877W "port forwarding" with dynamic IP address

May 27th, 2007

Hello all,

I have a Cisco 877W router that is connecting successfully to SBC DSL service. We can get out to the internet just fine, browse the web just fine (though I do have another question about DNS and what the clients "see" as their DNS server, see my other post for more info there...), but for some reason I can't seem to get it to forward traffic coming in on port 80 to my web server.

Please see the attached document for the current running config.

Now, I have tried numerous variations of

ip nat inside source static tcp 192.168.1.66 80 interface Dialer0 80

But even after doing this, if I type in my external IP address in a web browser, instead I get the login for getting in to the Cisco router!! So to get around this, instead I tried to change the port of the web server to something arbitrary like 88. I can get to it just fine locally, and then I run this on the router

ip nat inside source static tcp 192.168.1.66 88 interface Dialer0 88

But when I go to my public ip address port 88 in my web browser, no luck!

Anyone see what I'm doing wrong?

Paolo Bevilacqua Sun, 05/27/2007 - 18:36

Hi,

Once you disable ip http server you should be able to forward port 80. Not sure why the port 88 forward didn't work anyway.

joshgrisham Sun, 05/27/2007 - 18:44

Thanks for the note back! Unfortunately I tried this and it did not work also. However it is good to know I will need to turn this off to get it to work on 80 correctly!

Kind of off-topic, is there a way to change the router so it is listening for http on something other than port 80?

Back on topic now...

I think it might have something to do with either the Vlan, the BVI, and/or both? You'll have to excuse me for not being much of a Cisco person, but I think in this case isn't the VLAN acting as kind of a firewall? So I'm trying to forward the ports from my inside interface but my firewall is blocking because it doesn't have any forwarding set up maybe?

Paolo Bevilacqua Sun, 05/27/2007 - 18:55

Hi,

To change the port for the web server, configure "ip http port ..".

You have some firewall configured by the use of "ip inspect", and since you have NAT, that is implicitly blocking anything from outside that doesn't have a translation built already. BVI1 is not playing a special role in that.

Now the interesting thing is that you have

access-list 101 deny ip any any

in the ACL applied to dialer0, not sure if that was generated by SDM, but I don't think it should be there, unless for some reason NAT is already overriding it.
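
A small checker for the two conditions raised in the replies above (the router's own HTTP server sitting on a forwarded port, and the inbound ACL on the outside interface), added here as an example and not posted by anyone in the thread. The running-config is a constructed sample, the function names are hypothetical, and only `any any` ACL entries are evaluated.

```python
import re
# Constructed sample running-config (the poster's attachment is not on the page).
SAMPLE_CONFIG = """\
ip http server
interface Dialer0
 ip access-group 101 in
ip nat inside source static tcp 192.168.1.66 80 interface Dialer0 80
ip nat inside source static tcp 192.168.1.66 88 interface Dialer0 88
access-list 101 permit tcp any any eq www
access-list 101 deny ip any any
"""
NAT_RE = re.compile(r"ip nat inside source static tcp \S+ \d+ interface (\S+) (\d+)")
ACL_RE = re.compile(r"access-list (\d+) (permit|deny) (ip|tcp|udp) any(?: eq \S+)? any(?: eq (\S+))?$")

def inbound_acl(config, iface):
    """Number of the ACL applied inbound on iface, or None."""
    current = None
    for line in config.splitlines():
        if not line.startswith(" "):  # a top-level line opens or closes a block
            current = line.split()[1] if line.startswith("interface ") else None
        m = re.match(r" +ip access-group (\d+) in$", line)
        if m and current == iface:
            return m.group(1)
    return None

def acl_allows_tcp(config, acl_id, port):
    """First-match walk; only 'any any' entries are understood (a simplification)."""
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if m and m.group(1) == acl_id and m.group(3) != "udp":
            eq = m.group(4)  # IOS shows port 80 as "www" in ACL entries
            if eq is None or {"www": "80"}.get(eq, eq) == str(port):
                return m.group(2) == "permit"
    return False  # implicit deny that ends every ACL

def audit_forwards(config):
    """Map each forwarded outside port to reasons it may not reach the server."""
    lines = [l.strip() for l in config.splitlines()]
    http_on = "ip http server" in lines  # "no ip http server" does not match
    custom = [l.split()[-1] for l in lines if re.fullmatch(r"ip http port \d+", l)]
    http_port = int(custom[-1]) if custom else 80
    findings = {}
    for m in filter(None, map(NAT_RE.fullmatch, lines)):
        iface, port = m.group(1), int(m.group(2))
        notes = ["router HTTP server uses this port"] if http_on and port == http_port else []
        if (acl := inbound_acl(config, iface)) and not acl_allows_tcp(config, acl, port):
            notes.append(f"ACL {acl} inbound on {iface} denies tcp/{port}")
        findings[port] = notes
    return findings
```

An empty list for a port means neither condition was found for that forward; it says nothing about "ip inspect" or other features in the config.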

joshgrisham Mon, 05/28/2007 - 17:46

Thanks for your comments! We are getting closer...

The only thing now is, I can hit the web server using outside ip address or domain name just fine from outside of the network, but if I'm going at it from inside the network it doesn't work!

Soooo.. what I've done instead for the time being is set up direct routes using the ip host command.

But for some reason it's not working for some computers, but working just fine for others!

Anyone have thoughts why some clients wouldn't be getting all of the correct routing from the ip host command, while others get it just fine?

And for my sanity, maybe if someone can see something in the firewall or anything why you wouldn't be able to hit the domain name in a web browser from inside the network, but outside it works just fine ?? Also if you just type in the internal IP address of the web server from inside the network, well that works fine too! :P And again, setting ip host [domain] [port] [ip] works for only some clients but not others!

Paolo Bevilacqua Tue, 05/29/2007 - 06:59

Hi,

The thing is that because of DNS, the internal PCs may be trying to reach the servers using the public address, which obviously won't work.

If you absolutely need to reach servers by the same name inside and outside, there are certain DNS servers that can send back different replies based on who is asking for name resolution. I have not checked if the IOS one can do that anyway.

Posted May 27, 2007 at 6:18 PM