosted on my .52 webserver; ports 80 and 53 have been opened. I can access the website from the Internet by using its public IP address but not by its name (www.aaa.com).

Below is my configuration. I have broken it down into three phases:
1) NAT for two ISPs: one primary and one for backup.
2) Zone Based Firewall (outside to inside).
3) Zone Based Firewall (inside to outside): done using CCP.
My NAT is working perfectly fine. I configured the outside-to-inside zone opening up the relevant ports, and all the right ports are opened. I used CCP to configure the inside-to-outside zone because I am not sure of all the ports that would need to be opened, and it is pretty straightforward with CCP.

- My internal DNS server is 10.0.0.1 and is configured properly, because it is currently working with a proprietary firewall.
- From inside to outside everything works fine.
- I can ping my DNS server from my router; I have opened port 53 for my DNS server on the ZBF.
- I can ping my website on my 10.0.0.52 webserver from my router using its name, i.e. ping www.aaa.com, and it shows it resolving to the correct public IP and the ping is successful.
- From the Internet I can access the website by the external IP address http://216.140.140.4 (10.0.0.52 -> 216.140.140.4) but not as http://www.aaa.com; I can't get it by its name.
- I don't have a NAT entry for my internal DNS server; however, I have opened up port 53 for it on the Zone Based Firewall.

Now I don't understand how to provide the static translation, as I don't need the DNS server to really access the Internet, or am I getting something wrong?
I would appreciate your help.
Below is my configuration.


1) NAT:

track 1 ip sla 1 reachability
!
track 2 ip sla 2 reachability
!


interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
ip address 10.0.0.254 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip policy route-map PRIVATE-INGRESS
duplex auto
speed auto
no keepalive
!
interface GigabitEthernet0/1
ip address 216.150.150.4 255.255.255.0 secondary
ip address 216.140.140.2 255.255.255.224
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/2
no ip address
shutdown
duplex auto
speed auto
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip nat pool PRIMARY-POOL 216.140.140.2 216.140.140.2 prefix-length 27
ip nat pool SECONDARY-POOL 216.150.150.4 216.150.150.4 prefix-length 24
ip nat inside source route-map PRIMARY-NAT pool PRIMARY-POOL overload
ip nat inside source route-map SECONDARY-NAT pool SECONDARY-POOL overload
ip nat inside source static 10.0.0.52 216.140.140.4 route-map STATIC-NAT-PRIMARY
ip nat inside source static 10.0.0.53 216.140.140.5 route-map STATIC-NAT-PRIMARY
ip nat inside source static 10.0.0.59 216.140.140.6 route-map STATIC-NAT-PRIMARY
ip nat inside source static 10.0.0.61 216.140.140.7 route-map STATIC-NAT-PRIMARY
ip nat inside source static 10.0.0.228 216.140.140.8 route-map STATIC-NAT-PRIMARY
ip nat inside source static 10.0.0.16 216.140.140.11 route-map STATIC-NAT-PRIMARY
ip nat inside source static 10.0.0.30 216.140.140.12 route-map STATIC-NAT-PRIMARY
ip nat inside source static 10.0.0.251 216.140.140.13 route-map STATIC-NAT-PRIMARY
ip nat inside source static 10.0.0.44 216.140.140.15 route-map STATIC-NAT-PRIMARY
ip nat inside source static 10.0.0.54 216.140.140.16 route-map STATIC-NAT-PRIMARY
ip nat inside source static 10.0.0.23 216.140.140.17 route-map STATIC-NAT-PRIMARY
ip nat inside source static 10.0.0.58 216.140.140.18 route-map STATIC-NAT-PRIMARY
ip nat inside source static 10.0.0.230 216.140.140.19 route-map STATIC-NAT-PRIMARY
ip nat inside source static 10.0.0.216 216.140.140.21 route-map STATIC-NAT-PRIMARY
ip nat inside source static 10.0.0.220 216.140.140.22 route-map STATIC-NAT-PRIMARY
ip nat inside source static 10.0.0.33 216.140.140.25 route-map STATIC-NAT-PRIMARY
ip nat inside source static 10.0.0.21 216.140.140.26 route-map STATIC-NAT-PRIMARY
ip nat inside source static 10.0.0.22 216.140.140.27 route-map STATIC-NAT-PRIMARY
ip nat inside source static 10.0.0.24 216.140.140.28 route-map STATIC-NAT-PRIMARY
ip nat inside source static 10.0.0.25 216.140.140.29 route-map STATIC-NAT-PRIMARY
ip nat inside source static 10.0.0.59 216.150.150.5 route-map STATIC-NAT-SECONDARY
ip nat inside source static 10.0.0.52 216.150.150.6 route-map STATIC-NAT-SECONDARY
ip nat inside source static 10.0.0.53 216.150.150.7 route-map STATIC-NAT-SECONDARY
ip nat inside source static 10.0.0.16 216.150.150.8 route-map STATIC-NAT-SECONDARY
ip nat inside source static 10.0.0.58 216.150.150.9 route-map STATIC-NAT-SECONDARY
ip nat inside source static 10.0.0.61 216.150.150.11 route-map STATIC-NAT-SECONDARY
ip route 0.0.0.0 0.0.0.0 216.140.140.1 track 1
ip route 0.0.0.0 0.0.0.0 216.150.150.254 10
!
ip access-list standard DYNAMIC-PRIMARY
deny 10.0.0.24
deny 10.0.0.25
deny 10.0.0.30
deny 10.0.0.16
deny 10.0.0.22
deny 10.0.0.23
deny 10.0.0.21
deny 10.0.0.44
deny 10.0.0.33
deny 10.0.0.58
deny 10.0.0.59
deny 10.0.0.61
deny 10.0.0.54
deny 10.0.0.52
deny 10.0.0.53
deny 10.0.0.216
deny 10.0.0.220
deny 10.0.0.230
deny 10.0.0.228
deny 10.0.0.251
permit 10.0.0.0 0.255.255.255
ip access-list standard DYNAMIC-SECONDARY
permit 10.0.0.0 0.255.255.255
ip access-list standard PRIMARY-NEXT-HOP
permit 216.140.140.1
ip access-list standard SECONDARY-NEXT-HOP
permit 216.150.150.254
!
ip sla 1
icmp-echo 216.140.140.1 source-ip 216.140.140.2
threshold 2
timeout 1000
frequency 3
ip sla schedule 1 life forever start-time now
ip sla 2
icmp-echo 216.150.150.254 source-ip 216.150.150.4
threshold 2
timeout 1000
frequency 3
ip sla schedule 2 life forever start-time now
!
!
!
!
route-map STATIC-NAT-PRIMARY permit 10
match ip next-hop PRIMARY-NEXT-HOP
!
route-map STATIC-NAT-PRIMARY deny 20
!
route-map STATIC-NAT-SECONDARY permit 10
match ip next-hop SECONDARY-NEXT-HOP
!
route-map STATIC-NAT-SECONDARY deny 20
!
route-map SECONDARY-NAT permit 10
match ip address DYNAMIC-SECONDARY
match ip next-hop SECONDARY-NEXT-HOP
!
route-map SECONDARY-NAT deny 20
!
route-map PRIVATE-INGRESS permit 10
set ip next-hop verify-availability 216.140.140.1 10 track 1
set ip next-hop verify-availability 216.150.150.254 20 track 2
!
route-map PRIVATE-INGRESS permit 11
!
route-map PRIMARY-NAT permit 10
match ip address DYNAMIC-PRIMARY
match ip next-hop PRIMARY-NEXT-HOP
!
route-map PRIMARY-NAT deny 20



2) OUTSIDE TO INSIDE ZONE (ZBF):

zone security out-zone
zone security in-zone
zone security teleworker


interface gi0/1
zone-member security out-zone


interface gi0/0
zone-member security in-zone


interface gi0/2
ip address 10.1.0.254 255.255.255.0
zone-member security teleworker
exit


ip name-server 10.0.0.1
ip port-map user-RDP port tcp 3389
ip port-map user-WEBB port tcp 8080


zone-pair security OUT-IN source out-zone destination in-zone
zone-pair security OUT-TELEWORKER source out-zone destination teleworker
zone-pair security TELEWORKER-OUT source teleworker destination out-zone


ip access-list extended OUTSIDE-TO-INSIDE-WEB
permit tcp any host 10.0.0.23 eq 80
permit tcp any host 10.0.0.59 eq 80
permit tcp any host 10.0.0.61 eq 80
permit tcp any host 10.0.0.228 eq 80
permit tcp any host 10.0.0.16 eq 80
permit tcp any host 10.0.0.30 eq 80
permit tcp any host 10.0.0.52 eq 80
permit tcp any host 10.0.0.55 eq 80


class-map type inspect match-all OUTSIDE-TO-INSIDE-WEB-CLASS
match protocol http
match access-group name OUTSIDE-TO-INSIDE-WEB


ip access-list extended OUTSIDE-TO-INSIDE-FTP
permit tcp any host 10.0.0.52 eq 20 21
permit tcp any host 10.0.0.23 eq 20 21
permit tcp any host 10.0.0.59 eq 20 21
permit tcp any host 10.0.0.61 eq 20 21
permit tcp any host 10.0.0.228 eq 20 21
permit tcp any host 10.0.0.55 eq 20 21


class-map type inspect match-all OUTSIDE-TO-INSIDE-FTP-CLASS
match protocol ftp
match access-group name OUTSIDE-TO-INSIDE-FTP


ip access-list extended OUTSIDE-TO-INSIDE-SMTP
permit tcp any host 10.0.0.52 eq 25
permit tcp any host 10.0.0.23 eq 25
permit tcp any host 10.0.0.59 eq 25
permit tcp any host 10.0.0.61 eq 25
permit tcp any host 10.0.0.228 eq 25
permit tcp any host 10.0.0.55 eq 25


class-map type inspect match-all OUTSIDE-TO-INSIDE-SMTP-CLASS
match protocol smtp
match access-group name OUTSIDE-TO-INSIDE-SMTP


ip access-list extended OUTSIDE-TO-INSIDE-DNS
permit tcp any host 10.0.0.23 eq 53
permit udp any host 10.0.0.23 eq 53
permit tcp any host 10.0.0.59 eq 53
permit udp any host 10.0.0.59 eq 53
permit tcp any host 10.0.0.61 eq 53
permit udp any host 10.0.0.61 eq 53
permit tcp any host 10.0.0.228 eq 53
permit udp any host 10.0.0.228 eq 53
permit tcp any host 10.0.0.52 eq 53
permit udp any host 10.0.0.52 eq 53
permit tcp any host 10.0.0.55 eq 53
permit udp any host 10.0.0.55 eq 53
permit tcp any host 10.0.0.1 eq 53
permit udp any host 10.0.0.1 eq 53




class-map type inspect match-all OUTSIDE-TO-INSIDE-DNS-CLASS
match protocol dns
match access-group name OUTSIDE-TO-INSIDE-DNS




ip access-list extended OUTSIDE-TO-INSIDE-HTTPS
permit tcp any host 10.0.0.52 eq 443
permit tcp any host 10.0.0.23 eq 443
permit tcp any host 10.0.0.59 eq 443
permit tcp any host 10.0.0.61 eq 443
permit tcp any host 10.0.0.228 eq 443
permit tcp any host 10.0.0.55 eq 443
permit tcp any host 10.0.0.53 eq 443




class-map type inspect match-all OUTSIDE-TO-INSIDE-HTTPS-CLASS
match protocol https
match access-group name OUTSIDE-TO-INSIDE-HTTPS


ip access-list extended OUTSIDE-TO-INSIDE-RDP
permit tcp any host 10.0.0.52 eq 3389
permit tcp any host 10.0.0.23 eq 3389
permit tcp any host 10.0.0.59 eq 3389
permit tcp any host 10.0.0.61 eq 3389
permit tcp any host 10.0.0.228 eq 3389
permit tcp any host 10.0.0.58 eq 3389
permit tcp any host 10.0.0.33 eq 3389
permit tcp any host 10.0.0.25 eq 3389
permit tcp any host 10.0.0.44 eq 3389
permit tcp any host 10.0.0.251 eq 3389
permit tcp any host 10.0.0.21 eq 3389
permit tcp any host 10.0.0.22 eq 3389
permit tcp any host 10.0.0.24 eq 3389
permit tcp any host 10.0.0.30 eq 3389
permit tcp any host 10.0.0.230 eq 3389
permit tcp any host 10.0.0.55 eq 3389
permit tcp any host 10.0.0.220 eq 3389


class-map type inspect match-all OUTSIDE-TO-INSIDE-RDP-CLASS
match protocol user-RDP
match access-group name OUTSIDE-TO-INSIDE-RDP


ip access-list extended OUTSIDE-TO-INSIDE-WEBB
permit tcp any host 10.0.0.23 eq 8080
permit tcp any host 10.0.0.228 eq 8080


class-map type inspect match-all OUTSIDE-TO-INSIDE-WEBB-CLASS
match protocol user-WEBB
match access-group name OUTSIDE-TO-INSIDE-WEBB




ip access-list extended TELEWORKER-TO-OUTSIDE
permit ip host 10.1.0.254 any


class-map type inspect match-all TELEWORKER-TO-OUTSIDE-CLASS
match access-group name TELEWORKER-TO-OUTSIDE


ip access-list extended OUTSIDE-TO-TELEWORKER
permit ip any host 10.1.0.254


class-map type inspect match-all OUTSIDE-TO-TELEWORKER-CLASS
match access-group name OUTSIDE-TO-TELEWORKER




policy-map type inspect OUTSIDE-TO-INSIDE-POLICY
class type inspect OUTSIDE-TO-INSIDE-WEB-CLASS
inspect


class type inspect OUTSIDE-TO-INSIDE-WEBB-CLASS
inspect




class type inspect OUTSIDE-TO-INSIDE-FTP-CLASS
inspect


class type inspect OUTSIDE-TO-INSIDE-SMTP-CLASS
inspect


class type inspect OUTSIDE-TO-INSIDE-DNS-CLASS
inspect




class type inspect OUTSIDE-TO-INSIDE-HTTPS-CLASS
inspect


class type inspect OUTSIDE-TO-INSIDE-RDP-CLASS
inspect




policy-map type inspect TELEWORKER-TO-OUTSIDE-POLICY
class type inspect TELEWORKER-TO-OUTSIDE-CLASS
inspect


policy-map type inspect OUTSIDE-TO-TELEWORKER-POLICY
class type inspect OUTSIDE-TO-TELEWORKER-CLASS
inspect


zone-pair security OUT-IN source out-zone destination in-zone
service-policy type inspect OUTSIDE-TO-INSIDE-POLICY


zone-pair security OUT-TELEWORKER source out-zone destination teleworker
service-policy type inspect OUTSIDE-TO-TELEWORKER-POLICY


zone-pair security TELEWORKER-OUT source teleworker destination out-zone
service-policy type inspect TELEWORKER-TO-OUTSIDE-POLICY




3) INSIDE TO OUTSIDE ZONE CONFIGURATION (USING CCP)

parameter-map type protocol-info msn-servers
server name messenger.hotmail.com
server name gateway.messenger.hotmail.com
server name webmessenger.msn.com
exit
parameter-map type protocol-info aol-servers
server name login.oscar.aol.com
server name toc.oscar.aol.com
server name oam-d09a.blue.aol.com
exit
parameter-map type protocol-info yahoo-servers
server name scs.msg.yahoo.com
server name scsa.msg.yahoo.com
server name scsb.msg.yahoo.com
server name scsc.msg.yahoo.com
server name scsd.msg.yahoo.com
server name cs16.msg.dcn.yahoo.com
server name cs19.msg.dcn.yahoo.com
server name cs42.msg.dcn.yahoo.com
server name cs53.msg.dcn.yahoo.com
server name cs54.msg.dcn.yahoo.com
server name ads1.vip.scd.yahoo.com
server name radio1.launch.vip.dal.yahoo.com
server name in1.msg.vip.re2.yahoo.com
server name data1.my.vip.sc5.yahoo.com
server name address1.pim.vip.mud.yahoo.com
server name edit.messenger.yahoo.com
server name messenger.yahoo.com
server name http.pager.yahoo.com
server name privacy.yahoo.com
server name csa.yahoo.com
server name csb.yahoo.com
server name csc.yahoo.com
exit
class-map type inspect edonkey match-any ccp-app-edonkeychat
match search-file-name
match text-chat
exit
class-map type inspect match-any ccp-cls-protocol-p2p
match protocol edonkey signature
match protocol gnutella signature
match protocol kazaa2 signature
match protocol fasttrack signature
match protocol bittorrent signature
exit
class-map type inspect match-all ccp-protocol-p2p
match class-map ccp-cls-protocol-p2p
exit
class-map type inspect match-any ccp-cls-protocol-im
match protocol ymsgr yahoo-servers
match protocol msnmsgr msn-servers
match protocol aol aol-servers
exit
class-map type inspect match-all ccp-protocol-im
match class-map ccp-cls-protocol-im
exit
class-map type inspect match-any ccp-h323annexe-inspect
match protocol h323-annexe
exit
class-map type inspect match-all ccp-protocol-imap
match protocol imap
exit
class-map type inspect http match-any ccp-http-allowparam
match request port-misuse tunneling
exit
class-map type inspect match-any ccp-h323nxg-inspect
match protocol h323-nxg
exit
class-map type inspect msnmsgr match-any ccp-app-msn
match service text-chat
exit
class-map type inspect aol match-any ccp-app-aol
match service text-chat
exit
class-map type inspect match-all ccp-protocol-http
match protocol http
exit
class-map type inspect http match-any ccp-app-httpmethods
match request method bcopy
match request method bdelete
match request method bmove
match request method bpropfind
match request method bproppatch
match request method connect
match request method copy
match request method delete
match request method edit
match request method getattribute
match request method getattributenames
match request method getproperties
match request method index
match request method lock
match request method mkcol
match request method mkdir
match request method move
match request method notify
match request method options
match request method poll
match request method propfind
match request method proppatch
match request method put
match request method revadd
match request method revlabel
match request method revlog
match request method revnum
match request method save
match request method search
match request method setattribute
match request method startrev
match request method stoprev
match request method subscribe
match request method trace
match request method unedit
match request method unlock
match request method unsubscribe
exit
class-map type inspect http match-any ccp-http-blockparam
match request port-misuse im
match request port-misuse p2p
match req-resp protocol-violation
exit
class-map type inspect pop3 match-any ccp-app-pop3
match invalid-command
exit
class-map type inspect kazaa2 match-any ccp-app-kazaa2
match file-transfer
exit
class-map type inspect edonkey match-any ccp-app-edonkeydownload
match file-transfer
exit
class-map type inspect gnutella match-any ccp-app-gnutella
match file-transfer
exit
class-map type inspect fasttrack match-any ccp-app-fasttrack
match file-transfer
exit
class-map type inspect match-any ccp-sip-inspect
match protocol sip
exit
class-map type inspect msnmsgr match-any ccp-app-msn-otherservices
match service any
exit
class-map type inspect ymsgr match-any ccp-app-yahoo
match service text-chat
exit
class-map type inspect match-any ccp-cls-insp-traffic
match protocol dns
match protocol ftp
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp extended
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
exit
class-map type inspect match-any ccp-skinny-inspect
match protocol skinny
exit
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
exit
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
exit
class-map type inspect match-any ccp-h225ras-inspect
match protocol h225ras
exit
class-map type inspect match-all ccp-protocol-pop3
match protocol pop3
exit
class-map type inspect aol match-any ccp-app-aol-otherservices
match service any
exit
class-map type inspect ymsgr match-any ccp-app-yahoo-otherservices
match service any
exit
class-map type inspect edonkey match-any ccp-app-edonkey
match file-transfer
match text-chat
match search-file-name
exit
class-map type inspect match-any ccp-h323-inspect
match protocol h323
exit
class-map type inspect imap match-any ccp-app-imap
match invalid-command
exit
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
exit
policy-map type inspect imap ccp-action-imap
class type inspect imap ccp-app-imap
log
exit
exit
policy-map type inspect im ccp-action-app-im
class type inspect aol ccp-app-aol
log
allow
exit
class type inspect msnmsgr ccp-app-msn
log
allow
exit
class type inspect ymsgr ccp-app-yahoo
log
allow
exit
class type inspect aol ccp-app-aol-otherservices
log
reset
exit
class type inspect msnmsgr ccp-app-msn-otherservices
log
reset
exit
class type inspect ymsgr ccp-app-yahoo-otherservices
log
reset
exit
exit
policy-map type inspect http ccp-action-app-http
class type inspect http ccp-http-blockparam
log
reset
exit
class type inspect http ccp-app-httpmethods
log
reset
exit
class type inspect http ccp-http-allowparam
log
allow
exit
exit
policy-map type inspect p2p ccp-action-app-p2p
class type inspect edonkey ccp-app-edonkeychat
log
allow
exit
class type inspect edonkey ccp-app-edonkeydownload
log
allow
exit
class type inspect fasttrack ccp-app-fasttrack
log
allow
exit
class type inspect gnutella ccp-app-gnutella
log
allow
exit
class type inspect kazaa2 ccp-app-kazaa2
log
allow
exit
exit
policy-map type inspect pop3 ccp-action-pop3
class type inspect pop3 ccp-app-pop3
log
exit
exit
policy-map type inspect ccp-permit-icmpreply
class type inspect ccp-icmp-access
no drop
inspect
exit
class class-default
no drop
pass
exit
exit
policy-map type inspect ccp-permit
class class-default
exit
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
drop log
exit
class type inspect ccp-protocol-http
no drop
inspect
service-policy http ccp-action-app-http
exit
class type inspect ccp-protocol-imap
no drop
inspect
service-policy imap ccp-action-imap
exit
class type inspect ccp-protocol-pop3
no drop
inspect
service-policy pop3 ccp-action-pop3
exit
class type inspect ccp-protocol-p2p
no drop
inspect
service-policy p2p ccp-action-app-p2p
exit
class type inspect ccp-protocol-im
no drop
inspect
service-policy im ccp-action-app-im
exit
class type inspect ccp-insp-traffic
no drop
inspect
exit
class type inspect ccp-sip-inspect
no drop
inspect
exit
class type inspect ccp-h323-inspect
no drop
inspect
exit
class type inspect ccp-h323annexe-inspect
no drop
inspect
exit
class type inspect ccp-h225ras-inspect
no drop
inspect
exit
class type inspect ccp-h323nxg-inspect
no drop
inspect
exit
class type inspect ccp-skinny-inspect
no drop
inspect
exit
exit
zone security out-zone
zone security in-zone
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect ccp-permit-icmpreply
exit
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
exit
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
exit
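An added audit script (my example, not code from the thread or from Cisco) that cross-checks the poster's static NAT lines against the OUT-IN ACL permits and reports hosts the firewall lets in but NAT never translates, which is the 10.0.0.1 DNS gap resolved in the comments. The config excerpt is taken from the post; the public address 203.0.113.10 in the PAT line is a placeholder, not from the thread.

```python
"""Cross-check Cisco IOS static NAT entries against ZBF inbound ACL permits.

A host the OUT-IN ACLs permit but that has no static NAT/PAT entry can never
be reached from the Internet, whatever the firewall allows. A plain static NAT
covers every port; a static PAT covers only the proto/port it names.
"""
import re
from collections import defaultdict

# Excerpt of the configuration posted in the thread (constructed sample input).
SAMPLE_CONFIG = """
ip nat inside source static 10.0.0.52 216.140.140.4 route-map STATIC-NAT-PRIMARY
ip nat inside source static 10.0.0.53 216.140.140.5 route-map STATIC-NAT-PRIMARY
ip nat inside source static 10.0.0.54 216.140.140.16 route-map STATIC-NAT-PRIMARY
ip nat inside source static 10.0.0.52 216.150.150.6 route-map STATIC-NAT-SECONDARY
ip access-list extended OUTSIDE-TO-INSIDE-WEB
permit tcp any host 10.0.0.52 eq 80
permit tcp any host 10.0.0.55 eq 80
ip access-list extended OUTSIDE-TO-INSIDE-DNS
permit tcp any host 10.0.0.52 eq 53
permit udp any host 10.0.0.52 eq 53
permit tcp any host 10.0.0.1 eq 53
permit udp any host 10.0.0.1 eq 53
ip access-list extended OUTSIDE-TO-INSIDE-HTTPS
permit tcp any host 10.0.0.53 eq 443
"""
# The poster's fix as a static PAT line; 203.0.113.10 is a placeholder public IP.
DNS_PAT_FIX = "ip nat inside source static udp 10.0.0.1 53 203.0.113.10 53"

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
# "static <inside> <global>" or "static tcp|udp <inside> <port> <global> <port>"
STATIC_NAT = re.compile(r"^ip nat inside source static(?:\s+(tcp|udp))?\s+" + IP
                        + r"(?:\s+(\d+))?\s+" + IP + r"(?:\s+(\d+))?")
PERMIT = re.compile(r"^permit\s+(tcp|udp)\s+any\s+host\s+" + IP + r"\s+eq\s+(.+)$")


def parse_config(text):
    """nat: inside IP -> {(proto, inside_port, global_ip)}; acl: inside IP -> {(proto, port)}."""
    nat, acl = defaultdict(set), defaultdict(set)
    for line in (l.strip() for l in text.splitlines()):
        if m := STATIC_NAT.match(line):
            proto, inside, iport, global_ip, _gport = m.groups()
            nat[inside].add((proto, iport, global_ip))
        elif m := PERMIT.match(line):
            proto, host, ports = m.groups()          # "eq 20 21" lists several ports
            acl[host].update((proto, p) for p in ports.split())
    return nat, acl


def reachable(entries, proto, port):
    """True if some static entry translates this proto/port for the host."""
    return any(ep is None or (ep == proto and ip == port) for ep, ip, _g in entries)


def audit(text):
    """Return (hosts permitted by ZBF but never translated, hosts translated but never permitted)."""
    nat, acl = parse_config(text)
    permitted_not_translated = {}
    for host, rules in sorted(acl.items()):
        gaps = sorted(f"{pr}/{po}" for pr, po in rules if not reachable(nat.get(host, ()), pr, po))
        if gaps:
            permitted_not_translated[host] = gaps
    translated_not_permitted = sorted(h for h in nat if h not in acl)
    return permitted_not_translated, translated_not_permitted


if __name__ == "__main__":
    before, exposed = audit(SAMPLE_CONFIG)
    print("permitted by ZBF but never translated:", before)   # 10.0.0.1 and 10.0.0.55
    print("translated but no inbound permit:", exposed)       # 10.0.0.54
    after, _ = audit(SAMPLE_CONFIG + DNS_PAT_FIX + "\n")
    print("after the UDP/53 static PAT:", after)              # 10.0.0.1 still lacks tcp/53
```

The second run shows why the fix in the comments works and what it does not cover: a UDP/53 static PAT makes the resolver reachable for UDP queries only, so TCP/53 (large responses, zone transfers) still has no translation.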

Comments

    cisco_trooper Member Posts: 1,441
    Hey man, so you said you can reach the website by IP but not by name. Did you validate your DNS configuration? Because you said the IP stuff is working there is not a lot of reason to look toward your router. At least not until you know your DNS is correct.
    ahmedahmed Member Posts: 41
    Hey man, so you said you can reach the website by IP but not by name. Did you validate your DNS configuration? Because you said the IP stuff is working there is not a lot of reason to look toward your router. At least not until you know your DNS is correct.

    Yeah, I got it working by creating a static PAT to my DNS server.
    Thanks