04-16-2012 06:53 AM - edited 03-07-2019 06:09 AM
Hi;
Regrets up front for such a basic question but I'm new to the Cisco community. I recently purchased an 861 router and I need to forward inbound HTTP requests from my public IP address to an address (web server) inside. I configured a Fortigate 50B (which the 861 is replacing) by simply creating a route and then adding a firewall policy to allow port forwarding. I've attempted to do the same here without any luck. If you could, please direct me to this information.
04-20-2012 09:26 AM
If you're natting the traffic, you'll need to do that here as well:
ip nat inside source static
int fa0/0
ip access-group WebTraffic in
ip nat outside
int fa0/1
ip nat inside
You'll want an acl to block unwanted traffic:
ip access-list ext WebTraffic
permit tcp any host
permit tcp any any established
You could go with zone-based firewall or CBAC for better protection instead of just the ACL.
HTH,
John
Please rate useful posts..
04-20-2012 10:18 AM
Hi John:
First, thank you for your reply. Here is what I got when merging your NAT commands:
The Cisco IOS returned the following messages when attempting to merge your changes to the configuration.
% similar static entry (172.20.1.10 -> 24.106.44.210) already exists
int fa0/0
^
% Invalid input detected at '^' marker.
ip access-group WebTraffic in
^
% Invalid input detected at '^' marker.
ip nat outside
% Incomplete command.
int fa0/1
^
% Invalid input detected at '^' marker.
ip nat inside
% Incomplete command.
142 bytes copied in 18.080 secs (8 bytes/sec)
Below is the text from the ACL modification
permit tcp any host eq 80
^
% Invalid input detected at '^' marker.
Here is what Cisco tech support suggested (didn't work):
interface FastEthernet 0
ip address 172.20.1.10 255.255.255.0
ip nat inside
interface serial 0
ip address 24.106.44.210 255.255.255.252
ip nat outside
ip nat inside source static tcp 172.20.1.10 80 172.20.1.103 80
The only connection that was completed has been to the integrated webserver in the router. I have about 20 hours into this now and I'm of the opinion that for whatever reason, what I'm trying to do is not possible.
Thanks again:
Scott
04-20-2012 05:01 PM
Please post your complete config and take out the public addresses....it's possible to do what you want.
04-20-2012 05:41 PM
Hi John:
Below is the config. I have to tell you that, honestly, I'm strongly considering just going back to my Fortinet for this. Port forwarding can be done reliably in less than 5 minutes.
If you want to have a go at it, I'll do it.
Thanks for your diligence!
S
version 15.0
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname cisco861
!
boot-start-marker
boot-end-marker
!
logging buffered 51200
logging console critical
enable secret 5 $1$vwb3$TySirxZ.lm.YbMJNhhMQg1
!
no aaa new-model
memory-size iomem 10
clock timezone PCTime -6
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
!
crypto pki trustpoint TP-self-signed-3394879082
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3394879082
revocation-check none
rsakeypair TP-self-signed-3394879082
!
!
crypto pki certificate chain TP-self-signed-3394879082
certificate self-signed 01
3082024F 308201B8 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 33333934 38373930 3832301E 170D3036 30313032 31323030
34335A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 33393438
37393038 3230819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100F2A0 4D17DD07 6C76F385 E6F456EE 141C0F91 CA7C1175 B176CB8C A273E17D
511530C9 850FBDCC 67670E5F 54E05D4F A33A083E 42E819F8 F7B4FD22 3C2C2219
0EF72883 2F767849 7950307A A74D8CFA D44E2D6B D625D237 0C8C8DAF FE8B331D
50EB2945 0187BDDA A56F05D1 9AB8DB22 05DDC74D 889FC0F5 74F6571B 8F5B1013
AE7B0203 010001A3 77307530 0F060355 1D130101 FF040530 030101FF 30220603
551D1104 1B301982 17796F75 726E616D 652E796F 7572646F 6D61696E 2E636F6D
301F0603 551D2304 18301680 14C27593 1F059686 3996F59E 93DBC11B 0E845AC9
C8301D06 03551D0E 04160414 C275931F 05968639 96F59E93 DBC11B0E 845AC9C8
300D0609 2A864886 F70D0101 04050003 818100DB 0FACA18D E9309BDD E742EA7A
466B4562 945E8B25 9F5AAA74 2BE96A84 56547501 5D7FD1B6 618BFFCB 81001151
3EFE5F89 0C752ECB 541885CD FCCF81E8 863BA75F 0F950D1A C8B631E9 1C77CA99
7CA4C0B1 673DE637 4A953E58 0D11A85D 9CFC91B2 6DEF2E4E 527F1207 56B98BA6
12E0F3CF 6CACE2C1 6CCCB16A 0CDDF155 E10A4A
quit
no ip source-route
!
!
ip dhcp excluded-address 172.20.1.1 172.20.1.239
!
ip dhcp pool ccp-pool1
import all
network 172.20.1.0 255.255.255.0
dns-server 65.24.0.168 4.2.2.2
default-router 172.20.1.10
!
!
ip cef
no ip bootp server
ip name-server 65.24.0.168
ip name-server 4.2.2.2
!
!
license udi pid CISCO861-K9 sn FTX160784JB
!
!
username admin privilege 15 secret 5 $1$0TUG$bh270ROcyZGOINj0Ixisw/
!
!
ip tcp synwait-time 10
!
class-map type inspect match-all sdm-nat-http-1
match access-group 101
match protocol http
class-map type inspect match-any ccp-cls-insp-traffic
match protocol cuseeme
match protocol dns
match protocol ftp
match protocol h323
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-all ccp-invalid-src
match access-group 100
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
class-map type inspect match-all ccp-protocol-http
match protocol http
!
!
policy-map type inspect ccp-permit-icmpreply
class type inspect ccp-icmp-access
inspect
class class-default
pass
policy-map type inspect sdm-pol-NATOutsideToInside-1
class type inspect sdm-nat-http-1
inspect
class class-default
drop
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
drop log
class type inspect ccp-protocol-http
inspect
class type inspect ccp-insp-traffic
inspect
class class-default
drop
policy-map type inspect ccp-permit
class class-default
drop
!
zone security out-zone
zone security in-zone
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect ccp-permit-icmpreply
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
service-policy type inspect sdm-pol-NATOutsideToInside-1
!
!
!
!
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
description $FW_OUTSIDE$$ES_WAN$
ip address 0.0.0.3 any
access-list 101 remark CCP_ACL Category=0
access-list 101 permit ip any host 172.20.1.103
no cdp run
!
control-plane
!
banner exec ^C
% Password expiration warning.
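Pulling together John's NAT and filtering advice and the zone-based firewall that is already present in the posted config, here is an added, complete example of a working TCP/80 forward on an 861. It is not from any post in this thread. It assumes the LAN sits on Vlan1 (on an 861 the FastEthernet0-3 ports are switchports in that VLAN), that FastEthernet4 is the WAN port, and that the public address is whatever FastEthernet4 currently holds, so no public IP has to be written into the NAT rule. Note the argument order of the static entry: the private (inside local) address and port come first, the public (inside global) address or interface second. The `int fa0/0` and `int fa0/1` names from the earlier snippet do not exist on an 861, which is why IOS rejected them; `ip nat outside` and `ip nat inside` then landed in global configuration mode, where they are incomplete commands.

```cisco
! Added example (not from the thread): 861 port forward of TCP/80 to 172.20.1.103,
! fitted to the CCP-generated zone-based firewall already in the posted config.
! Assumptions: LAN on Vlan1, WAN on FastEthernet4, public address taken from FE4.
!
! 1. Mark the NAT sides and put each interface in its security zone.
!    Without zone-member lines, traffic between a zoned and an unzoned
!    interface is dropped, so the forward can never work.
interface Vlan1
 description $FW_INSIDE$
 ip address 172.20.1.10 255.255.255.0
 ip nat inside
 zone-member security in-zone
!
interface FastEthernet4
 description $FW_OUTSIDE$$ES_WAN$
! Use the static public address and mask here if the ISP does not hand one out.
 ip address dhcp
 ip nat outside
 zone-member security out-zone
!
! 2. Outbound PAT for the LAN so inside hosts can still reach the Internet.
ip access-list standard NAT-LAN
 permit 172.20.1.0 0.0.0.255
ip nat inside source list NAT-LAN interface FastEthernet4 overload
!
! 3. The port forward. Syntax:
!    ip nat inside source static tcp <inside-local-ip> <port> <inside-global-ip | interface X> <port>
!    The interface keyword binds the forward to whatever address FE4 holds.
ip nat inside source static tcp 172.20.1.103 80 interface FastEthernet4 80
!
! 4. Firewall: the existing zone-pair out-zone -> in-zone already inspects
!    HTTP to 172.20.1.103 (class sdm-nat-http-1 = access-list 101 + http) and
!    drops everything else. ZBF evaluates that class after NAT, which is why
!    ACL 101 names the private address, not the public one. No additional
!    inbound ACL on FE4 is needed alongside the zone policy.
!
! 5. Verification after an HTTP request from outside:
!    show ip nat translations
!    show policy-map type inspect zone-pair sdm-zp-NATOutsideToInside-1 sessions
!    show zone-pair security
```

If the translation appears in `show ip nat translations` but no session shows up on the zone-pair, the interfaces are most likely missing their `zone-member security` lines; if neither appears, the static NAT line or the `ip nat inside`/`ip nat outside` markings are the first things to recheck.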
04-20-2012 06:07 PM
John:
I'm seeing that firmware may well be an issue...any thoughts?
04-20-2012 07:19 PM
Scott,
The config that you posted still isn't complete. Without that, I don't know what I'm really helping you with. Are you natting from this device? If so, you're missing the nat config above. I can't say it's a firmware issue because I haven't seen a complete config yet to tell you if it's a problem with the config or if it's something else. Maybe it's the way that it was pasted in, and if that's the case it may be better for you to paste it into a text file and then attach the file to the forum.
John
04-20-2012 08:19 PM
John:
This was copied "select all" from the CLI. If it's incomplete as well, perhaps that's a hint of what's wrong in possibly a defective unit. I did have problems getting the next hop address to "stick" after configuration: it was fine until I powered the router down, at which time the address disappeared. Resetting the unit to default seemed to clear the problem.
Scott