HTTP not working after NAT setup

matt_ccna · ‎05-18-2012

Hi,

After the configuration of NAT, my webserver (1.1.1.4) is not accessible anymore from outside (4.4.4.2).

ICMP is working, but browsing is not.

The problem must be a bad ACL configuration.

I tried various configurations, extended ACLs, just to allow all traffic but none of them worked.

Only the config "access-list 1 permit 0.0.0.0 0.0.0.0", but this is not how it should be.

R1#

%SYS-5-CONFIG_I: Configured from console by console

sh ru

Building configuration...

Current configuration : 662 bytes

!

version 12.2

no service timestamps log datetime msec

no service timestamps debug datetime msec

no service password-encryption

!

hostname R1

!

interface FastEthernet0/0

ip address 1.1.1.1 255.255.255.0

ip nat inside

duplex auto

speed auto

!

interface FastEthernet0/1

ip address 2.2.2.1 255.255.255.252

duplex auto

speed auto

!

interface Serial0/0

ip address 3.3.3.1 255.255.255.252

ip nat outside

clock rate 64000

!

ip nat inside source list 1 interface Serial0/0 overload

ip classless

ip route 0.0.0.0 0.0.0.0 Serial0/0

!

access-list 1 permit 1.1.1.0 0.0.0.255

!

line con 0

line vty 0 4

login

!

end

R1#

debug:

NAT: s=1.1.1.4->3.3.3.1, d=3.3.3.2 [853]

NAT*: s=3.3.3.2, d=3.3.3.1->1.1.1.4 [387]

NAT*: s=1.1.1.4->3.3.3.1, d=3.3.3.2 [854]

NAT*: s=1.1.1.4->3.3.3.1, d=3.3.3.2 [855]

NAT*: s=3.3.3.2, d=3.3.3.1->1.1.1.4 [388]

NAT*: s=3.3.3.2, d=3.3.3.1->1.1.1.4 [389]

NAT*: s=1.1.1.4->3.3.3.1, d=3.3.3.2 [856]

NAT*: s=1.1.1.4->3.3.3.1, d=3.3.3.2 [857]

NAT*: s=3.3.3.2, d=3.3.3.1->1.1.1.4 [390]

NAT*: s=3.3.3.2, d=3.3.3.1->1.1.1.4 [391]

johnlloyd_13 · ‎05-18-2012

Hi Matt,

I suspect your problem is already on the webserver's application since ping is ok and no ACLs are applied to your interfaces.

Was it working before applying NAT? Could you do a telnet 80 to your websever from R1?

Sent from Cisco Technical Support iPhone App

matt_ccna · ‎05-19-2012

I have acces without NAT.

Telnet also works.

cadet alain · ‎05-21-2012

Hi,

After the configuration of NAT, my webserver (1.1.1.4) is not accessible anymore from outside (4.4.4.2).

ICMP is working, but browsing is not.

NAT is working from Inside to Outside without any problem as suggest the ICMP success as well as the NAT debug output.

But if you're trying to access your inside server from 4.4.4.2 then you need a static NAT or static PAT not NAT overload.

Is this a Packet Tracer file ? if so can you post it here.

Regards.

Alain.

Don't forget to rate helpful posts.

Rajeev Ranjan · ‎05-18-2012

Hi Matt

Remove static entry ip route 0.0.0.0 0.0.0.0 Serial0/0.

Dan-Ciprian Cicioiu · ‎05-21-2012

Hi,

I would try to exempt 1.1.1.4 from nat :

no access-list 1

access-list 1 deny host 1.1.1.4

access-list 1 permit 1.1.1.0 0.0.0.255

Dan

matt_ccna · ‎05-21-2012

@Dan-Ciprian Cicioiu and @cadet alain: Both methods worked out well, thx for the tips.