Website on private lan through cable modem

Hello all, I haven't been here for a long time but now need your assistance once again.

 

My current config is working fine but I need to add a publicly addressable website which resides on my private LAN address.

I found "Configuring Network Address Translation and Static Port Address Translation to Support an Internal Web Server"

https://www.cisco.com/c/en/us/support/docs/long-reach-ethernet-lre-digital-subscriber-line-xdsl/asymmetric-digital-subscriber-line-adsl/12905-827spat.html 

but this deals with a static permanent connection.

 

My setup is slightly unique in that I want to achieve exactly that with a DHCP connection through a cable modem using a dialer, and I am getting horribly confused as to which interface I should be using.

 

What_is_my_IP dot com reports my address as 208.156.x.x but the cable modem has a 150.84.101.x address. Both of these are pingable from the public internet. My internal ranges are 192.168.1.0/24 and 192.168.20.0/24 both using 192.168.1.1 as the default router. The webpage is on 192.168.20.191 and my router is an 1841.

 

My questions:

1. With the command

interface BVI1
ip address 171.68.1.1 255.255.255.240
ip nat outside

Should I use the 150.84.101.x address, FE0/1 or Dialer 0?

 

2. With the entry

ip nat inside source static tcp 192.168.0.5 80 171.68.1.1 80 extendable

Again what should I enter as the external address? I know I need to change the internal to .20.191 :)

 

I'm fairly sure if I can get that information (hopefully) I can get it working.

 

Plus, are there any other entries I need to be aware of which may end up stopping this?

 

Thank you in advance for your help.

Cheers,

Accepted Solutions

Hello


@Wingnut2015 wrote:

Thank you for your reply, you may be right about the address. I'm pretty sure it should be just 220.253.2xx.y

 

The BVI1 is used in the example and that is the only reason it is there. I have included a copy of my running config (hope I have removed all critical bits and DNS servers are not the ones I use. Also hope I have pasted it correctly).

The only requirement which has changed is I now have a webpage at 192.168.x.191 on the private LAN which I want to make accessible from the internet.

When I am on an internal computer I can open the page and do what I need but I want to be able to access it when I am not on the private LAN, i.e. on the phone from interstate.

Thanks again for any help

Cheers,


 

Then you need to set up port forwarding for that webserver.

 

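conf t
! Rebuild the NAT ACL so the web server is excluded from the overload (PAT) rule
no ip access-list extended NAT
ip access-list extended NAT
deny ip host 192.168.1.191 any
permit ip 192.168.1.0 0.0.0.255 any
permit ip 192.168.20.0 0.0.0.255 any
permit ip 172.16.40.0 0.0.0.255 any

! Static PAT: forward TCP 80 arriving on the Dialer0 address to the web server
ip nat inside source static tcp 192.168.1.191 80 interface dialer 0 80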



kind regards
Paul

Please rate and mark posts accordingly if you have found any of the information provided useful.
It will hopefully assist others with similar issues in the future


11 Replies

Hello,

 

Typically you would use the IP address of the dialer for any NAT outside translation. That said, what is the BVI for in your configuration? Also, I am not clear on why you see two different public IP addresses... is your cable modem in bridge mode, and does the 1841 get the public IP address directly?


Thank you for your reply, you may be right about the address. I'm pretty sure it should be just 220.253.2xx.y

 

The BVI1 is used in the example and that is the only reason it is there. I have included a copy of my running config (hope I have removed all critical bits and DNS servers are not the ones I use. Also hope I have pasted it correctly).

 

#sh run
Building configuration...

Current configuration : 4852 bytes
!
! Last configuration change at 20:38:40 WST Mon Sep 2 2019 by ross
! NVRAM config last updated at 20:10:41 WST Mon Sep 2 2019 by ross
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname router
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
logging buffered 65535
logging console informational
enable secret 5 junk
enable password pass1
!
no aaa new-model
clock timezone WST 8
dot11 syslog
ip source-route
!
!
!
!
ip cef
no ip bootp server
ip domain name domain
ip host one 192.168.1.x
ip host two 192.168.20.x
ip name-server 4.4.4.4
ip name-server 4.4.8.8 
no ipv6 cef
multilink bundle-name authenticated
!
vpdn enable
!
vpdn-group 1
 request-dialin
  protocol pppoe
!
!
crypto pki trustpoint TP-self-signed-483212175
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-483212175
 revocation-check none
 rsakeypair TP-self-signed-483212175
!
!
crypto pki certificate chain TP-self-signed-483212175
 certificate self-signed 01
        quit
!
!
username user privilege 15 secret 5 junk
archive
 log config
  hidekeys
!
!
!
!
!
interface FastEthernet0/0
 description WAN_LINK
 no ip address
 no ip mroute-cache
 duplex auto
 speed auto
 pppoe enable group global
 pppoe-client dial-pool-number 1
 no cdp enable
!
interface FastEthernet0/1
 description INSIDE_LAN
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 no ip mroute-cache
 duplex auto
 speed auto
 no cdp enable
!
interface FastEthernet0/1.20
 encapsulation dot1Q 20
 ip address 192.168.20.1 255.255.255.0
!
interface FastEthernet0/1.40
 encapsulation dot1Q 40
 ip address 172.16.40.1 255.255.255.0
!
interface Cellular0/0/0
 description Dialer connection into IP WAN FNN 61457709828
 ip address negotiated
 ip mtu 1460
 encapsulation ppp
 no ip route-cache cef
 shutdown
 dialer in-band
 dialer string telstra
 dialer watch-group 1
 async mode interactive
 ppp chap hostname defunct
 ppp chap password 7 none
!
interface Dialer0
 description --- Description ---
 ip address negotiated
 ip mtu 1460
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip tcp adjust-mss 1420
 dialer pool 1
 dialer-group 1
 ppp chap hostname user@address
 ppp chap password 0 pass2
 ppp ipcp dns request
 ppp ipcp route default
 ppp ipcp address accept
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0 permanent
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip dns server
ip nat inside source list 10 interface Dialer0 overload
ip nat inside source list NAT interface Dialer0 overload
!
ip access-list extended MGMT_IN
 permit ip 192.168.1.0 0.0.0.255 any
 permit ip 192.168.20.0 0.0.0.255 any
ip access-list extended NAT
 permit ip 192.168.1.0 0.0.0.255 any
 permit ip 192.168.20.0 0.0.0.255 any
 permit ip 172.16.40.0 0.0.0.255 any
!
dialer-list 1 protocol ip permit
!
!
!
!
control-plane
!
!
!
line con 0
 login local
line aux 0
line 0/0/0
 no exec
line vty 0 4
 access-class 23 in
 privilege level 15
 login local
 transport input telnet ssh
line vty 5 15
 access-class 23 in
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler allocate 20000 1000
ntp authenticate
ntp access-group peer 31
ntp master 4
ntp update-calendar
end

Thanks again for any help

Cheers,


Hello,

 

The crucial question is: Is your 1841 directly connected to the Internet, or is there a cable modem in between?


The 1841 connects to a cable modem which connects to the internet.

Tracert for interest

Tracing route to 4.4.4.4 over a maximum of 30 hops

  1    <1 ms    <1 ms    <1 ms  192.168.1.1
  2    21 ms     8 ms    11 ms  lo0.bras2.name.tld.net [150.101.aaa.134]
  3    10 ms    10 ms     9 ms  ae16.cr1.name2.tld.net [150.101.bbb.178]
  4    14 ms    13 ms    11 ms  150.101.ccc.171
  5    10 ms    11 ms    11 ms  203.8.aaa.1
  6    12 ms    11 ms    12 ms  220.101.aaa.189
  7    60 ms    61 ms    75 ms  124.19.aaa.1
  8     *     ^C

Cheers,


Hello,

 

In your original post you said:

 

--> My current config is working fine

 

Does that mean the configuration you posted, with the 1841 behind a cable modem, is working? And all you need is to add a static NAT translation for port forwarding?


Hhmmm I can see how that could be confusing.

 

The current config is working for everything except this question. Traffic in and out is fine, browsing etc. is working, all VLANs are working as expected, etc.

 

The only requirement which has changed is I now have a webpage at 192.168.x.191 on the private LAN which I want to make accessible from the internet.

 

When I am on an internal computer I can open the page and do what I need but I want to be able to access it when I am not on the private LAN, i.e. on the phone from interstate.

 

Hope that clears it up a bit, sorry for the confusion.


Bump.

 

Anyone please?


Another bump. :)

 

Can anyone help?

 

Cheers,


Thank you Paul but I couldn't get that to work. :(

 

I'm sure I'm just not doing something right as lots of people host lots of websites but I just can't get it to work.

 

I don't know what other information I can give to try and get it working so do you have any questions which I might not know I need to ask?

 

Again, thank you

Cheers,


I finally got it working and thought I would post on here in case anyone else runs into the same issue.

 

As it turns out my ISP blocks port 80 outbound so no matter what I did it was not going to work. The line I entered became

ip nat inside source static tcp 192.168.1.191 80 interface dialer 0 3451

and that made it burst into life.

 

Thank you to everyone for the assistance, I will mark the reply from Paul Driver as the solution.

 

Cheers,
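
A small config check for the static PAT rule discussed in this thread, added here as an example and not part of any poster's reply: it confirms that the forwarded host sits on a subnet whose interface carries `ip nat inside` and that the interface named in the rule carries `ip nat outside`. `SAMPLE_CONFIG` is a constructed excerpt of the posted running config plus the final rule, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed excerpt of the running config posted in this thread plus the
# final static PAT line; only the lines this check reads are kept.
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
interface FastEthernet0/1.20
 ip address 192.168.20.1 255.255.255.0
interface Dialer0
 ip address negotiated
 ip nat outside
ip nat inside source static tcp 192.168.1.191 80 interface dialer 0 3451
"""
STATIC_PAT = re.compile(
    r"^ip nat inside source static (?:tcp|udp) (\S+) \d+ "
    r"interface (\S+(?: \d\S*)?) (\d+)(?: extendable)?$", re.I | re.M)

def parse_interfaces(config):
    """Map interface name -> {'net': IPv4Network or None, 'nat': str or None}."""
    interfaces, current = {}, None
    for line in config.splitlines():
        words = line.split()
        if line.startswith("interface "):
            current = interfaces.setdefault(words[1], {"net": None, "nat": None})
        elif not line.startswith(" "):
            current = None  # left the interface block
        elif current is not None and words[:2] == ["ip", "address"] and len(words) == 4:
            current["net"] = ipaddress.ip_interface(f"{words[2]}/{words[3]}").network
        elif current is not None and words[:2] == ["ip", "nat"] and len(words) == 3:
            current["nat"] = words[2]
    return interfaces

def audit_static_pat(config):
    """Return findings for static PAT rules whose NAT interface roles do not line up."""
    interfaces, findings = parse_interfaces(config), []
    by_key = {name.lower(): name for name in interfaces}
    for m in STATIC_PAT.finditer(config):
        host = ipaddress.ip_address(m.group(1))
        # The rule may write "dialer 0" where the config says "Dialer0".
        outside = by_key.get(m.group(2).lower().replace(" ", ""))
        if outside is None or interfaces[outside]["nat"] != "outside":
            findings.append(f"{m.group(2)}: not configured with 'ip nat outside'")
        owner = [n for n, i in interfaces.items() if i["net"] and host in i["net"]]
        if not any(interfaces[n]["nat"] == "inside" for n in owner):
            where = owner[0] if owner else "no configured subnet"
            findings.append(f"{host} sits on {where}, which lacks 'ip nat inside'")
    return findings
```

Changing the rule's inside address to 192.168.20.191, the server address given in the original question, produces a finding because FastEthernet0/1.20 in the posted config has no `ip nat inside`.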