I went back to domainless NAT again to see if it would work with the extendable added and still no luck.
no ip nat inside/outside
ip nat enable on all
ip nat source list 1 interface GigabitEthernet0/1 overload
no ip nat inside source list 1 interface GigabitEthernet0/1 overload
ip nat source static tcp 192.168.10.5 80 hidden 80 extendable
no ip nat inside source static tcp 192.168.10.5 80 hidden 80 extendable
So on and so on....
I tried that and still no luck. I read somewhere that this isn't possible on my router but I do not know how accurate that is. I have a Cisco 1921 IOS router. It is still asking to log in to the router through HTTP when I try accessing the webpage using the public IP address.
Right now in the local DNS (Windows server) I have an A record of www.ourdomain.com pointing to 192.168.10.5 and it works, but if I change that record to our public IP, or just try to type the public IP into the address bar, it will not load the website from the inside. When I type the public IP it asks me to log in to the router through HTTP. Everything loads with the website out of the building. Thanks for your assistance.
I was hoping for some guidance from someone who can offer any. I am trying to get users to access devices through NAT from the inside using the external interface. I have tried a domainless NAT configuration as well, but I am back to what I guess you'd call a more standard NAT as of now. I know DNS plays into this as well, so thank you for your help. The Windows domain is local.domain.com and the main local network is 192.168.10.0. Users get the primary DNS server through DHCP, which is 192.168.10.2, with 18.104.22.168 as secondary. We are hosting our public website on 192.168.10.5 and we can access the website from the outside fine, as I've updated the public DNS records to our ISP IP address, and from the inside as well as long as I point clients to the local IP address. There has to be a way to access the webpage from the inside using the outside IP, I would think. Also, concerning ACLs 110 and 111, would adding the statement [ permit ip 192.168.10.0 0.0.0.255 any ] when assigning them to GigabitEthernet0/1 in keep traffic flowing normally? Would I just need to add it to one or both ACLs? If there is anything else in the configuration that looks off, feel free to let me know. Thank you for your help.
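A quick way to tell which device is actually answering when the public IP is typed from inside (the web server on 192.168.10.5, or the router's own HTTP service) is to send a proper HEAD request to both addresses and compare the responders. The script below is an added example for that check; it is not part of the original thread or any Cisco tool. It assumes 192.168.10.5 is the inside web server (from the post), uses a TEST-NET placeholder for the masked WAN address, and treats a `Server: cisco-IOS` header or a 401 with `WWW-Authenticate` as the router answering (an assumed heuristic, not a guarantee). The two sample responses are constructed for offline use; the first reuses the Apache-Coyote headers seen later in the thread.

```python
import socket

# Constructed values: the inside web server from the post, and a placeholder
# (TEST-NET-3) standing in for the masked WAN IP. Substitute your real address.
INSIDE_SERVER = "192.168.10.5"
PUBLIC_IP = "203.0.113.10"

# Constructed sample response heads for offline use. The first mirrors the
# Apache-Coyote headers shown in the thread; the second is what an IOS HTTP
# server is assumed to return when it demands a login.
SAMPLE_WEB = (b"HTTP/1.1 400 Bad Request\r\nServer: Apache-Coyote/1.1\r\n"
              b"Transfer-Encoding: chunked\r\nDate: Thu, 03 Dec 2015 03:51:44 GMT\r\n"
              b"Connection: close\r\n\r\n")
SAMPLE_ROUTER = (b"HTTP/1.1 401 Unauthorized\r\nServer: cisco-IOS\r\n"
                 b"WWW-Authenticate: Basic realm=\"level_15_access\"\r\n\r\n")


def parse_http_head(raw: bytes) -> dict:
    """Return the status code and lower-cased headers from a raw HTTP response head."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1", "replace")
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    status = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else None
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            key, value = line.split(":", 1)
            headers[key.strip().lower()] = value.strip()
    return {"status": status, "headers": headers}


def classify_responder(parsed: dict) -> str:
    """Decide who answered: 'router', 'web-server' or 'unknown' (assumed heuristic)."""
    server = parsed["headers"].get("server", "").lower()
    www_auth = parsed["headers"].get("www-authenticate", "")
    if "cisco" in server or (parsed["status"] == 401 and www_auth):
        return "router"
    if server:
        return "web-server"
    return "unknown"


def verdict(raw: bytes) -> dict:
    """Parse a response head and attach the responder classification."""
    parsed = parse_http_head(raw)
    parsed["responder"] = classify_responder(parsed)
    return parsed


def probe(host: str, port: int = 80, timeout: float = 3.0) -> dict:
    """Connect, send a well-formed HEAD request, and return the parsed verdict."""
    request = f"HEAD / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode()
    raw = b""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        while b"\r\n\r\n" not in raw and len(raw) < 65536:
            chunk = sock.recv(4096)
            if not chunk:
                break
            raw += chunk
    return verdict(raw)


def hairpin_ok(direct: dict, via_public: dict) -> bool:
    """Hairpin NAT works when the public IP reaches the same web server as the inside address."""
    return (direct["responder"] == "web-server"
            and via_public["responder"] == "web-server"
            and direct["headers"].get("server") == via_public["headers"].get("server"))


if __name__ == "__main__":
    # Run from a host on 192.168.10.0/24; each probe is reported separately so a
    # timeout on one address does not hide the other result.
    results = {}
    for label, host in (("direct", INSIDE_SERVER), ("via_public", PUBLIC_IP)):
        try:
            results[label] = probe(host)
            print(f"{label:10s} {host:15s} status={results[label]['status']} "
                  f"responder={results[label]['responder']}")
        except OSError as exc:
            print(f"{label:10s} {host:15s} no answer ({exc})")
    if len(results) == 2:
        print("hairpin OK" if hairpin_ok(results["direct"], results["via_public"])
              else "hairpin NOT working: the public IP reaches a different responder")
```

The telnet test shown later in the thread produced a 400 because the escape key was typed into the session; sending a complete HEAD request instead gives a clean status line and `Server` header to compare, which is what distinguishes the router's login prompt from the web server.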
Masoud, thank you for the help. You were right, the configuration was correct. The error was trying to access it from the inside. The configuration is working from the outside. I am working on a domainless NAT now to access the internal server from inside by using the external IP.
Thanks for all your help.
Here is the output:
Router#telnet 192.168.10.5 80
Trying 192.168.10.5, 80 ... Open
^[
HTTP/1.1 400 Bad Request
Server: Apache-Coyote/1.1
Transfer-Encoding: chunked
Date: Thu, 03 Dec 2015 03:51:44 GMT
Connection: close

[Connection to 192.168.10.5 closed by foreign host]
Router#telnet 192.168.10.5 80 /source-interface GigabitEthernet0/1
Trying 192.168.10.5, 80 ... Open

[Connection to 192.168.10.5 closed by foreign host]
I will let you know that the forwarding is currently working with a Cisco Small Business RV 325 router.
I am also having an issue with port forwarding if you could take a look. I believe it is also an ACL issue.
Here is the config:
Router#show run
Building configuration...

Current configuration : 6886 bytes
!
! Last configuration change at 14:38:49 PCTime Wed Dec 2 2015 by cisco
! NVRAM config last updated at 14:38:50 PCTime Wed Dec 2 2015 by cisco
!
version 15.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
aaa new-model
!
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_1 local
!
aaa session-id common
clock timezone PCTime -6 0
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
!
ip domain name ******.com
ip name-server ***.***.***.***
ip name-server ***.***.***.***
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
cts logging verbose
!
crypto pki trustpoint TP-self-signed-3583770892
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3583770892
 revocation-check none
 rsakeypair TP-self-signed-3583770892
!
crypto pki certificate chain TP-self-signed-3583770892
 certificate self-signed 01
  3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 33353833 37373038 3932301E 170D3135 31303330 31373539
  35365A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 35383337
  37303839 3230819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100C946 A6CADF74 6C741A1C 34359B1A FCDF1ABB 603C687D 2932FFD8 E8F734AD
  AD39CD93 9D3ECAAF 6655AC48 78610B0D 54D65806 1059671A F65A968F 45D2CC1A
  A4DA7FFE 70EA36AD 025402AA 68C1A223 579F440F 25A1B5C3 47E5594A 531C717F
  98D82D31 89AEA45D C713E636 C25016C1 0FAAA7B8 64AFCB1D CA3809C9 F09B17DB
  C3690203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603
  551D2304 18301680 1424A539 06C4E3E7 00EA8E14 320BD278 2B383B04 38301D06
  03551D0E 04160414 24A53906 C4E3E700 EA8E1432 0BD2782B 383B0438 300D0609
  2A864886 F70D0101 05050003 81810021 DE30CBDE 312E40C3 D8593040 7CE8CF57
  E0099256 5F13D7A5 A4072A5F 2AC75448 D25E8CC4 F904CC9A CCC5E19E EE35A6A3
  06D17838 ED96EDB9 9991451D 2734B7B5 D5029C1C DA1CE601 F0B90FA2 23BC92F8
  7CB674EF D4588840 8F3864BB 04C247B9 B97724B2 2DF7170E 2C82C272 B28D5D0D
  541E338A B7B739A7 05C52AB0 7553B0
  	quit
license udi pid CISCO1921/K9 sn FJC1944E4QY
!
username cisco privilege 15 secret 5 $1$qrmr$bu2q8oj3CMV6EKtVwwzB50
username ***** secret 5 $1$KMoY$P332dtVBLLO9k3a/PPkNo/
!
redundancy
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group ******
 key *******
 dns ***.***.***.***
 domain ******.com
 pool SDM_POOL_1
 acl 100
 max-users 50
 netmask 255.255.255.0
crypto isakmp profile ciscocp-ike-profile-1
   match identity group ******
   client authentication list ciscocp_vpn_xauth_ml_1
   isakmp authorization list ciscocp_vpn_group_ml_1
   client configuration address respond
   virtual-template 1
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
 mode tunnel
!
crypto ipsec profile CiscoCP_Profile1
 set security-association idle-time 900
 set transform-set ESP-3DES-SHA
 set isakmp-profile ciscocp-ike-profile-1
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 no ip address
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface GigabitEthernet0/0.10
 encapsulation dot1Q 1 native
 ip address 192.168.10.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface GigabitEthernet0/0.20
 encapsulation dot1Q 20
 ip address 192.168.20.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface GigabitEthernet0/0.30
 encapsulation dot1Q 30
 ip address 192.168.30.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface GigabitEthernet0/1
 description WAN$ETH-WAN$
 ip address ***.***.***.*** 255.255.255.224
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface Virtual-Template1 type tunnel
 ip unnumbered GigabitEthernet0/1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile CiscoCP_Profile1
!
ip local pool SDM_POOL_1 172.16.100.101 172.16.100.150
ip forward-protocol nd
!
no ip http server
ip http access-class 10
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list 10 interface GigabitEthernet0/1 overload
ip nat inside source list 20 interface GigabitEthernet0/1 overload
ip nat inside source list 30 interface GigabitEthernet0/1 overload
ip nat inside source list 110 interface GigabitEthernet0/1 overload
ip nat inside source static tcp 192.168.10.5 80 (WAN IP) 80 extendable
ip nat inside source static tcp 192.168.10.5 443 (WAN IP) 443 extendable
ip nat inside source static tcp 192.168.10.5 8080 (WAN IP) 8080 extendable
ip nat inside source static tcp 192.168.10.7 9675 (WAN IP) 9675 extendable
ip route 0.0.0.0 0.0.0.0 (WAN GATEWAY IP)
ip route 192.168.20.0 255.255.255.0 (WAN GATEWAY IP)
ip route 192.168.30.0 255.255.255.0 (WAN GATEWAY IP)
!
access-list 10 remark CCP_ACL Category=18
access-list 10 permit 192.168.10.0 0.0.0.255
access-list 20 permit 192.168.20.0 0.0.0.255
access-list 30 permit 192.168.30.0 0.0.0.255
access-list 110 permit tcp any host (WAN IP) eq www
access-list 110 permit tcp any host (WAN IP) eq 8080
access-list 110 permit tcp any host (WAN IP) eq 443
access-list 110 permit ip any any
access-list 110 permit ip 192.168.10.0 0.0.0.255 any
!
control-plane
!
banner exec ^C
% Password expiration warning.
-----------------------------------------------------------------------

Cisco Configuration Professional (Cisco CP) is installed on this device
and it provides the default username "cisco" for one-time use. If you have
already used the username "cisco" to login to the router and your IOS image
supports the "one-time" user option, then this username has already expired.
You will not be able to login to the router with this username after you exit
this session.

It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.

username <myuser> privilege 15 secret 0 <mypassword>

Replace <myuser> and <mypassword> with the username and password you want to
use.

-----------------------------------------------------------------------
^C
!
line con 0
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 transport input telnet ssh
line vty 5 15
 transport input telnet ssh
!
scheduler allocate 20000 1000
!
end