I have set up a webpage written in IIS. The webpage allows contractors outside our corporate network to log in and fill in forms that I can process. I have a Cisco router sitting on the edge of our network. I want to secure this Cisco 1800 router so that it can only be used for accessing this particular web server page and nothing else. I want the Cisco router to be able to go out onto the internet - unrestricted. But from the outside world in - it can only hit this web server.
I have tried to set up the NAT on the router. I can successfully go out to the internet but can't hit the webpage coming back in. I have set up an access list but it is obviously not quite right. Could anyone take a look at the config and see if they spot anything obvious? Any advice is welcome.
I now have an A record configured to point mywebsite to xx.xxx.xxx.x, which is my Dialer0 address for the wireless Cisco router in my office. The website has an internal address of 192.168.2.100.
The PC I have the website running on is cabled into the wireless router on FastEthernet 0/2. I want to be able to hit this website mywebsite from the outside world. So if anyone can take a look at my config and advise what changes I need to make to be able to hit the site, it would be appreciated.
I have attached the config of the Cisco wireless router.
When I clicked on the hyperlink www.captrax2.niwater.com in my browser, it displayed a page saying "Under construction" and the webserver serving this page is MS IIS. If that is your internal webserver then I just connected to it successfully. Perhaps there are some issues with connecting to the public IP address of your webserver from within your internal network. In your network, if you want to access the webserver you need to use the internal IP address 192.168.2.100. Accessing the public IP address will not work in your case - the public IP address is owned by your router and you would be talking to your router instead of your webserver.
Does the server PC that runs the website need to be on a domain, because it's only a workgroup at the moment?
I don't think so. The webserver should not be bound to the domain in any particular sense (except perhaps for authentication purposes). But I have only very little experience with Microsoft server products so this is only my personal opinion. In any case, it seems that I am actually talking to your webserver (check its logs if you find that it has been accessed at around 21:32 GMT on January 20th from 184.108.40.206).
I hope we are getting closer to having this solved once and for all.
This does not make any sense to me. Assuming that the address x.x.x.x in your configuration is not from the 192.168.2.0/24 network, I do not see any reason why your NAT table should contain the entries you have posted earlier.
Can you please run the command clear ip nat translation * followed immediately by the show ip nat translation command, capture the entire output and post it here? Please note that the clear command will cause intermittent connection failures for internal workstations that have some open sessions with the outside world.
Also, can you post the exact version of the device and IOS you are running? The output of show version would be fine.
Sorry for pulling more and more information from you but so far the configuration appears OK to me.
For hardening of Cisco devices, check out the below link with recommendations from Cisco for hardening of devices.
And as you said you are not able to hit the web page, can you do a simple test from the internet: just telnet to port 80 of the public IP of the IIS server. Is it working or not?
If not, then the ACL needs to be checked for successful port communication on port 80.
A couple of comments.
You have the no ip classless command present in your configuration. While this command is inactive because you are running CEF, this command would activate classful routing, which is an old and nowadays unsuitable method of performing routing table lookup. Without going into too much detail, you certainly do not want that. Change the command to ip classless in your global configuration mode.
Next, you seem to be running the HTTP server on your router. In order to remove the ambiguity whether the incoming TCP connection to the IP address x.x.x.x:80 is destined for your router or for the internal IP address 192.168.2.100, I suggest deactivating it using no ip http server and no ip http secure-server in your global configuration. Note that after deactivating the HTTP server, you will no longer be able to configure the router using the SDM until you reactivate the HTTP server.
You may want to temporarily remove the OUTSIDE-IN and OUTSIDE-OUT ACLs from your Dialer0 interface and try accessing the internal web just to be sure that they are not the cause of the problem. There does not seem to be any problem with these ACLs, though, so I doubt removing them will help but let's leave no stone unturned.
The NAT configuration appears to be OK to me. Is it possible that it is your ISP who actually filters out the web traffic coming onto the IP address x.x.x.x from the outside? I would not be surprised if the ISP actually dropped all TCP SYN packets destined for customers. You may want to talk to them and make sure that they are not filtering any traffic going towards you.
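As an added example (not the poster's attached config and not from any reply above), here is what the pieces discussed in this thread look like together: a static TCP/80 forward on Dialer0 to 192.168.2.100, an OUTSIDE-IN ACL that exposes only that service while still letting the LAN's own outbound sessions return, plus the ip classless and no ip http server changes. Dialer0, FastEthernet0/2, 192.168.2.100 and the ACL name are taken from the thread; the inside subnet 192.168.2.0/24, access-list 1 and the overload PAT line are assumptions.

```cisco
! Added example, not the thread's configuration. Assumes Dialer0 is the PPPoE
! outside interface and the IIS host 192.168.2.100 is behind FastEthernet0/2
! (on an 1800 with switch ports, "ip nat inside" goes on the VLAN SVI instead).
ip classless
no ip http server
no ip http secure-server
!
! Static port forward: TCP/80 arriving on Dialer0's (dynamic) public address
! is translated to the IIS host. Only this one port is published.
ip nat inside source static tcp 192.168.2.100 80 interface Dialer0 80
!
! Outbound PAT for the LAN (assumed inside subnet 192.168.2.0/24).
access-list 1 permit 192.168.2.0 0.0.0.255
ip nat inside source list 1 interface Dialer0 overload
!
! Inbound ACL on the outside interface. An inbound ACL is evaluated before
! NAT untranslation, so the destination seen here is the public address,
! hence "any" rather than 192.168.2.100.
ip access-list extended OUTSIDE-IN
 remark the published web service is the only thing reachable from outside
 permit tcp any any eq www
 remark replies to sessions the LAN opened itself (stateless match)
 permit tcp any any established
 permit udp any eq domain any
 permit icmp any any echo-reply
 permit icmp any any unreachable
 permit icmp any any time-exceeded
 deny   ip any any log
!
interface Dialer0
 ip nat outside
 ip access-group OUTSIDE-IN in
!
interface FastEthernet0/2
 ip nat inside
```

After applying it, show access-lists should show the permit tcp any any eq www counter increasing on an outside connection attempt, and show ip nat translations should list the 192.168.2.100:80 entry; a web counter that stays at zero points to upstream filtering of the kind the last reply suspects. The established line is a stateless match; if the router's IOS image includes the firewall feature set, ip inspect on Dialer0 is the stateful replacement for the established, DNS and ICMP lines.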