Problem with NAT config - can't reach internal web server

james
Level 1

Hi all,

I hope that someone can help me with a problem I seem to have with my Cisco config and NAT.

Basically I have 6 valid public IP addresses. I have assigned the first IP to the external interface of the router. I have created an IP pool and assigned the last IP to the pool, which is used as overload for internal LAN users - dynamic NAT.

I set up static NAT for one internal server using the external interface IP and that works great. I then created a static NAT for another internal server using one of my free public IP addresses.

Now I can ping the second server from the internet and also from within the LAN but not from the router itself. I cannot reach the internal server from the internet on any of the ports I opened. When I do a port check from the internet the results tell me that the ports are not closed but filtered?? Anyway, the main point is that I can't reach the internal web server.

I did a show ip nat translations and can see the internal webserver NAT set up correctly - when I initiate a connection from the internet to the internal webserver I can see my outside public IP in the NAT table next to the correct NAT entry on port 80 - I am lost now and can't see what is wrong - can anyone help me please? Many thanks

!
!
interface Loopback0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
!
interface Null0
 no ip unreachables
!
interface Embedded-Service-Engine0/0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 shutdown
!
interface GigabitEthernet0/0
 description #FTTH VNPT#
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 pppoe enable group global
 pppoe-client dial-pool-number 1
 no mop enabled
!
interface GigabitEthernet0/1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly in
 shutdown
 duplex auto
 speed auto
 no mop enabled
!
interface FastEthernet0/0/0
 description LAN$FW_INSIDE$
 ip address 192.168.1.254 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface FastEthernet0/0/1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 shutdown
 duplex auto
 speed auto
!
interface Virtual-Template1
 description $FW_OUTSIDE$
 ip unnumbered FastEthernet0/0/0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip verify unicast reverse-path
 peer default ip address pool defaultpool
 ppp encrypt mppe auto required
 ppp authentication ms-chap ms-chap-v2
!
interface Virtual-Template2 type tunnel
 ip unnumbered Dialer0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile CiscoCP_Profile1
!
interface Dialer0
 description #FTTH VNPT#$FW_OUTSIDE$
 bandwidth 45000
 ip address 113.161.100.113 255.255.255.248
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1488
 ip flow ingress
 ip dns view-group Primary
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 ip tcp adjust-mss 1448
 dialer pool 1
 dialer-group 1
 ppp authentication pap callin
 ppp pap sent-username globalhome09dvb password 7 00020A010E515B1200
 ppp ipcp dns request
!
interface Dialer1
 no ip address
!
ip local policy route-map LocalPolicy
ip local pool defaultpool 10.123.123.1 10.123.123.40
ip forward-protocol nd
!
ip http server
ip http port 8080
ip http authentication local
no ip http secure-server
!
ip dns view Primary
ip dns view Secondary
ip dns view-list Primary
 view Primary 1
ip dns view-list Secondary
 view Secondary 1
ip dns server
ip nat pool VNPT-public 113.161.100.118 113.161.100.118 netmask 255.255.255.248
ip nat inside source static tcp 192.168.1.4 53389 interface Dialer0 53389
ip nat inside source static tcp 192.168.1.4 9090 interface Dialer0 9090
ip nat inside source static tcp 192.168.1.4 21 interface Dialer0 21
ip nat inside source static tcp 192.168.1.4 5500 interface Dialer0 5500
ip nat inside source static tcp 192.168.1.4 5501 interface Dialer0 5501
ip nat inside source static tcp 192.168.1.4 5502 interface Dialer0 5502
ip nat inside source static tcp 192.168.1.4 5503 interface Dialer0 5503
ip nat inside source static tcp 192.168.1.4 5504 interface Dialer0 5504
ip nat inside source static tcp 192.168.1.4 5505 interface Dialer0 5505
ip nat inside source static tcp 192.168.1.4 22 interface Dialer0 22
ip nat inside source static tcp 192.168.1.4 990 interface Dialer0 990
ip nat inside source static tcp 192.168.1.4 8181 interface Dialer0 8181
ip nat inside source static tcp 192.168.1.4 444 interface Dialer0 444
ip nat inside source static tcp 192.168.1.4 80 interface Dialer0 80
ip nat inside source list 10 pool VNPT-public
ip nat inside source static tcp 192.168.1.2 25 113.161.100.114 25 extendable
ip nat inside source static tcp 192.168.1.2 80 113.161.100.114 80 extendable
ip nat inside source static tcp 192.168.1.2 443 113.161.100.114 443 extendable
ip nat inside source static tcp 192.168.1.2 2222 113.161.100.114 2222 extendable
ip nat inside source static tcp 192.168.1.2 3389 113.161.100.114 3389 extendable
ip default-network 192.168.1.0
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip access-list extended NAT
 permit ip 10.123.123.0 0.0.0.255 any
 permit ip 113.161.100.0 0.0.0.255 any
ip access-list extended in-from-world
 permit tcp any any eq ftp
 permit tcp any any range 5500 5505
!
access-list 10 permit 192.168.1.0 0.0.0.255
access-list 100 remark CCP_ACL Category=4
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 102 remark CCP_ACL Category=4
access-list 102 remark IPSec Rule
access-list 102 permit ip 192.168.1.0 0.0.0.255 93.107.38.0 0.0.0.255
!


marioderosa2008
Level 1

One thing is that you are not using PAT... so you have set up a one-to-one mapping for all internal clients when they access the internet, and you only have a pool of 8 addresses...

From what I can see you are not using overload...

I would replace the line "ip nat inside source list 10 pool VNPT-public" with "ip nat inside source list 10 interface dialer0 overload" and also remove the line "permit ip 113.161.100.0 0.0.0.255 any" from ACL 10...

Then on all of your static NATs, rather than using the dialer0 as the global address, you want to specify a free IP in the block of 8 (apart from the IP of dialer0, of course).

So, "ip nat inside source static tcp 192.168.1.4 53389 interface Dialer0 53389" should be "ip nat inside source static tcp 192.168.1.4 53389 113.161.100.115 53389", like you have done for the 192.168.1.2 statements...

Mario
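As an added example (not part of the thread), a small Python checker for the two points in the reply: it parses NAT lines in the style of the posted config, flags a dynamic `pool` statement without `overload` (one-to-one translation, so the pool size caps how many inside hosts can be translated at once), and lists the addresses in the pool's public block that no interface, pool or static map already uses, which is the set the reply asks the poster to pick a dedicated address from. The embedded config is constructed from the posted lines, abridged.

```python
import ipaddress
import re
# Constructed sample: the NAT-relevant lines of the posted config, abridged.
SAMPLE_CONFIG = """\
interface Dialer0
 ip address 113.161.100.113 255.255.255.248
interface FastEthernet0/0/0
 ip address 192.168.1.254 255.255.255.0
ip nat pool VNPT-public 113.161.100.118 113.161.100.118 netmask 255.255.255.248
ip nat inside source static tcp 192.168.1.4 80 interface Dialer0 80
ip nat inside source list 10 pool VNPT-public
ip nat inside source static tcp 192.168.1.2 80 113.161.100.114 80 extendable
"""

ADDR_RE = re.compile(r"^ip address (\S+) (\S+)$")
POOL_RE = re.compile(r"^ip nat pool (\S+) (\S+) (\S+) netmask (\S+)")
DYN_RE = re.compile(r"^ip nat inside source list \S+ pool (\S+)( overload)?")
STATIC_RE = re.compile(r"^ip nat inside source static (?:tcp|udp) \S+ \d+ (?:interface (\S+)|(\S+)) \d+")

def lint_nat(config):
    """Return (findings, free_public): lint messages and unused hosts in the pool's public block."""
    findings, iface_addrs, static_globals, on_interface, pools, block = [], set(), set(), {}, {}, None
    for line in config.splitlines():
        line = line.strip()
        if m := ADDR_RE.match(line):           # interface addresses, inside and outside alike
            iface_addrs.add(ipaddress.ip_address(m.group(1)))
        elif m := POOL_RE.match(line):         # pool range and the public block it sits in
            start, end = (ipaddress.ip_address(a) for a in m.group(2, 3))
            pools[m.group(1)] = (start, end)
            block = ipaddress.ip_network(f"{start}/{m.group(4)}", strict=False)
        elif (m := DYN_RE.match(line)) and not m.group(2) and m.group(1) in pools:
            start, end = pools[m.group(1)]     # no 'overload': one inside host per pool address
            findings.append(f"pool {m.group(1)} has no 'overload': one-to-one NAT, at most "
                            f"{int(end) - int(start) + 1} inside host(s) translate at once")
        elif m := STATIC_RE.match(line):
            if m.group(1):                     # static PAT bound to an interface address
                on_interface[m.group(1)] = on_interface.get(m.group(1), 0) + 1
            else:
                static_globals.add(ipaddress.ip_address(m.group(2)))
    free_public = []
    if block is not None:
        used = static_globals | iface_addrs
        for start, end in pools.values():
            used |= {ipaddress.ip_address(i) for i in range(int(start), int(end) + 1)}
        free_public = [str(h) for h in block.hosts() if h not in used]
    for iface, count in on_interface.items():
        findings.append(f"{count} static map(s) use the {iface} address; free public addresses "
                        f"for dedicated mappings: {', '.join(free_public) or 'none'}")
    return findings, free_public
```

Running it on the sample reports the single-address pool as one-to-one and lists 113.161.100.115-117 as free; after swapping the pool statement for the `interface Dialer0 overload` form the reply suggests, only the informational static-map finding remains.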