SR520-FE-K9 initial setup blocks HTTP

ssjindy12345
Level 1

OK, I'm no expert at this.  I used to run a PIX firewall years ago and never had any trouble with NAT.

I have a fresh SR520 that I only did two things to, using CCA 3.2(1):

1. Assigned the address of FA4 to be 1.23.456.90 with a mask of 255.255.255.252

2. Declared a static NAT of 1.23.456.90 port 80 to 192.168.75.12 port 80

I connected laptops to two ports:

1. FA0 (DHCP assigned laptop the address 192.168.75.12)

2. FA4 with the address on the laptop set to 1.23.456.90 and mask of 255.255.255.252

This is an exercise to simulate a cable internet configuration I will install the SR520 into.

I can ping and point my browser to 1.23.456.89 and access the web server running there on port 80 via the inside laptop.

I CANNOT point my browser to 1.23.456.90 from the outside laptop and make a connection.

Attached is the running configuration.

Can someone explain what I am doing wrong with NAT?  (I believe the problem lies therein as I did even try telling CCA to delete the firewall and I still could not connect to the inside web server).

I have a network monitor (Wireshark) on the inside and see nothing coming across.  I THINK I see successful NAT translations in the NAT logging (also in the attachment).

Thanks for any and all insight!

2 Replies

ssjindy12345
Level 1

BTW, the real IP address is obscured as you can probably tell, but the last octet is real:  .90 is my assigned IP and my next hop to their router is .89

I continue to experiment both with and without using the Configuration Assistant.  CCA seems to not like the firewall as defined by the SR520 in its default configuration.

Is it valid to connect laptops with the appropriate IP addresses to act as my ISP on the FastEthernet4 interface and one of the 4 VLAN75 switchports? 

My assumption is that CCA was designed for me, the person with basic conceptual knowledge of what I need, and CCA is going to figure out all the details so they work correctly.

I let CCA erase the default firewall configuration and substitute its own.  I defined the external IP address and left the inside as DHCP.  Then I defined a NAT for HTTP.

What I found was I could ping and HTTP outbound to the 'ISP' laptop but absolutely nothing goes the other way. 

Is there an example floating around out there to guide me with an actual working configuration?  I am fairly exasperated with the seemingly straightforward and simple CCA interface that only has a small number of variables to define the NAT arrangement I need, and yet it refuses to work.

I did turn on debug security-firewall detail and would see it declaring 'PASS' on my outside-to-inside HTTP requests but they simply go nowhere.  Why is that?  Shouldn't I expect CCA to have made configuration changes to allow access to the inside 'natted' web server on port 80?  The web server is indeed running and working and on port 80 -- just a standard vanilla Apache 2.2 web server setup.

The web server laptop is Windows 7 and I have the Windows Firewall with Advanced Security turned off so I know THAT's not interfering.

Oh, and the SR520-FE-K9 IOS version is 12.4(20)T6
