topic Re: forwading port 8008 to an webserver in Network Security

forwading port 8008 to an webserver

it-interschalt — Mon, 11 Mar 2019 18:01:41 GMT

Hello there,

we use some cisco 2811 router and I have forward some websites witch will be use via port 8008 but it dos not work.

I try it with:

ip nat inside source static tcp 192.168.1.24 8008 interface FastEthernet0/1 8008

can someone tell me what is wrong? and maybe can someone tell me how can I debug the traffic with should pass port 8008?

Thank you for your help!

Michael

Re: forwading port 8008 to an webserver

Jennifer Halim — Mon, 21 Jun 2010 10:30:15 GMT

I assume that fa0/1 is the external interface (pls make sure that you configured "ip nat outside"), and the interface of 192.168.1.x subnet has "ip nat inside" configured. Also, do you have access-list configured on the external interface? if you do, you would need to allow traffic to fa0/1 interface on port 8008.

Please share the config if the above has been checked.

Re: forwading port 8008 to an webserver

it-interschalt — Wed, 01 Sep 2010 06:39:11 GMT

Hello halijenn,

thank you for your anwser - and sorry for delay!

at the moment the port 8008 is doing fine but only if I try to reach the server via port 8008 from the internet. If I try to reach them from a ather site office it doese not work.

the access-list allows all trafic from the site office (connected via VPN), and I can ping the server and I can also connect them via share.

can it be that the ip nat inside source static tcp 192.168.1.24 8008 interface FastEthernet0/1 8008 is only for connection from the internet?

If yes! - what can I do that we can connect the server from our site office?

Best wishes

Michael

Re: forwading port 8008 to an webserver

Jennifer Halim — Wed, 01 Sep 2010 06:55:41 GMT

Yes, you are right. Those are for the internet because on VPN you normally do not specify the public subnet/ip address in the crypto ACL.

You would need to add crypto ACL for your VPN tunnel between the FastEthernet0/1 interface IP towards remote LAN and vice versa.

Re: forwading port 8008 to an webserver

it-interschalt — Wed, 01 Sep 2010 07:08:19 GMT

ok?

how can I add a crypto ACL - sorry for this question but I'm not so firm in configuring spezial thinks at the cisco router.

Do you have an short how to for me?

best wishes

Michael

Re: forwading port 8008 to an webserver

Jennifer Halim — Thu, 02 Sep 2010 01:45:39 GMT

Can you post the specific vpn configuration and the corresponding crypto ACL?

Re: forwading port 8008 to an webserver

it-interschalt — Tue, 07 Sep 2010 05:52:20 GMT

hello halijenn,

I hope I have the right thing's you like to know.

---

crypto map SDM_CMAP_1 4 ipsec-isakmp
set peer public IP
set transform-set ESP-AES-256-SHA
match address 170

access-list 170 permit ip 192.168.16.0 0.0.0.255 192.168.17.0 0.0.0.255
access-list 170 permit ip 192.168.16.0 0.0.0.255 192.168.2.0 0.0.255.255
access-list 170 permit ip 192.168.1.0 0.0.255.255 192.168.2.0 0.0.255.255
access-list 170 permit ip 192.168.1.0 0.0.255.255 192.168.17.0 0.0.0.255

---

If you need any more - please let me know that.

Best wishes

Michael

Re: forwading port 8008 to an webserver

Jennifer Halim — Tue, 07 Sep 2010 11:49:24 GMT

Here is what you would need to add:

access-list 170 permit ip host 192.168.2.0 0.0.255.255
access-list 170 permit ip host 192.168.17.0 0.0.0.255

You would also need to configure mirror image ACL on the other side of the VPN tunnel device.

Re: forwading port 8008 to an webserver

it-interschalt — Tue, 07 Sep 2010 12:28:35 GMT

I have added the lines at the router

---

access-list 170 permit ip host 192.168.2.0 0.0.255.255
access-list 170 permit ip host 192.168.17.0 0.0.0.255

---

at the remote site witch configuration do I need?

info the access-list also 170!

1.?

access-list 170 permit ip host 192.168.2.0 0.0.255.255
access-list 170 permit ip host 192.168.17.0 0.0.0.255

or 2.?

access-list 170 permit ip host <fa0/1 interface ip address from the main router> 192.168.2.0 0.0.255.255
access-list 170 permit ip host <fa0/1 interface ip address from the main router> 192.168.17.0 0.0.0.255

or 3.?

access-list 170 permit ip host <fa0/1 interface ip address from the main router> 192.168.1.0 0.0.255.255 - IPs from the main site?
access-list 170 permit ip host <fa0/1 interface ip address from the main router> 192.168.16.0 0.0.0.255 - IPs from the main site?
--

or 4.?

access-list 170 permit ip host 192.168.1.0 0.0.255.255 - IPs from the main site?
access-list 170 permit ip host 192.168.16.0 0.0.0.255 - IPs from the main site?
--

Re: forwading port 8008 to an webserver

Jennifer Halim — Tue, 07 Sep 2010 12:37:47 GMT

On the remote site, you would need to configure mirror image ACL as follows:

access-list 170 permit ip 192.168.2.0 0.0.255.255 host
access-list 170 permit ip 192.168.17.0 0.0.0.255 host

You would need to also clear the IPSEC SA on both ends after the configuration (clear cry sa).

Re: forwading port 8008 to an webserver

it-interschalt — Tue, 07 Sep 2010 12:52:10 GMT

so here are the actual access lists fron the running config

Site 1 (main were the porp 8008 should be reachable)
access-list 170 permit ip 192.168.16.0 0.0.0.255 192.168.17.0 0.0.0.255
access-list 170 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 170 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 170 permit ip 192.168.1.0 0.0.0.255 192.168.17.0 0.0.0.255
access-list 170 permit ip host 192.168.16.1 192.168.17.0 0.0.0.255
access-list 170 permit ip host 192.168.16.1 192.168.2.0 0.0.0.255

Site 2 (remote were I try to connect form via port 8008)
access-list 170 permit ip 192.168.17.0 0.0.0.255 192.168.16.0 0.0.0.255
access-list 170 permit ip 192.168.2.0 0.0.0.255 192.168.16.0 0.0.0.255
access-list 170 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 170 permit ip 192.168.17.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 170 permit ip 192.168.17.0 0.0.0.255 host 192.168.16.1
access-list 170 permit ip 192.168.2.0 0.0.0.255 host 192.168.16.1

and this is not working!

what did I do wrong?

Re: forwading port 8008 to an webserver

Jennifer Halim — Tue, 07 Sep 2010 13:19:05 GMT

I assume that fa0/1 should be a public IP Address, right? since you have configured port forwarding for that via the NAT statement:

ip nat inside source static tcp 192.168.1.24 8008 interface FastEthernet0/1 8008

Can you share the output of:

show run int fa0/1

Is this webserver accessible from the Internet?

I assume that you would like access to the webserver from both the Internet as well as the VPN, right?

Re: forwading port 8008 to an webserver

it-interschalt — Wed, 08 Sep 2010 06:34:17 GMT

Yes you are right!

the fa0/1 is public - sorry I din't read correctly

and I like to connect the webserver from both sites (Internet andVPN)

Now I correct the mistake but it din't work again.

I can ping the webserver . I can reach a website (port 80) but I can't reach the website witch scould be reachable via Port 8008

Re: forwading port 8008 to an webserver

Jennifer Halim — Wed, 08 Sep 2010 06:38:34 GMT

Is it working from the internet and failing from the VPN? or it's not working from both VPN and Internet?

If it's not working from the VPN, can you please make sure that you have exactly the mirror image ACL on both sides, and have also clear the crypto tunnels (clear crypto sa).

Re: forwading port 8008 to an webserver

it-interschalt — Wed, 08 Sep 2010 06:47:33 GMT

it is working from the internet - and do not work from the vpn site

my actual config are

Site 1 (main were the porp 8008 should be reachable)
access-list 170 permit ip 192.168.16.0 0.0.0.255 192.168.17.0 0.0.0.255
access-list 170 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 170 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 170 permit ip 192.168.1.0 0.0.0.255 192.168.17.0 0.0.0.255
access-list 170 permit ip host public IP from this router 192.168.17.0 0.0.0.255
access-list 170 permit ip host public IP from this router 192.168.2.0 0.0.0.255

Site 2 (remote were I try to connect form via port 8008)
access-list 170 permit ip 192.168.17.0 0.0.0.255 192.168.16.0 0.0.0.255
access-list 170 permit ip 192.168.2.0 0.0.0.255 192.168.16.0 0.0.0.255
access-list 170 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 170 permit ip 192.168.17.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 170 permit ip 192.168.17.0 0.0.0.255 host public IP from the router Site 1
access-list 170 permit ip 192.168.2.0 0.0.0.255 host public IP from the router Site 1,

and now I send the command clear crypto sa at both router

and the website is corrently still not reachable

Re: forwading port 8008 to an webserver

Jennifer Halim — Wed, 08 Sep 2010 06:58:41 GMT

Can you share the output of "show cry ipsec sa" from both routers.

Re: forwading port 8008 to an webserver

Jennifer Halim — Wed, 08 Sep 2010 06:59:19 GMT

and also, you might want to check the NAT exemption on the remote router.

Can you share the NAT statement, and the corresponding ACL on the remote router?