Solved: Port forwarding for the Web server for outside Internet (not working , help!!!!!!)

said.ritel · ‎01-25-2015

Hello

I am trying to learn something new here. We have web server inside our organization its IP address is 172.16.0.35. We want outside Internet users to access web server, How is it possible? Please have a look at the running configuration. Web server is working inside the organization but not at outside. Our Static Public IP is 197.255.232.15 it is assigned to Inetrface Gigabit ATM0.1 and ISP default GW is 197.255.232.1. Let me know whats next? How do I make web server inside the organization available for outside Internet users. Thank you.

Building configuration.
Current configuration : 1983 bytes
!
! Last configuration change at 17:57:15 UTC Sat Jan 24 2015
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname router_test
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
memory-size iomem 10
!
!
ip dhcp excluded-address 172.16.0.34
!
ip dhcp pool test
network 172.16.0.32 255.255.255.224
dns-server 197.255.224.18 197.255.224.66
default-router 172.16.0.34
lease 9
!
!
!
ip cef
no ipv6 cef
!
!
license udi pid CISCO887VA-K9 sn FGL1818236L
!
!
controller VDSL 0
!
!
!
interface Ethernet0
no ip address
shutdown
!
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
description ATM Routed Bridge Encapsulation (RBE) Internet
ip address 197.255.232.15 255.255.248.0
ip access-group netin in
ip access-group netout out
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly in
atm route-bridged ip
bridge-group 1
bridge-group 1 spanning-disabled
pvc 0/35
encapsulation aal5snap
protocol ip inarp
!
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface Vlan1
description Lan
ip address 172.16.0.34 255.255.255.224
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1454
!
interface Dialer1
no ip address
!
ip default-gateway 197.255.232.1
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip nat inside source list natlist interface ATM0.1 overload
ip nat inside source static tcp 172.16.0.35 443 197.255.232.15 443 extendable
ip route 0.0.0.0 0.0.0.0 ATM0.1 197.255.232.1
!
ip access-list extended natlist
permit ip 172.16.0.32 0.0.0.31 any
!
!
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
login
transport input all
!
!
end

http://pastie.org/9858814

Karsten Iwen · ‎01-25-2015

On your public interface you have ACLs "natin" and "natout". What is in these ACLs? They should allow the needed web-traffic.

View solution in original post

Karsten Iwen · ‎01-25-2015

On your public interface you have ACLs "natin" and "natout". What is in these ACLs? They should allow the needed web-traffic.

Karsten Iwen · ‎01-25-2015

When your connection is working in general, the next step is to configure the firewall-feature in IOS for extra security:

http://www.cisco.com/c/en/us/support/docs/security/ios-firewall/13814-32.html

http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_data_cbac_fw/configuration/15-mt/sec-data-cbac-fw-15-mt-book/config-cbac-fw.html

said.ritel · ‎01-28-2015

Hi Karsten Iwen

I deleted ( ip access-group netin in and ip access-group netout out) but it still does not work

my config :

Building configuration...

Current configuration : 2267 bytes
!
! Last configuration change at 15:43:06 UTC Wed Jan 28 2015
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname router
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
memory-size iomem 10
!
!
!
!
!
ip dhcp excluded-address 172.16.0.34
!
ip dhcp pool my
network 172.16.0.32 255.255.255.224
dns-server 197.255.224.18 197.255.224.66
default-router 172.16.0.34
lease 9
!
!
!
ip cef
no ipv6 cef
!
!
license udi pid CISCO887VA-K9 sn FGL1818236L
!
!

!
!
!
!
!
controller VDSL 0
!

!
!
!
!
!
!
!
!
!
interface Ethernet0
no ip address
shutdown
!
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
description ATM Routed Bridge Encapsulation (RBE) Internet
ip address 197.255.232.15 255.255.248.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
no ip virtual-reassembly in
atm route-bridged ip
pvc 0/35
encapsulation aal5snap
no protocol ip inarp
!
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface Vlan1
description
ip address 172.16.0.34 255.255.255.224
ip nat inside
no ip virtual-reassembly in
ip tcp adjust-mss 1414
!
interface Dialer1
no ip address
!
ip default-gateway 197.255.232.1
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip nat inside source list natlist interface ATM0.1 overload
ip nat inside source static tcp 172.16.0.35 443 197.255.232.15 443 extendable
ip route 0.0.0.0 0.0.0.0 ATM0.1 197.255.232.1
!
ip access-list extended natlist
permit ip 172.16.0.32 0.0.0.31 any
!
!
!
!
line con 0
no modem enable
line aux 0
line vty 0 4

!
!
end

Router#sh ip nat translations
Pro Inside global Inside local Outside local Outside global
tcp 197.255.232.15:5183 172.16.0.33:5183 212.95.74.5:80 212.95.74.5:80
tcp 197.255.232.15:5196 172.16.0.33:5196 212.95.74.5:80 212.95.74.5:80
tcp 197.255.232.15:5602 172.16.0.33:5602 174.129.246.27:80 174.129.246.27:80
tcp 197.255.232.15:5785 172.16.0.33:5785 31.13.93.3:443 31.13.93.3:443
tcp 197.255.232.15:443 172.16.0.35:443 --- ---