Static Nat - access local web server via internet

Level 1

Hi,

I'm trying to enable access to my local web server over the internet

I can access the server locally via the ip address (http://192.168.1.7) on port 80

I have created an A record and pointed it to the public IP address x.x.x.76, which is within a block with my main public ip for internet x.x.x.74

However, when I try to access the web server over the internet, I fail

I have attached my router config

Using 4396 out of 262136 bytes
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname test
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200 warnings
no logging console
!
no aaa new-model
!
ip cef
!
!
!
!
ip dhcp pool TEST
 network 192.168.1.0 255.255.255.0
 default-router 192.168.1.1
 dns-server 4.2.2.2
!
!
!
no ip domain lookup
ip domain name yourdomain.com
no ipv6 cef
multilink bundle-name authenticated
!
!
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
 no cdp enable
!
interface GigabitEthernet0/1
 ip address x.x.x.74 255.255.255.248
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 no cdp enable
!
ip forward-protocol nd
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat pool TEST x.x.x.74 x.x.x.74 netmask 255.255.255.248
ip nat inside source list 23 pool TEST overload
ip nat inside source static tcp 192.168.1.3 25 x.x.x.74 25 extendable
ip nat inside source static tcp 192.168.1.3 110 x.x.x.74 110 extendable
ip nat inside source static tcp 192.168.1.3 443 x.x.x.74 443 extendable
ip nat inside source static tcp 192.168.1.7 80 x.x.x.76 80 extendable
ip nat inside source static tcp 192.168.1.7 443 x.x.x.76 443 extendable
ip route 0.0.0.0 0.0.0.0 x.x.x.73
!
access-list 23 permit 192.168.1.0 0.0.0.255
!
!
!
control-plane
!
!
ate 20000 1000
!
end

Kindly help
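The config above publishes five static port mappings across two addresses in the /29 on GigabitEthernet0/1. A quick way to sanity-check such a plan offline is to derive the block from the outside interface's address and mask, confirm every inside-global address is a usable host in it (not the network, broadcast or provider-gateway address), and list exactly which services each public address exposes. The script below is an added example, not part of the thread or of Cisco's software; it uses 203.0.113.7x (RFC 5737 documentation range) as a placeholder for the masked x.x.x.7x addresses and a constructed copy of the thread's static NAT lines.

```python
"""Sanity-check a static-NAT plan against the outside interface's /29.

Added example (not from the thread). The thread's x.x.x.7x addresses are
replaced by 203.0.113.7x placeholders from the documentation range.
"""
import ipaddress
import re

OUTSIDE_IF = "203.0.113.74 255.255.255.248"  # stands in for x.x.x.74/29
DEFAULT_GW = "203.0.113.73"                  # stands in for x.x.x.73

# Constructed copy of the thread's static NAT lines with placeholder globals.
STATIC_NAT = """
ip nat inside source static tcp 192.168.1.3 25 203.0.113.74 25 extendable
ip nat inside source static tcp 192.168.1.3 110 203.0.113.74 110 extendable
ip nat inside source static tcp 192.168.1.3 443 203.0.113.74 443 extendable
ip nat inside source static tcp 192.168.1.7 80 203.0.113.76 80 extendable
ip nat inside source static tcp 192.168.1.7 443 203.0.113.76 443 extendable
"""

STATIC_RE = re.compile(
    r"ip nat inside source static (?P<proto>tcp|udp) "
    r"(?P<ilocal>\S+) (?P<lport>\d+) (?P<iglobal>\S+) (?P<gport>\d+)"
)


def parse_static_nat(text):
    """Return one dict per 'ip nat inside source static' port mapping."""
    entries = []
    for m in STATIC_RE.finditer(text):
        d = m.groupdict()
        d["lport"] = int(d["lport"])
        d["gport"] = int(d["gport"])
        entries.append(d)
    return entries


def outside_block(addr_mask):
    """Turn 'A.B.C.D M.M.M.M' (IOS interface syntax) into the containing network."""
    addr, mask = addr_mask.split()
    return ipaddress.ip_interface(f"{addr}/{mask}").network


def check_plan(addr_mask, gateway, static_text):
    """Return (problems, exposed).

    problems: strings describing inside-global addresses that cannot work
              (outside the block, network/broadcast, or the provider gateway).
    exposed:  inside-global address -> set of (proto, port) it publishes.
    """
    net = outside_block(addr_mask)
    gw = ipaddress.ip_address(gateway)
    problems, exposed = [], {}
    for e in parse_static_nat(static_text):
        g = ipaddress.ip_address(e["iglobal"])
        if g not in net:
            problems.append(f"{g} is outside {net}")
        elif g in (net.network_address, net.broadcast_address):
            problems.append(f"{g} is the network/broadcast address of {net}")
        elif g == gw:
            problems.append(f"{g} is the provider gateway")
        exposed.setdefault(str(g), set()).add((e["proto"], e["gport"]))
    return problems, exposed


def free_globals(addr_mask, gateway, static_text):
    """Usable addresses in the block not yet taken by the gateway, the
    interface itself, or an existing static mapping."""
    net = outside_block(addr_mask)
    taken = {ipaddress.ip_address(gateway),
             ipaddress.ip_address(addr_mask.split()[0])}
    taken |= {ipaddress.ip_address(a) for a in check_plan(addr_mask, gateway, static_text)[1]}
    return [str(h) for h in net.hosts() if h not in taken]


if __name__ == "__main__":
    problems, exposed = check_plan(OUTSIDE_IF, DEFAULT_GW, STATIC_NAT)
    print("block:", outside_block(OUTSIDE_IF))
    print("problems:", problems or "none")
    for addr, ports in sorted(exposed.items()):
        print(addr, "publishes", sorted(ports))
    print("still free:", free_globals(OUTSIDE_IF, DEFAULT_GW, STATIC_NAT))
```

For the thread's plan the check reports no problems: .76 is a valid host in .72/29, so the router-side addressing is sound and the fault has to lie upstream, which is what the trace-from-outside advice later in the thread is designed to reveal. The check deliberately cannot tell whether the provider actually routes the extra address to you; only a traceroute from outside the network can.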

37 Replies

Hi

I'm unable to ping x.x.x.76 from the internet after applying the NAT

However, below are my active access lists

Standard IP access list 23

    10 permit 192.168.1.0, wildcard bits 0.0.0.255 (138393 matches)

Extended IP access list 102

    10 permit tcp any eq smtp any eq smtp

Extended IP access list 123

    10 permit tcp any any

Could this hold the clue?

Thanks

I only see "ip nat inside".
This is for inside hosts making connections to the outside.

You need the other nat statement for outside access in " ip nat outside...."

Sent from Cisco Technical Support iPad App

Hi Mike,

Where are ACL 102 and 123 applied? I don't see that in your posted config. Do a show ip arp; do you see .76 in your ARP table?

HTH,

Lei Tian

Hi Lei

Both 102 and 123 apply to the outside interface. They were created when mail wasn't being routed, but it later occurred to us that the firewall on the mail server was blocking port 25

Below is the ARP table

Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.168.1.1             -   7cad.74a8.c9c0  ARPA   GigabitEthernet0/0
Internet  192.168.1.2             0   0001.0250.b2dc  ARPA   GigabitEthernet0/0
Internet  192.168.1.3             0   Incomplete      ARPA
Internet  192.168.1.5             0   e839.35ee.b844  ARPA   GigabitEthernet0/0
Internet  192.168.1.7             -   7cad.74a8.c9c0  ARPA   GigabitEthernet0/0
Internet  192.168.1.19           55   1803.73ce.e59d  ARPA   GigabitEthernet0/0
Internet  192.168.1.20            7   0025.64b0.5f83  ARPA   GigabitEthernet0/0
Internet  192.168.1.27            1   00b2.02c9.03af  ARPA   GigabitEthernet0/0
Internet  192.168.1.31            0   b8ac.6f43.81c6  ARPA   GigabitEthernet0/0
Internet  192.168.1.34            0   b8ac.6f1e.4ee9  ARPA   GigabitEthernet0/0
Internet  192.168.1.36          218   6067.206c.7694  ARPA   GigabitEthernet0/0
Internet  192.168.1.38          217   6067.206c.7694  ARPA   GigabitEthernet0/0
Internet  192.168.1.40            8   0021.cccb.962b  ARPA   GigabitEthernet0/0
Internet  192.168.1.41           59   1c4b.d685.2c44  ARPA   GigabitEthernet0/0
Internet  192.168.1.57           50   0021.cccb.9637  ARPA   GigabitEthernet0/0
Internet  192.168.1.62            3   0021.cccb.95c5  ARPA   GigabitEthernet0/0
Internet  192.168.1.214           0   8c89.a5bc.1fac  ARPA   GigabitEthernet0/0
Internet  x.x.x.73               31   0030.8801.aa7c  ARPA   GigabitEthernet0/1
Internet  x.x.x.74                -   7cad.74a8.c9c1  ARPA   GigabitEthernet0/1
Internet  x.x.x.76                -   7cad.74a8.c9c1  ARPA   GigabitEthernet0/1

Hi Mike,

Can you try to remove acl 102 and 123? Can you also make sure provider is advertising your subnet? Try to trace .76 from the internet, see if it can reach the provider router. You can use http://network-tools.com/ for trace.

HTH,

Lei Tian

I'm back in office now

Removed both ACLs but the trace from the internet is still not working

Hi,

Where does the trace stop? Compare it to the result of a trace to .74; is there any difference?

HTH,

Lei Tian

Thanks Lei

I managed to identify the problem - bloody ISP spoofed me into thinking .76 was routable over the internet!

I used .74 (it's known not to be recommended though) and NATted to port 8080, and it's working well.

I must say many thanks to you all, especially you Lei - Good skills man

I have to get my second Public IP up and change the config so it reduces my traffic

Thanks once again

I appreciate

Michael

Hi Mike,

You're welcome! Glad you found the issue.

HTH,

Lei Tian

nimely5050
Level 1

Do you happen to have any firewall configuration on the router? The configuration on the router so far looks right.

Another thing is that you should be accessing the server via the public IP from outside, and you might want to make sure you are allowing access to that address and port on your firewall.


Sent from Cisco Technical Support Android App

Thanks J. Wreh

I currently don't have any firewall rules running

I tried accessing it using the public ip from outside, but it fails

The guy at my ISP says I should deny some IPs access from the access-list (presuming it's access-list 23) as it's overkill and is confusing the router

It's got me all confused now

lol

nimely5050
Level 1

I don't think that line is the problem. I have a similar config on my 1921, and everything is working. Here's my config:
ip nat pool xPOOL x.x.x.217 x.x.x.222 netmask 255.255.255.248
ip nat inside source list INTERNET_ACCESS pool xPOOL overload
ip nat inside source static tcp 192.168.2.5 80 x.x.x.218 80 extendable
ip nat inside source static tcp 192.168.2.5 443 x.x.x.218 443 extendable

ip access-list extended INTERNET_ACCESS
 permit ip any any

That access-list does include everything. People do have access to my website from the Internet.

Sent from Cisco Technical Support Android App

nimely5050
Level 1

Hope this link helps you:

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080093f31.shtml

That's Cisco Document ID:13778


Sent from Cisco Technical Support Android App

nimely5050
Level 1

Michael, could you issue the following command and load the output here:

show ip nat translations tcp | sec 192.168.1.7


Sent from Cisco Technical Support Android App

UPMB#show ip nat translations | sec 192.168.1.7
--- ---                ---                192.168.1.7        x.x.x.76
tcp x.x.x.76:443       192.168.1.7:443    ---                ---
tcp x.x.x.74:49523     192.168.1.72:49523 66.196.66.156:80   66.196.66.156:80
tcp x.x.x.74:49608     192.168.1.72:49608 66.196.120.100:80  66.196.120.100:80
tcp x.x.x.74:49676     192.168.1.72:49676 69.171.235.16:443  69.171.235.16:443
tcp x.x.x.74:1069      192.168.1.72:51231 69.171.235.16:443  69.171.235.16:443
tcp x.x.x.74:51334     192.168.1.72:51334 66.196.120.100:80  66.196.120.100:80
tcp x.x.x.74:51618     192.168.1.72:51618 173.252.100.27:443 173.252.100.27:443
tcp x.x.x.74:51620     192.168.1.72:51620 2.22.234.8:80      2.22.234.8:80
tcp x.x.x.74:51621     192.168.1.72:51621 2.22.234.8:80      2.22.234.8:80
tcp x.x.x.74:51623     192.168.1.72:51623 66.196.66.156:80   66.196.66.156:80
tcp x.x.x.74:51626     192.168.1.72:51626 217.163.21.40:80   217.163.21.40:80
tcp x.x.x.74:52412     192.168.1.72:52412 173.252.100.27:443 173.252.100.27:443
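Reading a translation table like the one above by eye gets tedious once the overload pool is busy. The rows with "---" in the outside columns are the static mappings waiting for inbound connections; everything else is a dynamic PAT session, and a row whose inside-global port differs from its inside-local port shows the overload pool rewriting source ports. The parser below is an added example, not code from the thread or from Cisco; it runs over a constructed sample in the same layout as the output above (203.0.113.7x standing in for x.x.x.7x) and separates the exposed static ports from the outbound sessions.

```python
"""Classify rows of 'show ip nat translations' output.

Added example (not from the thread). SAMPLE is a constructed excerpt in
the same column layout as the posted output, with 203.0.113.7x as a
placeholder for the masked x.x.x.7x addresses.
"""

SAMPLE = """\
Pro Inside global      Inside local       Outside local      Outside global
--- ---                ---                192.168.1.7        203.0.113.76
tcp 203.0.113.76:443   192.168.1.7:443    ---                ---
tcp 203.0.113.74:49523 192.168.1.72:49523 66.196.66.156:80   66.196.66.156:80
tcp 203.0.113.74:1069  192.168.1.72:51231 69.171.235.16:443  69.171.235.16:443
tcp 203.0.113.74:51620 192.168.1.72:51620 2.22.234.8:80      2.22.234.8:80
"""

COLS = ("pro", "inside_global", "inside_local", "outside_local", "outside_global")


def split_endpoint(tok):
    """'host:port' -> (host, port); '---' -> None; bare host -> (host, None)."""
    if tok == "---":
        return None
    host, sep, port = tok.rpartition(":")
    return (host, int(port)) if sep else (tok, None)


def parse_rows(text):
    """One dict per data row; the header and any wrapped fragments are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] == "Pro":
            continue
        row = dict(zip(COLS, parts))
        for col in COLS[1:]:
            row[col] = split_endpoint(row[col])
        rows.append(row)
    return rows


def classify(text):
    """Split rows into (static mappings, dynamic sessions).

    A row with no outside peer, or with '---' in the protocol column, is a
    static entry; anything with a real outside peer is a live session.
    """
    static, dynamic = [], []
    for r in parse_rows(text):
        if r["outside_global"] is None or r["pro"] == "---":
            static.append(r)
        else:
            dynamic.append(r)
    return static, dynamic


def exposed_ports(text):
    """(inside-global host, port) pairs that static rows make reachable from outside."""
    static, _ = classify(text)
    return {r["inside_global"] for r in static
            if r["inside_global"] and r["inside_global"][1] is not None}


def rewritten_ports(text):
    """Dynamic rows where PAT changed the source port, i.e. the overload pool at work."""
    _, dynamic = classify(text)
    return [(r["inside_global"], r["inside_local"]) for r in dynamic
            if r["inside_global"][1] != r["inside_local"][1]]


def outbound_hosts(text):
    """Inside hosts that currently hold an outbound session through the pool."""
    _, dynamic = classify(text)
    return {r["inside_local"][0] for r in dynamic}


if __name__ == "__main__":
    print("exposed from outside:", sorted(exposed_ports(SAMPLE)))
    print("outbound hosts:", sorted(outbound_hosts(SAMPLE)))
    print("source ports rewritten by PAT:", rewritten_ports(SAMPLE))
```

Against the posted output this kind of listing makes the diagnosis concrete: the .76:443 mapping exists on the router and all the live sessions belong to a LAN client going out through .74, so nothing on the router is dropping the inbound side; the missing piece was reachability of .76 from the provider's side.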
