Solved: Cisco Model 881 - Unable to NAT to web server - Page 2

isaaczhun · ‎06-21-2011

Hi,

I hope there any someone here can help me out.

Apparently the problem seems simple enough however I couldn't get it working. My router is being configured to access a web server in the network which is on port 80. However, port 80 is being used by my router's setup page. Therefore whenever I key in my public IP address, it will just immediately direct me to the router's page.

I have also tried opening up other ports like 5050 and set my web server to port 5050. Internally within the LAN itself everyone can access the web server with port 5050. However, going from public IP address with port 5050 doesn't work. Am I missing anything here?

All the firewalls are configured.

Thanks in advanced.

isaaczhun · ‎06-29-2011

Hi,

There is no firewall in between the router and the local lan. I type show ip nat translation and see this

udp xxx.xxx.xxx.xxx:80 192.168.1.8:80 xxx.xxx.xxx.xxx:81 xxx.xxx.xxx.xxx:81

and many others but there is no 5050.

Could this be the reason why it is going to the cisco 881? Is there anyway I can change the inside local into 192.168.1.39 (web server ip) so that we just continue using port 80 since it is confirmed that it can go into the local?

I have tried netstat -an also but there is no connection established when trying port 5050. We do have connections established to port 80 but that is still the router page.

Thanks in advanced.

Thotsaphon Lueangwattanaphong · ‎06-30-2011

Hi,

Your configuration looks good to me. Can you post "show ip nat translation | inc 5050" while connecting http://xxx.xx.xx.xxx:5050 from the internet? Just want to know if you have no problem with tcp/21 and tcp/1723 when connecting from the internet. Right?

HTH,

Toshi

isaaczhun · ‎06-30-2011

Hi Toshi,

I have no problem with tcp/21 and tcp/1723 which is why I am confused here.

This is the result that I got from "show ip nat translation | inc 5050"

tcp xxx.xxx.xxx.xxx:5050 192.168.1.39:5050 --- ---

There is no outside local and outside global to it.

Thotsaphon Lueangwattanaphong · ‎06-30-2011

Hi,

It's weird. Please use "telnet xx.xx.xx.xx 5050" on PC when you are in the internet. Also post "show ip nat transaliton | inc 5050" here.

Toshi

isaaczhun · ‎06-30-2011

Hi Toshi,

I did a telnet and it shows me Connecting to xxx.xxx.xxx.xxx ... Could not open connection to the host, on port 5050.

I tried telnet xxx.xxx.xxx.xxx without the port and it brings me directly to the console where I need to login.

the show ip nat translation | inc 5050 shows the same.

tcp xxx.xxx.xxx.xxx:5050 192.168.1.39:5050 --- ---

could it be because I'm on the same connection therefore I am unable to test it out?

Thotsaphon Lueangwattanaphong · ‎06-30-2011

Hi,

Are you sure that you use the command while telneting to the web server? It has to have any connection when showing it. If it still doesn't work. Please change it back to tcp/80 in NAT statement and then test the same process and then show the result.

Edit: I just want to make sure that tcp/5050 won't be blocked by ISP. Actually I should not.

HTH,

Toshi

isaaczhun · ‎06-30-2011

Hi Toshi,

This is what I did. Please let me know if I am doing anything wrong here.

I used window 7 PC to test on the connection.

Firstly I open up the command prompt and type in telnet xxx.xxx.xxx.xxx 5050. However it is unable to connect to it. Therefore I type in just xxx.xxx.xxx.xxx without the port 5050.

I was able to get into the console and just resume typing in my username and password.

After which i type in show ip nat translation | inc 5050.

It shows the same thing

tcp xxx.xxx.xxx.xxx:5050 192.168.1.39:5050 --- ---

Could it be due to same connection with the window server and window 7 pc?

I tried on port 1723 and port 21 it cannot established connection as well however when I used the application that I used to connect port 1723 and port 21 I am able to get into it. The application is on a different line.

Thotsaphon Lueangwattanaphong · ‎06-30-2011

Hi,

Well, Please add this for testing.

!

ip access-list extend TEST-Connection

permit tcp any eq 5050 log

permit ip any any

!

interface fastethernet4

ip access-group TEST-Connection in

!

And then test connections again

Toshi

isaaczhun · ‎06-30-2011

Hi Toshi,

It is still returning the same result

Thotsaphon Lueangwattanaphong · ‎06-30-2011

Hi,

You didn't see any hit on tcp/5050. Right? It's kind weird. Please try the following steps.

!

Router(conf)#no ip nat inside source static tcp 192.168.1.39 5050 interface FastEthernet4 5050

Router(conf)#ip nat inside source static tcp 192.168.1.39 5050 xx.xx.xx.xx 5050

!

Trying to use http and telnet together. Please let me know the results,"show ip nat translation | inc 5050" and "show access-list".

I'm confused why you cannot open the connections with tcp/5050. Then let me see TCP/80.

!

Router(conf)#no ip nat inside source static tcp 192.168.1.39 5050 xx.xx.xx.xx 5050

Router(conf)#ip nat inside source static tcp 192.168.1.39 80 xx.xx.xx.xx 80

!

ip access-list TEST-Connection

5 permit tcp any eq 80

!

Please post the result if it works with tcp/80. "show ip nat translation | inc 80" and "show access-list"

.

HTH,

Toshi

isaaczhun · ‎07-01-2011

Hi Toshi,

Just to clarify as I am really new to this. Do you mean by typing the following into the console?

!

Router(conf)#no ip nat inside source static tcp 192.168.1.39 5050 interface FastEthernet4 5050

Router(conf)#ip nat inside source static tcp 192.168.1.39 5050 xx.xx.xx.xx 5050

!

Thotsaphon Lueangwattanaphong · ‎07-01-2011

Hi,

Yes. Don't forget to show me the results and do the steps I provided.

Toshi

isaaczhun · ‎07-01-2011

Hi Toshi,

Am I suppose to see anything after typing the long list of command? I am not seeing anything here.

It shows the same thing

tcp xxx.xxx.xxx.xxx:5050 192.168.1.39:5050 --- ---

tcp xxx.xxx.xxx.xxx:5050 192.168.1.39:80 --- ---

both 5050 and 80 access-list is showing

Standard IP access list 1

10 permit 192.168.1.0, wildcard bits 0.0.0.255 (616460434 matches)

Thotsaphon Lueangwattanaphong · ‎07-01-2011

Hi Guy,

Please carefully read the steps I provided. Please do each step.

You didn't see any hit on tcp/5050. Right? It's kind weird. Please try the following steps.

!

Router(conf)#no ip nat inside source static tcp 192.168.1.39 5050 interface FastEthernet4 5050

Router(conf)#ip nat inside source static tcp 192.168.1.39 5050 xx.xx.xx.xx 5050

!

Trying to use http and telnet together. Please let me know the results,"show ip nat translation | inc 5050" and "show access-list".

I'm confused why you cannot open the connections with tcp/5050. Then let me see TCP/80.

!

Router(conf)#no ip nat inside source static tcp 192.168.1.39 5050 xx.xx.xx.xx 5050

Router(conf)#ip nat inside source static tcp 192.168.1.39 80 xx.xx.xx.xx 80

!

ip access-list TEST-Connection

5 permit tcp any eq 80

!

Please post the result if it works with tcp/80. "show ip nat translation | inc 80" and "show access-list"

HTH,

Toshi

isaaczhun · ‎07-01-2011

Hi,

This is what I did

Go to window server and connect to console and type in "! Router(conf)#no ip nat inside source static tcp 192.168.1.39 5050 interface FastEthernet4 5050 Router(conf)#ip nat inside source static tcp 192.168.1.39 5050 xx.xx.xx.xx 5050 !" All in one single line
Go to window7 PC browser and type in xx.xx.xx.xx:5050 and also open up command prompt and type in telnet xx.xx.xx.xx 5050
Result from telnet is "Connecting to xx.xx.xx.xx.xx ...Could not open connection to the host , on port 5050: Connect failed.
Go to window server and type "show ip nat translation | inc 5050"
Result from translation: tcp xxx.xxx.xxx.xxx:5050 192.168.1.39:5050 --- ---
Type in "show access-list"
Result from show access-list: Standard IP access list 1 10 permit 192.168.1.0, wildcard bits 0.0.0.255 (616460434 matches)
Go to 192.168.1.1 and change the configuration of NAT to public ip address xx.xx.xx.x(80) and private ip address 192.168.1.39(5050)
Go to console again and type in "! Router(conf)#no ip nat inside source static tcp 192.168.1.39 5050 xx.xx.xx.xx 5050 Router(conf)#ip nat inside source static tcp 192.168.1.39 80 xx.xx.xx.xx 80 ! ip access-list TEST-Connection 5 permit tcp any xx.xx.xx.xx eq 80 !" All in one line
Go to window7 PC and open browser go to xx.xx.xx.xx:80 and it brought me to the router set up page.
Open up command prompt and type telnet xx.xx.xx.xx 80 and it gave me blank page. When type any key and it says 400 Bad Request Connect to host lost.
Go to window server again and type "show ip nat translation | inc 80"
Result from translation (alot of them but i spotted port 80 with this): tcp xxx.xxx.xxx.xxx:5050 192.168.1.39:80 --- ---
type in "show access-list"
Result: More or less the same as 5050

Please let me know if I did anything wrong. Also, am I supposed to see anything when i type in those !Router ... stuff

Thanks for the help =)