Issue with NAT, ACL. Cannot connect to web server from inside network.

squinn2000
Level 1

I have been working on this 2621XM IOS 12.1(18) router config for some time and have most of it working, but now I cannot access the web server at IP 192.168.3.xx. I have NAT inside source static tcp 192.168.3.xx 80 65.32.15.xx 80 extendable in list. Strange..... It can be accessed correctly from the internet but not from the inside of the network. I cannot connect from the inside using the IP address of the web server nor http://www.domainname.com. The 65.32.15.xx is also the outside interface of the router but should NAT to the private address 192.168.3.xx:80, which it does from the internet but not from inside the network.

My config is as follows. Any help to get the NAT or route correct so I can connect internally and externally will be appreciated greatly!!!

I realize I have a lot of trash in the ACL and it is not very secure. My intention was to get things "up" and then begin securing it more.

Thanks!! Please help!! I've x'ed out some of the IPs for some security.

Current configuration : 3051 bytes
!
version 12.1
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname rtrname
enable secret 5 $1$nKAq$GvomCOuYV.KRYYSgOJX.p0
enable password 7 133505431101267B3F2720
!
!
!
!
!
ip subnet-zero
ip name-server 65.32.x.65
ip name-server 65.32.x.70
!
interface FastEthernet0/0
 description Private Interface
 ip address 192.168.x.1 255.255.255.0
 ip access-group 100 in
 ip nat inside
 no ip mroute-cache
 speed 100
 full-duplex
 no cdp enable
!
interface FastEthernet0/1
 description Public Interface
 ip address 65.32.x.86 255.255.255.192 secondary
 ip address 65.32.x.87 255.255.255.192
 ip access-group 101 in
 ip access-group 100 out
 ip nat outside
 no ip mroute-cache
 duplex auto
 speed auto
 no cdp enable
!
ip nat inside source list 7 interface FastEthernet0/1 overload
ip nat inside source static 192.168.x.159 65.x.15.86
ip nat inside source static tcp 192.168.x.11 20 65.32.x.87 20 extendable
ip nat inside source static tcp 192.168.x.11 21 65.32.x.87 21 extendable
ip nat inside source static tcp 192.168.x.11 80 65.32.x.87 80 extendable
ip nat inside source static tcp 192.168.x.11 16893 65.32.x.87 16893 extendable
ip nat inside source static tcp 192.168.x.13 16894 65.32.x.87 16894 extendable
ip nat inside source static tcp 192.168.x.12 16895 65.32.x.87 16895 extendable
ip nat inside source static tcp 192.168.x.11 24176 65.32.x.87 24176 extendable
ip nat inside source static tcp 192.168.x.13 24177 65.32.x.87 24177 extendable
ip nat inside source static tcp 192.168.x.12 24178 65.32.x.87 24178 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 65.32.x.65 permanent
ip route 0.0.0.0 0.0.0.0 FastEthernet0/1
ip route 192.168.x.0 255.255.255.0 FastEthernet0/1 permanent
no ip http server
!
access-list 7 permit 192.168.x.0 0.0.0.255
access-list 100 permit ip any any
access-list 101 permit gre any host 65.32.x.86
access-list 101 permit ip 192.168.x.0 0.0.0.255 any
access-list 101 permit tcp any host 65.32.x5.87 eq www
access-list 101 permit tcp any host 65.32.x.87 eq 16893
access-list 101 permit tcp any host 65.32.x.87 eq 16894
access-list 101 permit tcp any host 65.32.x.87 eq 16895
access-list 101 permit tcp any host 65.32.x.87 eq 24176
access-list 101 permit tcp any host 65.32.x.87 eq 24177
access-list 101 permit tcp any host 65.32.x.87 eq 24178
access-list 101 permit tcp any host 65.32.x.87 eq ftp
access-list 101 permit tcp any host 65.32.x.87 eq ftp-data
access-list 101 permit tcp any host 65.32.x.86 eq 1723
access-list 101 permit tcp any host 65.32.x.86
access-list 101 permit tcp any eq www host 65.32.x.87
access-list 101 permit tcp any any established
access-list 101 permit udp any eq domain host 65.32.x.87
no cdp run
!
line con 0
line aux 0
line vty 0 4
 exec-timeout 0 0
 password 7 wjrbnfibvnvaebv
 login
end
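The poster notes that the ACLs contain "a lot of trash" and are not very secure. The following review helper is an added example (not code from the original post or from Cisco): it parses the numbered `access-list` forms used in the posted config and flags the entries a reviewer would question: the permit-all list 100, the RFC 1918 source range permitted inbound on the public interface by list 101, a host opened on every TCP port, entries that match only on the source port (which the remote side chooses), and the stateless `established` catch-all. The sample lines are copied from the post with the poster's `x` masking left in place; which ACLs face the Internet is an input the reviewer supplies from the `ip access-group ... in` lines (101 on FastEthernet0/1 here).

```python
"""Review helper for numbered IOS access-lists (added example, not from the
original post).  Flags entries a reviewer would question in a stateless
packet filter.  Which ACLs are applied inbound on the public interface is
supplied by the caller (taken from the 'ip access-group N in' lines)."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class AclEntry:
    acl: str
    action: str
    proto: str
    src: str
    src_port: Optional[str]
    dst: str
    dst_port: Optional[str]
    established: bool
    raw: str


def _take_addr(tokens: List[str]) -> str:
    """Consume one address spec: 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD'."""
    t = tokens.pop(0)
    if t == "any":
        return "any"
    if t == "host":
        return tokens.pop(0)
    return f"{t} {tokens.pop(0)}"


def _take_port(tokens: List[str]) -> Optional[str]:
    """Consume an optional 'eq PORT' qualifier."""
    if len(tokens) >= 2 and tokens[0] == "eq":
        tokens.pop(0)
        return tokens.pop(0)
    return None


def parse_acl_line(line: str) -> Optional[AclEntry]:
    tokens = line.split()
    if len(tokens) < 4 or tokens[0] != "access-list" or not tokens[1].isdigit():
        return None
    acl, action, number = tokens[1], tokens[2], int(tokens[1])
    if number <= 99 or 1300 <= number <= 1999:      # standard ACL: source only
        rest = tokens[3:]
        return AclEntry(acl, action, "ip", _take_addr(rest), None, "any", None, False, line)
    proto, rest = tokens[3], tokens[4:]              # extended ACL
    src = _take_addr(rest)
    src_port = _take_port(rest)
    dst = _take_addr(rest) if rest else "any"
    dst_port = _take_port(rest)
    return AclEntry(acl, action, proto, src, src_port, dst, dst_port, "established" in rest, line)


def is_private(addr: str) -> bool:
    """RFC 1918 test on the address part of a spec; masked octets ('x') are
    tolerated because only the leading octets are inspected."""
    first = addr.split()[0]
    if first.startswith(("10.", "192.168.")):
        return True
    octets = first.split(".")
    return first.startswith("172.") and octets[1].isdigit() and 16 <= int(octets[1]) <= 31


def lint_entry(e: AclEntry, public_inbound_acls=frozenset()) -> List[str]:
    findings = []
    if e.action != "permit":
        return findings
    if e.proto == "ip" and e.src == "any" and e.dst == "any":
        findings.append("permit-all entry: the ACL filters nothing")
    if e.acl in public_inbound_acls and e.src != "any" and is_private(e.src):
        findings.append("private source permitted inbound on the public interface (spoofable)")
    if e.proto in ("tcp", "udp") and e.dst != "any" and e.src_port is None \
            and e.dst_port is None and not e.established:
        findings.append(f"host reachable on every {e.proto} port")
    if e.src_port is not None and e.dst_port is None:
        findings.append("matches only the source port, which the remote side chooses")
    if e.established and e.src == "any" and e.dst == "any":
        findings.append("stateless 'established': any TCP segment with ACK or RST set passes")
    return findings


def lint_config(lines: List[str], public_inbound_acls=frozenset()) -> dict:
    """Map each flagged ACL line to its list of findings."""
    report = {}
    for line in lines:
        e = parse_acl_line(line.strip())
        if e is not None:
            f = lint_entry(e, public_inbound_acls)
            if f:
                report[line.strip()] = f
    return report


# ACL lines as posted (octets masked with 'x' by the poster); list 101 is the
# 'ip access-group 101 in' list on the public interface FastEthernet0/1.
POSTED_ACLS = """
access-list 7 permit 192.168.x.0 0.0.0.255
access-list 100 permit ip any any
access-list 101 permit gre any host 65.32.x.86
access-list 101 permit ip 192.168.x.0 0.0.0.255 any
access-list 101 permit tcp any host 65.32.x.87 eq www
access-list 101 permit tcp any host 65.32.x.87 eq ftp
access-list 101 permit tcp any host 65.32.x.86 eq 1723
access-list 101 permit tcp any host 65.32.x.86
access-list 101 permit tcp any eq www host 65.32.x.87
access-list 101 permit tcp any any established
access-list 101 permit udp any eq domain host 65.32.x.87
""".strip().splitlines()

if __name__ == "__main__":
    for raw, findings in lint_config(POSTED_ACLS, {"101"}).items():
        print(raw)
        for f in findings:
            print("   -", f)
```

Run as a script it prints six flagged lines from the posted ACLs; lines such as `permit tcp any host 65.32.x.87 eq www`, which name both the host and the destination port, pass clean. The private-source rule only fires for lists the caller marks as inbound on the public interface, so list 7 (used only as the NAT overload source list) is not flagged.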

1 Reply

raymong
Level 4

The results you are seeing are correct. The global addresses (65.32.15.x) are only valid on the outside and the local addresses (192.168.3.x) are only valid on the inside. The reason this fails is because:

1. Host 1 browses to the internal Web Server using its URL (www.domainname.com).

2. Host 1's browser sends a DNS request to the external DNS server to resolve domainname.com to its IP address.

3. The external DNS server replies with the global IP address of 65.32.15.x.

4. Host 1's browser now attempts to make a connection with 65.32.15.x and sends the traffic to its default gateway, fa0/0.

5. Routing takes place, and the router sends this traffic out the fa0/1 interface. As this occurs, the source IP address is translated since it has traversed both a NAT inside and outside interface.

6. The ISP notes the destination address (65.32.15.x) is routed back out the same interface it came in on, and the traffic comes back to the fa0/1 interface.

7. Since fa0/1 is a NAT outside interface, the source and destination addresses are translated. The packet now has a source of 192.168.x.x and a destination of 192.168.3.x.

8. The Web Server receives the TCP request from Host 1 and, noting that it is a local address, replies directly to Host 1.

9. Host 1 receives a reply from its TCP request; however, since it receives it from 192.168.3.x and not 63.32.15.x as it was expecting, it drops the packet.

The way to solve this problem is to use an internal DNS server or set up host files on all your internal users.
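The nine steps above, and the question they answer, can be walked through in a small model of the router. The following is an added example, not code from raymong or from the original thread, and its addresses are constructed: LAN 192.168.3.0/24 with the web server at .11 and a client at .50, and 65.32.15.87 as the public interface and inside-global address (consistent with the masked values in the post). It models only the two translations the reply describes (source translation on the inside-to-outside pass with overload, destination plus source translation on the outside-to-inside pass) and the client TCP stack's check that the reply comes from the peer it connected to. Switching the DNS view to an internal one that returns the private address is the fix the reply recommends, and the model shows why it works.

```python
"""Model of the NAT 'hairpin' failure described in the reply (added example,
not part of the original thread; all addresses are constructed)."""
from dataclasses import dataclass
import ipaddress

LAN = ipaddress.ip_network("192.168.3.0/24")      # constructed private LAN
ROUTER_OUTSIDE = "65.32.15.87"                     # fa0/1 and inside-global address
WEB_SERVER = "192.168.3.11"                        # inside-local web server
CLIENT = "192.168.3.50"                            # "Host 1" in the reply

# ip nat inside source static tcp 192.168.3.11 80 65.32.15.87 80 extendable
STATIC_TCP = {(ROUTER_OUTSIDE, 80): (WEB_SERVER, 80)}

# Two DNS views of the same name: what the public DNS answers (steps 2-3)
# and what an internal DNS server or hosts file would answer (the fix).
DNS_VIEWS = {
    "external": {"www.domainname.com": ROUTER_OUTSIDE},
    "internal": {"www.domainname.com": WEB_SERVER},
}


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class Router:
    """fa0/0 = ip nat inside, fa0/1 = ip nat outside, overload on fa0/1."""

    def __init__(self):
        self.dynamic = {}        # (inside_global, port) -> (inside_local, port)
        self.next_port = 1024    # next overload port to hand out

    def forward_from_inside(self, pkt: Packet) -> Packet:
        """Step 5: a non-LAN destination is routed out fa0/1, so the packet
        crosses inside->outside and its source is translated (overload)."""
        if ipaddress.ip_address(pkt.dst) in LAN:
            return pkt                      # stays on the LAN, NAT not involved
        gport = self.next_port
        self.next_port += 1
        self.dynamic[(ROUTER_OUTSIDE, gport)] = (pkt.src, pkt.sport)
        return Packet(ROUTER_OUTSIDE, gport, pkt.dst, pkt.dport)

    def receive_on_outside(self, pkt: Packet) -> Packet:
        """Step 7: on the NAT outside interface the destination is rewritten
        from the static entry and the source from the dynamic entry."""
        dst, dport = STATIC_TCP.get((pkt.dst, pkt.dport), (pkt.dst, pkt.dport))
        src, sport = self.dynamic.get((pkt.src, pkt.sport), (pkt.src, pkt.sport))
        return Packet(src, sport, dst, dport)


def isp_hairpin(pkt: Packet) -> Packet:
    """Step 6: the ISP routes a packet for 65.32.15.87 straight back to fa0/1."""
    return pkt


def web_server_reply(pkt: Packet) -> Packet:
    """Step 8: the server answers the source it saw, directly on the LAN."""
    return Packet(pkt.dst, pkt.dport, pkt.src, pkt.sport)


def simulate(dns_view: str, client_port: int = 40000):
    """Attempt the client's connection under a DNS view and return
    (expected_peer, actual_peer, accepted).  'accepted' is the step-9 check:
    the client only accepts a reply from the address:port it connected to."""
    router = Router()
    target = DNS_VIEWS[dns_view]["www.domainname.com"]   # steps 2-3
    syn = Packet(CLIENT, client_port, target, 80)        # step 4
    if ipaddress.ip_address(target) in LAN:
        reply = web_server_reply(syn)                    # same subnet, direct
    else:
        out = router.forward_from_inside(syn)            # step 5
        back = isp_hairpin(out)                          # step 6
        delivered = router.receive_on_outside(back)      # step 7
        reply = web_server_reply(delivered)              # step 8, sent to CLIENT
    expected = (target, 80)
    actual = (reply.src, reply.sport)
    return expected, actual, expected == actual          # step 9


if __name__ == "__main__":
    for view in ("external", "internal"):
        expected, actual, ok = simulate(view)
        print(f"{view:8} DNS: expected reply from {expected}, got {actual}: "
              f"{'accepted' if ok else 'dropped'}")
```

With the external DNS view the client sends its SYN to 65.32.15.87:80 but the SYN-ACK arrives from 192.168.3.11:80, so no socket matches and the segment is dropped; with the internal view the client talks to 192.168.3.11 directly and the tuple matches.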