
Why can't I see my website?


colthirtytwo

IS-IT--Management
Mar 28, 2002
24
US
Why can't I see my website or my mail server from inside my network going out? Like with the url. I can only see it by the internal address. It used to work fine with my little Linksys router, but now I'm trying to learn Cisco. I can ping both by name from within my network.....i.e and mail."blah".com, and if you are outside my network it works just fine. I'm new.....so be gentle. :)

version 12.0
service config
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname router
!

!
!
!
!
!
ip subnet-zero
no ip finger
ip name-server xxx.xx.xxx.x
ip name-server xxx.xx.xxx.x
!
!
!
interface Ethernet0/0
ip address 12.(external) 255.255.255.0
ip access-group 105 out
no ip directed-broadcast
ip nat outside
no ip mroute-cache
no cdp enable
!
interface Ethernet0/1
ip address 192.168.0.1 255.255.255.0
no ip directed-broadcast
ip nat inside
no ip mroute-cache
no cdp enable
!
ip default-gateway 12.xxx.xxx.xxx
ip nat pool global 12.(external) 12.(external) netmask 255.255.255.0
ip nat inside source list 5 pool global overload
ip nat inside source static tcp 192.168.0.11 80 12.(external) 80 extendable
ip nat inside source static tcp 192.168.0.11 25 12.(external) 25 extendable
ip nat inside source static tcp 192.168.0.11 110 12.(external) 110 extendable
no ip classless
ip route 0.0.0.0 0.0.0.0 12.(gateway)



ip route 192.168.0.0 255.255.0.0 192.168.0.2
ip route 192.168.0.0 255.255.255.0 12.(gateway)
no ip http server
!
access-list 105 permit ip any any
access-list 105 deny ip 192.168.0.0 0.0.0.255 any
access-list 105 deny ip 192.168.0.0 0.0.255.255 any
access-list 5 permit 192.168.0.0 0.0.0.255
access-list 5 permit 192.168.0.0 0.0.255.255
no dialer-list 1 protocol ip permit

no cdp run
!
password
login
transport input pad v120 telnet rlogin udptn
line aux 0
line vty 0 4
password
login
!
end
 
two problems jump out..

1: dump the default gateway setting.. this is only used when routing is disabled like on a CS-500 termserver which turns off routing by default. You have both this and the ip route 0.0.0.0 0.0.0.0. Just use the default ip route.

2: The access list 105 is backwards. The deny should be first.. then permit whatever. The access list works like a compiler. It works one line at a time. When the rule is met, the process exits. So your first line is permit everything.. the requirement is met and the list exits with everything passing. You never get to the deny. Remember there is a *hidden* deny all at the end of all access lists that doesn't show up.

A third issue is the *no ip classless* command. That makes everything classful, so unless you are using only default subnet masking, this will be a problem. This command is rarely used in new network design. I've seen it only in legacy networks with older devices that cannot speak classless subnets.

See this clip:
IP Classless

Where the ip classless configuration command falls within the routing and forwarding processes is often confusing. In reality, IP classless only affects the operation of the forwarding processes in IOS; it doesn't affect the way the routing table is built. If IP classless isn't configured (using the no ip classless command), the router won't forward packets to supernets

MikeS
Find me at
"Take advantage of the enemy's unreadiness, make your way by unexpected routes, and attack unguarded spots."
Sun Tzu
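
The first-match behaviour described in point 2, as an added example that is not part of the thread's posts: a small Python lint that evaluates the posted access-list 105 top-down with the implicit deny and reports entries that can never match. The function names are hypothetical, and the parser handles only the `permit|deny ip SRC DST` form used in this config.

```python
import ipaddress

# ACL 105 exactly as posted in the thread, in its original order.
ACL_105 = """\
access-list 105 permit ip any any
access-list 105 deny ip 192.168.0.0 0.0.0.255 any
access-list 105 deny ip 192.168.0.0 0.0.255.255 any
"""

def parse_addr(tokens):
    """Consume 'any', 'host A' or 'A WILDCARD'; return (base, wildcard) ints."""
    first = tokens.pop(0)
    if first == "any":
        return 0, 0xFFFFFFFF
    if first == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0
    wild = int(ipaddress.IPv4Address(tokens.pop(0)))
    return int(ipaddress.IPv4Address(first)) & ~wild & 0xFFFFFFFF, wild

def parse_acl(text):
    """Parse 'access-list N permit|deny ip SRC DST' lines into rule dicts."""
    rules = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 5 or tok[0] != "access-list" or tok[3] != "ip":
            continue
        rest = tok[4:]  # parse_addr consumes source first, then destination
        rules.append({"line": line.strip(), "action": tok[2],
                      "src": parse_addr(rest), "dst": parse_addr(rest)})
    return rules

def matches(spec, addr):
    return (int(ipaddress.IPv4Address(addr)) & ~spec[1] & 0xFFFFFFFF) == spec[0]

def evaluate(rules, src, dst):
    """First match wins; falling off the end is the implicit deny."""
    for r in rules:
        if matches(r["src"], src) and matches(r["dst"], dst):
            return r["action"]
    return "deny"

def covers(a, b):
    """True if spec a matches every address that spec b matches."""
    return (b[1] & ~a[1]) == 0 and (b[0] & ~a[1] & 0xFFFFFFFF) == a[0]

def shadowed(rules):
    """Entries that can never match because an earlier entry covers them."""
    return [r["line"] for i, r in enumerate(rules)
            if any(covers(e["src"], r["src"]) and covers(e["dst"], r["dst"])
                   for e in rules[:i])]
```

Running `shadowed(parse_acl(ACL_105))` flags both deny lines; with the permit moved to the end, nothing is shadowed and a 192.168.0.x source evaluates to deny.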
 
I have fixed everything, but the "default gateway setting". I assume you mean to remove "ip route 0.0.0.0 0.0.0.0 12.(gateway)" ? Do I just remove that line?....or replace it with something else?
 
No.. leave the ip route 0.0.0.0 0.0.0.0 and remove the default-gateway line...

ip default-gateway 12.xxx.xxx.xxx ; remove this line..

no ip classless

ip route 0.0.0.0 0.0.0.0 12.(gateway); keep this line

MikeS
 
Still doesn't work. Took out "no ip classless" and removed "ip default-gateway 12.xxx.xxx.xxx". Still can't see myself......unless I use my dialup connection on my laptop.....or just get outside of my network.
 
I would not expect you to work just yet. First thing was clean up the *in your face errors*.. now we can dig a bit deeper.

Why the NAT pool and then overloading the interface for PAT?

Do you need the NAT pool? I doubt it... most companies do not need to do this.. nor home users. The normal way is to set up a single IP address and then NAT against that... to be more precise, you would use PAT against that single IP address. This is the point of the global overloading.

This snippet is from a small network with over 20 workstations on and a static NAT map for the webmail server

!
ip nat inside source list 1 interface Ethernet1 overload
ip nat inside source static tcp 192.168.150.4 81 192.168.1.2 81 extendable ; this points all port 81 traffic to a single IP address of 192.168.150.4
ip classless

Here are the interfaces E0 and E1. E1 is the OUTSIDE interface:

interface Ethernet0
ip address 192.168.150.1 255.255.255.0
no ip directed-broadcast
ip nat inside ; enables NAT for inside
no cdp enable
!
interface Ethernet1
ip address 192.168.1.2 255.255.255.0
no ip directed-broadcast
ip nat outside ; enables NAT for outside
no cdp enable

MikeS
 
I tried removing the NAT pool, but it's in use. I guess I have to rebuild my configuration....again.
 
Just shut down the ethernet interfaces.. and now you can change the NAT around.

MikeS
 
I've got the traffic for port 80 directed to the correct ip addy......so all I have to do is remove "ip nat pool global 12.(external) 12.(external) netmask 255.255.255.0" ....correct?

P.S.
Thanks for taking the time to help me with this.
 
Yep.. the snippets I posted came from a working config of a 2514 on Cable... mine :)

MikeS
 