06-12-2019 05:49 PM
Hello, I am new at this, and I am trying to configure an HTTP server to be accessible from an outside network in Packet Tracer.
It's pretty hard to describe, so I will try the best I can.
At the moment all my settings are working from inside my network; the problem I have is that the outside client sends the DNS request as normal and receives it, but never sends an HTTP request for the website, and I get a request timeout.
I also include in this thread my .pkt file and a screenshot of my DNS server and a screenshot of my network.
Here is my firewall config, and I am willing to discuss with you so I can learn and fix my problem.
Firewall#show running
: Saved
:
ASA Version 9.6(1)
!
hostname Firewall
domain-name climoilou.ca
names
!
interface GigabitEthernet1/1
nameif Outside
security-level 0
ip address 10.0.0.2 255.255.255.0
!
interface GigabitEthernet1/2
nameif DNS
security-level 100
ip address 10.0.1.1 255.255.255.0
!
interface GigabitEthernet1/3
nameif Web
security-level 100
ip address 10.0.2.1 255.255.255.0
!
interface GigabitEthernet1/4
nameif Lab1
security-level 100
ip address 10.0.3.1 255.255.255.0
!
interface GigabitEthernet1/5
nameif Lab2
security-level 100
ip address 10.0.4.1 255.255.255.0
!
interface GigabitEthernet1/6
nameif Lab3
security-level 100
ip address 10.0.5.1 255.255.255.0
!
interface GigabitEthernet1/7
nameif Lab4
security-level 100
ip address 10.0.6.1 255.255.255.0
!
interface GigabitEthernet1/8
no nameif
no security-level
no ip address
shutdown
!
interface Management1/1
management-only
no nameif
no security-level
no ip address
!
object network inside-net
subnet 10.0.1.0 255.255.255.0
!
route Outside 0.0.0.0 0.0.0.0 10.0.0.1 1
!
access-list group extended permit tcp any any eq domain
access-list group extended permit tcp any any eq www
access-list group extended permit tcp any any eq smtp
access-list group extended permit tcp any eq domain any
access-list group extended permit udp any eq domain any
access-list group extended permit udp any any eq domain
access-list group extended permit icmp any any echo
access-list group extended permit icmp any any echo-reply
access-list group extended permit tcp any any eq pop3
!
!
access-group group in interface Outside
!
aaa authentication ssh console LOCAL
!
!
username admin password 4IncP7vTjpaba2aF encrypted
!
class-map inspection_default
match default-inspection-traffic
!
policy-map global_policy
class inspection_default
inspect http
inspect icmp
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global-policy
!
service-policy global_policy global
!
telnet timeout 5
ssh 10.0.1.0 255.255.255.0 DNS
ssh 203.1.2.0 255.255.255.0 Outside
ssh timeout 10
!
dhcpd address 10.0.3.100-10.0.3.131 Lab1
dhcpd dns 10.0.1.50 interface Lab1
dhcpd enable Lab1
!
dhcpd address 10.0.4.100-10.0.4.131 Lab2
dhcpd dns 10.0.1.50 interface Lab2
dhcpd enable Lab2
!
dhcpd address 10.0.5.100-10.0.5.131 Lab3
dhcpd dns 10.0.1.50 interface Lab3
dhcpd enable Lab3
!
dhcpd address 10.0.6.100-10.0.6.131 Lab4
dhcpd dns 10.0.1.50 interface Lab4
dhcpd enable Lab4
06-12-2019 06:02 PM - edited 06-12-2019 06:43 PM
PC4 tries to access the website? Left server or right side? You have 2 HTTP servers but 1 DNS.
What is the name of the site you set up on HTTP?
Picture does not match PT file. PC4 is connected instead of server 0 (disconnected) - assuming PC is connected.
I got ping ok to both servers.
06-12-2019 06:27 PM - edited 06-12-2019 06:27 PM
Yes, I know I haven't deleted the useless server 0; I was using it for testing purposes.
My HTTP server is the server 10.0.2.50 and my DNS server 10.0.1.50.
PC4 is only used to test my outside configuration.
The website is climoilou.ca
Again, it is only a testing domain name.
Also, I just saw I haven't changed the IP address in my DNS server (I had changed it for testing purposes by setting my web server on my DNS server), and by changing it back to the right HTTP server I still have the problem.
I will also include an updated .pkt file.
Thank you a lot for your time and your response! :)
06-12-2019 06:45 PM
06-12-2019 06:31 PM - edited 06-12-2019 07:00 PM
Hi @Drakestes,
What you should do is remove it from the access list eq DOMAIN since in the DNS it is included in the HTTP protocol.
no access-list group extended permit tcp any any eq domain
Enough with:
access-list group extended permit tcp any any eq www
I'm leaving a link to the ports listed as valid by the IANA: https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml
I hope it helps
06-12-2019 06:58 PM - edited 06-12-2019 07:05 PM
Hello, I tried it, but the client was unable to reach the DNS server, so I put it back on (only in UDP though) and added port 80 in UDP also, but my client still doesn't generate any HTTP traffic (it still blocks after the DNS one and I get a timeout).
I tried to change my client to a server with its own DNS settings (that will lead to my HTTP server) but I get the same problem.
Here is my new access-list.
access-list group extended permit tcp any any eq www
access-list group extended permit tcp any any eq smtp
access-list group extended permit icmp any any echo
access-list group extended permit icmp any any echo-reply
access-list group extended permit tcp any any eq pop3
access-list group extended permit udp any any eq www
access-list group extended permit udp any any eq domain
Thanks a lot for your time! :)
06-12-2019 07:12 PM - edited 06-12-2019 07:12 PM
My friend,
Change the NAT ACL on the s0/0/0 interface to input to overcome the problem on router R1:
interface Serial0/0/0
ip address 203.1.1.1 255.255.255.0
ip nat inside
06-12-2019 07:26 PM
You solved all my problems!
I would not have thought about the router config; I was sure the problem was my firewall!
I could never thank you enough for helping me to fix this!
You are helping me to get better! :)
I wish you good fortune and have a good night/day! :)
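An added example, not part of the thread: a small first-match evaluator for the `group` ACL from the first post, showing that inbound TCP/80 on Outside was already permitted, which is consistent with the fix being on router R1 rather than on the firewall. The parser handles only the syntax that appears in the posted ACL and models the ACL alone (no NAT, routing or inspection); the function names and sample packets are assumptions made for illustration.

```python
# ACL lines copied from the first post in the thread.
ACL = """\
access-list group extended permit tcp any any eq domain
access-list group extended permit tcp any any eq www
access-list group extended permit tcp any any eq smtp
access-list group extended permit tcp any eq domain any
access-list group extended permit udp any eq domain any
access-list group extended permit udp any any eq domain
access-list group extended permit icmp any any echo
access-list group extended permit icmp any any echo-reply
access-list group extended permit tcp any any eq pop3
"""

# ASA service keywords used above and their well-known port numbers.
PORTS = {"domain": 53, "www": 80, "smtp": 25, "pop3": 110}


def parse_rule(line):
    """Parse 'permit <proto> any [eq p] any [eq p | icmp-type]'."""
    tok = line.split()[4:]      # drop 'access-list group extended permit'
    rule = {"proto": tok[0], "sport": None, "dport": None,
            "icmp": None, "text": line}
    rest = tok[2:]              # skip '<proto> any' (source address)
    if rest[0] == "eq":         # optional source-port match
        rule["sport"] = PORTS[rest[1]]
        rest = rest[2:]
    rest = rest[1:]             # skip destination address 'any'
    if rest and rest[0] == "eq":
        rule["dport"] = PORTS[rest[1]]
    elif rest:
        rule["icmp"] = rest[0]  # ICMP type keyword, e.g. 'echo'
    return rule


def evaluate(rules, proto, sport=None, dport=None, icmp=None):
    """First match wins; anything unmatched hits the implicit deny."""
    pkt = {"proto": proto, "sport": sport, "dport": dport, "icmp": icmp}
    for r in rules:
        # A field left as None in the rule means 'not checked'.
        if all(r[k] is None or r[k] == pkt[k] for k in pkt):
            return "permit", r["text"]
    return "deny", "implicit deny"


RULES = [parse_rule(line) for line in ACL.splitlines()]

# Constructed sample packets: HTTP and HTTPS from an outside client.
print(evaluate(RULES, "tcp", sport=49152, dport=80))
print(evaluate(RULES, "tcp", sport=49152, dport=443))
```

Because every address in the ACL is `any`, the same verdict applies to every host behind the firewall, not only the web server at 10.0.2.50.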