05-19-2011 02:51 AM - edited 03-04-2019 12:27 PM
Hello Cisco community,
I am trying to configure NAT to route traffic from an outside port to an inside webserver, but I keep failing. After a month of reading forums I decided to ask for help here.
The inside/outside interfaces are defined and working.
I tried to route traffic received on the outside interface on port 5555 to an internal webserver on port 80, but failed. Here is the command I used:
ip nat inside source static tcp <ip_of_webserver> 80 interface fastEthernet 0/0 5555
fa0/0 is the outside interface
fa0/1 is the inside interface
Do I need to route traffic from fa0/0 to fa0/1 and then from fa0/1 to my webserver? Do I need to set up an ACL?
Any help would be appreciated.
05-19-2011 02:59 AM
Hi,
When you're trying to access this server from the internet, please post the output of "show ip nat translation | inc
Toshi
05-19-2011 03:05 AM
Hi Toshi,
This is a static NAT, so the entry will always be in the NAT table even if there is no traffic.
To verify whether NAT is the problem, a debug ip nat would be more appropriate IMHO.
Is there an ACL on the outside interface or is there ZBF configured on the router?
I think a running config would be helpful here.
Regards.
Alain.
05-19-2011 03:16 AM
Hi Alain,
"This is a static NAT so the entry will always be in the NAT table even if there is no traffic." You're right. However, we will see new entries if there are connections connecting to the router.
For example:
Router#sh ip nat translations | inc 172.17.1.22
tcp 202.x.y.z:80 172.17.1.22:80 203.a.b.c:49155 203.a.b.c:49155 <--- Incoming Connection
tcp 202.x.y.z:80 172.17.1.22:80 --- --- <---- Static Entry
That's why I asked for the output. However, it's a good idea to post the current configuration on the router.
Toshi
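To make the check Toshi describes above repeatable, here is a small parser for "show ip nat translations" output that separates the always-present static entry ("---" in both outside columns) from live inbound sessions hitting the same inside-global socket. This is an added example, not code from the thread; the sample output is constructed with documentation addresses, not the poster's real ones.

```python
# Constructed sample of "show ip nat translations" output (documentation IPs).
# Row 1: an inbound connection through the static port mapping.
# Row 2: the static entry itself, present even with no traffic.
# Row 3: an unrelated outbound (overload/PAT) session.
SAMPLE = """\
Pro Inside global      Inside local       Outside local        Outside global
tcp 203.0.113.5:5555   192.0.2.10:80      198.51.100.7:49155   198.51.100.7:49155
tcp 203.0.113.5:5555   192.0.2.10:80      ---                  ---
tcp 203.0.113.5:1024   192.0.2.25:1024    93.184.216.34:443    93.184.216.34:443
"""


def parse_translations(text):
    """Return one dict per translation row, skipping the header line."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[0] == "Pro":
            continue
        proto, ig, il, ol, og = fields
        rows.append({
            "proto": proto,
            "inside_global": ig,
            "inside_local": il,
            "outside_local": ol,
            "outside_global": og,
            # A static mapping shows "---" in both outside columns; anything
            # else is a live session that actually traversed NAT.
            "static": ol == "---" and og == "---",
        })
    return rows


def summarize(text):
    """For each static mapping, count live sessions and list the peers.
    Zero sessions after an outside test means the SYN never reached NAT
    (ACL, upstream filtering, wrong outside address), not a NAT failure."""
    rows = parse_translations(text)
    report = {}
    for s in (r for r in rows if r["static"]):
        hits = [r for r in rows
                if not r["static"] and r["inside_global"] == s["inside_global"]]
        report[s["inside_global"]] = {
            "inside_local": s["inside_local"],
            "active_sessions": len(hits),
            "peers": sorted({h["outside_global"].rsplit(":", 1)[0] for h in hits}),
        }
    return report
```

Paste the real "show ip nat translations | inc <webserver_ip>" output in place of SAMPLE; a non-empty peers list proves the router translated the request, so the next thing to check is the path behind fa0/1.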
05-19-2011 03:24 AM
Hi Toshi,
You're right. I thought about it after I posted.
Regards.
Alain.
05-19-2011 03:32 AM
Hi
show ip nat translations shows:
Pro Inside global Inside local Outside local Outside global
tcp fa0/0:5555 webserver_ip:80 --- ---
debug ip nat crashed my router and I had to restart it.
I'll post some of my running config; I will try to remove some of the irrelevant info:
!
!
crypto pki trustpoint
enrollment selfsigned
serial-number none
ip-address none
revocation-check crl
rsakeypair
!
!
crypto pki certificate chain
certificate self-signed 01
quit
!
!
!
!
crypto isakmp policy 100
encr aes
authentication pre-share
group 2
crypto isakmp key
!
!
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
!
crypto map outside-map 10 ipsec-isakmp
set peer
set transform-set ESP-3DES-MD5
match address
!
!
!
!
!
!
!
!
interface FastEthernet0/0
ip address
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map outside-map
!
interface FastEthernet0/1
description $ES_LAN$
ip address
ip access-group acl_out in
ip nbar protocol-discovery
ip flow ingress
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
service-policy input SDM-QoS-Policy-1
!
!
!
ip http server
no ip http secure-server
ip dns server
ip nat inside source list 122 interface FastEthernet0/0 overload
ip nat inside source static tcp
!
ip access-list extended acl_out
remark SDM_ACL Category=17
permit ip any host
permit tcp host
deny tcp any any eq smtp
permit ip any any
ip access-list extended
permit ip
!
access-list 122 permit ip host
!
end
05-19-2011 03:42 AM
OK, I tested from outside connecting to fa0/0:5555. The output is below:
tcp fa0/0:5555
Apparently NAT works. So what is my problem then? The page requested from outside wasn't displayed.
05-19-2011 03:45 AM
Hi,
1. You can access this server via the local LAN, right? Please check the server by using "netstat -an". Are there connections from 92.85.253.180?
2. Please post detailed ACL of interesting traffic for crypto map.
HTH,
Toshi
05-19-2011 04:00 AM
That's all there is to post about the crypto map. The only things I haven't posted are the map name and the peer IP. Is there anything else you think I haven't posted?
netstat -an doesn't show the request from outside.
05-19-2011 04:11 AM
Is the webserver IP on the same subnet as the fa0/1 interface IP ?
If not does the device that routes for the web server have a default route pointing back to this router ?
Also, as Toshi suggested, can you post the actual acl details for the crypto map.
Jon
05-19-2011 04:17 AM
Have you tried disabling the firewall on the server?
Is the service up on the router? netstat -a -p tcp should output port 80 listening.
Could you sniff your interface?
Regards.
Alain.
05-19-2011 04:28 AM
fa0/1 is on a different subnet than my webserver.
The layout is basically:
router->switch->ISA server->switch->webserver
The firewall on the webserver is disabled. Port 80 is listening. Maybe my ISA server is blocking the traffic?
05-19-2011 04:31 AM
carpovalexandru123 wrote:
fa0/1 is on a different subnet than my webserver.
The layout is basically:
router->switch->ISA server->switch->webserver
The firewall on the webserver is disabled. Port 80 is listening. Maybe my ISA server is blocking the traffic?
Is your ISA server acting as a router then ?
Check the ISA server settings, is it doing any firewalling ?
Jon
05-19-2011 04:35 AM
Yes, you can look for that possibility.
You can mirror traffic (local SPAN) coming from the ISA server to the switch port onto another port connected to a PC where you install a sniffer, and see if you have the SYN packets.
Regards.
Alain.
05-19-2011 04:46 AM
Yes, I am using some policies on ISA, but I have a rule in my ISA firewall that basically says allow all TCP traffic on port 5555 from external/anywhere to webserver_ip for all users.