
Packet-Tracer problem with HTTP server

Drakestes
Beginner

Hello, I am new at this, and I am trying to configure an HTTP server to be accessible from an outside network in Packet Tracer.
It's pretty hard to describe, so I will try the best I can.
At the moment all my settings are working from inside my network. The problem I have is that the outside client sends the DNS request as normal and receives it, but never sends an HTTP request for the website, and I get a request timeout.
I also include in this thread my .pkt file, a screenshot of my DNS server and a screenshot of my network.
Here is my firewall config, and I am willing to discuss it with you so I can learn and fix my problem.


Firewall#show running
: Saved
:
ASA Version 9.6(1)
!
hostname Firewall
domain-name climoilou.ca
names
!
interface GigabitEthernet1/1
 nameif Outside
 security-level 0
 ip address 10.0.0.2 255.255.255.0
!
interface GigabitEthernet1/2
 nameif DNS
 security-level 100
 ip address 10.0.1.1 255.255.255.0
!
interface GigabitEthernet1/3
 nameif Web
 security-level 100
 ip address 10.0.2.1 255.255.255.0
!
interface GigabitEthernet1/4
 nameif Lab1
 security-level 100
 ip address 10.0.3.1 255.255.255.0
!
interface GigabitEthernet1/5
 nameif Lab2
 security-level 100
 ip address 10.0.4.1 255.255.255.0
!
interface GigabitEthernet1/6
 nameif Lab3
 security-level 100
 ip address 10.0.5.1 255.255.255.0
!
interface GigabitEthernet1/7
 nameif Lab4
 security-level 100
 ip address 10.0.6.1 255.255.255.0
!
interface GigabitEthernet1/8
 no nameif
 no security-level
 no ip address
 shutdown
!
interface Management1/1
 management-only
 no nameif
 no security-level
 no ip address
!
object network inside-net
 subnet 10.0.1.0 255.255.255.0
!
route Outside 0.0.0.0 0.0.0.0 10.0.0.1 1
!
access-list group extended permit tcp any any eq domain
access-list group extended permit tcp any any eq www
access-list group extended permit tcp any any eq smtp
access-list group extended permit tcp any eq domain any
access-list group extended permit udp any eq domain any
access-list group extended permit udp any any eq domain
access-list group extended permit icmp any any echo
access-list group extended permit icmp any any echo-reply
access-list group extended permit tcp any any eq pop3
!
!
access-group group in interface Outside
!
aaa authentication ssh console LOCAL
!
!
username admin password 4IncP7vTjpaba2aF encrypted
!
class-map inspection_default
 match default-inspection-traffic
!
policy-map global_policy
 class inspection_default
  inspect http
  inspect icmp
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global-policy
!
service-policy global_policy global
!
telnet timeout 5
ssh 10.0.1.0 255.255.255.0 DNS
ssh 203.1.2.0 255.255.255.0 Outside
ssh timeout 10
!
dhcpd address 10.0.3.100-10.0.3.131 Lab1
dhcpd dns 10.0.1.50 interface Lab1
dhcpd enable Lab1
!
dhcpd address 10.0.4.100-10.0.4.131 Lab2
dhcpd dns 10.0.1.50 interface Lab2
dhcpd enable Lab2
!
dhcpd address 10.0.5.100-10.0.5.131 Lab3
dhcpd dns 10.0.1.50 interface Lab3
dhcpd enable Lab3
!
dhcpd address 10.0.6.100-10.0.6.131 Lab4
dhcpd dns 10.0.1.50 interface Lab4
dhcpd enable Lab4


Martin L
VIP Advisor


PC4 tries to access the website? Left server or right side? You have 2 HTTP servers but 1 DNS.

What is the name of the site you set up on HTTP?
The picture does not match the PT file. PC4 is connected instead of server 0 (disconnected) - assuming the PC is connected.

I got ping OK to both servers.

Yes, I know I haven't deleted the useless server 0; I was using it for testing purposes.
My HTTP server is the server 10.0.2.50 and my DNS server is 10.0.1.50.
PC4 is only used to test my outside configuration.
The website is climoilou.ca
Again, it is only a testing domain name.
Also, I just saw I haven't changed the IP address in my DNS server (I had changed it for testing purposes by setting my web server on my DNS server), and after changing it back to the right HTTP server I still have the problem.
I will also include an updated .pkt file.

Thank you a lot for your time and your response! :)


I was editing my post for too long while you replied; please read it again. I will take a look later, no time now, sorry.

Edwin Portillo
Collaborator

Hi @Drakestes,

What you should do is remove the eq domain entry from the access list, since DNS is included in the HTTP protocol.

no access-list group extended permit tcp any any eq domain

This is enough:

access-list group extended permit tcp any any eq www

Here is a link to the valid port assignments from IANA: https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml

I hope it helps.

Hello, I tried it, but the client was unable to reach the DNS server, so I put it back (only in UDP though) and also added port 80 in UDP, but my client still doesn't generate any HTTP traffic (it still blocks after the DNS one and I get a timeout).
I tried to change my client to a server with its own DNS settings (that lead to my HTTP server), but I get the same problem.
Here is my new access-list.

access-list group extended permit tcp any any eq www
access-list group extended permit tcp any any eq smtp
access-list group extended permit icmp any any echo
access-list group extended permit icmp any any echo-reply
access-list group extended permit tcp any any eq pop3
access-list group extended permit udp any any eq www
access-list group extended permit udp any any eq domain

Thanks a lot for your time! :)
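
The access list in the post above can be checked offline with a small first-match evaluator. This is an added example, not part of the thread and not Cisco tooling; the function names, the simplified matching model (only the entry forms posted here, `any` addresses, implicit deny at the end) and the sample flows are constructed assumptions.

```python
# Added example: first-match model of the extended ACL posted in this thread.
PORTS = {"domain": 53, "www": 80, "smtp": 25, "pop3": 110}  # ASA port keywords

# The revised access list exactly as posted above.
NEW_ACL = """\
access-list group extended permit tcp any any eq www
access-list group extended permit tcp any any eq smtp
access-list group extended permit icmp any any echo
access-list group extended permit icmp any any echo-reply
access-list group extended permit tcp any any eq pop3
access-list group extended permit udp any any eq www
access-list group extended permit udp any any eq domain
"""
# Constructed variant: the same list with the domain entry taken out.
NO_DNS_ACL = "\n".join(l for l in NEW_ACL.splitlines() if "domain" not in l)

def parse_ace(line):
    """Parse 'access-list NAME extended ACTION PROTO any [eq P] any [eq P | icmp-type]'."""
    action, proto, *rest = line.split()[3:]
    ace = {"action": action, "proto": proto, "sport": None, "dport": None, "icmp": None}
    for side in ("sport", "dport"):
        if rest.pop(0) != "any":
            raise ValueError("only 'any' addresses are modelled: " + line)
        if rest[:1] == ["eq"]:
            ace[side] = PORTS[rest[1]]
            rest = rest[2:]
    if rest:
        ace["icmp"] = rest[0]  # ICMP type keyword such as echo
    return ace

def evaluate(acl_text, proto, dport=None, sport=None, icmp=None):
    """Return the action of the first matching entry, else the implicit deny."""
    for line in acl_text.strip().splitlines():
        ace = parse_ace(line)
        if ace["proto"] != proto:
            continue
        if ace["sport"] not in (None, sport) or ace["dport"] not in (None, dport):
            continue
        if ace["icmp"] not in (None, icmp):
            continue
        return ace["action"]
    return "deny (implicit)"

if __name__ == "__main__":
    # Constructed flows from the outside client: DNS query, then HTTP request.
    for name, acl in (("posted ACL", NEW_ACL), ("without domain", NO_DNS_ACL)):
        print(name, "DNS udp/53:", evaluate(acl, "udp", dport=53),
              "| HTTP tcp/80:", evaluate(acl, "tcp", dport=80))
```

Under this model the posted list admits both the UDP/53 query and the TCP/80 request, while the variant without the domain entry drops only the DNS query, consistent with the report above that the client lost DNS when the entry was taken out.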

My friend,
Change the NAT ACL on the s0/0/0 interface to input to overcome the problem on router R1:

interface Serial0/0/0
ip address 203.1.1.1 255.255.255.0
ip nat inside

You solved all my problems!
I would not have thought about the router config; I was sure the problem was my firewall!
I can never thank you enough for helping me to fix this!
You are helping me to get better! :)

I wish you good fortune and have a good night/day! :)
