NAT Problem_Accessing Internal WebService

Leonireland_2
Level 1

Hi Guys,

OK, I'm new to working with routers (in the real world).

So I have a client who needs to access an internal server to access a web service. The web service should also be available to two IP addresses (let's say 198.1.1.1 & 198.1.1.3). The web service uses port 80.

OK, so I entered a NAT statement as follows:

ip nat inside source static tcp 192.168.1.5 80 interface dialer 0 80

This worked fine, but all WAN IP addresses can access the web service. I was thinking of creating an access list to tie down port 80 to the two WAN addresses, but then internal hosts will not be able to browse the internet.

Anybody have any ideas?

I'm thinking that I should be using a different port number for the web service, but not sure how to change it or what to do in the NAT statement.

Please help

Kind regards

Leon


ebarticel
Level 4

If you have 2 public IP addresses, why not use one for those 2 hosts you need and the other one for all other hosts to go surfing the net?

If your webService is at 192.1.1.1

access-list 102 permit tcp host 192.168.1.5 80 host 192.1.1.1 eq 80

access-list 102 permit tcp host 192.168.1.6 80 host 192.1.1.1 eq 80

ip nat inside source list 102 interface dialer0 overload

ip nat inside source static 192.168.1.0 255.255.255.0 192.1.1.3 overload

Hope this helps

Eugen

Hi Lads,

Alain, I have tried what you mentioned... All configuration went onto the router fine. But I am still having trouble locking the outside global address down.

Below is my NAT configuration:

ip nat inside source static 192.168.1.5 x.x.x.x route-map Web_Service

// x.x.x.x = WAN IP of the site where I am configuring the router

access-list 102 permit tcp host 198.0.0.1 any eq 80

access-list 102 permit tcp host 198.0.0.2 any eq 80

route-map Web_Service permit 10

match ip address 102

-----------------------------------------------------------------------------------------------------------

Using the above configuration, the Web Service can be accessed by any WAN IP address. The above statement did not lock the remote WAN IP addresses down (198.0.0.1 & 198.0.0.2).

If I remove the NAT statement, the Web Service becomes offline.

Thanks again lads for all your help.

I think we are nearly there...maybe ACL needs to be tweaked?

Regards

Leon

Hi,

I had never implemented such a feature and I thought it would work but I tried it on GNS3 and I fiddled with it but couldn't achieve your goal.

Definitely the stateful firewall option seems the easier one and I'm sure it will work.

If you want a config I will provide it, but you have to tell me which traffic you want from outside to inside and also which traffic originated by the router you want (tell me if you want both CBAC and ZBF or only one of them).

Regards.

Alain

Don't forget to rate helpful posts.
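
The stateful-firewall (CBAC) option mentioned in the last reply, sketched as an added example that is not part of the thread or any poster's own configuration. It keeps the static port forward from the original question and uses the two example addresses given there; the ACL number 110 and the inspection rule name OUTBOUND are assumptions chosen for illustration.

```cisco
! Added example, not from the thread. ACL number and rule name are assumptions.
!
! Static port forward from the original question (unchanged).
ip nat inside source static tcp 192.168.1.5 80 interface Dialer0 80
!
! CBAC: track sessions that internal hosts open towards the internet,
! so their return traffic is let back in despite the inbound ACL below.
ip inspect name OUTBOUND tcp
ip inspect name OUTBOUND udp
!
! Inbound ACL on the WAN side. It is checked before NAT translates the
! destination, so the destination here is the router's public address ("any").
! Only the two permitted sources may open connections to port 80.
access-list 110 permit tcp host 198.1.1.1 any eq 80
access-list 110 permit tcp host 198.1.1.3 any eq 80
! Everything else arriving unsolicited is dropped and logged.
access-list 110 deny ip any any log
!
interface Dialer0
 ip access-group 110 in
 ip inspect OUTBOUND out
```

Sessions originated by the router itself are not covered by this inspection rule and would need their own permit entries in the inbound ACL.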