09-07-2008 11:18 AM - edited 03-06-2019 01:13 AM
Problem:
I am trying to set up my Cisco 1721 to route traffic from a WAN to two Ethernet interfaces, where one is a DMZ and the other is a trusted LAN with NAT. I am having trouble getting the correct configuration built that allows both the DMZ and the LAN to access the internet (HTTP).
Equipment:
I have a Cisco 1721 with an enterprise 12.4 IOS. In the router is one FastEthernet and two Ethernet ports.
Layout:
Eth0 - 10.1.1.1/24 DMZ
Eth1 - DHCP WAN
Fa0 - 192.168.1.1/24 LAN
My current configuration:
The configuration is stripped down. At the moment, I'm trying to get internet (HTTP) access to the DMZ. With this configuration, the LAN has HTTP access but the DMZ doesn't. However, the DMZ can ping out and you can see it in the NAT translation table. You can find the show command after the configuration.
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
ip inspect name SDM_LOW ntp
no ip ips deny-action ips-interface
!
!
interface Ethernet0
description DMZ
ip address 10.1.1.1 255.255.255.0
ip access-group 103 in
ip nat inside
ip inspect SDM_LOW out
ip virtual-reassembly
full-duplex
!
interface Ethernet1
description WAN$FW_OUTSIDE$
ip address dhcp
ip access-group 101 in
ip nat outside
ip inspect SDM_LOW out
ip virtual-reassembly
half-duplex
!
interface FastEthernet0
description Trusted
ip address 192.168.1.1 255.255.255.0
ip access-group 100 in
ip nat inside
ip inspect SDM_LOW out
ip virtual-reassembly
speed auto
!
ip classless
!
ip nat inside source list 1 interface Ethernet1 overload
!
access-list 1 remark NAT ACL
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit 10.1.1.0 0.0.0.255
access-list 100 permit ip any any
access-list 101 permit ip any any
access-list 103 permit ip any any
router(config-if)#do sh ip nat tra
Pro Inside global Inside local Outside local Outside global
icmp 208.xx.xx.xx:512 10.1.1.2:512 4.2.2.2:512 4.2.2.2:512
icmp 208.xx.xx.xx:1024 192.168.1.19:1024 205.171.3.65:1024 205.171.3.65:1024
Anyone have a suggestion on why I cannot access the web (HTTP) on the DMZ?
09-07-2008 01:48 PM
It does not look like you have a nat statement allowing access from the Internet to port 80 getting translated to a DMZ host.
You do allow DMZ to the Internet and you do allow Trusted to the Internet and those both do so via port address translation "PAT".
You need a static DMZ to Internet port 80 mapping.
Here is a Cisco document demonstrating it: http://www.cisco.com/en/US/tech/tk175/tk15/technologies_configuration_example09186a0080093e51.shtml
You only have to modify the
"ip nat inside source static tcp 192.168.0.5 80 interface Ethernet1 80"
line to change the 192.168.0.5 addresses to what is appropriate for your network.
09-07-2008 03:45 PM
rrowlandkumc:
Static NAT port mapping is my next step. My current step is figuring out why hosts in the trusted LAN have web access to the internet while ones in the DMZ don't.
As in, I'm on a workstation under each Ethernet interface trying to go to cnn.com.
09-07-2008 04:21 PM
If you put an Internet IP [ http://www.ibm.com == 129.42.56.216 ] into your browser, does that work? (Ruling out a DNS-related issue first, which could be routing.)
And also perhaps do a traceroute 129.... to see what happens then.
Try to go to Internet and do a "show ip nat trans ..." and you'll see the translations.
Here's a Cisco help page:
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080094c32.shtml
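The reply above suggests comparing translations from each segment in "show ip nat translations". The script below is an added example, not part of this thread or of any Cisco tool: it parses that five-column output, groups active translations by inside-local host, and reports for each configured segment (DMZ 10.1.1.0/24, LAN 192.168.1.0/24) whether the host has any TCP session to port 80 or only ICMP/UDP entries, which is the pattern the original poster describes. The sample table is constructed: the two icmp rows mirror the thread's output, the WAN address 203.0.113.10, the tcp/udp rows and the static "---" entry are made up for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed sample in the layout of `show ip nat translations`. The two icmp
# rows mirror the thread's table; the WAN address 203.0.113.10, the tcp/udp rows
# and the static entry (IOS prints "---" for its outside columns) are made up.
SAMPLE_NAT_TABLE = """\
Pro Inside global      Inside local        Outside local      Outside global
icmp 203.0.113.10:512   10.1.1.2:512        4.2.2.2:512        4.2.2.2:512
icmp 203.0.113.10:1024  192.168.1.19:1024   205.171.3.65:1024  205.171.3.65:1024
tcp  203.0.113.10:1025  192.168.1.19:1025   198.51.100.7:80    198.51.100.7:80
udp  203.0.113.10:53412 192.168.1.19:53412  4.2.2.2:53         4.2.2.2:53
tcp  203.0.113.10:80    10.1.1.2:80         ---                ---
"""


def split_endpoint(token):
    """Turn 'ip:port' into (ip, port); '---' means no endpoint (static entry).
    For icmp rows the 'port' field is really the ICMP identifier."""
    if token == "---":
        return None
    ip, _, port = token.rpartition(":")
    if not ip:  # bare address without a port (plain static translation)
        return (port, None)
    return (ip, int(port))


def parse_nat_table(text):
    """Parse the five-column output into a list of translation records."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0].lower() == "pro":
            continue  # header, blank or unrecognised line
        proto, ig, il, ol, og = parts
        entries.append({
            "proto": proto.lower(),
            "inside_global": split_endpoint(ig),
            "inside_local": split_endpoint(il),
            "outside_local": split_endpoint(ol),
            "outside_global": split_endpoint(og),
        })
    return entries


def flows_by_inside_host(entries):
    """Map each inside-local address to the set of (proto, remote port) it has open."""
    flows = defaultdict(set)
    for e in entries:
        il, og = e["inside_local"], e["outside_global"]
        if il is None or og is None:
            continue  # static mapping with no active session: nothing was reached
        flows[il[0]].add((e["proto"], og[1]))
    return dict(flows)


def http_reachability(entries, segments, port=80):
    """For each segment (name -> CIDR) list the hosts that have translations and
    whether any of them is a TCP session to the given remote port."""
    networks = {name: ipaddress.ip_network(cidr) for name, cidr in segments.items()}
    report = {name: {} for name in segments}
    for host, flows in flows_by_inside_host(entries).items():
        addr = ipaddress.ip_address(host)
        for name, net in networks.items():
            if addr in net:
                report[name][host] = {
                    "protocols": sorted({proto for proto, _ in flows}),
                    "http": ("tcp", port) in flows,
                }
    return report


if __name__ == "__main__":
    segs = {"DMZ": "10.1.1.0/24", "LAN": "192.168.1.0/24"}
    for seg, hosts in http_reachability(parse_nat_table(SAMPLE_NAT_TABLE), segs).items():
        for host, info in hosts.items():
            status = "HTTP translation present" if info["http"] else "no TCP/80 translation"
            print(f"{seg:4} {host:15} {','.join(info['protocols']):14} {status}")
```

Paste the real router output into SAMPLE_NAT_TABLE (or read it from a file) and browse to a site from a host on each segment first. A DMZ host that shows only icmp rows while a LAN host shows tcp rows to port 80 confirms the problem is upstream of NAT (DNS, routing or the inspection/ACL path), because the DMZ address is clearly being translated.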