11-14-2011 06:11 PM
Hello,
This is not the first time I will configure over-the-internet access to a local server, but this particular one is giving me a major headache and I thought to share the config with anyone who can help point out where the problem may be. While my NAT translations seem to be working, when I attempt to browse the public IP, I am supposed to be routed to the local server, but this doesn't happen and I just get a blank page in my web browser. Please see config below:
J#sh run
Building configuration...
Current configuration : 5368 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname J
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$aNyD$j4lIgFXI84Xp9RR5dzwVk0
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
!
aaa session-id common
clock timezone PCTime 1
!
crypto pki trustpoint TP-self-signed-1366127775
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1366127775
revocation-check none
rsakeypair TP-self-signed-1366127775
!
!
crypto pki certificate chain TP-self-signed-1366127775
certificate self-signed 01
quit
dot11 syslog
no ip source-route
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.111 192.168.1.254
!
ip dhcp pool J
import all
network 192.168.1.0 255.255.255.0
default-router 192.168.1.254
domain-name linetrale.local
dns-server 192.168.1.254
!
!
no ip bootp server
ip domain name linetrale.local
!
!
!
crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set AES-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set 3DES-SHA-compression esp-3des esp-sha-hmac comp-lzs
crypto ipsec transform-set AES-SHA-compression esp-aes esp-sha-hmac comp-lzs
crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac
archive
log config
hidekeys
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
!
interface FastEthernet0
switchport access vlan 101
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
description WAN_FW_OUTSIDE$ETH-WAN$
ip address x.x.x.x 255.255.255.192
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1400
ip nat outside
ip virtual-reassembly
ip route-cache flow
ip tcp adjust-mss 1380
duplex auto
speed auto
!
interface Vlan1
no ip address
!
interface Vlan101
description LAN_FW_INSIDE
ip address 192.168.1.254 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip accounting output-packets
ip nat inside
ip virtual-reassembly
ip route-cache flow
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 y.y.y.y
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip dns server
ip nat inside source list 1 interface FastEthernet4 overload
ip nat inside source static tcp 192.168.1.243 80 x.x.x.x 80 extendable
! x.x.x.x is the public IP
access-list 1 remark INSIDE_IF=VLAN101
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.1.0 0.0.0.255
!
!
!
control-plane
!
!
line con 0
no modem enable
transport output telnet
speed 115200
line aux 0
modem InOut
transport output telnet
stopbits 1
speed 115200
flowcontrol hardware
line vty 0 4
privilege level 15
terminal-type moni
transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
!
webvpn context Default_context
ssl authenticate verify all
!
no inservice
!
end
Any help will be really appreciated.
Regards,
Femi
11-15-2011 11:10 AM
Hi,
From where are you browsing your public IP?
Is your SVI up/up?
Regards.
Alain.
11-15-2011 11:24 AM
Hi Alain,
Browsing the public IP from a remote location to the site, so it's over the internet.
Not sure I understand what you refer to as SVI, could this be the VLAN? If it is, then I can say it is up because I can ping the server which is on this VLAN from within the router when I log into it. Also, when I am within the LAN, I am able to browse to the local IP on the server.
I suspect some firewall or access list issue may be preventing something...
Regards,
Femi
11-16-2011 12:35 AM
Hi,
Your config looks good and you are surely on the right track. Can you post your topology, and was this your complete config? There were some IPSec snippets, but incomplete ones.
First thing: does your host receive the packets? Sniff the interface to see that.
Regards.
Alain
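As an added illustration (not code from the thread or from Cisco), this small Python checker parses the NAT-relevant lines of a config like the one posted above, looks up how an inbound packet to the public IP on port 80 would be translated by the static entry, and flags the consistency points Alain is asking about. The config excerpt is constructed from the thread, with 203.0.113.10 standing in for the poster's x.x.x.x, and the service-to-port mapping is an assumption.

```python
import ipaddress, re
# Constructed excerpt of the poster's config; 203.0.113.10/26 stands in for x.x.x.x.
CONFIG = """\
interface FastEthernet4
 ip address 203.0.113.10 255.255.255.192
 ip nat outside
interface Vlan101
 ip address 192.168.1.254 255.255.255.0
 ip nat inside
ip http server
ip nat inside source static tcp 192.168.1.243 80 203.0.113.10 80 extendable
"""
# Router-local listeners and their default ports (assumed mapping, not exhaustive).
ROUTER_SERVICES = {"ip http server": 80, "ip http secure-server": 443}
def parse_config(text):
    """Return interfaces {name: {net, role}}, static NAT rules and router listener ports."""
    ifaces, statics, listeners, cur = {}, [], set(), None
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("interface "):
            cur = s.split()[1]; ifaces[cur] = {"net": None, "role": None}
        elif cur and s.startswith("ip address "):
            ifaces[cur]["net"] = ipaddress.ip_interface("/".join(s.split()[2:4]))
        elif cur and s in ("ip nat inside", "ip nat outside"):
            ifaces[cur]["role"] = s.split()[-1]
        elif s in ROUTER_SERVICES:
            listeners.add(ROUTER_SERVICES[s])
        m = re.match(r"ip nat inside source static (tcp|udp) (\S+) (\d+) (\S+) (\d+)", s)
        if m:  # (proto, inside-local ip, port, inside-global ip, port)
            statics.append((m[1], m[2], int(m[3]), m[4], int(m[5])))
    return ifaces, statics, listeners
def translate_inbound(statics, proto, dst_ip, dst_port):
    # Inside-global -> inside-local lookup for a packet arriving on the outside interface.
    for p, lip, lport, gip, gport in statics:
        if (p, gip, gport) == (proto, dst_ip, dst_port):
            return lip, lport
    return None
def check(text):
    """Findings a reviewer would raise about the port-forward in this config."""
    ifaces, statics, listeners = parse_config(text)
    roles = {v["role"]: v["net"] for v in ifaces.values() if v["role"]}
    findings = [f"no interface marked 'ip nat {r}'" for r in ("inside", "outside") if r not in roles]
    for proto, lip, lport, gip, gport in statics:
        if "inside" in roles and ipaddress.ip_address(lip) not in roles["inside"].network:
            findings.append(f"{lip} is not on the inside interface subnet")
        if "outside" in roles and ipaddress.ip_address(gip) != roles["outside"].ip:
            findings.append(f"{gip} is not the outside interface address")
        if gport in listeners:
            findings.append(f"router itself listens on {proto}/{gport}; confirm it is not answering instead of {lip}")
    return findings
```

Run `check(CONFIG)` against your own `show run` output to see which of the three conditions, if any, the config fails before moving on to Alain's packet capture.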