Redirect port 80 for a device on LAN

trucicator
Level 1

Hello,

I have an STB which needs to access a file on the router.

Because I replaced the ISP router with a Cisco one, I need to redirect port 80 traffic coming from the STB to the router (which is the default gateway) to a local HTTP server.

STB : 192.168.1.3
Router : 192.168.1.254
HTTP Server : 192.168.1.21

WAN port : g0/0/1

 

interface GigabitEthernet0/0/1
 ip dhcp client class-id ISP_CLASS
 ip address dhcp
 ip nat outside
 ip access-group WAN-FIREWALL in
 media-type rj45
 negotiation auto
 spanning-tree portfast
end

 


VLAN : 1

 

interface Vlan1
 ip address 192.168.1.254 255.255.255.0
 ip dns view-group internallist
 ip nat inside
end

 


STB port : g0/1/6
HTTP Server port : g0/1/3

 

interface GigabitEthernet0/1/3
 switchport mode access
end
interface GigabitEthernet0/1/6
 switchport mode access
end

 

Is there any way to redirect traffic coming from 192.168.1.3 (g0/1/6) to 192.168.1.254 (vlan 1) for port 80 to 192.168.1.21 (g0/1/3) on port 80 ?

PS : I have a C1111-8P Router

Thanks in advance


balaji.bandi
Hall of Fame

Try below and test it :

ip access-list extended 110
permit tcp host 192.168.1.3 host 192.168.1.254 eq 80

route-map http-redirect permit
match ip address 110
set ip 192.168.1.21

interface vlan 1
ip policy route-map http-redirect

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Thanks Balaji for your answer.

I tried the following command; however, it is not working at set ip:

 

C1111-8P(config-route-map)#set ip ?
  address      Specify IP address
  default      Set default information
  destination  Summary address to advertise
  df           Set DF bit
  global       global routing table
  next-hop     Next hop address
  precedence   Set precedence field
  qos-group    Set QOS Group ID
  tos          Set type of service field
  vrf          VRF name

C1111-8P(config-route-map)#set ip address ?
  prefix-list  Specify prefix-list

 

I tried these commands (using 192.168.1.10 instead of 192.168.1.3, in order to make a test HTTP request from a PC):

 

ip access-list extended acl-stb-http-redirect
 permit tcp host 192.168.1.10 host 192.168.1.254 eq 80

route-map route-map-stb-http-redirect permit
 match ip address acl-stb-http-redirect
 set ip destination 192.168.1.21 255.255.255.0

interface Vlan1
 ip policy route-map route-map-stb-http-redirect

 

I got this warning after set ip destination :

 

 *Nov 30 13:50:14.459: %PARSER-5-HIDDEN: Warning!!! ' set ip destination 192.168.1.21 255.255.255.0 ' is a hidden command. Use of this command is not recommended/supported and will be removed in future.

 

 

I also tried using

C1111-8P(config-route-map)#set ip next-hop 192.168.1.21

without success

Can you post show version from the device?

 

set ip default next-hop 192.168.1.21

BB


C1111-8P(config)#do sh version
Cisco IOS XE Software, Version 17.08.01a
Cisco IOS Software [Cupertino], ISR Software (ARMV8EL_LINUX_IOSD-UNIVERSALK9-M), Version 17.8.1a, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2022 by Cisco Systems, Inc.
Compiled Wed 20-Apr-22 13:12 by mcpre


Cisco IOS-XE software, Copyright (c) 2005-2022 by cisco Systems, Inc.
All rights reserved.  Certain components of Cisco IOS-XE software are
licensed under the GNU General Public License ("GPL") Version 2.0.  The
software code licensed under GPL Version 2.0 is free software that comes
with ABSOLUTELY NO WARRANTY.  You can redistribute and/or modify such
GPL code under the terms of GPL Version 2.0.  For more details, see the
documentation or "License Notice" file accompanying the IOS-XE software,
or the applicable URL provided on the flyer accompanying the IOS-XE
software.


ROM: 17.5(1r)

C1111-8P uptime is 3 days, 9 hours, 9 minutes
Uptime for this control processor is 3 days, 9 hours, 10 minutes
System returned to ROM by PowerOn
System image file is "bootflash:c1100-universalk9.17.08.01a.SPA.bin"
Last reload reason: PowerOn



This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.



Suite License Information for Module:'esg'

--------------------------------------------------------------------------------
Suite                 Suite Current         Type           Suite Next reboot
--------------------------------------------------------------------------------
FoundationSuiteK9     FoundationSuiteK9     Smart License  FoundationSuiteK9
securityk9
appxk9


Technology Package License Information:

-----------------------------------------------------------------
Technology    Technology-package           Technology-package
              Current       Type           Next reboot
------------------------------------------------------------------
appxk9           None             Smart License    None
uck9             uck9             Smart License    uck9
securityk9       None             Smart License    None
ipbase           ipbasek9         Smart License    ipbasek9

The current throughput level is unthrottled


Smart Licensing Status: Smart Licensing Using Policy

cisco C1111-8P (1RU) processor with 1355460K/6147K bytes of memory.
Processor board ID FCZ2516R2KH
Router operating mode: Autonomous
4 Virtual Ethernet interfaces
10 Gigabit Ethernet interfaces
32768K bytes of non-volatile configuration memory.
4194304K bytes of physical memory.
2863103K bytes of flash memory at bootflash:.

Configuration register is 0x2102

I will look at whether any syntax changed. Can you try the suggested option?

BB


I tried but the HTTP request is still not working :

C1111-8P(config)#do sh ip access-list acl-stb-http-redirect
Extended IP access list acl-stb-http-redirect
    10 permit tcp host 192.168.1.10 host 192.168.1.254 eq www

C1111-8P(config)#do sh route-map route-map-stb-http-redirect
route-map route-map-stb-http-redirect, permit, sequence 10
  Match clauses:
    ip address (access-lists): acl-stb-http-redirect
  Set clauses:
    ip default next-hop 192.168.1.21
  Policy routing matches: 19 packets, 2408 bytes

C1111-8P(config)#do sh run int vlan 1
Building configuration...

Current configuration : 182 bytes
!
interface Vlan1
 description Principal
 ip address 192.168.1.254 255.255.255.0
 ip dns view-group internallist
 ip nat inside
 ip policy route-map route-map-stb-http-redirect
end

Is the destination IP rewritten?

Is the return packet filtered?

How are you testing from the client? You type HTTP://192.168.1.254 and that should go to 192.168.1.21, right?

I see some packets match. Is the port listening on 192.168.1.21 on port 80?

 

 

BB


Yes it is a GET of http://192.168.1.254/api/1.0/?method=system.getInfo from 192.168.1.10

This is API information; I am not sure what you are trying to do here. Your requirement is to redirect port 80 to 192.168.1.21, right?

 

BB


Yes, 192.168.1.21 will answer the request as 192.168.1.254.

It is because the STB is using the default gateway to make this request.

If it changes the default gateway to .21, there is no more routing and no internet for the STB, only the web service.

[Attached images: 21 ok.jpg, 254 nok.jpg]

So the rule is matching but the rerouting is unsuccessful.

In the server log, there is no request incoming to the HTTP server when a .254 request is made, but there is when a .21 request is made.

Log when .21 is called :

192.168.1.10 - - [01/Dec/2022:23:09:02 +0000]  200 "GET /api/1.0/?method=system.getInfo HTTP/1.1" 511 "-" "PostmanRuntime/7.6.0" "-"

That looks odd. I have not tested a redirect on the same subnet (it will require some testing here); when I get a chance I will test it in the lab and let you know.

Enable debug on .254 to see if the redirection is taking place.

As per the output, it has some hits:

  Policy routing matches: 19 packets, 2408 bytes

Or this could be a bug.

BB


I tried to name the ACL "177" in order to debug:

# do debug ip policy 177
Policy routing debugging is on for access list 177
C1111-8P(config)#do sh route-map all
STATIC routemaps
route-map route-map-stb-http-redirect, permit, sequence 10
  Match clauses:
    ip address (access-lists): 177
  Set clauses:
    ip default next-hop 192.168.1.21
  Policy routing matches: 10 packets, 660 bytes
DYNAMIC routemaps
Current active dynamic routemaps = 0

But nothing happens in the log.
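
Two questions raised in the thread ("Is the destination IP rewritten?" and "Is the return packet filtered?") can be reasoned about with a small packet model. The following is an added example, not code from any poster or from Cisco, and it models forwarding semantics in simplified form rather than reproducing IOS XE behaviour. The MAC addresses and all function names are constructed for the illustration.

```python
from dataclasses import dataclass, replace

# IP addresses are the thread's; MAC addresses are constructed placeholders.
CLIENT, ROUTER, SERVER = "192.168.1.10", "192.168.1.254", "192.168.1.21"
MAC = {ROUTER: "02:00:00:00:00:fe", SERVER: "02:00:00:00:00:15"}

@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    dst_port: int
    dst_mac: str

def acl_match(p):
    # permit tcp host 192.168.1.10 host 192.168.1.254 eq www
    return (p.src_ip, p.dst_ip, p.dst_port) == (CLIENT, ROUTER, 80)

def policy_route(p, next_hop, default=False, explicit_route=True):
    """'set ip [default] next-hop': changes where the frame goes, never the IP header.
    The 'default' form applies only when no explicit route to the destination exists."""
    if not acl_match(p) or (default and explicit_route):
        return p
    return replace(p, dst_mac=MAC[next_hop])

def rewrite_destination(p, new_dst):
    """A destination translation: the IP destination itself changes."""
    return replace(p, dst_ip=new_dst, dst_mac=MAC[new_dst]) if acl_match(p) else p

def host_accepts(p, own_ip):
    """A non-forwarding host hands a packet to its sockets only if the frame
    reached its NIC and the IP destination is one of its own addresses."""
    return p.dst_mac == MAC[own_ip] and p.dst_ip == own_ip

def client_accepts_reply(reply_src, connected_to):
    """The client's TCP stack ignores a SYN-ACK from an unexpected source."""
    return reply_src == connected_to

def scenarios():
    req = Packet(CLIENT, ROUTER, 80, MAC[ROUTER])  # GET http://192.168.1.254/...
    return {
        "next-hop": host_accepts(policy_route(req, SERVER), SERVER),
        "default next-hop": host_accepts(policy_route(req, SERVER, default=True), SERVER),
        "rewrite": host_accepts(rewrite_destination(req, SERVER), SERVER),
        "direct reply from .21": client_accepts_reply(SERVER, ROUTER),
        "reply restored to .254": client_accepts_reply(ROUTER, ROUTER),
    }

if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name:24} {'accepted' if ok else 'dropped'}")
```

In this model a next-hop override delivers the frame to 192.168.1.21 with the IP destination still 192.168.1.254, so the server's stack discards it before the HTTP server can log anything. Because client and server share VLAN 1, a rewritten request would also need its reply to pass back through the router so that the source is restored to 192.168.1.254.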
