NAT IN/OUT PROBLEM

Didier1966

Hello,

I have a WEB server running locally, and this works well.

Now I would like to see it from external, but it seems not to work and I do not know what I do wrong.

Here below some part of the configuration and the IP NAT TRANSLATION:

ROUTER1841#sh ip nat translations
Pro Inside global            Inside local         Outside local      Outside global
udp 81.164.201.195:1         192.168.1.251:123    66.27.60.10:123    66.27.60.10:123
udp 81.164.201.195:123       192.168.10.50:123    17.72.255.12:123   17.72.255.12:123
tcp 81.164.201.195:49778     192.168.10.50:49778  72.163.5.80:443    72.163.5.80:443
tcp 81.164.201.195:8099      192.168.10.3:80      ---                ---
ROUTER1841#

I can PING the OUTSIDE 81.164.201.195, but I can not see the WEB page.

I have tried different ports in case my ISP blocks some ports. I even tried a LINKSYS WRT54GL, where I opened the port 8099 and this one was working, so I am sure I do something wrong.

no ip http server
ip http authentication local
ip http secure-server
ip dns server
ip nat inside source list 101 interface FastEthernet0/0 overload
ip nat inside source static tcp 192.168.10.3 80 81.164.201.195 8099 extendable
!
access-list 101 permit ip 192.168.10.0 0.0.0.255 any
access-list 101 permit ip 192.168.20.0 0.0.0.255 any
access-list 101 permit ip 192.168.30.0 0.0.0.255 any
access-list 101 permit ip 192.168.100.0 0.0.0.255 any
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
no cdp run
!
!

Best Regards,

Didier

Can you post your interfaces config? Both inside one and outside one.

Hello Marcin,

Here You have the FULL CONFIG

MAYBE AN IMPORTANT INFORMATION:

From OUTSIDE I am able to access the CISCO 1841 ROUTER on PORT 8096 via:

ssh://admin@cisco1841.dyndns.info:8096

This means that my provider does not lock out this port.

But this does not work:

http://admin@cisco1841.dyndns.info:8099

Here below I put the IP instead of the name, both are still equal (I DO NOT KNOW YET HOW TO CHANGE THE IP TO admin@cisco1841.dyndns.info:8099)

ip nat inside source static tcp 192.168.10.3 80 81.164.201.195 8099 extendable

Thank You in advance for your help

NOTE: The script is complete, I have just removed some part of the PASSWORD.

Best Regards,

Didier

!
! Last configuration change at 23:01:37 gmt+1 Wed Dec 1 2010 by admin
! NVRAM config last updated at 22:59:46 gmt+1 Wed Dec 1 2010 by admin
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ROUTER1841
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable password 7 050
!
aaa new-model
!
!
aaa authentication banner
THIS SYSTEM IS SOLELY FOR USE OF AUTHORISED USERS FOR OFFICIAL PURPOSES
!
!
aaa session-id common
clock timezone gmt+1 1
clock summer-time gmt+2 recurring last Sun Mar 2:00 last Sun Oct 3:00
dot11 syslog
no ip source-route
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.10.1
ip dhcp excluded-address 192.168.20.1
ip dhcp excluded-address 192.168.30.1
ip dhcp excluded-address 192.168.100.1
ip dhcp excluded-address 192.168.1.250 192.168.1.254
!
ip dhcp pool vlan10
   import all
   network 192.168.10.0 255.255.255.0
   default-router 192.168.10.1
   dns-server 8.8.8.8
   lease 5
!
ip dhcp pool vlan20
   import all
   network 192.168.20.0 255.255.255.0
   dns-server 8.8.8.8
   default-router 192.168.20.1
   lease 5
!
ip dhcp pool vlan30
   import all
   network 192.168.30.0 255.255.255.0
   dns-server 8.8.8.8
   default-router 192.168.30.1
!
ip dhcp pool FIX-IP
   host 192.168.100.66 255.255.255.0
   client-identifier 0100.089b.ad17.8f
   client-name FIX-IP
!
ip dhcp pool TEST
   host 192.168.100.20 255.255.255.0
   client-identifier 0100.2241.353f.5e
!
ip dhcp pool internal
   network 192.168.100.0 255.255.255.0
   dns-server 192.168.100.1
   default-router 192.168.100.1
!
ip dhcp pool vlan1
   network 192.168.1.0 255.255.255.0
   dns-server 8.8.8.8
   default-router 192.168.1.1
   lease 5
!
ip dhcp pool MAC
   host 192.168.10.50 255.255.255.0
   client-identifier 0100.2312.1c0a.39
!
ip dhcp pool PRINTER
   host 192.168.10.20 255.255.255.0
   client-identifier 0100.242b.4d0c.5a
!
ip dhcp pool WAP610N
   host 192.168.10.100 255.255.255.0
   client-identifier 0100.259c.8fad.4c
!
!
no ip bootp server
ip domain name dri
ip host SW12 192.168.1.252
ip host SW24 192.168.1.251
ip ddns update method DynDNS
HTTP
  add http://dri66:@members.dyndns.org/nic/update?system=dyndns&hostname=cisco1841.dyndns.info&myip=
interval maximum 1 0 0 0
interval minimum 1 0 0 0
!
multilink bundle-name authenticated
!
crypto pki trustpoint TP-self-signed-2996
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-29967
revocation-check none
rsakeypair TP-self-signed-29967
!
!
username Admin privilege 15 secret 5 $1$gAFQ
archive
log config
  hidekeys
!
!
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh port 8096 rotary 1
ip ssh version 2
!
!
!
interface FastEthernet0/0
description DMZ
ip ddns update hostname cisco1841.dyndns.info
ip ddns update DynDNS
ip address dhcp
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
description INTERNAL$ETH-LAN$
ip address 192.168.100.1 255.255.255.0
no ip proxy-arp
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/0/0
switchport access vlan 10
spanning-tree portfast
!
interface FastEthernet0/0/1
switchport access vlan 20
spanning-tree portfast
!
interface FastEthernet0/0/2
switchport access vlan 30
spanning-tree portfast
!
interface FastEthernet0/0/3
switchport mode trunk
!
interface Vlan1
ip address 192.168.1.250 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface Vlan10
ip address 192.168.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface Vlan20
ip address 192.168.20.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface Vlan30
ip address 192.168.30.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
ip forward-protocol nd
!
!
no ip http server
ip http authentication local
ip http secure-server
ip dns server
ip nat inside source list 101 interface FastEthernet0/0 overload
ip nat inside source static tcp 192.168.10.3 80 81.164.201.195 8099 extendable
!
access-list 101 permit ip 192.168.10.0 0.0.0.255 any
access-list 101 permit ip 192.168.20.0 0.0.0.255 any
access-list 101 permit ip 192.168.30.0 0.0.0.255 any
access-list 101 permit ip 192.168.100.0 0.0.0.255 any
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
no cdp run
!
!
!
control-plane
!
!
banner exec
WELCOME YOU ARE NOW LOGED IN
banner login
WARNING !!!
IF YOU ARE NOT :
Didier Ribbens
Please Leave NOW !!!
YOUR IP and MAC address will be LOGGED !!!
!
line con 0
speed 115200
line aux 0
line vty 0 4
access-class 5 in
privilege level 15
rotary 1
transport input telnet ssh
line vty 5 15
access-class 5 in
rotary 1
!
scheduler allocate 20000 1000
ntp clock-period 17178401
ntp server 66.27.60.10
end

Hi,

First clear dynamic entries in NAT table with clear ip nat translation * command

Then do a show ip nat translation command to see if indeed your static nat is in the table

Then do a debug ip nat and try to access this webserver so you can see if the nat is used indeed.

Regards.

Don't forget to rate helpful posts.

mrdogantr

Hi Didier,

Your config is running.

http://81.164.201.195:8099

and I think you must change your web panel password.

Hello,

Really strange, I did not change anything, and YES it works.

I have to tell, now I test it abroad and it works, I am curious if it will work when I am back home?

Maybe, I can not test from INSIDE to BACK to the ROUTER INSIDE?

If this is the case I will try to login with another connection at home, my provider gives me 4 IP's so I have still 3 others that I can use before the cisco router.

I will keep you informed, in the meantime thank you for the info.

Any idea how I can replace the IP with the URL ADDRESS?

Best Regards,

Didier

Hi,

No you can't do this:

Maybe , I can not test from INSIDE to BACK to the ROUTER INSIDE ?

Regards.

Don't forget to rate helpful posts.

Thank You All for your great help
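
Added example (not part of the original thread): a Python check that follows the verification step suggested above, run against the `show ip nat translations` rows posted in the thread. It confirms the static forward is in the table and flags a test made from an inside client, which the answers say cannot work with this configuration. Function names are hypothetical; the inside networks are taken from access-list 101.

```python
import ipaddress
import re

# Constructed sample: the `show ip nat translations` rows quoted in the thread.
SAMPLE = """\
Pro Inside global      Inside local       Outside local      Outside global
udp 81.164.201.195:1   192.168.1.251:123  66.27.60.10:123    66.27.60.10:123
udp 81.164.201.195:123 192.168.10.50:123  17.72.255.12:123   17.72.255.12:123
tcp 81.164.201.195:49778 192.168.10.50:49778 72.163.5.80:443 72.163.5.80:443
tcp 81.164.201.195:8099 192.168.10.3:80   ---                ---
"""

# Inside networks, from access-list 101 in the posted config (0.0.0.255 = /24).
INSIDE_NETS = [ipaddress.ip_network(n) for n in (
    "192.168.10.0/24", "192.168.20.0/24", "192.168.30.0/24",
    "192.168.100.0/24", "192.168.1.0/24")]
ROW = re.compile(r"^(tcp|udp)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")

def parse_translations(text):
    """Return one dict per translation row, skipping header and prompt lines."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        proto, in_global, in_local, out_local, out_global = m.groups()
        # Assumption: with PAT (overload), only static entries show "---" outside.
        rows.append({"proto": proto, "inside_global": in_global, "inside_local": in_local,
                     "static": out_local == "---" and out_global == "---"})
    return rows

def static_forwards(rows):
    """Map (proto, inside_global) -> inside_local for static port forwards."""
    return {(r["proto"], r["inside_global"]): r["inside_local"]
            for r in rows if r["static"]}

def is_inside_client(addr):
    """True if the test client sits on one of the NAT inside networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INSIDE_NETS)

def check_forward(text, proto, inside_global, client):
    """Verdict for testing one static forward from a given client address."""
    target = static_forwards(parse_translations(text)).get((proto, inside_global))
    if target is None:
        return "missing: no static entry for %s %s" % (proto, inside_global)
    if is_inside_client(client):
        return "inconclusive: client is on an inside network, test from outside"
    return "present: %s -> %s" % (inside_global, target)
```

Paste fresh router output into `check_forward` together with the address of the machine the browser test is run from.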
