
Should be easy - routing 80 and 443 on 2 LAN subnets


adcorbett (Technical User, US), Feb 11, 2011
Hello


I have 2 LAN subnets (192.168.2.0 and 10.0.2.0). Both are on the same router. The default route on the router points to our T1. I have redirected all port 80 and 443 traffic out to a different, faster link using a command like this on the LAN router:

access-list 105 permit tcp 192.168.2.0 0.0.0.255 any eq 443
access-list 105 permit tcp 192.168.2.0 0.0.0.255 any eq www

route-map IT_Internet permit 50
 match ip address 105
 set ip next-hop 192.168.2.202
 ! 192.168.2.202 is the PIX where the faster internet link is plugged in

Here is the problem I am having - I have a web server running on 10.0.2.10 (has to be on port 80, can't change it) that needs to be accessed by clients on 192.168.2.0, but because of all my weird redirecting of 80 and 443 traffic, it won't work.

How can I get 80 and 443 traffic from one subnet to the other to stay local? I have attached a copy of my router config.

Thanks
 
If you deny traffic in that access list from the 192 subnet to the 10 subnet, then it should not be affected by the policy map and route normally?

access-list 104 deny tcp 192.168.2.0 0.0.0.255 10.0.2.0 0.0.0.255
access-list 105 permit tcp 192.168.2.0 0.0.0.255 any eq 443
access-list 106 permit tcp 192.168.2.0 0.0.0.255 any eq www

Lee.


LEEroy
MCNE6,CCNP,CWNA,CCSA,Project+
 
Actually, I would make it IP rather than TCP (see below).

Also, I just checked your router configs: you need this at the top of access-list 102, as the first statement:

access-list 102 deny ip 192.168.2.0 0.0.0.255 10.0.2.0 0.0.0.255

Also looking

LEEroy
MCNE6,CCNP,CWNA,CCSA,Project+
 
Sorry, wish Tektips had an edit post.

Looking at your route-maps, you need it to exclude that traffic for next-hop 192.168.2.202, so it should be at the top of access-list 104, I believe.

Either way it will be possible to sort it out.

LEEroy
MCNE6,CCNP,CWNA,CCSA,Project+
 
Hi Lee - thanks for helping out! I tried that just now and it still does not work. I tried it on access-list 104 as ip and as tcp, and the same on access-list 102. Neither worked. If I don't redirect the 80 and 443 traffic out to 192.168.2.202, I am able to get to 10.0.2.10 just fine. Any other thoughts?
 
I guess I'm not seeing why route-maps 40 and 50 are separated; they are marking the traffic in the same way (setting the next-hop). What I would do is combine 104 and 105 into one list and make it route-map seq 50. Then create a new ACL or reuse one and make it route-map seq 40. On this new ACL, match for traffic leaving 192.168.2.0 matching the address of the web server, and then have the route-map set the outbound interface to g0/1.1.

Unless I'm missing something then that should work.
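Both fixes proposed in this thread (LEEroy's deny ACE at the top of the ACL the route-map matches, and the later reply's dedicated sequence 40 that catches web-server traffic before sequence 50 sends everything else to the PIX) depend on the same two rules: an ACL is evaluated first-match, and a route-map is walked in sequence order with the first matching sequence's `set` applied. The evaluator below is an added example, not code from the thread or from Cisco; it parses the OP's original fragment plus both repaired variants (written in IOS syntax) and reports what the router would do with one packet. Assumed details that are not on the page: the client address 192.168.2.50, the Internet address 203.0.113.7, the sub-interface name GigabitEthernet0/1.1 for "g0/1.1", and ACL number 104 for the new web-server list.

```python
"""Toy evaluator for Cisco IOS numbered extended ACLs + route-map PBR (added example).
Models first-match ACL semantics and in-order route-map sequence evaluation, which is
what decides whether 192.168.2.x -> 10.0.2.10:80 is policy-routed to the PIX or falls
through to the normal routing table.  Not a full IOS parser."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

PORT_NAMES = {"www": 80, "https": 443}  # port keywords this model understands

# The OP's fragment: every 80/443 flow from 192.168.2.0/24 goes to the PIX, including
# flows to the web server on 10.0.2.10.
CONFIG_BROKEN = """
access-list 105 permit tcp 192.168.2.0 0.0.0.255 any eq 443
access-list 105 permit tcp 192.168.2.0 0.0.0.255 any eq www
route-map IT_Internet permit 50
 match ip address 105
 set ip next-hop 192.168.2.202
"""

# Fix 1 (LEEroy): deny the inter-subnet traffic at the top of the ACL the route-map
# matches, so that traffic does not match sequence 50 and is routed normally.
CONFIG_DENY_FIRST = """
access-list 105 deny ip 192.168.2.0 0.0.0.255 10.0.2.0 0.0.0.255
access-list 105 permit tcp 192.168.2.0 0.0.0.255 any eq 443
access-list 105 permit tcp 192.168.2.0 0.0.0.255 any eq www
route-map IT_Internet permit 50
 match ip address 105
 set ip next-hop 192.168.2.202
"""

# Fix 2 (last reply): a lower-numbered sequence catches web-server traffic first.
# ACL 104 and the interface name are assumptions, not from the OP's config.
CONFIG_SEQ40 = """
access-list 104 permit tcp 192.168.2.0 0.0.0.255 host 10.0.2.10 eq www
access-list 105 permit tcp 192.168.2.0 0.0.0.255 any eq 443
access-list 105 permit tcp 192.168.2.0 0.0.0.255 any eq www
route-map IT_Internet permit 40
 match ip address 104
 set interface GigabitEthernet0/1.1
route-map IT_Internet permit 50
 match ip address 105
 set ip next-hop 192.168.2.202
"""


@dataclass
class Ace:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip", "tcp" or "udp"
    src: tuple                  # (network as int, wildcard as int)
    dst: tuple
    dport: Optional[int] = None


@dataclass
class Seq:
    action: str                 # route-map permit/deny
    seq: int
    acl: Optional[int] = None
    setting: str = "normal routing"   # result of the set clause, if any


def _addr(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W'."""
    t = tokens.pop(0)
    if t == "any":
        return (0, 0xFFFFFFFF)
    if t == "host":
        return (int(ipaddress.IPv4Address(tokens.pop(0))), 0)
    return (int(ipaddress.IPv4Address(t)), int(ipaddress.IPv4Address(tokens.pop(0))))


def parse_config(text):
    """Return ({acl number: [Ace, ...]}, [Seq, ...] sorted by sequence number)."""
    acls, seqs, cur = {}, [], None
    for raw in text.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if tok[0] == "access-list":
            num, action, proto, rest = int(tok[1]), tok[2], tok[3], tok[4:]
            src, dst = _addr(rest), _addr(rest)
            dport = (PORT_NAMES.get(rest[1]) or int(rest[1])) if rest[:1] == ["eq"] else None
            acls.setdefault(num, []).append(Ace(action, proto, src, dst, dport))
        elif tok[0] == "route-map":
            cur = Seq(action=tok[2], seq=int(tok[3]))
            seqs.append(cur)
        elif tok[:3] == ["match", "ip", "address"]:
            cur.acl = int(tok[3])
        elif tok[:3] == ["set", "ip", "next-hop"]:
            cur.setting = f"next-hop {tok[3]}"
        elif tok[:2] == ["set", "interface"]:
            cur.setting = f"interface {tok[2]}"
    seqs.sort(key=lambda s: s.seq)
    return acls, seqs


def _in(spec, ip):
    """Wildcard-mask compare: bits set in the wildcard are 'don't care'."""
    net, wild = spec
    return (ip & ~wild & 0xFFFFFFFF) == (net & ~wild & 0xFFFFFFFF)


def acl_action(aces, pkt):
    """First matching ACE wins; no match means the implicit deny."""
    src, dst, proto, dport = pkt
    for ace in aces:
        if ace.proto in ("ip", proto) and _in(ace.src, src) and _in(ace.dst, dst) \
                and (ace.dport is None or ace.dport == dport):
            return ace.action
    return "deny"


def pbr_decision(config_text, src, dst, proto="tcp", dport=80):
    """What the route-map does with one packet: a set result, or 'normal routing'."""
    acls, seqs = parse_config(config_text)
    pkt = (int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst)), proto, dport)
    for s in seqs:
        if s.acl is None or acl_action(acls.get(s.acl, []), pkt) != "permit":
            continue                   # ACL deny = "sequence does not match", keep walking
        if s.action == "deny":
            return "normal routing"    # a deny sequence exits PBR
        return s.setting
    return "normal routing"            # nothing matched: ordinary destination routing


if __name__ == "__main__":
    for name, cfg in (("broken", CONFIG_BROKEN), ("deny-first", CONFIG_DENY_FIRST), ("seq-40", CONFIG_SEQ40)):
        print(f"{name:11s} web server: {pbr_decision(cfg, '192.168.2.50', '10.0.2.10')}")
        print(f"{name:11s} internet:   {pbr_decision(cfg, '192.168.2.50', '203.0.113.7', dport=443)}")
```

Running it shows the original fragment sending the 10.0.2.10:80 flow to 192.168.2.202 while both repaired variants leave it to normal routing (or to the assumed inside interface) and still send Internet-bound 80/443 to the PIX. It also shows why a deny placed in an ACL the route-map does not reference changes nothing: only the ACL named in `match ip address` is consulted for that sequence. One caveat the model does not capture: on a real router, `set interface` on a multi-access Ethernet interface is only reliable when the destination is directly connected, as 10.0.2.10 is here.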
 