External HTTP Traffic to internal WebServer

I have just installed a router and set up NAT port forwarding for passing internet traffic to internal systems running things such as HTTPS, RDP, redirecting ports, etc. Everything is working great except port 80. HTTP traffic is not working and I need a little help please with the config.

interface FastEthernet0/0 (OUTSIDE)
 ip address 40.40.40.2
 ip nat outside

interface FastEthernet0/1 (INSIDE)
 ip address 192.168.60.2
 ip nat inside

no ip http server
ip nat inside source list 1 interface FastEthernet0/0 overload
ip nat inside source static tcp 192.168.60.80 80 interface FastEthernet0/0 80
ip nat inside source static tcp 192.168.60.21 443 interface FastEthernet0/0 443
ip nat inside source static tcp 192.168.60.21 3389 interface FastEthernet0/0 3389

access-list 1 permit 192.168.0.0 0.0.255.255
access-list 100 permit tcp any host 192.168.60.80 eq www

Any help would be appreciated


Jon Marshall

Difficult to say with the limited configuration you have posted.

The only thing that stands out is your acl 100 is referencing the private IP of the web server and it should be referencing the public IP you are translating the web server to.

But that is just a guess based on what you have posted because you don't show if that acl is applied anywhere or what else is in it.

Jon

Jon, thanks for the reply and sorry for the delay.

Below is the config; please look it over and give your thoughts. If I can provide anything else, please let me know.

Current configuration : 8432 bytes
!
version 12.4
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Router
!
boot-start-marker
boot system flash c2800nm-advipservicesk9-mz.124-7a.bin
boot-end-marker
!
no logging on
enable secret 5 $1$FXfM$44YnheWldPjnzzChbNnof0
enable password 7 075D0E404A5B1A1045
!
no aaa new-model
!
resource policy
!
clock timezone CST -6
clock summer-time CST date Mar 9 2008 2:00 Nov 2 2008 2:00
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.60.1 192.168.60.99
ip dhcp excluded-address 192.168.60.225 192.168.60.254
!
ip dhcp pool DHCP
   import all
   network 192.168.60.0 255.255.255.0
   domain-name domain
   dns-server 192.168.60.21 192.168.60.23
   netbios-name-server 192.168.60.21 192.168.60.23
   default-router 192.168.60.2
   lease 7
!
!
no ip bootp server
ip domain name domain.com
ip name-server 8.8.8.8
!
!
voice-card 0
 dspfarm
!
password encryption aes
!
voice call carrier capacity active
!
voice service pots
!
!
voice class codec 1
 codec preference 1 g711ulaw
!
!
!
voice class h323 1
 h225 timeout tcp establish 2
!
!
!
!
!
interface Loopback1
 ip address 192.168.117.1 255.255.255.0
 ip virtual-reassembly
!
interface FastEthernet0/0
 ip address 40.40.40.2 255.255.255.248
 ip nat outside
 no ip virtual-reassembly
 no ip mroute-cache
 duplex full
 speed auto
 no cdp enable
 no mop enabled
!
interface FastEthernet0/1
 ip address 192.168.60.2 255.255.255.0
 ip nat inside
 no ip virtual-reassembly
 duplex full
 speed auto
 no cdp enable
!
interface Serial0/2/0
 no ip address
 shutdown
!
ip route 0.0.0.0 0.0.0.0 40.129.178.169
ip route 192.168.0.0 255.255.0.0 192.168.60.1
!
!
no ip http server
no ip http secure-server
ip nat inside source list 1 interface FastEthernet0/0 overload
ip nat inside source static tcp 192.168.60.80 80 interface FastEthernet0/0 80
ip nat inside source static tcp 192.168.60.21 3389 interface FastEthernet0/0 61046
ip nat inside source static tcp 192.168.60.29 25 interface FastEthernet0/0 25
ip nat inside source static tcp 192.168.60.23 81 interface FastEthernet0/0 81
ip nat inside source static tcp 192.168.60.21 443 interface FastEthernet0/0 443
ip nat inside source static tcp 192.168.60.6 8990 interface FastEthernet0/0 8990
ip nat inside source static tcp 192.168.60.6 8991 interface FastEthernet0/0 8991
ip nat inside source static tcp 192.168.60.6 3050 interface FastEthernet0/0 3050
ip nat inside source static tcp 192.168.60.6 1024 interface FastEthernet0/0 1024
ip nat inside source static tcp 192.168.60.18 82 interface FastEthernet0/0 82
ip nat inside source static tcp 192.168.60.18 1911 interface FastEthernet0/0 1911
ip nat inside source static tcp 192.168.60.29 3011 interface FastEthernet0/0 3011
ip nat inside source static tcp 192.168.60.16 8100 interface FastEthernet0/0 8100
ip nat inside source static tcp 192.168.60.84 444 interface FastEthernet0/0 444
ip nat inside source static tcp 192.168.60.253 3389 interface FastEthernet0/0 61047
ip nat inside source static tcp 192.168.60.23 3389 interface FastEthernet0/0 61035
ip nat inside source static tcp 192.168.60.10 3389 interface FastEthernet0/0 62035
ip nat inside source static tcp 192.168.60.9 3389 interface FastEthernet0/0 61032
ip nat inside source static tcp 192.168.60.250 3389 interface FastEthernet0/0 61039
ip nat inside source static tcp 192.168.60.244 3389 interface FastEthernet0/0 61041
ip nat inside source static tcp 192.168.60.8 3389 interface FastEthernet0/0 61043
ip nat inside source static tcp 192.168.60.6 3389 interface FastEthernet0/0 61044
ip nat inside source static tcp 192.168.60.21 53 interface FastEthernet0/0 53
!
access-list 1 permit 192.168.0.0 0.0.255.255
access-list 100 permit tcp any host 40.40.40.2 eq www
snmp-server community public RO
!
!
!
!
control-plane
!
!
!
voice-port 0/0/0
 output attenuation 6
 echo-cancel coverage 32
 no non-linear
 playout-delay maximum 120
 playout-delay nominal 100
 playout-delay mode fixed
 no comfort-noise
 timeouts call-disconnect 3
 connection plar 1234567890
 description THE CONNECTION PLAR WAS ESSENTIAL TO AVOID TWO STAGE DIALING
 bearer-cap Speech
 caller-id enable
!
voice-port 0/0/1
 output attenuation 6
 echo-cancel coverage 32
 no non-linear
 playout-delay maximum 120
 playout-delay nominal 100
 playout-delay mode fixed
 no comfort-noise
 timeouts call-disconnect 3
 connection plar 1234567890
 description THE CONNECTION PLAR WAS ESSENTIAL TO AVOID TWO STAGE DIALING
 bearer-cap Speech
 caller-id enable
!
voice-port 0/0/2
 output attenuation 6
 echo-cancel coverage 32
 no non-linear
 playout-delay maximum 120
 playout-delay nominal 100
 playout-delay mode fixed
 no comfort-noise
 timeouts call-disconnect 3
 connection plar 1234567890
 description THE CONNECTION PLAR WAS ESSENTIAL TO AVOID TWO STAGE DIALING
 bearer-cap Speech
 caller-id enable
!
voice-port 0/0/3
 output attenuation 6
 echo-cancel coverage 32
 no non-linear
 playout-delay maximum 120
 playout-delay nominal 100
 playout-delay mode fixed
 no comfort-noise
 timeouts call-disconnect 3
 connection plar 1234567890
 description THE CONNECTION PLAR WAS ESSENTIAL TO AVOID TWO STAGE DIALING
 bearer-cap Speech
 caller-id enable
!
voice-port 0/1/0
 output attenuation 6
 echo-cancel coverage 32
 no non-linear
 playout-delay maximum 120
 playout-delay nominal 100
 playout-delay mode fixed
 no comfort-noise
 timeouts call-disconnect 3
 connection plar 1234567890
 description THE CONNECTION PLAR WAS ESSENTIAL TO AVOID TWO STAGE DIALING
 bearer-cap Speech
 caller-id enable
!
voice-port 0/1/1
 output attenuation 6
 echo-cancel coverage 32
 no non-linear
 playout-delay maximum 120
 playout-delay nominal 100
 playout-delay mode fixed
 no comfort-noise
 timeouts call-disconnect 3
 connection plar 1234567890
 description THE CONNECTION PLAR WAS ESSENTIAL TO AVOID TWO STAGE DIALING
 bearer-cap Speech
 caller-id enable
!
voice-port 0/1/2
 output attenuation 6
 echo-cancel coverage 32
 no non-linear
 playout-delay maximum 120
 playout-delay nominal 100
 playout-delay mode fixed
 no comfort-noise
 timeouts call-disconnect 3
 connection plar 1234567890
 description THE CONNECTION PLAR WAS ESSENTIAL TO AVOID TWO STAGE DIALING
 bearer-cap Speech
 caller-id enable
!
voice-port 0/1/3
 output attenuation 6
 echo-cancel coverage 32
 no non-linear
 playout-delay maximum 120
 playout-delay nominal 100
 playout-delay mode fixed
 no comfort-noise
 timeouts call-disconnect 3
 connection plar 1234567890
 description THE CONNECTION PLAR WAS ESSENTIAL TO AVOID TWO STAGE DIALING
 bearer-cap Speech
 caller-id enable
!
!
!
!
!
dial-peer voice 10 pots
 destination-pattern 9.
 direct-inward-dial
 port 0/0/0
!
dial-peer voice 11 pots
 destination-pattern 9.
 direct-inward-dial
 port 0/0/1
!
dial-peer voice 12 pots
 destination-pattern 9.
 direct-inward-dial
 port 0/0/2
!
dial-peer voice 13 pots
 destination-pattern 9.
 direct-inward-dial
 port 0/0/3
!
dial-peer voice 14 pots
 destination-pattern 9.
 direct-inward-dial
 port 0/1/0
!
dial-peer voice 15 pots
 destination-pattern 9.
 direct-inward-dial
 port 0/1/1
!
dial-peer voice 16 pots
 destination-pattern 9.
 direct-inward-dial
 port 0/1/2
!
dial-peer voice 17 pots
 destination-pattern 9.
 direct-inward-dial
 port 0/1/3
!
dial-peer voice 100 voip
 destination-pattern .
 session protocol sipv2
 session target ipv4:192.168.1.24
 dtmf-relay rtp-nte
 codec g711ulaw bytes 240
 ip qos dscp cs5 media
 no vad
!
dial-peer voice 99999 voip
 session protocol sipv2
 incoming called-number 9.
 dtmf-relay rtp-nte
 codec g711ulaw bytes 240
 ip qos dscp cs5 media
 no vad
!
gateway
 timer receive-rtp 1200
!
sip-ua
 set pstn-cause 8 sip-status 404
 set pstn-cause 16 sip-status 486
 set pstn-cause 101 sip-status 501
 retry invite 2
 retry response 2
 retry bye 2
 retry cancel 2
 timers trying 1000
 timers connect 1000
!
!
!
banner motd ^C
**************************************************************
**********                                          **********
*******        Unauthorized Entry is Prohibited        *******
**********                                          **********
**************************************************************^C
!
line con 0
 exec-timeout 0 0
line aux 0
line vty 0 5
 exec-timeout 30 0
 password 7 02542B570F540C341E
 login
!
scheduler allocate 20000 1000
no process cpu extended
no process cpu autoprofile hog
!
end

Thanks for your help.
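Jon's first reply raises two things that can be checked mechanically against the posted config: whether access-list 100 names the public or the private address, and whether it is applied anywhere at all. The following is an added example (my own code, not from the thread and not a Cisco tool) that parses the config style posted above, lists every inside host and port the static translations expose, and reports those two findings plus RDP exposure. The sample config is constructed from lines in the posts above, using the first post's version of ACL 100 so the private-address case fires. The order-of-operations point it encodes is Cisco's documented one: an inbound ACL on the `ip nat outside` interface is evaluated before the global-to-local translation, so it must match the global address, which is why Jon's correction matters.

```python
import ipaddress
import re

# Constructed sample assembled from lines in the posts above (added example, not the thread's
# own code); ACL 100 is the first post's version, which still named the web server's private IP.
SAMPLE_CONFIG = """\
interface FastEthernet0/0
 ip address 40.40.40.2 255.255.255.248
 ip nat outside
!
interface FastEthernet0/1
 ip address 192.168.60.2 255.255.255.0
 ip nat inside
!
ip nat inside source static tcp 192.168.60.80 80 interface FastEthernet0/0 80
ip nat inside source static tcp 192.168.60.21 3389 interface FastEthernet0/0 61046
ip nat inside source static tcp 192.168.60.21 443 interface FastEthernet0/0 443
access-list 1 permit 192.168.0.0 0.0.255.255
access-list 100 permit tcp any host 192.168.60.80 eq www
"""

STATIC_RE = re.compile(r"^ip nat inside source static (tcp|udp) (\S+) (\d+) interface (\S+) (\d+)$")
ACL_RE = re.compile(r"^access-list (\d+) (permit|deny) (.+)$")


def _addr(tok, i):
    """Consume one ACL address spec (any | host X | net wildcard) -> (ip, next index)."""
    if tok[i] == "any":
        return None, i + 1
    return (tok[i + 1], i + 2) if tok[i] == "host" else (tok[i], i + 2)


def _skip_ports(tok, i):
    """Skip an optional `eq`/`gt`/`lt`/`neq` port qualifier."""
    return i + 2 if i < len(tok) and tok[i] in ("eq", "gt", "lt", "neq") else i


def parse_config(text):
    """Collect interfaces (ip, NAT role, inbound ACL), static NAT entries and ACL entries."""
    cfg, cur = {"interfaces": {}, "statics": [], "acls": {}}, None
    for line in map(str.rstrip, text.splitlines()):
        p = line.split()
        if not line.startswith(" "):
            cur = None                                   # an unindented line ends any interface block
        if p[:1] == ["interface"]:
            cur = " ".join(p[1:]).lower()                # IOS interface names are case-insensitive
            cfg["interfaces"][cur] = {"ip": None, "nat": None, "acl_in": None}
        elif cur:                                        # indented line inside an interface block
            if p[:2] == ["ip", "address"]:
                cfg["interfaces"][cur]["ip"] = p[2]
            elif p[:2] == ["ip", "nat"] and len(p) == 3:
                cfg["interfaces"][cur]["nat"] = p[2]
            elif p[:2] == ["ip", "access-group"] and p[-1] == "in":
                cfg["interfaces"][cur]["acl_in"] = p[2]
        elif m := STATIC_RE.match(line):
            proto, iip, iport, iface, gport = m.groups()
            cfg["statics"].append({"proto": proto, "inside_ip": iip, "inside_port": int(iport),
                                   "iface": iface.lower(), "global_port": int(gport)})
        elif m := ACL_RE.match(line):
            num, action, tok = m.group(1), m.group(2), m.group(3).split()
            if int(num) <= 99:                           # standard ACL: source only
                src, dst = _addr(tok, 0)[0], None
            else:                                        # extended: proto src [ports] dst [ports]
                src, i = _addr(tok, 1)
                dst, _ = _addr(tok, _skip_ports(tok, i))
            cfg["acls"].setdefault(num, []).append({"action": action, "src": src, "dst": dst})
    return cfg


def exposed_services(cfg):
    """Every (global_ip, global_port, proto, inside_ip, inside_port) reachable from outside."""
    ifs = cfg["interfaces"]
    return sorted(((ifs.get(s["iface"], {}).get("ip"), s["global_port"], s["proto"],
                    s["inside_ip"], s["inside_port"]) for s in cfg["statics"]), key=lambda r: r[1])


def audit(cfg):
    """Findings a reviewer would raise about the NAT/ACL combination."""
    findings = []
    for name, itf in cfg["interfaces"].items():
        if itf["nat"] == "outside" and itf["acl_in"] is None:
            findings.append(f"no inbound ACL on outside interface {name}: every static "
                            "translation is reachable from any source")
    for num, entries in cfg["acls"].items():
        for e in entries:
            if e["dst"] and ipaddress.ip_address(e["dst"]).is_private:
                findings.append(f"access-list {num} names private destination {e['dst']}; inbound on "
                                "the outside interface it is checked before NAT, so use the global address")
    for s in cfg["statics"]:
        if s["inside_port"] == 3389:
            findings.append(f"RDP on {s['inside_ip']} is exposed on outside port {s['global_port']}; "
                            "a non-standard port is not access control")
    return findings


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    print(*exposed_services(cfg), *audit(cfg), sep="\n")
```

Run against the full config posted above (paste it into a file and pass its contents to `parse_config`), the same checks show that ACL 100 now names the public address but is never applied with `ip access-group 100 in` on FastEthernet0/0, so it filters nothing and every static entry, including the ten RDP forwards on high ports, is reachable from any source. The fix that clears the first two findings is to apply the ACL inbound on the outside interface and keep its destination as the global address; the test below exercises exactly that change on the sample.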

If all your other static translations are working then it doesn't seem to be a problem with the router because there is nothing obviously wrong with that specific NAT entry.

It could be an issue with the server itself, i.e.

1) does it have the correct default gateway set ?

2) does it actually work internally ?

Jon

Good heavens, Jon, the default gateway was the issue. Apparently we missed changing the default gateway on that server. It did work internally, so I made an assumption that it had been updated when we changed the network structure. Sometimes you need another set of eyes. Thanks for your help and have a great day.

No problem, glad you got it working.

Jon

Hello

Can you please rate Jon's assistance and mark the post as answered,

as it may help others in the future.

Kind Regards
Paul