05-19-2011 02:51 AM - edited 03-04-2019 12:27 PM
Hello Cisco community
I am trying to configure NAT to route traffic from an outside port to an inside webserver but I keep failing. After a month of reading forums I decided to ask for help here.
The inside/outside interfaces are defined and working.
I tried to route traffic received on the outside interface on port 5555 to an internal webserver on port 80 but failed. Here is the command I used:
ip nat inside source static tcp <ip_of_webserver> 80 interface fastEthernet 0/0 5555
fa0/0 is the outside interface
fa0/1 is the inside interface
Do I need to route traffic from fa0/0 to fa0/1 and then from fa0/1 to my webserver? Do I need to set up an ACL?
Any help would be appreciated.
05-19-2011 04:50 AM
Hi,
It should not be TCP/5555. It has to be TCP/80.
Toshi
05-19-2011 05:34 AM
Thanks, but I'm not sure it should be 80 and not 5555. Anyway, I changed it to http/https/80/5555 just to be sure and include all. Now when I try to connect if I type
I'm just getting more confused.
05-19-2011 05:49 AM
Hi,
As Toshi said above, it must be 80; don't forget you are doing static PAT on your router.
It should pop SDM if I only type fa0/0 ip address
Why? As long as you're hitting the router at TCP port 5555 it will translate to the server at port 80, and when you don't specify the page it should go to index.html.
So your port forwarding is now working.
Regards.
Alain.
05-19-2011 05:57 AM
No mate, when I input just the fa0/0 IP, without a port number, it says 'It works!'
Typing the port number results in a 'cannot display the page' error
05-19-2011 06:22 AM
Now when I try to connect if I type
/start.html it doesn't work BUT when I just type the fa0/0 IP it says 'It works!'
I see no reference to any port
When it says it works can you do sh tcp brief on the router as well as sh ip nat transl and post the output
Typing the port number results in a 'cannot display the page' error
Which page ? /start.html? Do you still not see connections on port 80 of server with netstat?
Are you testing from internet or on the LAN?
Regards.
Alain.
05-19-2011 10:38 PM
I am testing from the internet.
Again, when I type fa0/0:5555/start.html or fa0/0:5555 it doesn't work but I can see the NAT working in my router
When I type just fa0/0 the browser says 'It works!'. I can see NAT working too.
Here is some output:
sh ip nat translations | inc webserver_ip
tcp fa0/0:5555 webserver_ip:80 85.204.149.218:12331 85.204.149.218:12331
tcp fa0/0:5555 webserver_ip:80 150.70.75.31:56259 150.70.75.31:56259
sh tcp brief
TCB Local Address Foreign Address (state)
45B5D74C fa0/1.23 webserver_ip.61087 ESTAB
Maybe I should've said this at the beginning, maybe not, but I have a policy in my router to drop all torrent traffic. Any idea if this might drop traffic received on port 5555? Maybe this is why I see no connections on the server, because all packets are dropped?
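The `sh ip nat translations` output above is the key evidence in this thread: a translation entry shows the router rewrote the inbound SYN from outside port 5555 to the server's port 80, but it says nothing about whether anything behind the router answered. The following is an added example, not code from any post in this thread: it parses the five-column format IOS prints (Pro, Inside global, Inside local, Outside local, Outside global), matches the entries against the intended static PAT rule, and tells you whether the router is merely holding the rule, actively translating clients, or not translating at all. The sample output is constructed; 203.0.113.1 stands in for the redacted fa0/0 address and 10.5.4.150 for the webserver, and the `---` line is how IOS lists the static mapping itself when no client is connected.

```python
"""Parse Cisco IOS 'show ip nat translations' output and check a static PAT rule.

Added example for this thread, not code from the original posts. All addresses
below are constructed placeholders (RFC 5737 ranges stand in for the public IPs).
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample, in the column order IOS prints:
# Pro  Inside global  Inside local  Outside local  Outside global
SAMPLE_OUTPUT = """\
Pro Inside global      Inside local       Outside local       Outside global
tcp 203.0.113.1:5555   10.5.4.150:80      198.51.100.7:12331  198.51.100.7:12331
tcp 203.0.113.1:5555   10.5.4.150:80      192.0.2.44:56259    192.0.2.44:56259
tcp 203.0.113.1:5555   10.5.4.150:80      ---                 ---
udp 203.0.113.1:1024   10.5.4.81:53       192.0.2.9:53        192.0.2.9:53
"""

# Result codes returned by diagnose()
NO_RULE = "no-rule"            # nothing maps outside_port -> inside_host:inside_port
RULE_ONLY = "rule-only"        # static entry present, but no client has hit it
TRANSLATING = "translating"    # router is rewriting live client connections


@dataclass(frozen=True)
class Endpoint:
    host: str
    port: Optional[int]


@dataclass(frozen=True)
class Translation:
    proto: str
    inside_global: Endpoint
    inside_local: Endpoint
    outside_local: Optional[Endpoint]   # None for the static mapping line ('---')
    outside_global: Optional[Endpoint]


_PROTOS = ("tcp", "udp", "icmp")


def _endpoint(token: str) -> Optional[Endpoint]:
    """Turn 'host:port' (or '---') into an Endpoint; 'host' alone gets port None."""
    if token == "---":
        return None
    host, sep, port = token.rpartition(":")
    if not sep or not port.isdigit():
        return Endpoint(token, None)
    return Endpoint(host, int(port))


def parse_nat_translations(text: str) -> List[Translation]:
    """Parse the five-column translation table, skipping the header and junk lines."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[0] not in _PROTOS:
            continue
        proto, ig, il, ol, og = fields
        entries.append(Translation(proto, _endpoint(ig), _endpoint(il),
                                   _endpoint(ol), _endpoint(og)))
    return entries


def static_pat_matches(entries: List[Translation], inside_host: str,
                       inside_port: int, outside_port: int,
                       proto: str = "tcp") -> List[Translation]:
    """Entries that implement 'ip nat inside source static <proto> <host> <in_port> interface <if> <out_port>'."""
    want = Endpoint(inside_host, inside_port)
    return [e for e in entries
            if e.proto == proto
            and e.inside_global.port == outside_port
            and e.inside_local == want]


def active_clients(matches: List[Translation]) -> List[str]:
    """Distinct outside hosts currently being translated through the rule."""
    return sorted({e.outside_global.host for e in matches if e.outside_global is not None})


def diagnose(entries: List[Translation], inside_host: str, inside_port: int,
             outside_port: int, proto: str = "tcp") -> str:
    matches = static_pat_matches(entries, inside_host, inside_port, outside_port, proto)
    if not matches:
        return NO_RULE
    if not active_clients(matches):
        return RULE_ONLY
    return TRANSLATING


if __name__ == "__main__":
    table = parse_nat_translations(SAMPLE_OUTPUT)
    verdict = diagnose(table, "10.5.4.150", 80, 5555)
    print("NAT verdict:", verdict)
    if verdict == TRANSLATING:
        hits = static_pat_matches(table, "10.5.4.150", 80, 5555)
        print("clients being translated:", ", ".join(active_clients(hits)))
        print("router side is fine; look at the firewall/host between router and server next")
```

If the verdict is `translating` but `netstat -an` on the server shows no connections on port 80, the router is not the problem and the next hop (here the ISA server) is where the packets are being dropped; that is exactly the sequence of checks the replies below walk through.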
05-19-2011 11:24 PM
Hi,
Okay, we need to check the following things.
1. You want to connect this server via TCP/5555 when you're not in local lan. URL should be http://fa0/0:5555
2. Did you enable HTTP server on the router to be accessed via GUI? If yes, you can connect this router via http://fa0/0. Keep in mind, "show tcp brief" shows connections connecting to the router.
3. Router does what it has to do for NAT
tcp fa0/0:5555
4. Now we are connecting to the webserver via TCP/80 because the router already modified it.
5. Router forwards the packets to ISA. ISA is in between.
6. ISA needs to allow from
7. If the packets can pass through ISA, we can now check the connections on the webserver with "netstat -an" command. Yes, you need to create connections from the internet to generate the packets.
Please get back and let us know how things work out.
Toshi
05-20-2011 01:08 AM
First I'd like to thank you for all the patience and for all the help so far.
Ok, on to business.
1. From outside I am trying to connect to http://fa0/0:5555 but it times out. It tried to load something but fails in the end.
2. From the local LAN if I type http://fa0/0 in a browser, the SDM GUI pops up. From the internet if I type http://fa0/0 in a browser it says 'It works!'
3. I guess the router does what it's supposed to do since I get output with it translating, right?
5. I can't really say if the router forwards the packets to ISA. I tried to netstat -an on ISA but there is too much output and I can't see anything or scroll up.
6. ISA rule is as follows: allow protocol_80 from external/anywhere to webserver_ip for all users
where protocol_80 is portrange tcp 80-80 direction inbound
7. I can't verify the packet is getting to ISA. I can't use netstat -an because there is too much output and it all gets lost in the scrollback.
05-20-2011 01:53 AM
Hi,
From the local LAN if I type http://fa0/0 in a browser, the SDM GUI pops up.
We cannot test this from the local LAN. It has to be http://
From the internet if I type http://fa0/0 in a browser it says 'It works!'
Did it show the page on webserver?
Please post the entire configuration,excluding sensitive information such as Public IP addresses.
Please post the output of "Router#telnet
From the router, Can you temporarily test the connections by using a ping command?
Router#ping
Seems you need to allow ICMP policies on ISA. Does it work?
I just want to make sure that the routing is okay.
HTH,
Toshi
05-20-2011 02:22 AM
Hi
I must've misunderstood. On the local LAN if I type http://webserver_ip it works, I get the webserver 'statistics' page (it shows that the server is running, what version, what ports are open, what features it has etc). The actual website I'm trying to view can be accessed by typing http://webserver_ip/start.html
From the internet if I type http://fa0/0 I get a blank page and in the upper left corner it says "It works!" in big bold characters. Basically it's the default message you get by accessing a webserver that has no webpage configured. It's what you get when accessing a 'blank' webserver.
router#telnet 10.5.4.150 80 /source-interface fa0/0
Trying 10.5.4.150, 80 ...
% Connection timed out; remote host not responding
same result from fa0/1
When i telnet from my desktop to the webserver the connection is closed and i get:
HTTP/1.1 501 Not Implemented
Content-Length: 54
Content-Type: text/html
The requested method is not implemented by this server
I can't ping the webserver from the router but I can ping it from my desktop. The router can ping my desktop. Both my desktop and my webserver are on the same subnet. I will try to set up a temporary webserver on my desktop for testing purposes.
After i will test this, i will get back with the results.
05-20-2011 02:32 AM
OK, I've set up a webserver on my desktop.
telnet 10.5.4.81 80 /source-interface fa0/1
Trying 10.5.4.81, 80 ... Open
[Connection to 10.5.4.81 closed by foreign host]
telnet 10.5.4.81 80 /source-interface fa0/0
Trying 10.5.4.81, 80 ...
% Connection timed out; remote host not responding
So the outside interface can't connect to the webserver. What's next?
05-20-2011 02:46 AM
Hi,
Good job! Seems we're working well together.
Please post the output of "Router#ping 10.5.4.81 source f0/0".
Please confirm that the connections need to pass through ISA to reach the webserver and your PC. Right?
Toshi
05-20-2011 03:06 AM
ping 10.5.4.81 source fa0/0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.5.4.81, timeout is 2 seconds:
Packet sent with a source address of 82.77.196.42
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
Yes, they need to pass through the ISA server.
05-20-2011 03:13 AM
Hi,
Time to investigate ISA.
ISA , Policy , From Outside Interface - To - Inside Interface
Permit:
SourceIP:Any | SourcePort:Any
DestinationIP:
HTH,
Toshi
05-20-2011 03:40 AM
Hi, on ISA i have the following policy
Action Protocols From/Listener To condition
Allow All outbound traffic External/Internal/Anywhere 10.5.4.81 all users
After adding one more line to basically permit all outbound from external to any internal, I got the following error on my offsite computer:
Error Code 10060: Connection timeout
Background: The gateway could not receive a timely response from the website you are trying to access. This might indicate that the network is congested, or that the website is experiencing technical difficulties.
Date: 5/20/2011 10:33:07 AM [GMT]