cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3049
Views
0
Helpful
6
Replies

Access WEB server from LAN

petrutz_21
Level 1
Level 1

Hi,

I have a Router 2801

What conf should i make to access the webserver from the same LAN.

!

no ip dhcp use vrf connected

ip dhcp excluded-address 192.168.1.1 192.168.1.63

ip dhcp excluded-address 192.168.1.192 192.168.1.254

!

ip dhcp pool xxx

   network 192.168.1.0 255.255.255.0

   domain-name xxx.com

   default-router 192.168.1.1

   dns-server 193.226.128.1 193.226.128.129

   lease 20

!

!

ip domain name xxx.com

ip name-server 95.77.94.77

ip name-server 213.154.124.1

ip name-server 193.231.252.1

ip name-server 78.96.7.7

!

interface FastEthernet0/0

description isp1

ip address xxx.xxx.xxx.118 255.255.255.128

ip nat outside

duplex auto

speed auto

!

interface FastEthernet0/1

description isp2

ip address xxx.xxx.xxx.206 255.255.255.252

ip nat outside

duplex auto

speed auto

!

interface FastEthernet0/3/0

!

interface FastEthernet0/3/1

!

interface FastEthernet0/3/2

!

interface FastEthernet0/3/3

!

interface Vlan1

description xxx

ip address 192.168.1.1 255.255.255.0

ip nat inside

rate-limit output access-group 101 8000000 3000000 7000000 conform-action transmit exceed-action drop

rate-limit output access-group 102 8000000 3000000 7000000 conform-action transmit exceed-action drop

!

ip route 0.0.0.0 0.0.0.0 isp1

ip route 0.0.0.0 0.0.0.0 isp2 10

!

ip http server

ip http authentication local

ip http timeout-policy idle 60 life 86400 requests 10000

ip nat inside source static tcp 192.168.1.222 80 interface FastEthernet0/0 8080

ip nat inside source route-map isp2 interface FastEthernet0/1 overload

ip nat inside source route-map isp1 interface FastEthernet0/0 overload

!

ip access-list extended BLOCK_PORTS

deny   tcp any eq smtp any

permit ip any any

!

access-list 100 permit ip 192.168.1.0 0.0.0.255 any

access-list 101 permit tcp any eq www 192.168.1.64 0.0.0.63

access-list 102 permit tcp any eq www 192.168.1.128 0.0.0.63

route-map isp2 permit 10

match ip address 100

match interface FastEthernet0/1

!

route-map isp1 permit 10

match ip address 100

match interface FastEthernet0/0

!

I've done:

ip nat inside source static tcp 192.168.1.222 80 interface fastethernet0/0 8080

for accessing the webserver from the internet.

I need to access the webserver troough the public from tha LAN.

Thanks.

6 Replies 6

Giuseppe Larosa
Hall of Fame
Hall of Fame

Hello Toma,

if you mean that you would like to access the web server from the internal LAN you can access it on the private address

192.168.1.222.

if you would like to access from inside using the outside IP address I'm afraid this can be a problem as NAT works when a traffic flow crosses from inside interface to outside interface

Is it working the NAT rule when you access from outside world on port 8080?

Hope to help

Giuseppe

Hi Giuseppe,

From the internet when I type publicaddress:8080 it's working but when I try tu ccess from the LAN it doesen't work; just if I type 192.168.1.222.

I want to access it from the LAN using the public ip address.

Thanks.

.Hello Toma,

I know it would be handy if supported, but actually what happens is that you are attempting to access the router itself on port TCP 8080 on ip address associated with WAN interface from internal LAN: it doesn't trigger the NAT translation so it doesn't work.

You can check this with show ip nat translations or even with debug ip nat

From networking point of view you should use private IP address when you are in the private internal network=LAN, that is the way NAT is designed to work.

Hope to help

Giuseppe

petrutz_21
Level 1
Level 1

Any other suggestion on how to make this work from the inside lan ?

I've been searching on google and i still can find a good solution.

Why we  can make this work with a cheap router and with a cisco router is so complicated ?

Thanks

Hi,

this not possible because hairpinning ( the feature you want to use) is not implemented on Cisco routers but DNS rewrite also called DNS doctoring should be implemented and so if this is the case you must have a public DNS server with your  A record on it and then you will access the server with its FQDN either from outside or inside( in which case the router will rewrite the DNS reply to the inside IP address of the server).

Regards.

Alain

Don't forget to rate helpful posts.

Hi Cadet Alain,

But what about NAT on a stick. I'm not quite sure that this can be aply in this case. What do you know about this ?

Thanks,

Network Address Translation on a StickNAT

Review Cisco Networking for a $25 gift card