02-20-2015 01:23 PM - edited 03-05-2019 12:51 AM
I'm trying to get to my Apache web server that I have successfully set up on my network from the outside using the public IP 12.218.xxx.xx2
I can get to the server via 192.168.2.32 on my network with no issue.
Shouldn't using "extendable" allow users to access it or do I need to specify the port ID/number?
I have included part of the config below.
Any help would be appreciated, thanks
interface FastEthernet0/0
ip address 12.218.xxx.xxx 255.255.255.248
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
service-policy output physical
!
interface FastEthernet0/1
no ip address
duplex auto
speed auto
!
interface FastEthernet0/1.1
description LAN
encapsulation dot1Q 1 native
ip address 192.168.2.254 255.255.254.0
ip access-group 120 in
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 12.218.xxx.xxx
ip route 10.5.5.0 255.255.255.0 10.5.1.1
ip route 10.10.0.0 255.255.255.0 172.17.0.5
ip route 10.10.200.0 255.255.255.0 172.17.0.5
ip route 10.14.0.0 255.255.0.0 192.168.2.1
!
ip flow-top-talkers
top 20
sort-by bytes
cache-timeout 3000
!
ip nat inside source list 2 interface FastEthernet0/0 overload
ip nat inside source static 192.168.2.32 12.218.xxx.xx2 extendable
!
access-list 2 permit 192.168.2.0 0.0.0.255
access-list 2 permit 10.5.5.0 0.0.0.255
access-list 2 permit 10.5.1.0 0.0.0.255
access-list 2 permit 10.27.131.0 0.0.0.255
access-list 2 permit 10.27.129.0 0.0.0.255
access-list 2 permit 172.17.0.0 0.0.0.255
access-list 2 permit 192.168.50.0 0.0.0.255
access-list 2 permit 12.218.xxx.xxx 0.0.0.7
access-list 120 permit tcp host 192.168.2.23 any eq smtp
access-list 120 permit tcp host 192.168.2.27 any eq smtp
access-list 120 permit tcp host 192.168.3.201 any eq smtp
access-list 120 permit tcp host 192.168.2.13 any eq smtp
access-list 120 deny tcp any any eq smtp
access-list 120 permit ip 192.168.2.0 0.0.1.255 any
access-list 120 permit ip 10.27.131.0 0.0.0.255 any
access-list 120 permit ip 10.27.129.0 0.0.0.255 any
access-list 120 permit ip 10.27.130.0 0.0.0.255 any
access-list 120 permit ip 10.10.200.0 0.0.0.255 any
access-list 120 permit ip 10.10.0.0 0.0.0.255 any
access-list 120 permit ip 172.17.0.0 0.0.0.255 any
access-list 120 permit udp any any eq bootps
access-list 120 permit udp any any eq bootpc
access-list 120 permit ip 192.168.50.0 0.0.0.255 any
access-list 120 permit ip host 12.218.xxx.xx2 any
access-list 120 permit ip any host 12.218.xxx.xx2
access-list 150 permit ip any 192.168.50.0 0.0.0.255
access-list 150 permit ip 192.168.50.0 0.0.0.255 any
02-20-2015 01:38 PM
John
If the issue is that you want your internal clients to be able to access the server on its public IP then it is nothing to do with the "extendable" keyword.
If that is the problem then personally if at all possible I would always have internal clients using the internal IP address although this does assume you have internal DNS.
However if you do want that you can use something called NAT loopback to try and solve your problem.
I have never used it and it can be tricky, to say the least, to set up according to the comments in the following thread, but I think with IOS this is your only option -
https://supportforums.cisco.com/discussion/11734176/nat-loopback
if that is not your issue then please clarify.
Jon
02-20-2015 02:18 PM
Thanks for the replies.
To clarify - the web server was set up just to get the routing working. Eventually the IP address will be assigned to a report printer for external customers to be able to print off reports for test purposes. Our test involved getting the internal IP to reply - which worked.
The main usage will be by the external customers using the public IP 12.218.xxx.xx2.
I thought there may be an issue with the ACLs I have put on the router?
I will add your "ip nat inside..." line indicating port 80. Should I remove the 2 ACL entries in order for this to work?
02-21-2015 02:05 AM
Hi John,
That is correct, you don't need them; besides, you have more explicit permit lines for internal subnets to any, and so internal-to-external NAT will allow return traffic to come back.
access-list 120 permit ip host 12.218.xxx.xx2 any
access-list 120 permit ip any host 12.218.xxx.xx2
Hope that answers your question
02-23-2015 07:35 AM
I removed the 2 entries from access list 120.
Modified the NAT statement but am still having no luck hitting the site from the outside. Still investigating here.
02-23-2015 05:45 PM
Hi John,
Please try these lines.
ip inspect name FW tcp
ip inspect name FW udp
access-list 101 permit tcp any host 12.218.xxx.xx2 eq 80
interface FastEthernet0/0
ip inspect FW in
ip access-group 101 in
If this does not work, you may want to check with your ISP, to find out whether there is a routing problem from their side.
thanks
Rizwan Rafeek.
02-24-2015 12:11 PM
In theory what we added to the router should have worked. Luckily I had another 1900 here and used that IP on the interface along with the rest of the commands and ACLs.
It worked right away, believe it or not, so I don't know what exactly is the problem with the main GW router. We are continuing to investigate.
Thanks for all your help!
02-20-2015 02:00 PM
You might want to narrow down to port level translation rather than allowing all ports through IP to IP translation.
ip nat inside source static tcp 192.168.2.32 80 12.218.xxx.xx2 80 extendable
it is ok to keep IP to IP internally.
Hope this helps.
thanks
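The two replies above (an inbound ACL on the outside interface, and port-level rather than IP-to-IP static NAT) are easy to get out of step: a static translation with no matching permit is silently unreachable, and an IP-to-IP mapping exposes every port on the host. As an added example, not code from the thread or from Cisco, the script below parses an IOS-style config (constructed here, with TEST-NET addresses standing in for the masked 12.218.xxx.xxx block) and reports, for each static NAT, whether the ACL applied inbound on the `ip nat outside` interface actually admits it. It assumes numeric ports in the ACL and the ACL syntax shown in the thread.

```python
import re

# Constructed sample (not the thread's config): TEST-NET addresses replace the masked
# 12.218.xxx.xxx block; NAT and ACL lines mirror what the replies suggested.
SAMPLE = """interface FastEthernet0/0
 ip nat outside
 ip inspect FW in
 ip access-group 101 in
!
ip nat inside source static tcp 192.168.2.32 80 192.0.2.2 80 extendable
ip nat inside source static 192.168.2.40 192.0.2.3 extendable
ip nat inside source static tcp 192.168.2.50 443 192.0.2.4 443 extendable
access-list 101 permit tcp any host 192.0.2.2 eq 80
"""
NAT_PORT = re.compile(r"ip nat inside source static (tcp|udp) \S+ \d+ (\S+) (\d+)")
NAT_IP = re.compile(r"ip nat inside source static \d[\d.]+ (\d[\d.]+)")
# Numeric ports only: IOS may print 'eq www' for 80, which this regex does not fold.
ACL = re.compile(r"access-list (\d+) permit (tcp|udp|ip) any (?:host (\S+)|any)(?: eq (\d+))?")

def outside_inbound_acl(cfg):
    """ACL number applied inbound on the 'ip nat outside' interface, or None."""
    acl, nat_out = None, False
    for line in cfg.splitlines():
        s = line.strip()
        if s.startswith("interface") or s == "!":
            if nat_out:
                return acl
            acl, nat_out = None, False
        elif s == "ip nat outside":
            nat_out = True
        elif s.startswith("ip access-group") and s.endswith(" in"):
            acl = s.split()[2]
    return acl if nat_out else None

def audit(cfg):
    """For each static NAT, report whether the outside-interface ACL admits it."""
    acl_num = outside_inbound_acl(cfg)
    permits = [m.groups()[1:] for m in ACL.finditer(cfg) if m.group(1) == acl_num]
    findings = []
    for line in cfg.splitlines():
        if m := NAT_PORT.search(line):
            proto, gip, gport = m.groups()
            ok = any(p in (proto, "ip") and h in (gip, None) and e in (gport, None)
                     for p, h, e in permits)
            status = "permitted" if ok else ("blocked by ACL" if acl_num else "no inbound ACL on outside")
            findings.append((gip, f"{proto}/{gport}", status))
        elif m := NAT_IP.search(line):
            findings.append((m.group(1), "all ports", "IP-to-IP mapping exposes every port"))
    return acl_num, findings
```

Run `audit(SAMPLE)` to see the three cases side by side: the port-80 mapping is permitted, the port-443 mapping is blocked because ACL 101 has no line for it, and the IP-to-IP mapping is flagged for exposing every port.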