Static Nat - access local web server via internet

Level 1

Hi,

I'm trying to enable access to my local web server over the internet.

I can access the server locally via the ip address (http://192.168.1.7) on port 80

I have created an A record and pointed it to the public IP address x.x.x.76, which is within a block with my main public ip for internet x.x.x.74

However, when I try to access the web server over the internet, I fail.

I have attached my router config

Using 4396 out of 262136 bytes
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname test
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200 warnings
no logging console
!
no aaa new-model
!
ip cef
!
!
!
!
ip dhcp pool TEST
 network 192.168.1.0 255.255.255.0
 default-router 192.168.1.1
 dns-server 4.2.2.2
!
!
!
no ip domain lookup
ip domain name yourdomain.com
no ipv6 cef
multilink bundle-name authenticated
!
!
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
 no cdp enable
!
interface GigabitEthernet0/1
 ip address x.x.x.74 255.255.255.248
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 no cdp enable
!
ip forward-protocol nd
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat pool TEST x.x.x.74 x.x.x.74 netmask 255.255.255.248
ip nat inside source list 23 pool TEST overload
ip nat inside source static tcp 192.168.1.3 25 x.x.x.74 25 extendable
ip nat inside source static tcp 192.168.1.3 110 x.x.x.74 110 extendable
ip nat inside source static tcp 192.168.1.3 443 x.x.x.74 443 extendable
ip nat inside source static tcp 192.168.1.7 80 x.x.x.76 80 extendable
ip nat inside source static tcp 192.168.1.7 443 x.x.x.76 443 extendable
ip route 0.0.0.0 0.0.0.0 x.x.x.73
!
access-list 23 permit 192.168.1.0 0.0.0.255
!
!
!
control-plane
!
!
ate 20000 1000
!
end

Kindly help

37 Replies

nimely5050
Level 1

From what I see, there appears to be a problem that is not NAT related. It seems to be the fact that access is not being allowed to that server via port 80. There's no hit count for that port.

Sent from Cisco Technical Support Android App

Here is a suggestion for troubleshooting this:

1. Create an ACL that matches the server's IP: access-list 1 permit 192.168.1.7

2. Check the CPU utilization on your router and see if it's not high (that is relative to your baseline and environment): show processes cpu sorted | exc 0.00%

3. If it's not high, configure logging at the buffer and console: logging console 6 and logging buffered 7. This will limit debugging of traffic to just the server's traffic.

4. Issue the following command: debug ip nat 1

5. Try accessing the server from outside on port 80 (or just www...) while you monitor the router.

6. The output should indicate if traffic for port 80 is being NATted, by issuing the following command: show logging

WARNING: debug uses a lot of CPU, which can cause a router to crash if it's already high in utilization. You could do it when there's not that much load on the router, perhaps after hours.

nimely5050
Level 1

Michael, that pool is for your dynamic nat, and does not have anything to do with the static nat for your server. Just make sure that whatever public ip you are using for your server is actually within the range of your public ips.
You need to take into consideration your network and broadcast from that range.

Sent from Cisco Technical Support Android App
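The check in the reply above (is the server's public IP inside the block on the outside interface, and is it neither the network nor the broadcast address?) can be made mechanical. This is an added example, not code from the thread: it parses the static NAT lines and the subnet of the interface carrying `ip nat outside`. The poster's masked x.x.x block is replaced with the 203.0.113.0 documentation prefix (an assumption), and two extra static lines are constructed to exercise the failure cases.

```python
import ipaddress
import re

# Constructed sample modelled on the thread's config; the masked x.x.x block is
# replaced with 203.0.113.0 (assumption). The last two static lines are added
# deliberately: .79 is the /29 broadcast, 198.51.100.5 is not in the block at all.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 ip address 203.0.113.74 255.255.255.248
 ip nat outside
!
ip nat inside source static tcp 192.168.1.7 80 203.0.113.76 80 extendable
ip nat inside source static tcp 192.168.1.7 443 203.0.113.79 443 extendable
ip nat inside source static tcp 192.168.1.9 80 198.51.100.5 80 extendable
"""

STATIC_RE = re.compile(r"^ip nat inside source static (?:tcp|udp) (\S+) (\d+) (\S+) (\d+)", re.M)


def outside_networks(config):
    """Return [(interface, subnet)] for every interface configured 'ip nat outside'."""
    nets, iface, addr = [], None, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            iface, addr = line.split()[1], None
        elif line == "!":
            iface = None
        elif iface and line.startswith("ip address ") and len(line.split()) >= 4:
            addr = ipaddress.ip_interface("{}/{}".format(*line.split()[2:4]))
        elif iface and line == "ip nat outside" and addr is not None:
            nets.append((iface, addr.network))
    return nets


def check_static_nat(config):
    """Tag each static port-forward's global IP: ok / network / broadcast / outside-block."""
    nets = [n for _, n in outside_networks(config)]
    findings = []
    for local, lport, glob, gport in STATIC_RE.findall(config):
        g = ipaddress.ip_address(glob)
        net = next((n for n in nets if g in n), None)
        if net is None:
            verdict = "outside-block"      # not in any 'ip nat outside' subnet
        elif g == net.network_address:
            verdict = "network"            # e.g. .72 in a /29 ending in .79
        elif g == net.broadcast_address:
            verdict = "broadcast"          # e.g. .79 in that same /29
        else:
            verdict = "ok"
        findings.append((local, int(lport), glob, int(gport), verdict))
    return findings
```

Run it against your own `show run` output to confirm every static global address is a usable host address of the outside block; the thread's x.x.x.76 in a /29 containing .74 would come back as ok.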

nimely5050
Level 1

There's ip nat outside, else the dynamic nat wouldn't be working.

Sent from Cisco Technical Support Android App

Hello there

I'm not talking about the "ip nat outside" applied to the interface.

what I mean is 

   ip nat pool TEST x.x.x.74 x.x.x.74 netmask 255.255.255.248

   ip nat inside source list 23 pool TEST overload

is not enough.

those lines are for when an inside host tries to setup a session to the outside!

when the session (Xlate) has started, the outside can reply on this session.

but it cannot INITIATE a session to the inside

you need something like

 

ip nat pool Net171 171.68.16.10 171.68.16.254 netmask 255.255.255.0

ip nat outside source list 1 pool Net171 add-route

look at this document

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_configuration_example09186a0080093f8e.shtml

nimely5050
Level 1

Mike,

Are you sure what you have here is the complete config of your router? If so, is it behind another device?

Sent from Cisco Technical Support Android App

nimely5050
Level 1

That command is used when you want to translate the outside address for connection coming in. In this case, that is not required because we want to translate the ip address of the internal web server because the ip address of the server is not globally routable. We don't want to translate the addresses of those connecting to the server. Here's the recommended setup from Cisco:

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080093f31.shtml


What is needed is to allow outside hosts to access that public IP of the server from outside on ports 80 & 443. If you can't ping that IP from outside, then my thought is there could be some filtering going on.

Sent from Cisco Technical Support Android App

Hmmm.. J.Wreh,

I think  you are right and I was not.

but then this output may point to the fault

Oct 2, 2013 7:45 AM (in response to J. Wreh Doepoh)

UPMB#show ip nat translations | sec 192.168.1.7

--- ---                ---                192.168.1.7        x.x.x.76

when you look at the header of the output

"Pro Inside global      Inside local              Outside local                     Outside global"

the translation should show on the inside-side?