IP to name mapping

Answered Question
Jan 15th, 2010

Hello,

I have set up a webpage in IIS. The webpage allows contractors outside our corporate network to log in and fill in forms that I can process. I have a Cisco router sitting on the edge of our network. I want to secure this Cisco 1800 router so that it can only be used for accessing this particular web server page and nothing else. I want the Cisco router to be able to go out onto the internet unrestricted. But from the outside world in, it can only hit this web server.

I have tried to set up the NAT on the router. I can successfully go out to the internet but can't hit the webpage coming back in. I have set up an access list but it is obviously not quite right. Could anyone take a look at the config and see if they spot anything obvious? Any advice is welcome.

I now have an A record configured to point mywebsite to xx.xxx.xxx.x, which is my Dialer0 address for the wireless Cisco router in my office. The website has an internal address of 192.168.2.100.

The PC I have the website running on is cabled into the wireless router on FastEthernet 0/2. I want to be able to hit this website, mywebsite, from the outside world. So if anyone can take a look at my config and advise what changes I need to make to be able to hit the site, it would be appreciated.

I have attached the config of the Cisco wireless router.

thanks

Kevin

Correct Answer
Peter Paluch Fri, 01/15/2010 - 15:20

Hi Kevin,

A couple of comments.

You have the no ip classless command present in your configuration. While this command is inactive because you are running CEF, this command would activate classful routing, which is an old and nowadays unsuitable method of performing routing table lookup. Without going into too much detail, you certainly do not want that. Change the command to ip classless in your global configuration mode.

Next, you seem to be running the HTTP server on your router. In order to remove the ambiguity whether the incoming TCP connection to the IP address x.x.x.x:80 is destined for your router or for the internal IP address 192.168.2.100, I suggest deactivating it using no ip http server and no ip http secure-server in your global configuration. Note that after deactivating the HTTP server, you will no longer be able to configure the router using the SDM until you reactivate the HTTP server again.

You may want to temporarily remove the OUTSIDE-IN and OUTSIDE-OUT ACLs from your Dialer0 interface and try accessing the internal web just to be sure that they are not the cause of the problem. There does not seem to be any problem with these ACLs, though, so I doubt removing them will help, but let's leave no stone unturned.

The NAT configuration appears to be OK to me. Is it possible that it is your ISP who actually filters out the web traffic coming onto the IP address x.x.x.x from the outside? I would not be surprised if the ISP actually dropped all TCP SYN packets destined for customers. You may want to talk to them and make sure that they are not filtering any traffic going towards you.


Best regards,

Peter

ohareka70 Tue, 01/19/2010 - 06:09

Peter,

Thanks for the assistance. I did what you recommended but no luck so far. I can't be far away though.

I am getting this when I do a show ip nat translations:

tcp x.x.x.x 80.x.x.x:80 217.33.137.49:7639 217.33.137.49:7639
tcp x.x.x.x:80 x.x.x.x:80 217.33.137.49:7640 217.33.137.49:7640
tcp x.x.x.x:80 x.x.x.x:80 217.33.137.49:7644 217.33.137.49:7644

Any ideas?

One of my colleagues thinks I don't have the IP NAT quite right.

regards

Kevin

Correct Answer
Ganesh Hariharan Sat, 01/16/2010 - 03:48

Hi Kevin,

For hardening of Cisco devices, check out the below link with recommendations from Cisco for hardening of devices.

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080120f48.shtml

And as you said you are not able to hit the web page, can you do a simple test from the internet: just telnet to port 80 of the public IP of the IIS server. Is it working or not?

If not, then the ACL needs to be checked for successful communication on port 80.

HTH

Regards

Ganesh.H

Peter Paluch Tue, 01/19/2010 - 08:02

Hello Kevin,

The show ip nat translation output you have posted here has raised my suspicion: notice that it tells you that neither the source nor the destination addresses in the packets flowing through your router are being translated. The columns inside local and inside global contain the same IP address, and the columns outside local and outside global also contain the same address. According to the configuration you have posted in your original post, that should not take place at all.

Can you download the most recent configuration of your router, remove the sensitive information and post it here again?

One of my colleagues thinks I don't have the IP NAT quite right.

I may have overlooked something in your original configuration, but I have gone over it and so far I cannot find anything wrong with your NAT configuration. Was your colleague perhaps more specific about what he/she didn't like about it?

Best regards,

Peter

ohareka70 Tue, 01/19/2010 - 09:14

Peter,

He thinks this line isn't forwarding the traffic from the outside Dialer0 address to the inside 192.168.2.100 (web server address), but he doesn't know how to correct it.

ip nat inside source static tcp 192.168.2.100 80 x.x.x.x 80 extendable

Any advice is welcome; I know this is not easy.

regards

Kevin

Correct Answer
Peter Paluch Tue, 01/19/2010 - 09:53

Kevin,

This does not make any sense to me. Assuming that the address x.x.x.x in your configuration is not from the 192.168.2.0/24 network, I do not see any reason why your NAT table should contain the entries you have posted earlier.

Can you please run the command clear ip nat translation * followed immediately by the show ip nat translation command, capture the entire output and post it here? Please note that the clear command will cause intermittent connection failures for internal workstations that have open sessions with the outside world.

Also can you post the exact version of the device and IOS you are running? The show version would be fine.

Sorry for pulling more and more information from you but so far the configuration appears OK to me.

Best regards,

Peter

ohareka70 Wed, 01/20/2010 - 06:51

Peter

Here are the details you were looking for:

rtrWestlDSL01#clear ip nat translation *
rtrWestlDSL01#show ip nat translation
Pro Inside global      Inside local       Outside local      Outside global
tcp x.x.x.x:80    x.x.x.x:80    ---                ---
udp x.x.x.x:137   192.168.2.31:137   10.218.130.4:137   10.218.130.4:137
udp x.x.x.x:137   192.168.2.31:137   10.224.2.6:137     10.224.2.6:137
tcp x.x.x.x:1195  192.168.2.31:1195  91.121.91.172:8905 91.121.91.172:8905
tcp x.x.x.x:80   192.168.2.100:80   ---                ---
tcp x.x.x.x:443   192.168.2.100:443  ---                ---

rtrWestlDSL01#sh version
Cisco IOS Software, C180X Software (C180X-BROADBAND-M), Version 12.4(6)T7, RELEASE SOFTWARE (fc5)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2007 by Cisco Systems, Inc.
Compiled Thu 29-Mar-07 02:43 by khuie

ROM: System Bootstrap, Version 12.3(8r)YH8, RELEASE SOFTWARE (fc2)

rtrWestlDSL01 uptime is 6 weeks, 1 hour, 23 minutes
System returned to ROM by power-on
System image file is "flash:c180x-broadband-mz.124-6.T7.bin"

Cisco 1801 (MPC8500) processor (revision 0x400) with 118784K/12288K bytes of memory.
Processor board ID FCZ112120F4, with hardware revision 0000
9 FastEthernet interfaces
1 ISDN Basic Rate interface
1 ATM interface
31360K bytes of ATA CompactFlash (Read/Write)
Configuration register is 0x2102

regards

Kevin

Peter Paluch Wed, 01/20/2010 - 09:42

Kevin,

Look at these three entries extracted from your show ip nat tran output:

Pro Inside global      Inside local       Outside local      Outside global
tcp x.x.x.x:80         x.x.x.x:80         ---                ---
tcp x.x.x.x:80         192.168.2.100:80   ---                ---
tcp x.x.x.x:443        192.168.2.100:443  ---                ---

The second and third entries are correct and they correspond to the ip nat inside source static lines in your configuration. However, the first entry, assuming that you have not made any mistake when replacing the real IP addresses with x.x.x.x, is incorrect: there is no corresponding command in your running configuration for such a line to be present in the NAT table, and besides that, it tells your router that there should be basically no translation of the address x.x.x.x at all.

I have noticed that the router has been running for over 6 weeks and that it runs quite an outdated IOS version. My first suggestion is to try to reload the router (remember to save the configuration beforehand). The second suggestion is to try to upgrade to a newer IOS, as this line suggests that there is probably something fishy going on inside the IOS version you're using.

Can you afford reloading the router? The connectivity will be broken for some 5 minutes, as these routers boot slowly and the DSL line training takes a minute or so, but I very much recommend trying that.

Best regards,

Peter
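To catch the kind of stray entry Peter points out above, here is an added Python check (not from the thread and not a Cisco tool) that parses show ip nat translation output, flags translations whose inside global and inside local sockets are identical, and reports expected static port mappings that are absent. The sample output is constructed from the thread, with 203.0.113.1 standing in for the redacted public Dialer0 address.

```python
"""Sanity-check 'show ip nat translation' output from a Cisco IOS router."""
from collections import namedtuple

Entry = namedtuple("Entry", "proto ig il ol og")  # each field is (addr, port)

# Constructed sample modelled on the thread's output; 203.0.113.1 stands in
# for the redacted public Dialer0 address (x.x.x.x in the posts).
SAMPLE = """\
rtrWestlDSL01#show ip nat translation
Pro Inside global      Inside local       Outside local      Outside global
tcp 203.0.113.1:80     203.0.113.1:80     ---                ---
udp 203.0.113.1:137    192.168.2.31:137   10.218.130.4:137   10.218.130.4:137
tcp 203.0.113.1:1195   192.168.2.31:1195  91.121.91.172:8905 91.121.91.172:8905
tcp 203.0.113.1:80     192.168.2.100:80   ---                ---
tcp 203.0.113.1:443    192.168.2.100:443  ---                ---
"""

def split_socket(token):
    """'a.b.c.d:port' -> (addr, port); the '---' of a static entry -> (None, None)."""
    if token == "---":
        return None, None
    if ":" not in token:          # plain static entry without a port
        return token, None
    addr, _, port = token.rpartition(":")
    return addr, int(port)

def parse(output):
    """Return one Entry per translation line, skipping prompts and the header."""
    entries = []
    for line in output.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] not in ("tcp", "udp", "icmp"):
            continue
        entries.append(Entry(parts[0], *(split_socket(p) for p in parts[1:])))
    return entries

def identity_entries(entries):
    """Entries whose inside global equals inside local: the router claims to
    translate the public address to itself, so nothing is forwarded inward."""
    return [e for e in entries if e.ig == e.il]

def missing_static(entries, expected):
    """expected: {(proto, public_port, inside_addr, inside_port)} taken from the
    'ip nat inside source static' lines. Returns mappings with no NAT entry."""
    present = {(e.proto, e.ig[1], e.il[0], e.il[1])
               for e in entries if e.ol == (None, None)}
    return sorted(expected - present)

if __name__ == "__main__":
    nat = parse(SAMPLE)
    for e in identity_entries(nat):
        print("stray identity entry:", e)
    wanted = {("tcp", 80, "192.168.2.100", 80), ("tcp", 443, "192.168.2.100", 443)}
    print("missing static mappings:", missing_static(nat, wanted))
```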

ohareka70 Wed, 01/20/2010 - 11:33

Peter,

rtrWestlDSL01# sh ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
udp xx.xxx.xxx.x:2     192.168.2.39:137   10.218.130.4:137   10.218.130.4:137
udp xx.xxx.xxx.x:1     192.168.2.39:137   10.224.2.6:137     10.224.2.6:137
udp xx.xxx.xxx.x:1236  192.168.2.39:1236  10.224.0.42:161    10.224.0.42:161
udp xx.xxx.xxx.x:2694  192.168.2.39:2694  10.218.130.1:389   10.218.130.1:389
udp xx.xxx.xxx.x:2695  192.168.2.39:2695  10.218.130.1:389   10.218.130.1:389
tcp xx.xxx.xxx.x:2696  192.168.2.39:2696  10.224.2.159:8192  10.224.2.159:8192
tcp xx.xxx.xxx.x:80    192.168.2.100:80   ---                ---
udp xx.xxx.xxx.x:137   192.168.2.100:137  10.218.130.4:137   10.218.130.4:137
udp xx.xxx.xxx.x:137   192.168.2.100:137  10.224.2.6:137     10.224.2.6:137
udp xx.xxx.xxx.x:137   192.168.2.100:137  192.168.3.255:137  192.168.3.255:137
tcp xx.xxx.xxx.x:443   192.168.2.100:443  ---                ---
udp xx.xxx.xxx.x:64164 192.168.2.100:64164 194.74.65.69:53   194.74.65.69:53

This is my laptop on the wireless connection: 192.168.2.39

I have reloaded and uploaded a new config just to make sure everything is OK. I have attached a few screenshots as well.

I can hit the webpage via the internal IP address 192.168.2.100 but not by DNS, i.e. www.captrax2.niwater.com.

Does the server PC that runs the website need to be on a domain, because it's only a workgroup at the moment? I tried joining it to the IP domain name golf-domain but it wouldn't take it.

regards,

Kevin

Correct Answer
Peter Paluch Wed, 01/20/2010 - 13:33

Kevin,

When I clicked on the hyperlink www.captrax2.niwater.com in my browser, it displayed a page saying "Under construction" and the webserver serving this page is MS IIS. If that is your internal webserver then I just connected to it successfully. Perhaps there are some issues with connecting to the public IP address of your webserver from within your internal network. In your network, if you want to access the webserver you need to use the internal IP address 192.168.2.100. Accessing the public IP address will not work in your case: the public IP address is owned by your router and you would be talking to your router instead of your webserver.

Does the server PC that runs the website need to be on a domain, because it's only a workgroup at the moment?

I don't think so. The webserver should not be bound to the domain in any particular sense (except perhaps for authentication purposes). But I have only very little experience with Microsoft server products so this is only my personal opinion. In any case, it seems that I am actually talking to your webserver (check its logs to see if it has been accessed at around 21:32 GMT on January 20th from 158.193.138.40).

I hope we are getting closer to having this solved once and for good.

Best regards,

Peter

ohareka70 Wed, 01/20/2010 - 14:24

Peter

You have got this spot on. I am very happy to see the IIS server web page displayed, as I can see the web page from my home broadband. So you are correct in saying that it might have been working with your last few pieces of advice, but I didn't realise it because I was just trying to hit the page from a wireless connection in the same LAN. But I can correctly see the webpage from my home broadband. This is the correct webpage; it was only a test one, but it is the correct page.

This has been a good learning curve for me but i really do appreciate the help.  Thanks for putting in some of your time.

regards,

Kevin

Peter Paluch Wed, 01/20/2010 - 15:37

Kevin,

It has been a pleasure to assist you. I believe, though, that the reload was still necessary: that one NAT translation entry was lurking inside the NAT table and possibly wreaking havoc with the translations. At your convenience, consider upgrading your IOS if possible. Your router seems to have 128MB RAM and 32MB flash. The latest IOS that still fits within these limits is c180x-broadband-mz.124-22.T4.bin.

Once again, I am very glad that you got it working.

Best regards,

Peter
