12-13-2007 07:12 PM - edited 03-03-2019 07:55 PM
I've got a 2611 with IOS 12.3 at an office of mine, and I'd like to set it up to forward port 80 to a small webserver. I've tried the same types of configurations that I used with my older 2611 and 12.0, but they aren't working. I've stripped the config down to barebones and still can't get it to do what I want... Am I going insane? Can someone please point out the flaw or suggest an alternate method?
Current configuration : 2075 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Cisco2611
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$rD#############yh8e/
enable password 7 1#############35
!
no aaa new-model
ip subnet-zero
no ip source-route
ip tcp timestamp
ip tcp path-mtu-discovery
!
!
ip name-server 68.87.64.146
ip name-server 68.87.75.194
!
no ip bootp server
ip cef
!
!
interface Ethernet0/0
 description LAN
 ip address 10.1.10.1 255.255.255.0
 no ip redirects
 no ip proxy-arp
 ip nat inside
 full-duplex
 no cdp enable
 no mop enabled
!
interface Ethernet0/1
 description WAN
 ip address 70.91.###.157 255.255.255.252
 ip access-group 101 in
 no ip redirects
 no ip proxy-arp
 ip nat outside
 full-duplex
 no cdp enable
!
ip nat inside source list 100 interface Ethernet0/1 overload
ip nat inside source static tcp 10.1.10.11 80 interface Ethernet0/1 80
no ip http server
ip classless
no ip forward-protocol udp netbios-ns
no ip forward-protocol udp netbios-dgm
ip route 0.0.0.0 0.0.0.0 70.91.###.158
!
!
access-list 100 permit ip 10.1.10.0 0.0.0.255 any
access-list 101 permit ip any any
no cdp run
!
line con 0
line aux 0
line vty 0 4
 password ############
 login
!
!
end
12-14-2007 02:29 AM
Hi Justin,
My suggestion is to append the "extendable" command to the end of your static NAT entry.
ip nat inside source static tcp 10.1.10.11 80 70.91.###.157 80 extendable
Regards,
Leon
12-15-2007 10:38 AM
Leon:
It seems that this didn't make any difference... Do you think there is a conflicting statement somewhere else in the config?
Thanks,
Justin
12-15-2007 11:47 AM
In your acl 101 you may try it differently
no access-list 101 permit ip any any
replace with
access-list 101 permit tcp any 10.1.10.1 0.0.0.255 eq www log
HTH
Jorge
12-15-2007 03:36 PM
Careful with that, an implied deny any any will take effect.
ACL 101 does not present any problems as it's currently entered.
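The implied deny mentioned in the last reply, as an added example that is not part of the original thread: a small first-match evaluator run over the current and the proposed ACL 101. Assumptions: 203.0.113.157 is a placeholder for the masked WAN address, the sample packets are constructed, and the inbound ACL on the outside interface is checked before NAT rewrites the destination.

```python
import ipaddress

PORTS = {"www": 80, "domain": 53}  # the only port keywords this sketch knows

def _match_addr(tokens, ip):
    """Consume 'any' | 'host A' | 'A WILDCARD' from tokens; True if ip matches."""
    first = tokens.pop(0)
    if first == "any":
        return True
    if first == "host":
        return ipaddress.ip_address(tokens.pop(0)) == ipaddress.ip_address(ip)
    base = int(ipaddress.ip_address(first))
    wildcard = int(ipaddress.ip_address(tokens.pop(0)))
    care = ~wildcard & 0xFFFFFFFF          # wildcard bits set to 1 are ignored
    return (base & care) == (int(ipaddress.ip_address(ip)) & care)

def evaluate(acl_lines, pkt):
    """First matching entry wins; no match falls through to the implicit deny."""
    for line in acl_lines:
        tok = line.split()[2:]             # drop 'access-list <number>'
        action, proto = tok.pop(0), tok.pop(0)
        src_ok = _match_addr(tok, pkt["src"])
        dst_ok = _match_addr(tok, pkt["dst"])
        port_ok = True
        if tok and tok[0] == "eq":         # destination port; trailing 'log' is ignored
            port_ok = pkt.get("dport") == (PORTS.get(tok[1]) or int(tok[1]))
        if (proto == "ip" or proto == pkt["proto"]) and src_ok and dst_ok and port_ok:
            return action
    return "implicit deny"

ORIGINAL = ["access-list 101 permit ip any any"]
PROPOSED = ["access-list 101 permit tcp any 10.1.10.1 0.0.0.255 eq www log"]

# Constructed packets as they arrive on Ethernet0/1, before NAT translation.
WEB_REQUEST = {"proto": "tcp", "src": "198.51.100.7",
               "dst": "203.0.113.157", "dport": 80}
DNS_REPLY = {"proto": "udp", "src": "68.87.64.146",
             "dst": "203.0.113.157", "dport": 33000}

if __name__ == "__main__":
    for name, acl in (("original", ORIGINAL), ("proposed", PROPOSED)):
        for label, pkt in (("web request", WEB_REQUEST), ("DNS reply", DNS_REPLY)):
            print(f"{name:9} {label:12} -> {evaluate(acl, pkt)}")
```

With the single-entry replacement, both the inbound web request and the return traffic for LAN clients fall through to the implicit deny, because neither is addressed to 10.1.10.0/24 at the point the ACL is checked.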