09-03-2019 05:37 PM
Hello all, haven't been here for a long time, but now need your assistance once again.
My current config is working fine but I need to add a public addressable website which resides on my private lan address.
I found "Configuring Network Address Translation and Static Port Address Translation to Support an Internal Web Server"
but this deals with a static permanent connection.
My setup is slightly unique in that I want to achieve exactly that with a DHCP connection through a cable modem using a dialer, and I am getting horribly confused as to which interface I should be using.
What_is_my_IP dot com reports my address as 208.156.x.x but the cable modem has a 150.84.101.x address. Both of these are pingable from the public internet. My internal ranges are 192.168.1.0/24 and 192.168.20.0/24 both using 192.168.1.1 as the default router. The webpage is on 192.168.20.191 and my router is an 1841.
My questions:
1. With the command
interface BVI1
 ip address 171.68.1.1 255.255.255.240
 ip nat outside
Should I use the 150.84.101.x address, FE0/1 or Dialer 0?
2. With the entry
ip nat inside source static tcp 192.168.0.5 80 171.68.1.1 80 extendable
Again what should I enter as the external address? I know I need to change the internal to .20.191 :)
I'm fairly sure if I can get that information (hopefully) I can get it working.
Plus are there any other entries I need to be aware of which may end up stopping this?
Thank you in advance for your help.
Cheers,
09-03-2019 11:44 PM
Hello,
typically you would use the IP address of the dialer for any NAT outside translation. That said, what is the BVI for in your configuration? Also, I am not clear on why you see two different public IP addresses... is your cable modem in bridge mode, and does the 1841 get the public IP address directly?
09-04-2019 02:05 AM
Thank you for your reply, you may be right about the address. I'm pretty sure it should be just 220.253.2xx.y
The BVI1 is used in the example and that is the only reason it is there. I have included a copy of my running config (hope I have removed all critical bits and DNS servers are not the ones I use. Also hope I have pasted it correctly).
#sh run
Building configuration...

Current configuration : 4852 bytes
!
! Last configuration change at 20:38:40 WST Mon Sep 2 2019 by ross
! NVRAM config last updated at 20:10:41 WST Mon Sep 2 2019 by ross
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname router
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
logging buffered 65535
logging console informational
enable secret 5 junk
enable password pass1
!
no aaa new-model
clock timezone WST 8
dot11 syslog
ip source-route
!
!
!
!
ip cef
no ip bootp server
ip domain name domain
ip host one 192.168.1.x
ip host two 192.168.20.x
ip name-server 4.4.4.4
ip name-server 4.4.8.8
no ipv6 cef
multilink bundle-name authenticated
!
vpdn enable
!
vpdn-group 1
 request-dialin
  protocol pppoe
!
!
crypto pki trustpoint TP-self-signed-483212175
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-483212175
 revocation-check none
 rsakeypair TP-self-signed-483212175
!
!
crypto pki certificate chain TP-self-signed-483212175
 certificate self-signed 01
  30820241 308201AA A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
  <snip>
  00038181 000A3072 3FE07047 E140432A 88D61407 ABC8A443 C115E1D3 407EE805
  697D5BE1 AE222A29 78AA666F 228B75B8 8B1EAD70 35B33ECD A5C0FD18 50448628
  5149B271 92B4D80D 99EAC02B F9C37E8C E74D5675 C5FAFB2B 4330B446 BB6A8A2E
  5F1C28D3 D18FBEB4 9192A8F6 EFC63CE4 7E65A995 5A1E35EB FB75569A 70D0496F
  AC5F8207 C5
  quit
!
!
username user privilege 15 secret 5 junk
archive
 log config
  hidekeys
!
!
!
!
!
interface FastEthernet0/0
 description WAN_LINK
 no ip address
 no ip mroute-cache
 duplex auto
 speed auto
 pppoe enable group global
 pppoe-client dial-pool-number 1
 no cdp enable
!
interface FastEthernet0/1
 description INSIDE_LAN
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 no ip mroute-cache
 duplex auto
 speed auto
 no cdp enable
!
interface FastEthernet0/1.20
 encapsulation dot1Q 20
 ip address 192.168.20.1 255.255.255.0
!
interface FastEthernet0/1.40
 encapsulation dot1Q 40
 ip address 172.16.40.1 255.255.255.0
!
interface Cellular0/0/0
 description Dialer connection into IP WAN FNN 61457709828
 ip address negotiated
 ip mtu 1460
 encapsulation ppp
 no ip route-cache cef
 shutdown
 dialer in-band
 dialer string telstra
 dialer watch-group 1
 async mode interactive
 ppp chap hostname defunct
 ppp chap password 7 none
!
interface Dialer0
 description --- Description ---
 ip address negotiated
 ip mtu 1460
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip tcp adjust-mss 1420
 dialer pool 1
 dialer-group 1
 ppp chap hostname user@address
 ppp chap password 0 pass2
 ppp ipcp dns request
 ppp ipcp route default
 ppp ipcp address accept
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0 permanent
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip dns server
ip nat inside source list 10 interface Dialer0 overload
ip nat inside source list NAT interface Dialer0 overload
!
ip access-list extended MGMT_IN
 permit ip 192.168.1.0 0.0.0.255 any
 permit ip 192.168.20.0 0.0.0.255 any
ip access-list extended NAT
 permit ip 192.168.1.0 0.0.0.255 any
 permit ip 192.168.20.0 0.0.0.255 any
 permit ip 172.16.40.0 0.0.0.255 any
!
dialer-list 1 protocol ip permit
!
!
!
!
control-plane
!
!
!
line con 0
 login local
line aux 0
line 0/0/0
 no exec
line vty 0 4
 access-class 23 in
 privilege level 15
 login local
 transport input telnet ssh
line vty 5 15
 access-class 23 in
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler allocate 20000 1000
ntp authenticate
ntp access-group peer 31
ntp master 4
ntp update-calendar
end
Thanks again for any help
Cheers,
09-04-2019 02:13 AM
Hello,
the crucial question is: Is your 1841 directly connected to the Internet, or is there a cable modem in between?
09-04-2019 04:09 AM
The 1841 connects to a cable modem which connects to the internet.
Tracert for interest
Tracing route to 4.4.4.4 over a maximum of 30 hops
  1   <1 ms   <1 ms   <1 ms  192.168.1.1
  2   21 ms    8 ms   11 ms  lo0.bras2.name.tld.net [150.101.aaa.134]
  3   10 ms   10 ms    9 ms  ae16.cr1.name2.tld.net [150.101.bbb.178]
  4   14 ms   13 ms   11 ms  150.101.ccc.171
  5   10 ms   11 ms   11 ms  203.8.aaa.1
  6   12 ms   11 ms   12 ms  220.101.aaa.189
  7   60 ms   61 ms   75 ms  124.19.aaa.1
  8    *   ^C
Cheers,
09-04-2019 05:16 AM
Hello,
in your original post you said:
--> My current config is working fine
Does that mean the configuration you posted, with the 1841 behind a cable modem, is working? And all you need is to add a static NAT translation for port forwarding?
09-04-2019 04:40 PM
Hhmmm I can see how that could be confusing.
The current config is working for everything except this question. Traffic in and out is fine, browsing etc. is working, all VLANs are working as expected, etc.
The only requirement which has changed is I now have a webpage at 192.168.x.191 on the private LAN which I want to make accessible from the internet.
When I am on an internal computer I can open the page and do what I need but I want to be able to access it when I am not on the private LAN. I.E. on the phone from interstate.
Hope that clears it up a bit, sorry for the confusion.
09-08-2019 05:18 PM
Bump.
Anyone please?
09-18-2019 08:06 PM
Another bump. :)
Can anyone help?
Cheers,
09-19-2019 12:30 AM - edited 09-19-2019 12:31 AM
Hello
@Wingnut2015 wrote:
Thank you for your reply, you may be right about the address. I'm pretty sure it should be just 220.253.2xx.y
The BVI1 is used in the example and that is the only reason it is there. I have included a copy of my running config (hope I have removed all critical bits and DNS servers are not the ones I use. Also hope I have pasted it correctly).
The only requirement which has changed is I now have a webpage at 192.168.x.191 on the private LAN which I want to make accessible from the internet.
When I am on an internal computer I can open the page and do what I need but I want to be able to access it when I am not on the private LAN. I.E. on the phone from interstate.
Thanks again for any help
Cheers,
Then you need to set up port forwarding for that webserver.
conf t
no ip access-list extended NAT
ip access-list extended NAT
deny ip host 192.168.1.191 any
permit ip 192.168.1.0 0.0.0.255 any
permit ip 192.168.20.0 0.0.0.255 any
permit ip 172.16.40.0 0.0.0.255 any
ip nat inside source static tcp 192.168.1.191 80 interface dialer 0 80
09-22-2019 05:13 AM
Thank you Paul but I couldn't get that to work. :(
I'm sure I'm just not doing something right as lots of people host lots of websites but I just can't get it to work.
I don't know what other information I can give to try and get it working so do you have any questions which I might not know I need to ask?
Again, thank you
Cheers,
11-16-2019 09:07 PM
I finally got it working and thought I would post on here in case anyone else runs into the same issue.
As it turns out my ISP blocks port 80 outbound so no matter what I did it was not going to work. The line I entered became
ip nat inside source static tcp 192.168.1.191 80 interface dialer 0 3451
and that made it burst into life.
Thank you to everyone for the assistance, I will mark the reply from Paul Driver as the solution.
Cheers,