access web server behind NAT using public IP

amir_prat
Level 1

Hi All

I would like to place a web server behind the NAT and get to it both from the outside and from the inside using a public IP address.

I used static NAT in order to do that.

It works well from the outside.

Private users behind the same NAT cannot access the same web server using its public IP but can using its private one.

I can ping the web server using the public IP address but I can't get it to display a web page.

I'm using a 1721 router with 12.3 IOS version.

Static NAT looks like:

ip nat inside source static 192.168.0.22 xxx.xxx.xxx.xxx

Thanks

Amir

2 Replies

Hello,

What are your inside and outside interfaces? Can you post the full configuration?

Regards,

Georg

Hi Georg

I have a FastEthernet for the LAN (behind NAT) and a serial for the Internet.

I also have an Ethernet for DMZ.

Please find the configuration below (I omitted or replaced some IP addresses):

version 12.3
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
aaa new-model
aaa authentication login userauthen group radius
aaa authorization network groupauthor local
aaa accounting network default start-stop group radius
aaa session-id common
ip subnet-zero
no ip source-route
!
!
no ip domain lookup
!
no ip bootp server
ip audit notify log
ip audit po max-events 100
no ftp-server write-enable
!
!
!
!
crypto isakmp policy 3
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp client configuration group xxxxxxxxxxx
 key xxxxxxxxx
 dns xxxxxxxxxx
 wins xxxxxxxxxx
 domain xxxxxxxxxx
 pool ippool
 acl 108
!
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
crypto dynamic-map dynmap 10
 set transform-set myset
!
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
!
!
!
interface Loopback1
 ip address 1.1.1.1 255.255.255.0
!
interface Ethernet0
 ip address xxx.xxx.xxx.132 255.255.255.0
 ip nat outside
 half-duplex
!
interface FastEthernet0
 description connected to EthernetLAN
 ip address 192.168.1.5 255.255.255.0
 ip nat inside
 ip policy route-map nonat
 speed auto
!
interface Serial0
 description connected to Internet
 ip address xxx.xxx.xxx.62 255.255.255.252
 ip nat outside
 service-module t1 remote-alarm-enable
 crypto map clientmap
!
router rip
 version 2
 network 192.168.1.0
 network 192.168.1.0
 no auto-summary
!
ip local pool ippool 172.16.8.1 172.16.8.250
ip nat pool Router-natpool-1 xxx.xxx.xxx.135 xxx.xxx.xxx.142 netmask 255.255.255.240
ip nat inside source list 1 pool Router-natpool-1 overload
ip nat inside source static 192.168.1.5 xxx.xxx.xxx.129
ip nat inside source static 192.168.1.15 xxx.xxx.xxx.134
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0
no ip http server
no ip http secure-server
!
!
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 100 permit udp any eq rip any eq rip
access-list 100 permit tcp any any eq www
access-list 101 deny ip any any
access-list 103 permit ip 192.168.1.0 0.0.0.255 172.16.8.0 0.0.0.255
access-list 108 permit ip 192.168.1.0 0.0.0.255 172.16.8.0 0.0.0.255
no cdp run
!
route-map nonat permit 11
 match ip address 103
 set ip next-hop 1.1.1.2
!
snmp-server community public RO
snmp-server enable traps tty
!
line con 0
 exec-timeout 0 0
 password 7 xxxxxxxxxxxx
line aux 0
line vty 0 4
 password 7 xxxxxxxxxx
!
no scheduler allocate
!
end

The static NAT for the web server is:

ip nat inside source static 192.168.1.15 xxx.xxx.xxx.134

where xxx.xxx.xxx.134 is its public address (not overloaded)

Thanks

Amir