05-19-2011 02:51 AM - edited 03-04-2019 12:27 PM
Hello Cisco community
I am trying to configure NAT to route traffic from an outside port to an inside webserver but I keep failing. After a month of reading forums I decided to ask for help here.
The inside/outside interfaces are defined and working.
I tried to route traffic received on the outside interface on port 5555 to an internal webserver on port 80 but failed. Here is the command I used:
ip nat inside source static tcp <ip_of_webserver> 80 interface fastEthernet 0/0 5555
fa0/0 is the outside interface
fa0/1 is the inside interface
Do I need to route traffic from fa0/0 to fa0/1 and then from fa0/1 to my webserver? Do I need to set up an ACL?
Any help would be appreciated.
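For reference, here is what a complete static port-forward of this kind looks like on IOS. This is an added example, not the original poster's configuration or anything posted in the thread; it assumes the web server is 10.5.4.81 (the address given later in the thread), that fa0/0 carries the public address (192.0.2.10/24 is a documentation placeholder), and that fa0/1 sits in a transit subnet towards the L3 switch (10.5.200.0/30, also a placeholder) whose router-facing address is 10.5.200.2.

```cisco
! Added example, not the poster's running config. Assumptions: web server is
! 10.5.4.81, fa0/0 holds the public address (192.0.2.10/24 placeholder), fa0/1
! is in a transit subnet towards SW1 (10.5.200.0/30 placeholder, SW1 = 10.5.200.2).
!
! Inbound policy on the outside interface. An inbound ACL on the outside
! interface is evaluated BEFORE the outside-to-inside translation, so it has to
! match the public address and port 5555, not 10.5.4.81 port 80.
ip access-list extended OUTSIDE-IN
 remark forwarded web port only
 permit tcp any host 192.0.2.10 eq 5555
 remark replies to sessions opened from inside (extend for UDP/ICMP as the site needs)
 permit tcp any any established
 permit icmp any any echo-reply
 deny   ip any any log
!
interface FastEthernet0/0
 description outside (ISP)
 ip address 192.0.2.10 255.255.255.0
 ip nat outside
 ip access-group OUTSIDE-IN in
!
interface FastEthernet0/1
 description inside (transit to SW1)
 ip address 10.5.200.1 255.255.255.252
 ip nat inside
!
! SW1 routes the server subnet, so the router needs a route back to it
! (and SW1 needs a default route towards 10.5.200.1 for the return path).
ip route 10.5.4.0 255.255.255.0 10.5.200.2
!
! Static PAT: public address port 5555 -> 10.5.4.81 port 80. A static entry
! also translates the server's replies, so no dynamic pool is needed for this flow.
ip nat inside source static tcp 10.5.4.81 80 interface FastEthernet0/0 5555
```

The two things that most often get missed with this setup are the `ip nat inside` / `ip nat outside` markings on the interfaces (without them the static entry never fires) and the route back to the server subnet when a separate L3 switch owns it.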
05-20-2011 03:51 AM
Hi,
Router#telnet 10.5.4.81 80 /source-interface fa0/0 should work correctly first. How is it?
Toshi
05-20-2011 03:51 AM
What is the default-gateway set to on the client that you can ping from the router and on the web server that you can't ping from the router ?
Jon
05-20-2011 04:15 AM
telnet 10.5.4.81 80 /source-interface fa0/0
Trying 10.5.4.81, 80 ...
% Connection timed out; remote host not responding
The default gateway on all internal computers is the switch between the router and the ISA server. The ISA server connects to the gateway switch. Its IP is 10.5.4.1 if that is relevant.
The gateway error I posted earlier is not from the internal network. That error comes from an external computer, generated by their firewall.
05-20-2011 04:19 AM
The basic issue seems to be you can ping your desktop from the router but not the web server. If you do not have basic connectivity from the router to the web server then NAT, port forwarding, telnet etc. are really just red herrings.
You first need to work out why you do not have basic connectivity from the router to the web server.
Can you ping the web server from the switch between the router and ISA server ?
Jon
05-20-2011 04:27 AM
Hi
In an earlier post I said I've set up a new webserver, on my desktop. I can ping the new webserver (my desktop) from any interface. I can telnet to it from the internal fa0/1 interface but I can't telnet to it from the external fa0/0 interface. I have a rule in my ISA server that allows the traffic but it still doesn't work.
Basically, I must make telnet 10.5.4.81 80 /source-interface fa0/0 work and I think my problem will be over. Since I can ping 10.5.4.81 from fa0/0 but I can't telnet from fa0/0, I think my requests are getting dropped.
05-20-2011 04:30 AM
Is there any way you can temporarily bypass the ISA server to test?
05-20-2011 04:37 AM
Well, to 'bypass' the ISA server I added a rule that basically allows all outside traffic to any inside destination; so I've cut ISA out of the picture. No results though. Still can't telnet even though I can ping.
05-20-2011 04:52 AM
I meant physically bypass it. Sometimes simply adding a rule to a device does not have the intended effect, and as you can connect from a client in the same subnet I thought it might be a valid test.
Can i just check the topology -
the client and web server have a default-gateway on the switch so the switch is a L3 switch yes ?
The switch then has a default-route pointing to the LAN interface of the router ?
How does traffic actually get sent through the ISA server - is the ISA server in effect between the switch and router in terms of traffic path or do you redirect traffic to ISA server ? It's not clear what part the ISA server plays in forwarding traffic between the router and the client/webserver.
Jon
05-20-2011 05:12 AM
Can't physically bypass it. Removing the ISA server would result in no internet access.
Yes, the switch is a L3 switch. It has multiple VLANs and it's a core switch. It routes all traffic to fa0/1 and some traffic to the DHCP server.
The router connects to port 1 in SW1; port 1 is in VLAN 200. The ISA server connects to port 3 in SW1; port 3 is also in VLAN 200. VLAN 200 is the to-nat VLAN. Traffic comes from the router to SW1 port 1, exits on SW1 port 3 to the ISA server, enters on external_network_card, gets processed, exits the server on internal_network_card, enters SW1 on VLAN 3 port 22 (VLAN 3 is the servers' VLAN).
05-20-2011 05:25 AM
Okay, in a previous post you said the default-gateway for all internal computers was the switch. You say in this post that the ISA server has an interface on vlan 3 which is the server vlan.
You also set up a client in vlan 3 to test with. So how does traffic go through the ISA server? If the default-gateway for the web server is the vlan 3 L3 interface on the switch then it would just be routed to the router.
Where I am confused is that if the switch is routing, how do you force traffic through the ISA server? If the ISA server is acting as proxy outbound then that would take care of outbound internet requests from clients. But for inbound requests how do you ensure traffic is simply not routed by the L3 switch ?
Is the ISA server acting as a proxy server ?
Jon
05-20-2011 05:45 AM
Actually no, I haven't set up a client in VLAN 3 to test with. The client is in VLAN 4, the client VLAN. The ISA server is connected to 2 interfaces, one in VLAN 200 (to-nat VLAN) and one in VLAN 3 (the servers' VLAN). The default gateway for all clients is VLAN 4 10.5.4.1 on SW1. All outbound traffic goes through ISA but I'm unsure how inbound traffic goes through ISA, if it does at all.
I haven't set up this topology, I'm just trying to make heads or tails out of it and fix some problems.
05-20-2011 05:51 AM
Can you post "sh ip route" from your router ?
Jon
05-20-2011 05:06 AM
Couple of other things to check -
1) you mentioned something about bittorrent on your router. Can you turn that off while testing?
2) do you know if the router is forwarding the packet on or not ? If we still don't know that we can use an acl on the LAN interface of the router eg.
access-list 101 permit tcp any host
access-list 101 permit ip any any
int fa0/1
ip access-group 101 out
When you then try to telnet from fa0/0 it should at least show us if you get any hits on the first line in acl 101.
Jon
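Jon's counting-ACL trick is worth spelling out as a full procedure, because where the counters move tells you which stage failed. The block below is an added example, not Jon's exact lines or anything else posted in the thread; it assumes the web server is 10.5.4.81, fa0/1 is the inside interface, and 192.0.2.10 stands in for the router's public address.

```cisco
! Added example, not Jon's exact lines. Assumes web server 10.5.4.81, inside
! interface fa0/1, and 192.0.2.10 as a placeholder for the public address.
!
! 1) Counting ACL, outbound on the inside interface. An outbound ACL on the
!    inside interface sees packets AFTER the outside-to-inside translation, so
!    a match on the first line proves the router translated the packet and is
!    forwarding it. The second line keeps everything else flowing; it only
!    exists so the implicit deny at the end of the list does not cut access.
access-list 101 permit tcp any host 10.5.4.81 eq www
access-list 101 permit ip any any
interface FastEthernet0/1
 ip access-group 101 out
!
! 2) Zero the counters, then test from a client on the Internet against
!    192.0.2.10 port 5555. A "telnet 10.5.4.81 80 /source-interface fa0/0"
!    issued on the router itself is router-generated traffic leaving via the
!    inside interface; it never passes through the static PAT entry, so it only
!    proves reachability from the router's own address, not the port forward.
clear access-list counters 101
clear ip nat statistics
!
! 3) Read the results.
!    "(N matches)" on the eq www line means translated and forwarded towards
!    the server; if that line stays at 0 the packet never got past NAT.
show access-lists 101
!    Hits rise once per translated packet; Misses mean no rule matched.
show ip nat statistics
!    Expect an entry with inside global 192.0.2.10:5555 and inside local
!    10.5.4.81:80, plus a per-connection entry carrying the client's address.
show ip nat translations
!
! 4) Only if the first line stays at 0: watch the translation decision itself.
!    This prints a line per translated packet, so run it briefly and turn it off.
debug ip nat detailed
undebug all
```

If the ACL counter moves but the client still gets no answer, the problem is on the return path (the server's default gateway, the L3 switch's route back towards the router, or the ISA server in between), not in the NAT rule; if it never moves, the packet is being dropped or mis-translated before it reaches fa0/1.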
05-20-2011 05:32 AM
I turned it off, no change.
I don't know if the router is forwarding the packet or not.
After adding ACL 101 like you said, I got no hits on: "permit tcp any host 10.5.4.81 eq www" but I got hits on: "permit ip any any"
05-20-2011 05:38 AM
carpovalexandru123 wrote:
I turned it off, no change.
I don't know if the router is forwarding the packet or not.
After adding ACL 101 like you said, I got no hits on: "permit tcp any host 10.5.4.81 eq www" but I got hits on: "permit ip any any"
Did you try connecting from a client on the Internet, i.e. not the outside router interface ?
If not, can you try, as this would tell us if the router was actually forwarding the packet on. If it wasn't we could then at least narrow the issue down to the router.
You will see lots of hits on the permit ip any any line. That line is there simply to make sure we don't break anything, i.e. stop access.
Jon