906 Views, 0 Helpful, 2 Replies

Opening ports on a Cisco ISR1100 - please help.

Bjerremann
Level 1

Hey everyone.

I'm new here, and trying to learn.

I recently acquired a Cisco ISR1100 (basic license) and I got it set up for normal internet traffic.
But I'm struggling with getting ports opened for my server on the inside.
I've tried messing around with different configurations on the ip route and ACLs, but to no avail.
I hope you can help me figure out what I'm doing wrong.

I'm trying to get traffic through from VLAN101 (outside), to my VLAN777 (inside) where I have an HTTPS server running.

I have tried placing the ACL "SEC-OPEN" on VLAN777, VLAN101, all physical interfaces and even on my NAT - but nothing changes. It keeps on telling me that the connection was refused, when pinging my internal devices, from outside.

Thanks in advance.

My configuration is as follows:

R1-1100#show run
Building configuration...


Current configuration : 8337 bytes
!
! Last configuration change at 23:34:32 UTC Sun Jan 16 2022
!
version 16.12
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service call-home
platform qfp utilization monitor load 80
platform punt-keepalive disable-kernel-core
!
hostname R1-1100
!
boot-start-marker
boot-end-marker
!
!
enable secret 9 XXXXXXXX
!
no aaa new-model
!
ip name-server 8.8.8.8 8.8.4.4
ip domain name R1-1100
ip dhcp excluded-address 192.168.0.255 255.255.255.255
ip dhcp excluded-address 192.168.0.1 192.168.0.100
!
ip dhcp pool LAN
network 192.168.0.0 255.255.255.0
default-router 192.168.0.1
dns-server 8.8.8.8 8.8.4.4
lease 30
!
!
!
no ip dhcp auto-broadcast
login on-success log
!
!
!
!
!
!
!
subscriber templating
vtp mode transparent
multilink bundle-name authenticated
!
!
!
diagnostic bootup level minimal
!
spanning-tree extend system-id
!
username XXXXXXXX privilege 15 secret 9 XXXXXXXX
!
redundancy
mode none
!
!
vlan internal allocation policy ascending
!
vlan 101,777
!
!
!
!
!
!
interface GigabitEthernet0/0/0
description *** NOT USED ***
ip address dhcp
ip nat outside
shutdown
media-type rj45
negotiation auto
!
interface GigabitEthernet0/0/1
description *** ISP ***
no ip address
media-type rj45
negotiation auto
!
interface GigabitEthernet0/0/1.101
description *** VLAN101 ***
encapsulation dot1Q 101
ip address dhcp
ip nat outside
!
interface GigabitEthernet0/1/0
description *** LAN ***
switchport access vlan 777
switchport mode access
!
interface GigabitEthernet0/1/1
description *** LAN ***
switchport access vlan 777
switchport mode access
!
interface GigabitEthernet0/1/2
description *** LAN ***
switchport access vlan 777
switchport mode access
!
interface GigabitEthernet0/1/3
description *** LAN ***
switchport access vlan 777
switchport mode access
!
interface GigabitEthernet0/1/4
description *** LAN ***
switchport access vlan 777
switchport mode access
!
interface GigabitEthernet0/1/5
description *** LAN ***
switchport access vlan 777
switchport mode access
!
interface GigabitEthernet0/1/6
description *** LAN ***
switchport access vlan 777
switchport mode access
!
interface GigabitEthernet0/1/7
description *** LAN ***
switchport access vlan 777
switchport mode access
!
interface Vlan1
description *** NATIVE ***
no ip address
!
interface Vlan101
description *** ISP ***
no ip address
!
interface Vlan777
description *** LAN ***
ip address pool LAN
ip nat inside
!
ip forward-protocol nd
no ip http server
ip http authentication local
no ip http secure-server
ip nat inside source list SEC-INTERNET interface GigabitEthernet0/0/1.101 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/1.101 dhcp
ip ssh maxstartups 2
ip ssh rsa keypair-name SSH
!
!
ip access-list extended SEC-INTERNET
10 permit ip 192.168.0.0 0.0.0.255 any
20 deny ip any any
ip access-list extended SEC-OPEN
10 permit ip any any
ip access-list extended SEC-SERVER
10 permit ip host 192.168.0.55 any
20 permit ip any host 192.168.0.55
30 deny ip any any
ip access-list extended SEC-VTY
10 permit tcp 192.168.0.0 0.0.0.255 host 192.168.0.1 eq 22
20 deny ip any any
!
!
!
!
!
control-plane
!
!
line con 0
privilege level 15
logging synchronous
length 0
transport input none
stopbits 1
line vty 0 4
access-class SEC-VTY in
logging synchronous
login local
length 0
transport preferred ssh
!
ntp server time.google.com
!
!
!
!
!
end

R1-1100#

 

Accepted Solution

johnd2310
Level 8

Hi,

To allow access from outside to your server on the inside, static NAT is required. If your web server is 192.168.0.55, the NAT statement will be:

ip nat inside source static tcp 192.168.0.55 443 interface GigabitEthernet0/0/1.101 443

 

Thanks

John

**Please rate posts you find helpful**
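The static NAT line above is what publishes the server; the poster's SEC-OPEN list is `permit ip any any`, so applying it to any interface filters nothing, which is why moving it around changed nothing. Once a service is reachable from the ISP side it is worth limiting what else can reach the router. The following is an added example, not the accepted answer's or the poster's configuration. It assumes the HTTPS server is 192.168.0.55 (the host already named in the poster's SEC-SERVER list) and that GigabitEthernet0/0/1.101 keeps a DHCP-assigned address, which is why neither the NAT entry nor the ACL names a fixed public IP; the ACL name SEC-OUTSIDE-IN is made up for this example.

```cisco
! Added example, not the poster's running-config or the accepted answer.
! Assumes the HTTPS server is 192.168.0.55 and that Gi0/0/1.101 keeps a
! DHCP-assigned public address (hence "interface" rather than a fixed IP).
!
! 1. Publish exactly one service: <public-address>:443 -> 192.168.0.55:443.
!    Static entries are matched before the existing "overload" rule, so
!    LAN clients keep working unchanged.
ip nat inside source static tcp 192.168.0.55 443 interface GigabitEthernet0/0/1.101 443
!
! 2. Ingress filter for the ISP-facing subinterface. An inbound ACL is
!    checked before outside-to-inside NAT, so the destination it sees is
!    the public address; "any" is used because that address is dynamic.
ip access-list extended SEC-OUTSIDE-IN
 remark Router's own DHCP client (lease renewal on Gi0/0/1.101)
 permit udp any eq bootps any eq bootpc
 remark The one published service, handed to the static NAT above
 permit tcp any any eq 443
 remark Replies to sessions opened from the LAN through PAT
 permit tcp any any established
 permit udp host 8.8.8.8 eq domain any
 permit udp host 8.8.4.4 eq domain any
 permit udp any eq ntp any eq ntp
 permit icmp any any echo-reply
 permit icmp any any unreachable
 permit icmp any any time-exceeded
 remark Everything else, including ping to the public address, is dropped and logged
 deny ip any any log
!
interface GigabitEthernet0/0/1.101
 ip access-group SEC-OUTSIDE-IN in
```

Check the result with `show ip nat translations` (the static entry appears with the public address once DHCP has assigned one) and `show access-lists SEC-OUTSIDE-IN`, whose per-entry hit counts show whether inbound 443 is reaching the permit line; packets hitting the final deny are reported as `%SEC-6-IPACCESSLOGP` log messages. The list is stateless: LAN-initiated UDP traffic other than DNS and NTP will not get its replies back in, so extend it per application or, where the platform license allows, use a stateful zone-based firewall instead. Note that ping to the public address from outside is meant to fail with this list, so the poster's ping test is not a useful check; connect to https://<public-address> from outside to confirm the forward.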

2 Replies


Thank you so much, John... That worked


-Morten