NAT translation problem, Cisco 836: company web site not seen from outside

csakosadmin (Level 1)

Hi all,

We have a Cisco 836 and a Microsoft SBS 2k3 server. I am trying to configure the router so it would allow the outside world to access our web pages on the SBS server (in my configuration I am using the DNS servers provided by my ISP).

After applying the NAT translation, the only thing I can do right now is access our web pages locally, from e.g. 192.168.1.12 (the web server is at IP address 192.168.1.5, port 80).

What I don't know is why I cannot reach our web site from outside the company. Also, I will set up an Exchange server on the SBS server and would like to know if there is anything else to consider other than port forwarding.

Applying sh ip nat trans ..., the router responds:

router#sh ip nat trans
Pro Inside global          Inside local        Outside local       Outside global
tcp 213.250.XX.XX:80       192.168.1.5:80      ---                 ---
tcp 213.250.XX.XX:2942     192.168.1.5:2942    193.x.x.11:53       193.189.160.11:53
tcp 213.250.XX.XX:2943     192.168.1.5:2943    193.x.x.11:53       193.189.160.11:53

What I don't understand is why in the second line there is tcp 213.250.X.X port 2942 instead of 213.250.X.X port 80?

... below is the router configuration:

Current configuration : 3937 bytes
!
! Last configuration change at 02:29:55 CEST Tue May 10 2005
! NVRAM config last updated at 02:48:14 CEST Tue May 10 2005
!
version 12.3
........
ip dhcp pool CLIENT
   network 192.168.1.0 255.255.255.0
   default-router 192.168.1.1
   dns-server 193.x.x.11 193.189.160.12
   lease 0 2
!
!
...............
interface Ethernet0
 ip address 192.168.1.1 255.255.255.0
 ip access-group 122 out
 ip nat inside
!
interface BRI0
 no ip address
 shutdown
!
interface ATM0
 no ip address
 atm ilmi-keepalive
 pvc 1/32
  pppoe-client dial-pool-number 1
 !
 dsl operating-mode auto
!
interface FastEthernet1
 no ip address
 duplex auto
 speed auto
.........
interface Dialer1
 ip address negotiated
 ip access-group 111 in
 ip nat outside
 ip inspect myfw out
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname <removed>
 ppp chap password 0 <removed>
 ppp pap sent-username <removed> password 0 <removed>
!
ip nat inside source list 1 interface Dialer1 overload
ip nat inside source static tcp 192.168.1.5 80 interface Dialer1 80
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip http server
no ip http secure-server
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 111 permit tcp any any eq telnet
access-list 111 permit icmp any any administratively-prohibited
access-list 111 permit icmp any any echo
access-list 111 permit icmp any any echo-reply
access-list 111 permit icmp any any packet-too-big
access-list 111 permit icmp any any time-exceeded
access-list 111 permit icmp any any traceroute
access-list 111 permit icmp any any unreachable
access-list 111 permit udp any eq bootps any eq bootpc
access-list 111 permit udp any eq bootps any eq bootps
access-list 111 permit udp any eq domain any
access-list 111 permit esp any any
access-list 111 permit udp any any eq isakmp
access-list 111 permit udp any any eq 10000
access-list 111 permit tcp any any eq 1723
access-list 111 permit tcp any any eq 139
access-list 111 permit udp any any eq netbios-ns
access-list 111 permit udp any any eq netbios-dgm
access-list 111 permit gre any any
access-list 111 deny ip any any log
access-list 122 deny tcp any any eq telnet
access-list 122 permit ip any any
dialer-list 1 protocol ip permit
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 exec-timeout 120 0
 login local
 length 0
!
scheduler max-task-time 5000
!
!
end

8 Replies

Hello,

try and add the following to your access list 111:

access-list 112 permit udp any any eq domain
access-list 112 permit udp any eq domain any
access-list 112 permit tcp any any eq domain
access-list 112 permit tcp any eq domain any

and check if that makes a difference.

Regards,

GP

Hi there,

I have tried; however, I think using sh ip nat translation still shows the wrong ports, for example:

router#sh ip nat translation
Pro Inside global          Inside local        Outside local       Outside global
tcp 213.250.XX.XX:80       192.168.1.5:80      ---                 ---
tcp 213.250.XX.XX:1795     192.168.1.13:1795   206.24.172.62:80    206.24.172.62:80
tcp 213.250.XX.XX:1821     192.168.1.13:1821   206.24.172.62:80    206.24.172.62:80
udp 213.250.XX.XX:4533     192.168.1.14:4533   193.189.160.11:53   193.189.160.11:53

Shouldn't it be the case that under inside global in the second line I should get something like 213.250.XX.XX:80, and that translated to 206.24.172.62:80, which is the outside virtual address of the router?

I will try to access the page from my home in about an hour!

Another question, is there anything wrong if I use DNS addresses provided by my ISP even though we are using our own SBS server on our company location?

Thanks in advance and rgds!

Ales

I have tried to connect from my home; however, it doesn't connect. It responds "cannot find web page".

Also, why can't I define two access-groups on my Dialer 1? I have tried to apply 112 like you said, but then 111 got erased. Should I maybe define that (what I wrote) in access-group 111, or should I redefine my whole access list group and combine that into one?

I think what you wrote is ok, however I still need ports 80 in my SH IP NAT TRANSLATION command.

Best regards,

Ales

My bad, I read your text poorly, so please ignore the previous replies!!! I missed 111... I will change it like you wrote!

I will test router once again later.

Regards!

Ales

Hello again,

I have tried to add it to access-list 111, but no luck, the site is still not reachable.

My access list is now the following:

ip nat inside source list 1 interface Dialer1 overload
ip nat inside source static tcp 192.168.1.5 80 interface Dialer1 80
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip http server
no ip http secure-server
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 111 permit tcp any any eq telnet
access-list 111 permit icmp any any administratively-prohibited
access-list 111 permit icmp any any echo
access-list 111 permit icmp any any echo-reply
access-list 111 permit icmp any any packet-too-big
access-list 111 permit icmp any any time-exceeded
access-list 111 permit icmp any any traceroute
access-list 111 permit icmp any any unreachable
access-list 111 permit udp any eq bootps any eq bootpc
access-list 111 permit udp any eq bootps any eq bootps
access-list 111 permit udp any eq domain any
access-list 111 permit esp any any
access-list 111 permit udp any any eq isakmp
access-list 111 permit udp any any eq 10000
access-list 111 permit tcp any any eq 1723
access-list 111 permit tcp any any eq 139
access-list 111 permit udp any any eq netbios-ns
access-list 111 permit udp any any eq netbios-dgm
access-list 111 permit gre any any
access-list 111 deny ip any any log
access-list 111 permit udp any any eq domain
access-list 111 permit tcp any any eq domain
access-list 111 permit tcp any eq domain any
access-list 122 deny tcp any any eq telnet
access-list 122 permit ip any any
dialer-list 1 protocol ip permit

Also, when an outside computer tries to access www.company.com, debug ip nat detailed shows the following:

May 10 18:44:15.053: %SEC-6-IPACCESSLOGP: list 111 denied tcp 66.63.172.138(2198) -> 213.250.XX.XX(25), 3 packets
May 10 18:44:15.053: %SEC-6-IPACCESSLOGP: list 111 denied tcp 195.210.255.164(4039) -> 213.250.XX.XX(80), 2 packets
May 10 18:45:18.537: %SEC-6-IPACCESSLOGP: list 111 denied tcp 213.250.60.136(2720) -> 213.250.XX.XX(445), 1 packet
May 10 18:45:18.537: %SEC-6-IPACCESSLOGP: list 111 denied tcp 195.210.255.164(4078) -> 213.250.XX.XX(80), 2 packets
May 10 18:45:18.537: %SEC-6-IPACCESSLOGP: list 111 denied tcp 195.210.255.164(4083) -> 213.250.XX.XX(80), 2 packets
May 10 18:47:30.465: %SEC-6-IPACCESSLOGP: list 111 denied tcp 213.250.16.141(2835) -> 213.250.XX.XX(445), 1 packet
May 10 18:48:08.377: %SEC-6-IPACCESSLOGP: list 111 denied tcp 213.250.16.141(2835) -> 213.250.XX.XX(445), 1 packet
May 10 18:49:21.765: %SEC-6-IPACCESSLOGP: list 111 denied tcp 213.250.60.136(4005) -> 213.250.XX.XX(445),...........etc

For example, why is the address 213.250.XX.XX port 445 requested if the request is made for port 80 (requesting the TCP web site)? Isn't it the case that we are translating the address and not the ports?

It seems to me that somehow I am not translating the right ports... any suggestions, anyone?

Rgds,

Ales

Just to let you know, the catch is in the following command:

access-list 111 permit tcp any any eq www

in case your ISP allows port 80; otherwise one has to specify some other port, e.g. port 81.

And that is all there is to it. Problem was resolved!

Rgds,

csakos

Do you mean that your ISP does not allow port 80 inbound so you had to move your webserver and inbound NAT to 81?

Nope, my ISP allows port 80. What I meant was that in case an ISP (any ISP) doesn't allow port 80, the access list needs to be formed for another port (e.g. 81) and not port 80.

I have posted my answer today in case a person with the same problems as me can see where and what the problem in the configuration is.

Rgds,

csakos
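The thread's resolution turns on the inbound list 111 on Dialer1, not on the NAT statement: the static entry for 192.168.1.5:80 was fine, but packets to TCP/80 never reached it because list 111 had no permit for them ahead of "deny ip any any log", and on IOS an entry typed into an existing numbered ACL is appended after that deny, where it can never match (the re-posted list above shows the three "domain" permits in exactly that dead position). The following Python is an added example, not code from the thread or from Cisco: it parses the subset of access-list syntax used here (any/any with optional "eq <port>", an ICMP type, trailing "log"), evaluates a packet first-match, flags entries shadowed by an earlier catch-all, and tallies %SEC-6-IPACCESSLOGP denials by destination port. The ACL text is an abridged copy of list 111; the log sample is constructed with TEST-NET addresses.

```python
# Added example: first-match evaluation of IOS numbered extended ACLs and a
# tally of %SEC-6-IPACCESSLOGP denials. Models only the syntax used in the
# thread: 'any' source/destination, optional 'eq <port>', ICMP type, 'log'.
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# IOS port keywords seen in the thread, mapped to numbers.
PORT_NAMES = {"www": 80, "domain": 53, "telnet": 23, "smtp": 25, "bootps": 67,
              "bootpc": 68, "isakmp": 500, "netbios-ns": 137, "netbios-dgm": 138}
ACE_RE = re.compile(r"^access-list (\d+) (permit|deny) (\S+) (\S+)(?: eq (\S+))?"
                    r" (\S+)(?: eq (\S+))?(?: (\S+))?$")
LOG_RE = re.compile(r"%SEC-6-IPACCESSLOGP: list (\d+) denied (\w+) "
                    r"(\S+)\((\d+)\) -> (\S+)\((\d+)\), (\d+) packets?")


@dataclass
class Ace:
    action: str
    proto: str
    sport: Optional[int]      # source port from 'eq', None means any
    dport: Optional[int]      # destination port from 'eq', None means any
    icmp_type: Optional[str]  # e.g. 'echo'; None for non-ICMP entries
    text: str


def _port(tok: Optional[str]) -> Optional[int]:
    return None if tok is None else PORT_NAMES.get(tok) or int(tok)


def parse_acl(config: str, number: str) -> list:
    """Entries of numbered ACL `number`, in the order the router evaluates them."""
    aces = []
    for line in (l.strip() for l in config.splitlines()):
        m = ACE_RE.match(line)
        if not m or m.group(1) != number:
            continue
        if m.group(4) != "any" or m.group(6) != "any":
            raise ValueError("only 'any' source/destination is modelled: " + line)
        itype = m.group(8) if m.group(3) == "icmp" else None
        aces.append(Ace(m.group(2), m.group(3), _port(m.group(5)), _port(m.group(7)), itype, line))
    return aces


def evaluate(aces: list, proto: str, sport: int, dport: int) -> tuple:
    """First-match decision for a tcp/udp packet: (action, index).
    Index -1 is the implicit 'deny ip any any' at the end of every IOS ACL."""
    if proto not in ("tcp", "udp"):
        raise ValueError("only tcp/udp packets are evaluated here")
    for i, a in enumerate(aces):
        if a.proto in ("ip", proto) and a.sport in (None, sport) and a.dport in (None, dport):
            return a.action, i
    return "deny", -1


def shadowed(aces: list) -> list:
    """Indices of entries that can never match because an earlier entry covers
    everything they would, e.g. a permit typed after 'deny ip any any log'."""
    dead = []
    for i, a in enumerate(aces):
        if any(e.proto in ("ip", a.proto) and e.sport in (None, a.sport)
               and e.dport in (None, a.dport) and e.icmp_type in (None, a.icmp_type)
               for e in aces[:i]):
            dead.append(i)
    return dead


def denied_by_port(log: str, number: str) -> Counter:
    """Packets denied by list `number`, tallied by (protocol, destination port)."""
    tally: Counter = Counter()
    for m in LOG_RE.finditer(log):
        if m.group(1) == number:
            tally[(m.group(2), int(m.group(6)))] += int(m.group(7))
    return tally


# Abridged copy of the thread's list 111: replies and ICMP in, everything else denied.
ORIGINAL_111 = """
access-list 111 permit tcp any any eq telnet
access-list 111 permit icmp any any echo
access-list 111 permit icmp any any echo-reply
access-list 111 permit udp any eq domain any
access-list 111 permit esp any any
access-list 111 deny ip any any log
"""
# What IOS stores when the web permit is typed on top of the existing numbered
# list: it is appended after the catch-all deny.
APPENDED_111 = ORIGINAL_111 + "access-list 111 permit tcp any any eq www\n"
# The list rebuilt with the web permit ahead of the deny.
FIXED_111 = ORIGINAL_111.replace("access-list 111 deny ip any any log",
    "access-list 111 permit tcp any any eq www\naccess-list 111 deny ip any any log")

# Constructed log lines in the router's %SEC-6-IPACCESSLOGP format (TEST-NET addresses).
SAMPLE_LOG = """
May 10 18:44:15.053: %SEC-6-IPACCESSLOGP: list 111 denied tcp 203.0.113.5(2198) -> 198.51.100.2(25), 3 packets
May 10 18:44:15.053: %SEC-6-IPACCESSLOGP: list 111 denied tcp 203.0.113.7(4039) -> 198.51.100.2(80), 2 packets
May 10 18:45:18.537: %SEC-6-IPACCESSLOGP: list 111 denied tcp 203.0.113.9(2720) -> 198.51.100.2(445), 1 packet
May 10 18:45:18.537: %SEC-6-IPACCESSLOGP: list 111 denied tcp 203.0.113.7(4078) -> 198.51.100.2(80), 2 packets
"""

if __name__ == "__main__":
    for name, cfg in (("original", ORIGINAL_111), ("appended", APPENDED_111), ("fixed", FIXED_111)):
        acl = parse_acl(cfg, "111")
        print(name, "inbound tcp/80 ->", evaluate(acl, "tcp", 4039, 80),
              "| dead entries:", [acl[i].text for i in shadowed(acl)])
    print(denied_by_port(SAMPLE_LOG, "111"))
```

Run stand-alone, it shows the original and appended lists both denying an inbound TCP/80 packet (the appended "www" entry is reported as dead) while the rebuilt list permits it, and the tally separates the web requests the list should have allowed from the unsolicited hits on 445 and 25 that the catch-all deny should keep dropping. That is why the fix is one specific permit placed ahead of the deny rather than a looser rule: the "udp any eq domain any" entry, for instance, only admits DNS replies (source port 53), so the earlier "why no port 80 in the NAT table" question was answered by the ACL, not by NAT.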