837 router not allowing http traffic

mattwestby
Level 1

I have an 837 router with a www server on the internal LAN which I can access no problem. When I try to access the www server externally I get no response from it. I attach a copy of my running config.

When I turn off the firewall feature in the CRWS software I can access the www server no problem from the outside. I have been told that there is nothing wrong with the access lists or natting but it still isn't working. I know there is nothing wrong with my www server. Please can someone help.

Thanks

6 Replies

mwall
Level 1

First time poster, bear with me.

Couple thoughts.

Remove this line from the inspect statements?

ip inspect name myfw http

No need to inspect http if you are already inspecting tcp.

I don't know CRWS, so I am not sure what happens when you unapply the firewall via CRWS. Does the access list get unapplied as well?

Basic firewall will block all incoming packets, unless you open them up. Your acl 111 does show you have the tcp www port open, but obviously something is wrong, either with the acl or with nat.

You can run the following debugs to help see what is happening.

debug ip nat

debug ip packet detail

Note that debugging ip packet detail is pretty exhaustive, so use it sparingly, or set up an access list and debug off that acl.

I see other ports allowed into the web server; can you access the same server based off those ports?

I vaguely recall that with port mapping, sometimes we can't get traffic to come into the router unless the web server has sent some traffic up, and the nat translation is in use.

Show ip nat trans * would be helpful as well.

Let me know,

Mike

spremkumar
Level 9

Hi

From your post you are having 2 blocks of IP addresses configured under your ethernet and overloading the secondary address configured.

I feel your webserver comes under the secondary IP block. While trying to access your webserver from the outside world, try to check whether you are getting active NAT translation sessions or not.

If you are not getting any active translation sessions then I would suggest rearranging the secondary and primary address blocks, if you don't have any config or structural constraints in doing so.

Just swap the primary and secondary address blocks under your ethernet and check.

From my personal experience I did face a lot of problems with NAT and secondary IP block.

Regards

Thanks for the reply

Could I take out the address 10.10.10.1 completely, as it doesn't reflect anything on our network?

Hi

To be cautious and on the safer side, get into console and swap the primary and secondary IP address, that's it.

Regards

Hi

I took out the 10.10.10.1 address and made 10.0.0.1 the only address on the interface. All seems OK except it still isn't allowing http traffic. I'm getting matches on my access list though, but I got matches before. This is very strange.

Did you try to remove the line inspecting http?

ip inspect name myfw http

Mike
