10-04-2006 08:34 AM
Hello,
I configured this router to use NAT overload so that any computer on the LAN gets access to the Internet.
I configured (I think) static routes to reach the LAN web server from outside, but there is no effect; I can't reach the server. Could you help, please:
********* cut **********
show config
Using 1842 out of 245752 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
no aaa new-model
!
resource policy
!
clock timezone Paris 1
clock summer-time Paris date Mar 30 2003 2:00 Oct 26 2003 3:00
!
!
ip cef
!
no ip domain lookup
ip name-server 194.x.x.100
ip name-server 194.x.x.101
!
!
crypto pki trustpoint TP-self-signed-1487781583
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1487781583
revocation-check none
rsakeypair TP-self-signed-1487781583
!
!
crypto pki certificate chain TP-self-signed-1487781583
certificate self-signed 01 nvram:IOS-Self-Sig#3301.cer
username MyUser privilege 15 password 0 MyPassword
!
!
!
!
interface FastEthernet0/0
description LAN Plainsa Cuenca$ETH-LAN$
ip address 192.168.0.2 255.255.255.0
ip nat inside
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface ATM0/0/0
no ip address
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0/0/0.2 point-to-point
ip address "My Public IP" 255.255.255.192
ip nat outside
no snmp trap link-status
pvc 8/32
encapsulation aal5snap
!
ip route 0.0.0.0 0.0.0.0 ATM0/0/0.2
!
ip http server
ip http authentication local
ip http secure-server
ip nat inside source list 1 interface ATM0/0/0.2 overload
ip nat inside source static tcp 192.168.0.3 21 interface ATM0/0/0.2 21
ip nat inside source static tcp 192.168.0.19 80 interface ATM0/0/0.2 81
ip nat inside source static tcp 192.168.0.3 3389 interface ATM0/0/0.2 3389
!
access-list 1 permit 192.168.0.0 0.0.0.255
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
privilege level 15
login local
transport input telnet ssh
!
scheduler allocate 20000 1000
!
end
******** end cut *******
This is the debug info of "debug ip nat detailed" (the address 217.x.x.217 is not the real address, I changed it in this letter only):
*Oct 4 17:29:20.631: NAT*: o: tcp (83.34.16.82, 12200) -> (217.217.217.217, 81) [53017]
*Oct 4 17:29:20.631: NAT*: o: tcp (83.34.16.82, 12200) -> (217.217.217.217, 81) [53017]
*Oct 4 17:29:20.631: NAT*: TCP s=12200, d=81->80
*Oct 4 17:29:20.631: NAT*: s=83.34.16.82, d=217.217.217.217->192.168.0.19 [53017]
*Oct 4 17:29:23.599: NAT*: o: tcp (83.34.16.82, 12200) -> (217.217.217.217, 81) [53020]
*Oct 4 17:29:23.599: NAT*: TCP s=12200, d=81->80
*Oct 4 17:29:23.603: NAT*: s=83.34.16.82, d=217.217.217.217->192.168.0.19 [53020]
*Oct 4 17:29:29.607: NAT*: o: tcp (83.34.16.82, 12200) -> (217.217.217.217, 81) [53022]
*Oct 4 17:29:29.607: NAT*: TCP s=12200, d=81->80
*Oct 4 17:29:29.607: NAT*: s=83.34.16.82, d=217.217.217.217->192.168.0.19 [53022]
*Oct 4 17:30:29.775: NAT: expiring 217.217.217.217 (192.168.0.19) tcp 81 (80)
Router#show ip nat translations
Pro Inside global Inside local Outside local Outside global
tcp 217.217.217.217:21 192.168.0.3:21 --- ---
tcp 217.217.217.217:3389 192.168.0.3:3389 --- ---
tcp 217.217.217.217:81 192.168.0.19:80 83.34.16.82:12202 83.34.16.82:12202
tcp 217.217.217.217:81 192.168.0.19:80 --- ---
Thank you in advance!
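A reading of the `debug ip nat detailed` output in the post above, as an added example that is not part of the original thread: the script counts, per outside client, the translated inbound packets (`o:` lines) and the packets coming back from the inside host (`i:` lines). The `198.51.100.7` flow is constructed for contrast, on the assumption that return traffic is logged as an `i:` line in the same format.

```python
import re
from collections import defaultdict

# Matches the per-packet lines: direction, protocol, source, destination, IP ID.
PKT = re.compile(r"NAT\*?: ([io]): (\w+) \(([\d.]+), (\d+)\) -> "
                 r"\(([\d.]+), (\d+)\) \[(\d+)\]")

# Lines for 83.34.16.82 are taken from the post; the 198.51.100.7 flow is
# constructed to show what an answered connection is assumed to look like.
SAMPLE = """\
*Oct 4 17:29:20.631: NAT*: o: tcp (83.34.16.82, 12200) -> (217.217.217.217, 81) [53017]
*Oct 4 17:29:20.631: NAT*: o: tcp (83.34.16.82, 12200) -> (217.217.217.217, 81) [53017]
*Oct 4 17:29:20.631: NAT*: TCP s=12200, d=81->80
*Oct 4 17:29:20.631: NAT*: s=83.34.16.82, d=217.217.217.217->192.168.0.19 [53017]
*Oct 4 17:29:23.599: NAT*: o: tcp (83.34.16.82, 12200) -> (217.217.217.217, 81) [53020]
*Oct 4 17:29:29.607: NAT*: o: tcp (83.34.16.82, 12200) -> (217.217.217.217, 81) [53022]
*Oct 4 17:31:00.000: NAT*: o: tcp (198.51.100.7, 40000) -> (217.217.217.217, 21) [100]
*Oct 4 17:31:00.004: NAT*: i: tcp (192.168.0.3, 21) -> (198.51.100.7, 40000) [200]
"""

def summarize(log):
    """Per outside client (proto, ip, port): distinct inbound packets and replies."""
    flows = defaultdict(lambda: {"inbound": set(), "replies": set()})
    for line in log.splitlines():
        m = PKT.search(line)
        if not m:
            continue  # rewrite-detail lines and expiry messages carry no direction
        direction, proto, src, sport, dst, dport, ip_id = m.groups()
        if direction == "o":   # outside -> inside: the client is the source
            flows[(proto, src, int(sport))]["inbound"].add(ip_id)
        else:                  # inside -> outside: the client is the destination
            flows[(proto, dst, int(dport))]["replies"].add(ip_id)
    # Sets de-duplicate packets logged twice (same IP ID, as with 53017).
    return {k: {d: len(ids) for d, ids in v.items()} for k, v in flows.items()}

def diagnose(log):
    """Flag flows that were translated inbound but never got a reply."""
    return {k: "no reply from inside host" if c["inbound"] and not c["replies"]
            else "answered" for k, c in summarize(log).items()}

if __name__ == "__main__":
    for flow, verdict in diagnose(SAMPLE).items():
        print(flow, verdict)
```

For the posted flow it reports three translated inbound packets and no reply. That directs attention to the path behind the router (the inside host's default gateway, a host firewall, the listening port) as well as to the NAT statement itself.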
10-04-2006 08:44 AM
Hi,
Your NAT statement:
ip nat inside source static tcp 192.168.0.19 80 interface ATM0/0/0.2 81
Why are you using port 81 instead of port 80 on the global IP (ATM0/0/0.2 81)?
Are you trying to reach the web server from outside using port 81,
for example x.x.x.x:81?
Or change your NAT statement to:
ip nat inside source static tcp 192.168.0.19 80 interface ATM0/0/0.2 80
HTH
Thanks,
Raj
10-04-2006 08:48 AM
Hi Raj,
Yes, I type X.X.X.X:81 in my web browser. I try X.X.X.X in my FTP software, but without reaching it.
But locally I get into the web server and FTP server without any problem.
Thank you.
10-04-2006 08:50 AM
Hi,
Can you post me your show ip route output?
Thanks
Raj
10-04-2006 08:56 AM
Yes, I can:
Router#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is 0.0.0.0 to network 0.0.0.0
217.217.217.0/26 is subnetted, 1 subnets
C 217.217.217.0 is directly connected, ATM0/0/0.2
C 192.168.0.0/24 is directly connected, FastEthernet0/0
S* 0.0.0.0/0 is directly connected, ATM0/0/0.2
My server is 192.168.0.3, but I installed a web server and FTP server on a PC with 192.168.0.19 to check if the possible problem is the server. But it is not, I think.
I have NAT from port 81 to 80 because I have switched on the HTTP server on the 2811, and if I type the public IP address it "opens" the router 2811.
Thanks
Kiril.
10-04-2006 09:06 AM
Hi,
I find all your config fine.
Try to change this statement:
ip nat inside source static tcp local ip 80 wan ip 81 extendable
For additional information check this site:
http://www.cisco.com/en/US/tech/tk175/tk15/technologies_configuration_example09186a008071a8d0.shtml
HTH
Thanks
Raj
10-04-2006 09:29 AM
Hi Raj,
When I enter it the router "says":
% similar static entry (192.168.0.19 -> 217.217.217.217) already exists
I deleted the "original" and entered yours:
ip nat inside source static tcp 192.168.0.3 80 217.217.217.217 81 extendable
There is a document that describes reaching the web server from outside; I think I did anything:
http://www.cisco.com/en/US/tech/tk175/tk15/technologies_configuration_example09186a0080093e51.shtml
Maybe I will delete the configuration and begin from 0.
Thank you
10-04-2006 09:41 AM
Hi,
That's a good idea to start from first.
Good luck
Thanks
Raj
10-04-2006 11:05 AM
Hi Raj,
No solution; with the configuration from the link you sent me the result is the same: can't connect "inside".
Thank You.
10-07-2006 07:07 PM
Hi,
Can you remove the static NAT config using the ATM0/0/0.2 interface and replace it with the static command to use the global IP instead as follows.
no ip nat inside source static tcp 192.168.0.19 80 interface ATM0/0/0.2 81
ip nat inside source static tcp 192.168.0.19 80 217.217.217.217 81 extendable
Let us know if this helps!!
HTH
Sundar
11-04-2006 07:11 AM
Hi,
I have a similar configuration. I have an internal web server that is reachable from the internet, but when an internal client tries to access this web server from the inside with its DNS name, the connection fails. In fact, NAT takes place for the connection from the inside client to the outside router interface, but then the static NAT from the outside back in to the web server does not work.
Any idea?
Regards,
Oliver
11-04-2006 07:39 AM
Hello,
I think that your inside connection doesn't have to go out and then in the Ethernet. Do you have a LAN DNS server? Check if an "A" register for the name of the web server is assigned.
If you don't have an internal DNS server, the problem could be the type of your IP DHCP about the WINS client (b-node, p-node, m-node, h-node; more detail: http://support.microsoft.com/kb/160177). If the type is only to search the DNS server without broadcasting, then the client will go out to the outside DNS server to resolve the IP address of your internal web server, and it will not find it.
Regards, Kiril.
11-06-2006 12:11 AM
Dear kirilkoltchakov,
You mentioned that you type x.x.x.x:81 in your web browser. Note that if your web server is running on port 81, then in the NAT statement we should have port 81 associated with the internal IP address (192.168.0.19 81):
ip nat inside source static tcp 192.168.0.19 81 interface ATM0/0/0.2 81
Leave it on the external interface 81 for now and try it: http://External.IP.Add:81
11-06-2006 12:54 AM
Hi wpharaon,
Yes, that is what I do, but I can't reach inside my LAN:
Thank you.
11-07-2006 05:10 PM
Hi,
Can you try like below:
ip nat inside source static tcp 192.168.0.19 80 217.217.217.217 81 route-map web_server_test
ip access-list extended web_server
permit ip host 192.168.0.19 any
route-map web_server_test permit 1
match ip address web_server
If it works, then same way setup for ftp and other ports.