05-18-2012 03:54 PM - edited 03-04-2019 04:24 PM
Hi,
After the configuration of NAT, my webserver (1.1.1.4) is not accessible anymore from outside (4.4.4.2).
ICMP is working, but browsing is not.
The problem must be a bad ACL configuration.
I tried various configurations, extended ACLs, just to allow all traffic but none of them worked.
Only the config "access-list 1 permit 0.0.0.0 0.0.0.0" worked, but this is not how it should be.
R1#
%SYS-5-CONFIG_I: Configured from console by console
sh ru
Building configuration...
Current configuration : 662 bytes
!
version 12.2
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname R1
!
interface FastEthernet0/0
 ip address 1.1.1.1 255.255.255.0
 ip nat inside
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 2.2.2.1 255.255.255.252
 duplex auto
 speed auto
!
interface Serial0/0
 ip address 3.3.3.1 255.255.255.252
 ip nat outside
 clock rate 64000
!
ip nat inside source list 1 interface Serial0/0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0
!
!
access-list 1 permit 1.1.1.0 0.0.0.255
!
!
line con 0
line vty 0 4
 login
!
!
!
end
R1#
debug:
NAT: s=1.1.1.4->3.3.3.1, d=3.3.3.2 [853]
NAT*: s=3.3.3.2, d=3.3.3.1->1.1.1.4 [387]
NAT*: s=1.1.1.4->3.3.3.1, d=3.3.3.2 [854]
NAT*: s=1.1.1.4->3.3.3.1, d=3.3.3.2 [855]
NAT*: s=3.3.3.2, d=3.3.3.1->1.1.1.4 [388]
NAT*: s=3.3.3.2, d=3.3.3.1->1.1.1.4 [389]
NAT*: s=1.1.1.4->3.3.3.1, d=3.3.3.2 [856]
NAT*: s=1.1.1.4->3.3.3.1, d=3.3.3.2 [857]
NAT*: s=3.3.3.2, d=3.3.3.1->1.1.1.4 [390]
NAT*: s=3.3.3.2, d=3.3.3.1->1.1.1.4 [391]
05-18-2012 10:17 PM
Hi Matt,
I suspect your problem is already on the webserver's application since ping is ok and no ACLs are applied to your interfaces.
Was it working before applying NAT? Could you do a telnet 80 to your webserver from R1?
Sent from Cisco Technical Support iPhone App
05-19-2012 01:07 AM
I have access without NAT.
Telnet also works.
05-21-2012 12:45 AM
Hi,
After the configuration of NAT, my webserver (1.1.1.4) is not accessible anymore from outside (4.4.4.2).
ICMP is working, but browsing is not.
NAT is working from inside to outside without any problem, as the ICMP success and the NAT debug output suggest.
But if you're trying to access your inside server from 4.4.4.2, then you need a static NAT or static PAT, not NAT overload.
Is this a Packet Tracer file? If so, can you post it here?
Regards.
Alain.
05-18-2012 11:11 PM
Hi Matt
Remove static entry ip route 0.0.0.0 0.0.0.0 Serial0/0.
05-21-2012 01:00 AM
Hi,
I would try to exempt 1.1.1.4 from NAT:
no access-list 1
access-list 1 deny host 1.1.1.4
access-list 1 permit 1.1.1.0 0.0.0.255
Dan
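Added example, not part of the original posts: a small Python evaluator for standard ACLs with wildcard masks, showing which inside sources "ip nat inside source list 1" would translate under each of the three ACLs that appear in this thread. The function names and the constants ORIGINAL, EXEMPT and HOST_ZERO are assumptions made for the illustration; the matching rule is the usual first-match with an implicit deny at the end.

```python
import ipaddress

def _ip(text):
    return int(ipaddress.IPv4Address(text))

def parse_acl(text):
    """Parse 'access-list N permit|deny [host] ADDR [WILDCARD]' or '... any' lines."""
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        action, rest = tok[2], tok[3:]
        if rest[0] == "any":
            addr, wild = "0.0.0.0", "255.255.255.255"
        elif rest[0] == "host":
            addr, wild = rest[1], "0.0.0.0"
        else:
            # A missing wildcard means an exact host match.
            addr, wild = rest[0], rest[1] if len(rest) > 1 else "0.0.0.0"
        entries.append((action, _ip(addr), _ip(wild)))
    return entries

def translated(acl_text, src):
    """True if a packet from src matches a permit entry and is therefore NATed."""
    s = _ip(src)
    for action, addr, wild in parse_acl(acl_text):
        # Bits set in the wildcard are "don't care"; the rest must be equal.
        if (s | wild) == (addr | wild):
            return action == "permit"      # first match wins
    return False                           # implicit deny: not translated

# ACLs as they appear in the thread
ORIGINAL = "access-list 1 permit 1.1.1.0 0.0.0.255"
EXEMPT = """access-list 1 deny host 1.1.1.4
access-list 1 permit 1.1.1.0 0.0.0.255"""
HOST_ZERO = "access-list 1 permit 0.0.0.0 0.0.0.0"  # wildcard 0.0.0.0 = exact host 0.0.0.0

if __name__ == "__main__":
    for name, acl in (("original", ORIGINAL), ("exempt", EXEMPT), ("host-zero", HOST_ZERO)):
        for src in ("1.1.1.4", "1.1.1.5"):
            print(f"{name:10} {src:8} translated={translated(acl, src)}")
```

With the exemption ACL the web server keeps its real address 1.1.1.4 on the outside, so every port on it is reachable wherever routing allows; a static PAT entry would publish only the chosen port.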
05-21-2012 02:05 AM
@Dan-Ciprian Cicioiu and @cadet alain: Both methods worked out well, thx for the tips.