01-15-2010 01:57 PM - edited 03-06-2019 09:19 AM
Hello,
I have set up a webpage written in IIS. The webpage allows contractors outside our corporate network to log in and fill in forms that I can process. I have a Cisco router sitting on the edge of our network. I want to secure this Cisco 1800 router so that it can only be used for accessing this particular web server page and nothing else. I want the Cisco router to be able to go out onto the internet - unrestricted. But from the outside world in - it can only hit this web server.
I have tried to set up the NAT on the router. I can successfully go out to the internet but can't hit the webpage coming back in. I have set up an access list but it is obviously not quite right. Could anyone take a look at the config and see if they spot anything obvious? Any advice is welcome.
I now have an A record configured to point mywebsite to xx.xxx.xxx.x, which is my Dialer0 address for the wireless Cisco router in my office. The website has an internal address of 192.168.2.100.
The PC I have the website running on is cabled into the wireless router on FastEthernet 0/2. I want to be able to hit this website mywebsite from the outside world. So if anyone can take a look at my config and advise what changes I need to make to be able to hit the site, it would be appreciated.
I have attached the config of the Cisco wireless router.
Thanks
Kevin
01-15-2010 03:20 PM
Hi Kevin,
A couple of comments.
You have the no ip classless command present in your configuration. While this command is inactive because you are running CEF, this command would activate classful routing, which is an old and nowadays unsuitable method of performing routing table lookup. Without going into too much detail, you certainly do not want that. Change the command to ip classless in your global configuration mode.
Next, you seem to be running the HTTP server on your router. In order to remove the ambiguity whether the incoming TCP connection to the IP address x.x.x.x:80 is destined for your router or for the internal IP address 192.168.2.100, I suggest deactivating it using no ip http server and no ip http secure-server in your global configuration. Note that after deactivating the HTTP server, you will no longer be able to configure the router using the SDM until you reactivate it.
You may want to temporarily remove the OUTSIDE-IN and OUTSIDE-OUT ACLs from your Dialer0 interface and try accessing the internal web just to be sure that they are not the cause of the problem. There does not seem to be any problem with these ACLs, though, so I doubt removing them will help, but let's leave no stone unturned.
The NAT configuration appears to be OK to me. Is it possible that it is your ISP who actually filters out the web traffic coming onto the IP address x.x.x.x from the outside? I would not be surprised if the ISP actually dropped all TCP SYN packets destined for customers. You may want to talk to him and make sure that he is not filtering any traffic going towards you.
Best regards,
Peter
01-19-2010 06:09 AM
Peter,
Thanks for the assistance. I did what you recommended but no luck so far. I can't be far away though:
I am getting this when I do a show ip nat translations:
tcp x.x.x.x 80.x.x.x:80 217.33.137.49:7639 217.33.137.49:7639
tcp x.x.x.x:80 x.x.x.x:80 217.33.137.49:7640 217.33.137.49:7640
tcp x.x.x.x:80 x.x.x.x:80 217.33.137.49:7644 217.33.137.49:7644
Any ideas?
One of my colleagues thinks I don't have the IP NAT quite right.
Regards
Kevin
01-16-2010 03:48 AM
Hi Kevin,
For hardening of Cisco devices, check out the link below with Cisco's recommendations for hardening devices.
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080120f48.shtml
And as you said you are not able to hit the web page, can you do a simple test from the internet: just telnet to port 80 of the public IP of the IIS server. Is it working or not?
If not, then the ACL needs to be checked for successful communication on port 80.
HTH
Regards
Ganesh.H
01-19-2010 08:02 AM
Hello Kevin,
The show ip nat translation output you have posted here has raised my suspicion: notice that it tells you that neither the source nor the destination addresses in the packets flowing through your router are being translated. The columns inside local and inside global contain the same IP address, and the columns outside local and outside global also contain the same address. According to the configuration you have posted in your original post, that should not take place at all.
Can you download the most recent configuration of your router, remove the sensitive information and post it here again?
One of my colleagues thinks i dont have the IP nat quite right.
I may have overlooked something in your original configuration but I have gone over it and so far, I cannot find anything wrong with your NAT configuration. Was your colleague perhaps more specific about what he/she didn't like about it?
Best regards,
Peter
01-19-2010 09:14 AM
Peter,
He thinks this line isn't forwarding the traffic from the outside Dialer0 address to the inside 192.168.2.100 (web server address) but he doesn't know how to correct it.
ip nat inside source static tcp 192.168.2.100 80 x.x.x.x 80 extendable
Any advice is welcome - I know this is not easy.
Regards
Kevin
01-19-2010 09:53 AM
Kevin,
This does not make any sense to me. Assuming that the address x.x.x.x in your configuration is not from the 192.168.2.0/24 network, I do not see any reason why your NAT table should contain the entries you have posted earlier.
Can you please run the command clear ip nat translation * followed immediately by the show ip nat translation command, capture the entire output and post it here? Please note that the clear command will cause intermittent connection failures for internal workstations that have some open sessions with the outside world.
Also can you post the exact version of the device and IOS you are running? The show version would be fine.
Sorry for pulling more and more information from you but so far the configuration appears OK to me.
Best regards,
Peter
01-20-2010 06:51 AM
Peter
Here are the details you were looking for:
rtrWestlDSL01#clear ip nat translation *
rtrWestlDSL01#show ip nat translation
Pro Inside global Inside local Outside local Outside global
tcp x.x.x.x:80 x.x.x.x:80 --- ---
udp x.x.x.x:137 192.168.2.31:137 10.218.130.4:137 10.218.130.4:137
udp x.x.x.x:137 192.168.2.31:137 10.224.2.6:137 10.224.2.6:137
tcp x.x.x.x:1195 192.168.2.31:1195 91.121.91.172:8905 91.121.91.172:8905
tcp x.x.x.x:80 192.168.2.100:80 --- ---
tcp x.x.x.x:443 192.168.2.100:443 --- ---
rtrWestlDSL01#sh version
Cisco IOS Software, C180X Software (C180X-BROADBAND-M), Version 12.4(6)T7, RELEASE SOFTWARE (fc5)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2007 by Cisco Systems, Inc.
Compiled Thu 29-Mar-07 02:43 by khuie
ROM: System Bootstrap, Version 12.3(8r)YH8, RELEASE SOFTWARE (fc2)
rtrWestlDSL01 uptime is 6 weeks, 1 hour, 23 minutes
System returned to ROM by power-on
System image file is "flash:c180x-broadband-mz.124-6.T7.bin"
Cisco 1801 (MPC8500) processor (revision 0x400) with 118784K/12288K bytes of memory.
Processor board ID FCZ112120F4, with hardware revision 0000
9 FastEthernet interfaces
1 ISDN Basic Rate interface
1 ATM interface
31360K bytes of ATA CompactFlash (Read/Write)
Configuration register is 0x2102
Regards
Kevin
01-20-2010 09:42 AM
Kevin,
Look at these three entries extracted from your show ip nat tran output:
Pro Inside global Inside local Outside local Outside global
tcp x.x.x.x:80 x.x.x.x:80 --- ---
tcp x.x.x.x:80 192.168.2.100:80 --- ---
tcp x.x.x.x:443 192.168.2.100:443 --- ---
The second and third entry are correct and they correspond to the ip nat inside source static lines in your configuration. However, the first entry - assuming that you have not made any mistake when replacing the real IP addresses with x.x.x.x - is incorrect as there is no corresponding command in your running configuration for such a line to be present in the NAT table, and besides that, it tells your router that there should be basically no translation of the address x.x.x.x at all.
I have noticed that the router has been running for over 6 weeks and that it runs quite an outdated IOS version. My first suggestion is to try to reload the router (remember to save the configuration beforehand). The second suggestion is to try to upgrade to a newer IOS, as this line suggests that there is probably something fishy going on inside the IOS version you're using.
Can you afford reloading the router? The connectivity will be broken for some 5 minutes, as these routers boot slowly and the DSL line training takes a minute or so, but I very much recommend trying that.
Best regards,
Peter
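The two checks Peter applies to the show ip nat translation output in this reply and in his 01-19 08:02 post (an entry whose inside global and inside local address are identical means nothing is being translated; the static lines should match the ip nat inside source static commands) can be automated. The script below is an added example written for this thread, not code from the original posts or from Cisco; it parses a constructed listing modelled on the one Kevin posted, with the documentation address 203.0.113.5 standing in for the masked public Dialer0 address, and also reports any static forward that publishes a port beyond the intended allow-list, which is the original question of exposing only the web server.

```python
"""Audit a Cisco IOS "show ip nat translation" listing: flag entries where the
router is not translating at all, confirm the expected static port forwards are
present, and report forwards that expose something outside the allow-list."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample modelled on the output posted in the thread.  203.0.113.5
# is a documentation address standing in for the router's real public Dialer0
# address (masked as x.x.x.x in the post); the private addresses are the thread's.
SAMPLE_OUTPUT = """\
rtrWestlDSL01#show ip nat translation
Pro Inside global      Inside local       Outside local      Outside global
tcp 203.0.113.5:80     203.0.113.5:80     ---                ---
udp 203.0.113.5:137    192.168.2.31:137   10.218.130.4:137   10.218.130.4:137
tcp 203.0.113.5:1195   192.168.2.31:1195  91.121.91.172:8905 91.121.91.172:8905
tcp 203.0.113.5:80     192.168.2.100:80   ---                ---
tcp 203.0.113.5:443    192.168.2.100:443  ---                ---
"""


@dataclass
class NatEntry:
    proto: str
    inside_global: str
    inside_local: str
    outside_local: Optional[str]    # None where IOS prints "---"
    outside_global: Optional[str]


def parse_nat_table(text: str) -> List[NatEntry]:
    """Parse the five-column listing; prompt, header and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[0] not in ("tcp", "udp", "icmp"):
            continue
        proto, ig, il, ol, og = fields
        entries.append(NatEntry(proto, ig, il,
                                None if ol == "---" else ol,
                                None if og == "---" else og))
    return entries


def classify(e: NatEntry) -> str:
    """'untranslated': inside global equals inside local, so the router rewrites
    nothing (the entry Peter flagged).  'static': a configured ip nat inside
    source static mapping with no outside peer yet.  'dynamic': a translation
    created by live traffic."""
    if e.inside_global == e.inside_local:
        return "untranslated"
    if e.outside_local is None and e.outside_global is None:
        return "static"
    return "dynamic"


Forward = Tuple[str, str, int]   # (protocol, inside local address, port)


def audit(entries: List[NatEntry], allowed: List[Forward]) -> List[str]:
    """Findings, in a stable order: untranslated entries first, then forwards
    missing from the table, then static forwards not on the allow-list."""
    findings = []
    for e in entries:
        if classify(e) == "untranslated":
            findings.append(f"untranslated: {e.proto} {e.inside_global} -> {e.inside_local}")
    statics = {(e.proto, e.inside_local) for e in entries if classify(e) == "static"}
    wanted = {(p, f"{addr}:{port}") for p, addr, port in allowed}
    for p, il in sorted(wanted - statics):
        findings.append(f"missing static forward: {p} {il}")
    for p, il in sorted(statics - wanted):
        findings.append(f"unexpected static forward (exposed): {p} {il}")
    return findings


if __name__ == "__main__":
    # Only TCP/80 to the web server is meant to be published.
    for finding in audit(parse_nat_table(SAMPLE_OUTPUT), [("tcp", "192.168.2.100", 80)]):
        print(finding)
```

Run against the constructed sample with only TCP/80 allowed, the audit reports the untranslated 203.0.113.5:80 entry and the 443 forward that the thread's configuration also publishes; feed it the real output of show ip nat translation (paste it into SAMPLE_OUTPUT or read it from a file) and adjust the allow-list to what the router is supposed to expose.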
01-20-2010 11:33 AM
Peter,
rtrWestlDSL01# sh ip nat translations
Pro Inside global Inside local Outside local Outside global
udp xx.xxx.xxx.x:2 192.168.2.39:137 10.218.130.4:137 10.218.130.4:137
udp xx.xxx.xxx.x:1 192.168.2.39:137 10.224.2.6:137 10.224.2.6:137
udp xx.xxx.xxx.x:1236 192.168.2.39:1236 10.224.0.42:161 10.224.0.42:161
udp xx.xxx.xxx.x:2694 192.168.2.39:2694 10.218.130.1:389 10.218.130.1:389
udp xx.xxx.xxx.x:2695 192.168.2.39:2695 10.218.130.1:389 10.218.130.1:389
tcp xx.xxx.xxx.x:2696 192.168.2.39:2696 10.224.2.159:8192 10.224.2.159:8192
tcp xx.xxx.xxx.x:80 192.168.2.100:80 --- ---
udp xx.xxx.xxx.x:137 192.168.2.100:137 10.218.130.4:137 10.218.130.4:137
udp xx.xxx.xxx.x:137 192.168.2.100:137 10.224.2.6:137 10.224.2.6:137
udp xx.xxx.xxx.x:137 192.168.2.100:137 192.168.3.255:137 192.168.3.255:137
tcp xx.xxx.xxx.x:443 192.168.2.100:443 --- ---
udp xx.xxx.xxx.x:64164 192.168.2.100:64164 194.74.65.69:53 194.74.65.69:53
This is my laptop on the wireless connection: 192.168.2.39
I have reloaded and uploaded a new config just to make sure everything is OK. I have attached a few screenshots as well.
I can hit the webpage via the internal IP address 192.168.2.100 but not by DNS, i.e. www.captrax2.niwater.com.
Does the server PC that runs the website need to be on a domain, because it's only a workgroup at the moment? I tried joining it to the IP domain name golf-domain but it wouldn't take it.
Regards,
Kevin
01-20-2010 01:33 PM
Kevin,
When I clicked on the hyperlink www.captrax2.niwater.com in my browser, it displayed a page saying "Under construction" and the webserver serving this page is MS IIS. If that is your internal webserver then I just connected to it successfully. Perhaps there are some issues with connecting to the public IP address of your webserver from within your internal network. In your network, if you want to access the webserver you need to use the internal IP address 192.168.2.100. Accessing the public IP address will not work in your case - the public IP address is owned by your router and you would be talking to your router instead of your webserver.
Does the server pc that runs the website need to be on a domain because its only a workgroup at the moment.
I don't think so. The webserver should not be bound to the domain in any particular sense (except perhaps for authentication purposes). But I have only very little experience with Microsoft server products so this is only my personal opinion. In any case, it seems that I am actually talking to your webserver (check its logs if you find that it has been accessed at around 21:32 GMT on January 20th from 158.193.138.40).
I hope we are getting closer to having this solved once and for all.
Best regards,
Peter
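Ganesh's suggestion to telnet to port 80 from the internet and Peter's observation that the Server header identified the responder as MS IIS can be combined into one outside-in check. The script below is an added example for this thread, not code from the original posts or from Cisco or Microsoft: it connects to the published address on port 80, sends a HEAD request and classifies who answered, so that a port that is reachable but served by the router's own HTTP server (the ambiguity Peter raised in his first reply) is distinguished from the forwarded IIS site. The Server-header strings it matches ("Microsoft-IIS/…" for IIS, "cisco-IOS" for the IOS HTTP server) are assumptions, and the two sample responses are constructed so the classifier can be exercised offline. As the thread found, the probe must run from outside the LAN: from inside, the public address is the router itself.

```python
"""Outside-in check for a published web server: connect to the public address
on port 80 (the thread's telnet test), send HEAD /, and use the Server header to
tell whether IIS behind the port forward or the router's own HTTP server answered."""
import socket
from typing import Optional


def fetch_head(host: str, port: int = 80, timeout: float = 5.0) -> Optional[bytes]:
    """Return the raw response to HEAD /, or None if the port does not answer
    (refused, filtered by the ISP or by an ACL, or no route)."""
    request = b"HEAD / HTTP/1.0\r\nHost: " + host.encode("ascii") + b"\r\n\r\n"
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(request)
            chunks = []
            while True:
                data = sock.recv(4096)
                if not data:
                    break
                chunks.append(data)
        return b"".join(chunks)
    except OSError:
        return None


def server_header(response: bytes) -> Optional[str]:
    """Extract the Server header value from a raw HTTP response (None if absent)."""
    head = response.split(b"\r\n\r\n", 1)[0].decode("latin-1", "replace")
    for line in head.split("\r\n")[1:]:        # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() == "server":
            return value.strip()
    return None


def who_answered(response: Optional[bytes]) -> str:
    """Classify the responder.  The matched strings are assumptions about how
    IIS ("Microsoft-IIS/x.y") and the IOS HTTP server ("cisco-IOS") announce
    themselves; anything else is reported as 'other' or 'unknown'."""
    if response is None:
        return "no answer"
    srv = server_header(response)
    if srv is None:
        return "unknown"
    if srv.lower().startswith("microsoft-iis"):
        return "iis"
    if "cisco" in srv.lower():
        return "router"
    return "other"


# Constructed sample responses for offline use (not captured from the thread's router).
IIS_RESPONSE = (b"HTTP/1.1 200 OK\r\n"
                b"Server: Microsoft-IIS/6.0\r\n"
                b"Content-Length: 0\r\n\r\n")
IOS_RESPONSE = (b"HTTP/1.1 401 Unauthorized\r\n"
                b"Server: cisco-IOS\r\n"
                b"WWW-Authenticate: Basic realm=\"router\"\r\n\r\n")


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        # Usage: python probe.py <public address or hostname>, run from outside the LAN.
        print(sys.argv[1], "->", who_answered(fetch_head(sys.argv[1])))
    else:
        print("IIS sample ->", who_answered(IIS_RESPONSE))
        print("IOS sample ->", who_answered(IOS_RESPONSE))
```

A result of "router" means the forward is not taking effect and the router's HTTP server is still enabled on the public interface; "no answer" points at the ACL, the NAT entry or upstream filtering, the three causes the thread works through.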
01-20-2010 02:24 PM
Peter
You have got this spot on. I am very happy to see the IIS server web page displayed, as I can see the web page from my home broadband, so you are correct in saying that it might have been working with your last few pieces of advice but I didn't realise it because I was just trying to hit the page from a wireless connection in the same LAN. But I can correctly see the webpage from my home broadband. This is the correct webpage - it was only a test one but it is the correct page.
This has been a good learning curve for me and I really do appreciate the help. Thanks for putting in some of your time.
Regards,
Kevin
01-20-2010 03:37 PM
Kevin,
It has been a pleasure to assist you. I believe, though, that the reload was still necessary - that one NAT translation entry was lurking inside the NAT table and possibly wreaking havoc with the translations. At your convenience, consider upgrading your IOS if possible. Your router seems to have 128MB RAM and 32MB FLASH. The latest IOS that still fits within these limits is the c180x-broadband-mz.124-22.T4.bin.
Once again, I am very glad that you got it working.
Best regards,
Peter