09-29-2013 07:14 AM - edited 03-04-2019 09:10 PM
Hi,
I'm trying to enable access to my local web server over the internet.
I can access the server locally via the IP address (http://192.168.1.7) on port 80.
I have created an A record and pointed it to the public IP address x.x.x.76, which is within a block with my main public IP for internet x.x.x.74.
However, when I try to access the web server over the internet, I fail.
I have attached my router config.
Using 4396 out of 262136 bytes
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname test
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200 warnings
no logging console
!
no aaa new-model
!
ip cef
!
!
!
!
ip dhcp pool TEST
 network 192.168.1.0 255.255.255.0
 default-router 192.168.1.1
 dns-server 4.2.2.2
!
!
!
no ip domain lookup
ip domain name yourdomain.com
no ipv6 cef
multilink bundle-name authenticated
!
!
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
 no cdp enable
!
interface GigabitEthernet0/1
 ip address x.x.x.74 255.255.255.248
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 no cdp enable
!
ip forward-protocol nd
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat pool TEST x.x.x.74 x.x.x.74 netmask 255.255.255.248
ip nat inside source list 23 pool TEST overload
ip nat inside source static tcp 192.168.1.3 25 x.x.x.74 25 extendable
ip nat inside source static tcp 192.168.1.3 110 x.x.x.74 110 extendable
ip nat inside source static tcp 192.168.1.3 443 x.x.x.74 443 extendable
ip nat inside source static tcp 192.168.1.7 80 x.x.x.76 80 extendable
ip nat inside source static tcp 192.168.1.7 443 x.x.x.76 443 extendable
ip route 0.0.0.0 0.0.0.0 x.x.x.73
!
access-list 23 permit 192.168.1.0 0.0.0.255
!
!
!
control-plane
!
!
ate 20000 1000
!
end
Kindly help
09-29-2013 07:05 PM
Hi
Remove the server IP from dynamic nat access list, and try.
HTH,
Lei Tian
10-01-2013 11:06 AM
Thanks Lei
I'm not really a Cisco guy though.
How should I do that?
Mike
10-01-2013 12:05 PM
Michael,
Try removing this line:
ip nat pool TEST x.x.x.74 x.x.x.74 netmask 255.255.255.248
with "no ip nat pool TEST x.x.x.74 x.x.x.74 netmask 255.255.255.248"
HTH,
John
*** Please rate all useful posts ***
10-01-2013 12:12 PM
Thanks John
I'm currently out of town but can access the router via SSH & telnet.
I cannot remove/destroy it as the pool is in use.
Michael
10-01-2013 02:40 PM
I've labbed it up and I can't get it to fail with your config. Can you post "sh ip nat translat"?
HTH,
John
*** Please rate all useful posts ***
10-02-2013 02:27 AM
Dear John
sh ip nat translations
Pro  Inside global    Inside local      Outside local       Outside global
---  ---              ---               192.168.1.7         197.221.128.76
tcp  x.x.x.74:1033    192.168.1.2:1033  79.143.167.6:26394  79.143.167.6:26394
tcp  x.x.x.74:1043    192.168.1.2:1043  186.38.22.148:6881  186.38.22.148:6881
tcp  x.x.x.74:443     192.168.1.7:443   ---                 ---
It's a much longer list, I just picked out a few lines.
10-02-2013 03:52 AM
Is there a firewall between your router and this server? Do you have a translation for port 80? I see 443, but not 80. Does 443 work if you try to telnet into the port from the outside (telnet x.x.x.74 443)? If the screen clears with a cursor in the upper left, it's open and you're getting to the server.
HTH,
John
*** Please rate all useful posts ***
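As an added example (not part of any post in this thread): a scripted form of the telnet port test above that separates a refused connection from a silent timeout, since the two point at different layers. The function names and the 203.0.113.76 address, which stands in for the masked x.x.x.76, are constructed for illustration.

```python
import errno
import socket


def probe_tcp(host, port, timeout=3.0):
    """Classify one TCP connect attempt as open/refused/timeout/unreachable."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"         # handshake completed end to end
    except ConnectionRefusedError:
        return "refused"          # a reset came back: the path works, no listener
    except socket.timeout:
        return "timeout"          # silence: filtered, or the address is not delivered
    except OSError as exc:
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "unreachable"  # routing failure reported locally or via ICMP
        raise


def probe_mappings(mappings, timeout=3.0):
    """Probe each (host, port) pair and return {'host:port': verdict}."""
    return {f"{h}:{p}": probe_tcp(h, p, timeout) for h, p in mappings}


if __name__ == "__main__":
    # Constructed target: 203.0.113.76 stands in for the masked x.x.x.76.
    # Run from a host outside the LAN, as in the telnet test.
    for target, verdict in probe_mappings([("203.0.113.76", 80),
                                           ("203.0.113.76", 443)]).items():
        print(target, verdict)
```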
10-03-2013 03:31 AM
Thanks John
But I'm unable to telnet into it ... connection failed
I'm thinking it could be with .... ip nat pool TEST x.x.x.74 x.x.x.74 netmask 255.255.255.248
I only specified one public IP (x.x.x.74) ... should I specify the entire block here like this
ip nat pool TEST x.x.x.74 x.x.x.78 netmask 255.255.255.248?
The public IP for the web server is x.x.x.76
Just wondering
10-11-2013 06:26 AM
Hi Michael,
Hope you are doing well.
I have one question about your NAT translation table.
When you use static PAT, you use the following command:
ip nat inside source static tcp (Inside local IP address = actual device IP) <Local port on which the device is listening> (Inside global IP address = IP which is reachable on the internet) <Global UDP/TCP port = any random port>
So in your case your statement would be
ip nat inside source static tcp 192.168.1.7 443 x.x.x.76 443
It means your inside local IP is 192.168.1.7 and your inside global IP address is x.x.x.76. So when you run the sh ip nat translation command, it should look like this:
Pro  Inside global    Inside local      Outside local       Outside global
tcp  x.x.x.76:443     192.168.1.7:443   ---                 ---
So the first entry will be the static entry, followed by your dynamic sessions, but your output shows something different: the 192.168.1.7 address is showing in outside local.
I have created a blog post on static PAT; you can go through it if you want. Last month I deployed a static PAT setup for one customer, and it worked fine for them.
One more suggestion: if you are using the interface to PAT your inside IP addresses, you can NAT directly on it; you don't need a separate pool for it. A pool is required when you want to do dynamic PAT with multiple IP addresses.
You can use the following command:
ip nat inside source list 10 interface gig0/1 overload
Regards,
Ashish
10-11-2013 07:43 AM
Dear Ashish
Thanks for the feedback. However, this issue has been sorted out and my routing configuration was fine.
All I had to do was change the port number to 8080 and switch to my main IP, as the .76 I got was not routable on the internet.
Thanks
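As an added example (not part of any post in this thread, and not Cisco tooling): a small audit of static PAT entries that flags mappings whose inside global address is not the outside interface's own address, the case that mattered here. The sample config, the function names, and the 203.0.113.x and 198.51.100.10 addresses are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample: the thread's NAT layout with the masked x.x.x prefix
# replaced by the documentation range 203.0.113.0/24, plus one extra
# off-subnet entry (198.51.100.10) added to show the third verdict.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
interface GigabitEthernet0/1
 ip address 203.0.113.74 255.255.255.248
 ip nat outside
ip nat inside source static tcp 192.168.1.3 25 203.0.113.74 25 extendable
ip nat inside source static tcp 192.168.1.7 80 203.0.113.76 80 extendable
ip nat inside source static tcp 192.168.1.7 443 203.0.113.76 443 extendable
ip nat inside source static tcp 192.168.1.9 22 198.51.100.10 22 extendable
"""

STATIC_RE = re.compile(
    r"^ip nat inside source static (tcp|udp) (\S+) (\d+) (\S+) (\d+)", re.M)


def outside_interface(config):
    """Return the ip_interface of the interface marked 'ip nat outside'."""
    for block in re.split(r"^(?=interface )", config, flags=re.M):
        if re.search(r"^\s*ip nat outside\s*$", block, re.M):
            m = re.search(r"^\s*ip address (\S+) (\S+)", block, re.M)
            if m:
                return ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
    raise ValueError("no 'ip nat outside' interface with an address")


def audit_static_nat(config):
    """Classify each static PAT entry by where its inside global address sits."""
    outside = outside_interface(config)
    findings = []
    for proto, local, lport, glob, gport in STATIC_RE.findall(config):
        addr = ipaddress.ip_address(glob)
        if addr == outside.ip:
            where = "interface"    # the router's own address on the outside link
        elif addr in outside.network:
            where = "same-subnet"  # works only if upstream delivers this address
        else:
            where = "off-subnet"   # needs an explicit upstream route to the router
        findings.append((f"{glob}:{gport}/{proto}", f"{local}:{lport}", where))
    return findings


if __name__ == "__main__":
    for exposed, target, where in audit_static_nat(SAMPLE_CONFIG):
        print(f"{exposed:24} -> {target:18} {where}")
```

Entries reported as anything other than "interface" are the ones to confirm with the ISP before debugging the NAT rules themselves.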
10-10-2013 10:01 PM
John
The config was correct as you mentioned - ISP let me down with a non routable public IP
Thanks
10-02-2013 04:06 AM
Hi Mike,
Just change your acl 23 to
access-list 23 deny host 192.168.1.7
access-list 23 permit 192.168.1.0 0.0.0.255
HTH,
Lei Tian
10-03-2013 01:52 AM
Thanks Lei
I have done that but no luck.
Could the error be from this line . . . .
ip nat pool UPMB x.x.x.74 x.x.x.74 netmask 255.255.255.248?
I was thinking it should be this instead
ip nat pool UPMB x.x.x.74 x.x.x.78 netmask 255.255.255.248
My public IP block is from 74 to 78.
thanks
10-03-2013 03:52 AM
Hi Mike,
The 2nd one is correct, but it won't cause the issue that you have. If you temporarily change the NAT to
ip nat inside source static 192.168.1.7 x.x.x.76
can you ping .76 from the internet?
HTH,
Lei Tian