Accessing a local server web service over the internet

femi.agboade
Level 1

Hello,

This is not the first time I will configure over-the-internet access to a local server, but this particular one is giving me a major headache and I thought to share the config with anyone who can help point out where the problem may be. While my NAT translations seem to be working, when I attempt to browse the public IP, I am supposed to be routed to the local server, but this doesn't happen and I just get a blank page on my web browser. Please see config below:

J#sh run
Building configuration...

Current configuration : 5368 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname J
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$aNyD$j4lIgFXI84Xp9RR5dzwVk0
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
!
aaa session-id common
clock timezone PCTime 1
!
crypto pki trustpoint TP-self-signed-1366127775
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1366127775
 revocation-check none
 rsakeypair TP-self-signed-1366127775
!
!
crypto pki certificate chain TP-self-signed-1366127775
 certificate self-signed 01


  quit
dot11 syslog
no ip source-route
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.111 192.168.1.254
!
ip dhcp pool J
   import all
   network 192.168.1.0 255.255.255.0
   default-router 192.168.1.254
   domain-name linetrale.local
   dns-server 192.168.1.254
!
!
no ip bootp server
ip domain name linetrale.local
!
!
!
crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set AES-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set 3DES-SHA-compression esp-3des esp-sha-hmac comp-lzs
crypto ipsec transform-set AES-SHA-compression esp-aes esp-sha-hmac comp-lzs
crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac
archive
 log config
  hidekeys
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
!
interface FastEthernet0
 switchport access vlan 101
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 description WAN_FW_OUTSIDE$ETH-WAN$
 ip address x.x.x.x 255.255.255.192
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1400
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1380
 duplex auto
 speed auto
!
interface Vlan1
 no ip address
!
interface Vlan101
 description LAN_FW_INSIDE
 ip address 192.168.1.254 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip accounting output-packets
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 y.y.y.y
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip dns server
ip nat inside source list 1 interface FastEthernet4 overload
ip nat inside source static tcp 192.168.1.243 80 x.x.x.x 80 extendable
! x.x.x.x is the public IP
access-list 1 remark INSIDE_IF=VLAN101
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.1.0 0.0.0.255
!
!
!
control-plane
!
!
line con 0
 no modem enable
 transport output telnet
 speed 115200
line aux 0
 modem InOut
 transport output telnet
 stopbits 1
 speed 115200
 flowcontrol hardware
line vty 0 4
 privilege level 15
 terminal-type moni
 transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
!
webvpn context Default_context
 ssl authenticate verify all
 !
 no inservice
!
end

Any help will be really appreciated.

Regards,

Femi
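As an added example (not from the thread or from Cisco), a small Python lint over a constructed excerpt of the config above: for each `ip nat inside source static tcp|udp` forward it checks that the inside-local host sits behind an interface marked `ip nat inside` and that the inside-global address belongs to the subnet of the `ip nat outside` interface. 203.0.113.10 is a TEST-NET-3 placeholder for the redacted x.x.x.x; the script only checks the config's internal consistency and does not replace the on-box checks the replies ask about.

```python
import ipaddress
import re

# Constructed excerpt of the config posted above, with one-space indented
# subcommands as 'show run' prints them; 203.0.113.10 stands in for x.x.x.x.
SAMPLE_CONFIG = """
interface FastEthernet4
 ip address 203.0.113.10 255.255.255.192
 ip nat outside
interface Vlan101
 ip address 192.168.1.254 255.255.255.0
 ip nat inside
ip nat inside source list 1 interface FastEthernet4 overload
ip nat inside source static tcp 192.168.1.243 80 203.0.113.10 80 extendable
access-list 1 permit 192.168.1.0 0.0.0.255
"""
STATIC_NAT = re.compile(r"^ip nat inside source static (tcp|udp) (\S+) (\d+) (\S+) (\d+)")

def parse_interfaces(config):
    """Map interface name -> {'network': IPv4Interface or None, 'nat': side or None}."""
    ifaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            ifaces[current] = {"network": None, "nat": None}
        elif current and line.startswith(" "):
            parts = line.split()
            if parts[:2] == ["ip", "address"] and len(parts) == 4:
                ifaces[current]["network"] = ipaddress.IPv4Interface(f"{parts[2]}/{parts[3]}")
            elif parts[:2] == ["ip", "nat"] and len(parts) == 3:
                ifaces[current]["nat"] = parts[2]
        else:
            current = None  # any unindented line ends the interface block
    return ifaces

def check_static_nat(config):
    """Lint every static TCP/UDP port forward; return a list of finding strings."""
    ifaces = parse_interfaces(config).values()
    subnets = {side: [i["network"].network for i in ifaces if i["nat"] == side and i["network"]]
               for side in ("inside", "outside")}
    findings = []
    for m in filter(None, map(STATIC_NAT.match, config.splitlines())):
        proto, local_ip, local_port, global_ip, global_port = m.groups()
        tag = f"{proto} {global_ip}:{global_port} -> {local_ip}:{local_port}"
        for side, ip in (("inside", local_ip), ("outside", global_ip)):
            if not any(ipaddress.IPv4Address(ip) in net for net in subnets[side]):
                findings.append(f"{tag}: {ip} is not on any 'ip nat {side}' interface subnet")
    return findings
```

Run `check_static_nat` on the full `show run` output; an empty list means the static forward is at least consistent with the NAT inside/outside interfaces, which is the part of the problem that can be judged from config alone.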

3 Replies

cadet alain
VIP Alumni

Hi,

From where are you browsing your public IP?

Is your SVI up/up?

Regards.

Alain.

Don't forget to rate helpful posts.

Hi Alain,

I am browsing the public IP from a remote location to the site, so it's over the internet.

Not sure I understand what you refer to as SVI, could this be the VLAN? If it is, then I can say it is up because I can ping the server which is on this VLAN from within the router when I log into it. Also, when I am within the LAN, I am able to browse to the local IP on the server.

I suspect some firewall or access list issue may be preventing something...

Regards,

Femi

Hi,

Your config looks good and you are surely on the right track. Can you post your topology? Also, was this your complete config? There were some IPsec snippets, but incomplete ones.

First thing: does your host receive the packets? Sniff the interface to see that.

Regards.

Alain

Don't forget to rate helpful posts.