09-29-2013 07:14 AM - edited 03-04-2019 09:10 PM
Hi,
I'm trying to enable access to my local web server over the Internet.
I can access the server locally via the IP address (http://192.168.1.7) on port 80.
I have created an A record and pointed it to the public IP address x.x.x.76, which is within a block with my main public IP for Internet, x.x.x.74.
However, when I try to access the web server over the Internet, I fail.
I have attached my router config:
Using 4396 out of 262136 bytes
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname test
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200 warnings
no logging console
!
no aaa new-model
!
ip cef
!
!
!
!
ip dhcp pool TEST
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 4.2.2.2
!
!
!
no ip domain lookup
ip domain name yourdomain.com
no ipv6 cef
multilink bundle-name authenticated
!
!
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
no cdp enable
!
interface GigabitEthernet0/1
ip address x.x.x.74 255.255.255.248
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
no cdp enable
!
ip forward-protocol nd
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat pool TEST x.x.x.74 x.x.x.74 netmask 255.255.255.248
ip nat inside source list 23 pool TEST overload
ip nat inside source static tcp 192.168.1.3 25 x.x.x.74 25 extendable
ip nat inside source static tcp 192.168.1.3 110 x.x.x.74 110 extendable
ip nat inside source static tcp 192.168.1.3 443 x.x.x.74 443 extendable
ip nat inside source static tcp 192.168.1.7 80 x.x.x.76 80 extendable
ip nat inside source static tcp 192.168.1.7 443 x.x.x.76 443 extendable
ip route 0.0.0.0 0.0.0.0 x.x.x.73
!
access-list 23 permit 192.168.1.0 0.0.0.255
!
!
!
control-plane
!
!
ate 20000 1000
!
end
Kindly help
10-03-2013 09:50 AM
Hi
I'm unable to ping x.x.x.76 from the Internet after applying the NAT.
However, below are my active access lists
Standard IP access list 23
10 permit 192.168.1.0, wildcard bits 0.0.0.255 (138393 matches)
Extended IP access list 102
10 permit tcp any eq smtp any eq smtp
Extended IP access list 123
10 permit tcp any any
Could this hold the clue?
Thanks
10-03-2013 12:00 PM
I only see "ip nat inside".
This is for inside hosts making connections to the outside.
You need the other NAT statement for outside access, in "ip nat outside....".
Sent from Cisco Technical Support iPad App
10-04-2013 04:03 AM
Hi Mike,
Where are ACL 102 and 123 applied? I don't see that in your posted config. Do a show ip arp; do you see .76 in your ARP table?
HTH,
Lei Tian
10-05-2013 03:31 AM
Hi Lei
Both 102 and 123 apply to the outside interface. They were created when mail wasn't being routed, but it later occurred to us that the firewall on the mail server was blocking port 25.
Below is the ARP table:
Protocol Address Age (min) Hardware Addr Type Interface
Internet 192.168.1.1 - 7cad.74a8.c9c0 ARPA GigabitEthernet0/0
Internet 192.168.1.2 0 0001.0250.b2dc ARPA GigabitEthernet0/0
Internet 192.168.1.3 0 Incomplete ARPA
Internet 192.168.1.5 0 e839.35ee.b844 ARPA GigabitEthernet0/0
Internet 192.168.1.7 - 7cad.74a8.c9c0 ARPA GigabitEthernet0/0
Internet 192.168.1.19 55 1803.73ce.e59d ARPA GigabitEthernet0/0
Internet 192.168.1.20 7 0025.64b0.5f83 ARPA GigabitEthernet0/0
Internet 192.168.1.27 1 00b2.02c9.03af ARPA GigabitEthernet0/0
Internet 192.168.1.31 0 b8ac.6f43.81c6 ARPA GigabitEthernet0/0
Internet 192.168.1.34 0 b8ac.6f1e.4ee9 ARPA GigabitEthernet0/0
Internet 192.168.1.36 218 6067.206c.7694 ARPA GigabitEthernet0/0
Internet 192.168.1.38 217 6067.206c.7694 ARPA GigabitEthernet0/0
Internet 192.168.1.40 8 0021.cccb.962b ARPA GigabitEthernet0/0
Internet 192.168.1.41 59 1c4b.d685.2c44 ARPA GigabitEthernet0/0
Internet 192.168.1.57 50 0021.cccb.9637 ARPA GigabitEthernet0/0
Internet 192.168.1.62 3 0021.cccb.95c5 ARPA GigabitEthernet0/0
Internet 192.168.1.214 0 8c89.a5bc.1fac ARPA GigabitEthernet0/0
Internet x.x.x.73 31 0030.8801.aa7c ARPA GigabitEthernet0/1
Internet x.x.x.74 - 7cad.74a8.c9c1 ARPA GigabitEthernet0/1
Internet x.x.x.76 - 7cad.74a8.c9c1 ARPA GigabitEthernet0/1
10-05-2013 04:48 AM
Hi Mike,
Can you try to remove ACL 102 and 123? Can you also make sure the provider is advertising your subnet? Try to trace .76 from the Internet and see if it can reach the provider router. You can use http://network-tools.com/ for the trace.
HTH,
Lei Tian
10-09-2013 12:27 AM
I'm back in office now
Removed both ACLs but the trace from the internet is still not working
10-09-2013 08:30 PM
Hi,
Where does the trace stop? Compared to the result of the trace to .74, is there any difference?
HTH,
Lei Tian
10-10-2013 09:59 PM
Thanks Lei
I managed to identify the problem - bloody ISP spoofed me into thinking .76 was routable over the internet!
I used .74 (I know it's not recommended, though) and NATted to port 8080, and it's working well.
I must say many thanks to you all, especially you Lei - Good skills man
I have to get my second Public IP up and change the config so it reduces my traffic
Thanks once again
I appreciate
Michael
10-11-2013 06:06 AM
Hi Mike,
You're welcome! Glad you found the issue.
HTH,
Lei Tian
10-01-2013 12:01 PM
Do you happen to have any firewall configuration on the router? The configuration on the router so far looks right.
Another thing is that you should be accessing the server via the public IP from outside, and you might want to make sure you are allowing access to that address and port on your firewall.
Sent from Cisco Technical Support Android App
10-01-2013 12:16 PM
Thanks J. Wreh
I currently don't have any firewall rules running.
I tried accessing it using the public IP from outside, but it fails.
The guy at my ISP says I should deny some IPs access from the access-list (presuming it's access-list 23), as it's overkill and is confusing the router.
It's got me all confused now.
lol
10-01-2013 12:28 PM
I don't think that line is the problem. I have similar config on my 1921, and everything is working. Here's my config:
ip nat pool xPOOL x.x.x.217 x.x.x.222 netmask 255.255.255.248
ip nat inside source list INTERNET_ACCESS pool xPOOL overload
ip nat inside source static tcp 192.168.2.5 80 x.x.x.218 80 extendable
ip nat inside source static tcp 192.168.2.5 443 x.x.x.218 443 extendable
ip access-list extended INTERNET_ACCESS
 permit ip any any
That access-list does include everything. People do have access to my website from the Internet.
Sent from Cisco Technical Support Android App
10-01-2013 12:45 PM
Hope this link helps you:
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080093f31.shtml
That's Cisco Document ID:13778
Sent from Cisco Technical Support Android App
10-02-2013 05:28 AM
Michael, could you issue the following command and post the output here:
show ip nat translations tcp | sec 192.168.1.7
Sent from Cisco Technical Support Android App
10-02-2013 06:45 AM
UPMB#show ip nat translations | sec 192.168.1.7
--- --- --- 192.168.1.7 x.x.x.76
tcp x.x.x.76:443 192.168.1.7:443 --- ---
tcp x.x.x.74:49523 192.168.1.72:49523 66.196.66.156:80 66.196.66.156:80
tcp x.x.x.74:49608 192.168.1.72:49608 66.196.120.100:80 66.196.120.100:80
tcp x.x.x.74:49676 192.168.1.72:49676 69.171.235.16:443 69.171.235.16:443
tcp x.x.x.74:1069 192.168.1.72:51231 69.171.235.16:443 69.171.235.16:443
tcp x.x.x.74:51334 192.168.1.72:51334 66.196.120.100:80 66.196.120.100:80
tcp x.x.x.74:51618 192.168.1.72:51618 173.252.100.27:443 173.252.100.27:443
tcp x.x.x.74:51620 192.168.1.72:51620 2.22.234.8:80 2.22.234.8:80
tcp x.x.x.74:51621 192.168.1.72:51621 2.22.234.8:80 2.22.234.8:80
tcp x.x.x.74:51623 192.168.1.72:51623 66.196.66.156:80 66.196.66.156:80
tcp x.x.x.74:51626 192.168.1.72:51626 217.163.21.40:80 217.163.21.40:80
tcp x.x.x.74:52412 192.168.1.72:52412 173.252.100.27:443 173.252.100.27:443