09-05-2012 11:51 AM - edited 03-11-2019 04:50 PM
Hello,
I have an issue with my 1841. I am trying to access an internal web server with the IP 192.168.0.253 from the Internet, but the
connection gets refused.
I am not certain if it's a NAT issue or a firewall issue.
Can anyone provide me with some help?
I am attaching part of the configuration.
interface Dialer1
 mtu 1492
 ip address negotiated
 ip access-group ADSL_Firewall in
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 dialer pool 1
 ipv6 traffic-filter ADSL_Firewall_v6 in
 ppp authentication chap pap callin
 ppp chap hostname kkouts
 ppp chap password 7 000816010B095B5656
 ppp pap sent-username kkouts password 7 10420C1E0A45425B55
 ppp ipcp dns request accept
!
interface Dialer11
 no ip address
 no ip proxy-arp
 no cdp enable
interface BVI1
 ip address 192.168.0.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1452
 ipv6 address 2001:470:1F13:DA5::1/64
!
ip forward-protocol nd
ip http authentication local
!
!
ip dns server
ip nat inside source static tcp 192.168.0.253 80 interface Dialer1 80
ip nat inside source static udp 192.168.0.1 60000 interface Dialer1 60000
ip nat inside source route-map NAT_DIALER interface Dialer1 overload
ip nat inside source route-map NAT_MIKROTIK interface FastEthernet0/0 overload
ip default-network 91.132.1.0
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 10.0.0.0 255.0.0.0 10.2.101.1
!
ip access-list extended ADSL_Firewall
 permit udp any host 91.132.216.248 eq domain
 permit tcp any host 91.132.216.248 eq www log
 deny ip 127.0.0.0 0.255.255.255 any
 deny ip 224.0.0.0 15.255.255.255 any
 deny udp any any eq snmp
 deny ip 192.168.0.0 0.0.0.255 any
 deny ip 172.16.0.0 0.0.255.255 any
 deny ip 10.0.0.0 0.0.0.255 any
 deny tcp any any lt 1024
 permit gre any any
 deny udp any any lt 1024
 permit ip any any
ip access-list extended Telnet_VTY
 permit tcp 192.168.0.0 0.0.0.255 any eq 22
 deny ip any any
!
logging esm config
access-list 1 permit 192.168.0.0 0.0.0.255
dialer-list 1 protocol ip permit
no cdp run
!
!
route-map NAT_MIKROTIK permit 10
 match ip address 1
!
route-map NAT_DIALER permit 10
 match ip address 1
 match interface Dialer1
09-05-2012 12:09 PM
Hello Karolos,
I would guess 91.132.216.248 is interface Dialer1.
If you do a show access-list ADSL_Firewall,
do you see any hits on the ACL?
09-06-2012 12:27 PM
This is what I get...
As you can see, there are matches to the first rule, which is the correct one.
I verified that the matches increment when I reload the page from an outside, Internet-connected device.
Does this mean it's a routing / NAT issue?
10 permit tcp any host 91.132.216.248 eq www (86 matches)
30 permit udp any host 91.132.216.248 eq domain
70 deny ip 127.0.0.0 0.255.255.255 any
80 deny ip 224.0.0.0 15.255.255.255 any
90 deny udp any any eq snmp
100 deny ip 192.168.0.0 0.0.0.255 any
110 deny ip 172.16.0.0 0.0.255.255 any
120 deny ip 10.0.0.0 0.0.0.255 any
130 deny tcp any any lt 1024 (17 matches)
140 permit gre any any
146 permit ip any any (3350 matches)
150 deny udp any any lt 1024 (5 matches)
09-06-2012 12:34 PM
Hello Karolos,
It means that the router is doing its job, so it could be a server issue.
In order to make sure this is the case, let's do a capture:
ip access-list extended to_server-in
 permit tcp any host 192.168.0.253 eq 80
 permit ip any any
ip access-list extended server_to_out
 permit tcp host 192.168.0.253 eq 80 any
 permit ip any any
interface BVI1
 ip access-group to_server-in out
 ip access-group server_to_out in
Then attempt to connect and provide me the following:
show access-list to_server-in
show access-list server_to_out
Regards,
Remember to rate all the helpful posts, that is as important as a thanks.
09-07-2012 04:33 AM
Thanks again for your valuable assistance... Below is the output of the show access-list in and out directives after modifying the config as you requested.
Aeon#show access-lists to_server_in
Extended IP access list to_server_in
10 permit tcp any host 192.168.0.253 eq www (3 matches)
20 permit ip any any (168 matches)
Aeon#show access-lists to_server_out
Extended IP access list to_server_out
10 permit tcp host 192.168.0.253 eq www any
20 permit ip any any (464 matches)
Also a trace from my workstation. (The web server has also established and tested connectivity to the web.)
Translating "www.in.gr"...domain server (91.132.4.4) [OK]
Type escape sequence to abort.
Tracing the route to www.in.gr (212.205.159.143)
1 * * *
2 91.132.2.122 36 msec 32 msec 32 msec
3 otenet.gr-ix.gr (83.212.8.4) 32 msec 32 msec 32 msec
4 athe-crsa-athe7609k1-1.backbone.otenet.net (79.128.227.17) 32 msec 36 msec 32 msec
5 nyma-crsa-athe-crsa-1.backbone.otenet.net (79.128.224.34) 36 msec 36 msec 36 msec
6 maro7609b-nyma-crsa-1.backbone.otenet.net (79.128.226.38) 32 msec 32 msec 32 msec
7 79.128.252.222 32 msec 32 msec 32 msec
8 79.128.252.222 !A * *
09-07-2012 04:40 AM
You were correct. It was a server issue. The server is a NAS device. After searching the security features, I found that there was an "allow only 192.168.0.0/24" option in the connection settings, thus preventing any connection coming from outside the router from being established.
Thanks for your guidance and effort again.
09-07-2012 09:21 AM
Hello Karolos,
Yes, after checking the ACLs I could see the packets going out the inside interface to the server but no reply.
Check the ACL hits so you can troubleshoot that for the next time.
Remember to rate all of the answers, for the community that is as important as a thanks.
Glad I could help,
Julio
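The method Julio walks Karolos through above (put counting ACLs on the inside interface, generate a connection, then read where the hit counters stop incrementing) can be turned into a small script. The following Python is an added example written for this page, not code from the thread or from Cisco: it parses `show access-lists` output, walks the checkpoints in the order an inbound SYN crosses them on this design (edge ACL on Dialer1, then outbound on BVI1 toward the server, then inbound on BVI1 for the replies) and names the first checkpoint that saw no matching traffic. The ACL names and counter values are taken from the posts above; the `Extended IP access list ADSL_Firewall` header line is assumed, since the poster pasted only that ACL's entries.

```python
import re
from dataclasses import dataclass

# Sample input constructed from the `show access-lists` output posted in the
# thread. IOS prints an "Extended IP access list <name>" header before each ACL
# (assumed here for ADSL_Firewall, whose header the poster did not paste) and
# omits the "(n matches)" suffix when an entry has never been hit.
SHOW_ACCESS_LISTS = """\
Extended IP access list ADSL_Firewall
    10 permit tcp any host 91.132.216.248 eq www (86 matches)
    30 permit udp any host 91.132.216.248 eq domain
    70 deny ip 127.0.0.0 0.255.255.255 any
    80 deny ip 224.0.0.0 15.255.255.255 any
    90 deny udp any any eq snmp
    100 deny ip 192.168.0.0 0.0.0.255 any
    110 deny ip 172.16.0.0 0.0.255.255 any
    120 deny ip 10.0.0.0 0.0.0.255 any
    130 deny tcp any any lt 1024 (17 matches)
    140 permit gre any any
    146 permit ip any any (3350 matches)
    150 deny udp any any lt 1024 (5 matches)
Extended IP access list to_server_in
    10 permit tcp any host 192.168.0.253 eq www (3 matches)
    20 permit ip any any (168 matches)
Extended IP access list to_server_out
    10 permit tcp host 192.168.0.253 eq www any
    20 permit ip any any (464 matches)
"""

HEADER_RE = re.compile(r"^(?:Extended|Standard) IP access list (?P<name>\S+)$")
ACE_RE = re.compile(
    r"^\s*(?P<seq>\d+)\s+(?P<action>permit|deny)\s+(?P<rule>.+?)"
    r"(?:\s+\((?P<matches>\d+) match(?:es)?\))?\s*$"
)


@dataclass
class Ace:
    seq: int
    action: str
    rule: str      # text after permit/deny, e.g. "tcp any host 192.168.0.253 eq www"
    matches: int   # 0 when IOS printed no "(n matches)" suffix


def parse_show_access_lists(text):
    """Return {acl_name: [Ace, ...]} in the order IOS listed the entries."""
    acls = {}
    current = None
    for raw in text.splitlines():
        header = HEADER_RE.match(raw.strip())
        if header:
            current = header.group("name")
            acls[current] = []
            continue
        ace = ACE_RE.match(raw)
        if ace and current is not None:
            acls[current].append(Ace(
                seq=int(ace.group("seq")),
                action=ace.group("action"),
                rule=ace.group("rule"),
                matches=int(ace.group("matches") or 0),
            ))
    return acls


def hits_for(acls, acl_name, needle):
    """Sum the counters of every entry in acl_name whose rule text contains needle."""
    return sum(a.matches for a in acls.get(acl_name, []) if needle in a.rule)


# Checkpoints in the order an inbound SYN crosses them on the posted design:
# the edge ACL on Dialer1 is evaluated before NAT, so it matches the public
# address; the two counting ACLs on BVI1 see the translated (inside) address.
CHECKPOINTS = (
    ("ADSL_Firewall", "host 91.132.216.248 eq www",
     "the edge ACL never saw the SYN: it is not arriving on Dialer1 at all"),
    ("to_server_in", "host 192.168.0.253 eq www",
     "permitted at the edge but nothing left BVI1 toward the server: NAT or routing"),
    ("to_server_out", "host 192.168.0.253 eq www",
     "SYNs were delivered to the server but it never answered: look at the host"),
)


def first_silent_checkpoint(acls, checkpoints=CHECKPOINTS):
    """Return (acl_name, explanation) for the first checkpoint with zero hits,
    or (None, explanation) when every checkpoint counted traffic."""
    for acl_name, needle, explanation in checkpoints:
        if hits_for(acls, acl_name, needle) == 0:
            return acl_name, explanation
    return None, "every checkpoint counted traffic; the router is forwarding both ways"


if __name__ == "__main__":
    parsed = parse_show_access_lists(SHOW_ACCESS_LISTS)
    for acl_name, needle, _ in CHECKPOINTS:
        print(f"{acl_name:14s} {hits_for(parsed, acl_name, needle):5d} hits on '{needle}'")
    print(first_silent_checkpoint(parsed))
```

Run against the thread's own counters, the script stops at `to_server_out`, which is exactly the conclusion Julio drew by eye: SYNs were counted leaving BVI1 toward 192.168.0.253, nothing came back, so the NAS and not the 1841 was refusing the connection. One thing the parsed edge ACL also makes visible: the anti-spoofing entry `deny ip 10.0.0.0 0.0.0.255 any` uses a /24 wildcard, so it drops only 10.0.0.0/24; covering the whole 10.0.0.0/8 block the way the 127.0.0.0 entry covers its /8 would need the wildcard 0.255.255.255.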