02-08-2012 06:38 AM - edited 03-04-2019 03:11 PM
Hi Guys,
OK, I'm new to working with routers (in the real world).
So I have a client who needs to access an internal server to access a web service. The web service should also be available to two IP addresses (let's say 198.1.1.1 & 198.1.1.3). The web service uses port 80.
OK, so I entered a NAT statement as follows:
ip nat inside source static tcp 192.168.1.5 80 interface dialer 0 80
This worked fine, but all WAN IP addresses can access the web service. I was thinking of creating an access list to tie down port 80 to the two WAN addresses, but then internal hosts will not be able to browse the internet.
Anybody have any ideas?
I'm thinking that I should be using a different port number for the web service, but I'm not sure how to change it or what to do in the NAT statement.
Please help
Kind regards
Leon
02-08-2012 03:21 PM
If you have 2 public IP addresses, why not use one for those 2 hosts you need and the other one for all other hosts to go surfing the net?
If your web service is at 192.1.1.1:
access-list 102 permit tcp host 192.168.1.5 eq 80 host 192.1.1.1 eq 80
access-list 102 permit tcp host 192.168.1.6 eq 80 host 192.1.1.1 eq 80
ip nat inside source list 102 interface dialer0 overload
ip nat inside source static 192.168.1.0 255.255.255.0 192.1.1.3 overload
Hope this helps
Eugen
02-09-2012 02:57 AM
Hi Lads,
Alain, I have tried what you mentioned... All the configuration went onto the router fine, but I am still having trouble locking the outside global address down.
Below is my NAT configuration:
ip nat inside source static 192.168.1.5 x.x.x.x route-map Web_Service
// x.x.x.x = WAN IP of the site where I am configuring the router
access-list 102 permit tcp host 198.0.0.1 any eq 80
access-list 102 permit tcp host 198.0.0.2 any eq 80
route-map Web_Service permit 10
match ip address 102
-----------------------------------------------------------------------------------------------------------
Using the above configuration, the web service can be accessed by any WAN IP address. The above statement did not lock the remote WAN IP addresses down (198.0.0.1 & 198.0.0.2).
If I remove the NAT statement, the web service goes offline.
Thanks again lads for all your help.
I think we are nearly there... maybe the ACL needs to be tweaked?
Regards
Leon
02-09-2012 06:19 AM
Hi,
I had never implemented such a feature and I thought it would work, but I tried it on GNS3 and fiddled with it and couldn't achieve your goal.
Definitely the stateful firewall option seems the easier one, and I'm sure it will work.
If you want a config I will provide it, but you have to tell me which traffic you want from outside to inside and also which traffic originated by the router you want (tell me if you want both CBAC and ZBF or only one of them).
Regards.
Alain
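An added example, not posted by anyone in the thread: a plain inbound ACL on the WAN interface that limits the forwarded port 80 to the two client addresses from the first post while leaving outbound browsing intact. The ACL name WAN-IN is hypothetical, and the final permit is an assumption that keeps all other inbound traffic behaving as it did before the ACL was applied.

```cisco
! Port forward from the first post, unchanged
ip nat inside source static tcp 192.168.1.5 80 interface Dialer0 80
!
ip access-list extended WAN-IN
 remark Inbound ACL runs before NAT, so the destination is still the WAN address
 remark Only the two client addresses may open connections to port 80
 permit tcp host 198.1.1.1 any eq 80
 permit tcp host 198.1.1.3 any eq 80
 remark Drop and log every other new connection aimed at port 80
 deny tcp any any eq 80 log
 remark Replies to inside browsers have SOURCE port 80, not destination port 80,
 remark so the deny above does not match them and browsing keeps working
 permit ip any any
!
interface Dialer0
 ip access-group WAN-IN in
```

`show access-lists WAN-IN` lists per-entry match counters, which confirms that the two permitted hosts hit their entries and that other sources land on the deny. The stateful firewall Alain mentions (CBAC or ZBF) is the tighter option, since it would replace the trailing `permit ip any any` with return-traffic-only handling.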