I have been trying to set up a DMZ for my web server for some time and cannot do this. 1800 Series Router.

Unanswered Question
Dec 31st, 2009

Current configuration : 4851 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname WebRouter
!
boot-start-marker
boot-end-marker
!
logging buffered 4096 informational
enable secret 5 $1$3E7C$UAyLato4zmkxSvzNjakSB/
!
no aaa new-model
!
resource policy
!
clock timezone Eastern -5
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.10.1 10.10.10.10
!
ip dhcp pool WebRouter
   import all
   network 10.10.10.0 255.255.255.224
   default-router 10.10.10.1
   dns-server 68.87.71.226
   lease 0 2
!
!
no ip domain lookup
!
!
crypto pki trustpoint TP-self-signed-3175805238
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3175805238
revocation-check none
rsakeypair TP-self-signed-3175805238
!
!
crypto pki certificate chain TP-self-signed-3175805238
certificate self-signed 01
  30820241 308201AA A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 33313735 38303532 3338301E 170D3039 31313232 30383237
  34305A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 31373538
  30353233 3830819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  81009B53 EDCA690D C8D4A911 A6A7E35F 933429DB 0FD35005 17AA5ED1 28585D74
  A3942A51 9AAEC9CC 7ED846DA EAF93411 562E92EE FDAB106E A0B3D99C 43450C5D
  CE8FE1A0 29FF74E1 DD7C16F8 38E6CA83 44E7CD18 93526CEF C5AA6BE9 7AAEC86C
  D331EA7C 77A8682C B17F9BE7 2D722B1A 59B3FD63 C5022987 C152EB26 8B806048
  34670203 010001A3 69306730 0F060355 1D130101 FF040530 030101FF 30140603
  551D1104 0D300B82 09576562 526F7574 6572301F 0603551D 23041830 1680141A
  1774FDFB 99809254 BD1995E1 275F263E 7598DE30 1D060355 1D0E0416 04141A17
  74FDFB99 809254BD 1995E127 5F263E75 98DE300D 06092A86 4886F70D 01010405
  00038181 000AFC3A 630F8551 3AB5A8D6 91D169DE DB8B61DC F14C0D19 611151F3
  8BCE3D2B 06D9E0BE 9437F70E 81F555E5 DF98B0D1 9D3841AC 88C00C0D 45C38DD2
  3B50E543 68031AFF CF916952 97A3CC0B 147CBC02 BC8FDB1A 4F75F3CF 73884295
  40AA34D5 FF045644 87C7D3B5 33AECB61 BAA0DBD7 438212FD 68131845 507F6994
  C6C452C1 7C
  quit
username XXXXXXXX privilege 0 secret 5 $1$ln4Y$P4dXy6i2vGV/BaFQbnZwh.
!
!
!
!
!
!
interface FastEthernet0
ip address XXX.XXX.XXX.XXX 255.255.255.252       <------- Public IP (static IP from my provider)
ip access-group 101 in
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet1
ip address 172.17.2.1 255.255.255.252            <------- interface that connects to the internal LAN router (172.17.2.2)
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
!
interface Vlan1                                  <---------- 9-port switch reserved for the DMZ; web server connected at 10.10.10.3
ip address 10.10.10.1 255.255.255.224
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
!
interface Async1
no ip address
encapsulation slip
!
ip route 0.0.0.0 0.0.0.0 XXX.XXX.XXX
ip route 172.17.1.0 255.255.255.0 172.17.2.2
!
!
no ip http server
no ip http secure-server
ip nat inside source list 1 interface FastEthernet0 overload
ip nat inside source static tcp 10.10.10.5 25 XXX.XXX.XXX.XXX 25 extendable               <---- NAT from int fa0 to 10.10.10.5
ip nat inside source static tcp 10.10.10.3 80 XXX.XXX.XXX.XXX 80 extendable               <---- NAT from int fa0 to 10.10.10.3
!
access-list 1 permit 172.17.1.0 0.0.0.255
access-list 1 permit 10.10.10.0 0.0.0.31
access-list 1 permit 172.17.2.0 0.0.0.3
access-list 101 remark Traffic allowed to enter the router from the internet
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 224.0.0.0 15.255.255.255 any
access-list 101 deny   ip 240.0.0.0 7.255.255.255 any
access-list 101 permit ip any any
no cdp run
!
!
!
!
!
!
control-plane
!
banner login ^C
This system is solely for the use of authorized users for official purposes.
You have no expectation of privacy in its use and to ensure that the system
to having all of their activities monitored and recorded by system
personnel. Use of this system evidences an express consent to such
monitoring and agreement that if such monitoring reveals evidence of
possible abuse or criminal activity, system personnel may provide the
results of such monitoring to appropriate officials.^C
!
line con 0
exec-timeout 30 0
privilege level 0
login local
line 1
modem InOut
stopbits 1
speed 115200
flowcontrol hardware
line aux 0
line vty 0 4
access-class 23 in
privilege level 0
login local
transport input telnet ssh
line vty 5 15
access-class 23 in
privilege level 0
login local
transport input telnet ssh
!
webvpn context Default_context
ssl authenticate verify all
!
no inservice
!
end


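Added example (my code, not from the thread or from Cisco): a small Python evaluator for the first-match, wildcard-mask semantics of IOS extended numbered access lists. It parses access-list 101 exactly as posted above and runs constructed packets through it, which shows what the list actually does on the Internet side of the WebRouter: sources in RFC 1918 space, multicast and 240/4 are dropped as spoofed, everything else is permitted, so what reaches the two DMZ hosts from outside is decided by the static NAT entries (ports 80 and 25), not by the ACL. The public address is redacted in the post, so 203.0.113.1 stands in for it; the sample packets are constructed.

```python
"""Offline first-match evaluation of Cisco IOS extended numbered ACLs.

Added example, not from the thread. Handles "any", "host", address +
wildcard, destination "eq <port>" and "established"; standard and named
ACLs are out of scope.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# access-list 101 as posted for the WebRouter (applied inbound on FastEthernet0).
WEBROUTER_ACL_101 = """
access-list 101 remark Traffic allowed to enter the router from the internet
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 224.0.0.0 15.255.255.255 any
access-list 101 deny   ip 240.0.0.0 7.255.255.255 any
access-list 101 permit ip any any
"""

PUBLIC_IP = "203.0.113.1"  # placeholder for the redacted XXX.XXX.XXX.XXX on FastEthernet0
PORT_NAMES = {"www": 80, "smtp": 25, "tftp": 69, "ntp": 123, "domain": 53}
AddrSpec = Optional[Tuple[int, int]]  # (address, wildcard) as 32-bit ints; None means "any"

@dataclass
class Entry:
    action: str           # "permit" or "deny"
    proto: str            # "ip" matches every protocol
    src: AddrSpec
    dst: AddrSpec
    dport: Optional[int]  # destination "eq <port>", if given
    established: bool     # TCP only: match segments with ACK or RST set
    text: str             # normalised line, reported when this entry matches

@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    dport: int = 0
    ack: bool = False

def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))

def _addr(t: List[str], i: int) -> Tuple[AddrSpec, int]:
    """Consume one address spec at t[i]; return (spec, index of the next token)."""
    if t[i] == "any":
        return None, i + 1
    if t[i] == "host":
        return (_ip(t[i + 1]), 0), i + 2
    return (_ip(t[i]), _ip(t[i + 1])), i + 2

def parse_acl(text: str) -> List[Entry]:
    entries: List[Entry] = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 4 or t[0] != "access-list" or t[2] == "remark":
            continue
        src, i = _addr(t, 4)
        dst, i = _addr(t, i)
        dport, established = None, False
        while i < len(t):
            if t[i] == "eq":
                dport = int(t[i + 1]) if t[i + 1].isdigit() else PORT_NAMES[t[i + 1]]
                i += 2
            elif t[i] == "established":
                established, i = True, i + 1
            else:
                i += 1  # log, precedence, ... are not modelled
        entries.append(Entry(t[2], t[3], src, dst, dport, established, " ".join(t)))
    return entries

def _match(spec: AddrSpec, ip: str) -> bool:
    if spec is None:
        return True
    addr, wild = spec
    care = ~wild & 0xFFFFFFFF  # wildcard bit 1 = don't care, 0 = must match
    return (_ip(ip) & care) == (addr & care)

def evaluate(entries: List[Entry], pkt: Packet) -> Tuple[str, str]:
    """The first matching entry decides; nothing matched means the implicit deny."""
    for e in entries:
        if e.proto not in ("ip", pkt.proto):
            continue
        if not (_match(e.src, pkt.src) and _match(e.dst, pkt.dst)):
            continue
        if e.dport is not None and e.dport != pkt.dport:
            continue
        if e.established and not (pkt.proto == "tcp" and pkt.ack):
            continue
        return e.action, e.text
    return "deny", "implicit deny at end of list"

def check_webrouter_inbound() -> dict:
    """Constructed packets as they would arrive on FastEthernet0 from the provider."""
    acl = parse_acl(WEBROUTER_ACL_101)
    samples = {
        "internet client to port 80": Packet("tcp", "198.51.100.7", PUBLIC_IP, 80),
        "spoofed DMZ source 10.10.10.3": Packet("tcp", "10.10.10.3", PUBLIC_IP, 80),
        "spoofed 172.31.255.254 (in 172.16/12)": Packet("tcp", "172.31.255.254", PUBLIC_IP, 80),
        "172.32.0.1 (outside 172.16/12)": Packet("tcp", "172.32.0.1", PUBLIC_IP, 25),
        "multicast source 224.0.0.9": Packet("udp", "224.0.0.9", PUBLIC_IP, 520),
    }
    return {name: evaluate(acl, pkt) for name, pkt in samples.items()}

if __name__ == "__main__":
    for name, (action, matched) in check_webrouter_inbound().items():
        print(f"{action:6} {name:40} <- {matched}")
```

The 172.31.255.254 / 172.32.0.1 pair is the useful edge: wildcard 0.15.255.255 cares about the top 12 bits only, so the first is caught by the 172.16.0.0 entry and the second falls through to the final permit.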
Reza Sharifi Thu, 12/31/2009 - 14:04

Hello Gary,


Can you provide a bit more info like:

Which interface is your DMZ and which is Internal?

Is your internal network working fine and DMZ not?

Also, where is 172.17.1.0/24 located?

Is there any other device (firewall, router) installed in your network?


Reza

Gary Lefebvre Thu, 12/31/2009 - 15:25

Hello Reza, I have inserted in the initial thread the information you requested. The setup I have is a two-router and one-switch config. The WebRouter is out in front and I want to use it for the DMZ. The WebRouter has three interfaces. The first is the incoming static IP. The second is the 9-port switch that I am using for the web services. The third interface is connected to my internal LAN router, which in turn is connected to a Catalyst switch. I have had schooling in CCNA. I have tried for a few months to find a working config and can't. Thanks for your help.


The internal network is fine. I can surf the web through the whole setup. When I place the server outside the whole schema, I can surf my server. When I place the server onto the 9-port switch with an IP of 10.10.10.3 and use the static NAT to forward from fa0 to 10.10.10.3 on the switch, I am unable to surf the web server from www.mywebserver.net. I can, however, set my browser to 10.10.10.3 and my web page comes up.



Gary Lefebvre Sun, 04/18/2010 - 09:54

I have made some headway on creating a DMZ for my Linux web server. I am using CentOS with Virtualmin to host my 3 websites. I managed to place my web server in the DMZ with a private address, using NAT to forward the packets to the web server. Everything is working perfectly with the above-mentioned Cisco setup. The confusing thing now is that if I try to call one of my websites in a browser from "my internal network", a message appears in the browser that "The connection to the server was reset while the page was loading." But if I go to a friend's house and use their computer to call one of my websites, the web pages come up in the browser.

Reza Sharifi Sun, 04/18/2010 - 10:32

Hi Gary,



Do you use the same browser type and version at your friend's house and at your house?


Reza

Federico Coto F... Sun, 04/18/2010 - 12:32

Gary,


The fact that you can bring up the web page from another location means the configuration on the router is fine.

The only possible configuration causing the behavior that you cannot access the page from another location is an ACL (which is not the case here).


So, I will say that you need to check either your browser or client settings.


Federico.

Reza Sharifi Sun, 04/18/2010 - 12:50

Try using IE at home too and see what happens.


Reza

Gary Lefebvre Sun, 04/18/2010 - 15:20

Where do I begin? I am running Windows 7 on my desktop. IE8 comes standard with this OS. IE8 won't run for me. I loaded a fresh install of Windows 7 when the OS came out. So I can't use IE8, so I downloaded Google Chrome, and again the server error is the same as mentioned above. Also, I am running Dreamweaver, and since I brought the server into a DMZ I cannot FTP to the server. I have another router on the internal network, behind the DMZ, which my desktop PC is connected to, and I have no existing ACLs that will stop my PC from connecting to my server. Oh well, I guess I'm leaning towards reloading Windows 7.

Gary Lefebvre Mon, 04/19/2010 - 11:26

version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname LanRouter
!
boot-start-marker
boot-end-marker
!
logging buffered 4096 informational
enable secret 5 something
!
no aaa new-model
!
resource policy
!
clock timezone Eastern -5
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 172.17.1.1 172.17.1.10
!
ip dhcp pool MyCiscoSwitch
   import all
   network 172.17.1.0 255.255.255.0
   default-router 172.17.1.1
   dns-server 68.87.71.226
   lease 0 2
!
!
no ip domain lookup
!
username GarysHome privilege 0 secret 5 something
!
!
!
interface Loopback0
no ip address
!
interface FastEthernet0/0
ip address 172.17.2.2 255.255.255.252
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 172.17.1.1 255.255.255.0
duplex auto
speed auto
!
ip classless
ip route 0.0.0.0 0.0.0.0 172.17.2.1
!
no ip http server
!
access-list 23 permit 172.17.1.0 0.0.0.255
access-list 23 permit 10.10.10.0 0.0.0.31
access-list 101 permit udp host 68.87.71.226 172.17.1.0 0.0.0.255
access-list 101 permit tcp any 172.17.1.0 0.0.0.255 established
access-list 101 permit udp any any eq tftp
access-list 101 permit udp any any eq ntp
access-list 101 permit udp host 172.17.2.1 172.17.1.0 0.0.0.255
access-list 101 permit udp host 10.10.10.3 172.17.1.0 0.0.0.31
!
control-plane
!
banner login ^C
This system is solely for the use of authorized users for official purposes.
You have no expectation of privacy in its use and to ensure that the system
to having all of their activities monitored and recorded by system
personnel. Use of this system evidences an express consent to such
monitoring and agreement that if such monitoring reveals evidence of
possible abuse or criminal activity, system personnel may provide the
results of such monitoring to appropriate officials.^C
!
line con 0
exec-timeout 30 0
privilege level 0
login local
line aux 0
line vty 0 4
access-class 23 in
privilege level 0
login local
transport input none
line vty 5 15
access-class 23 in
privilege level 0
login local
transport input none
!
ntp clock-period 17178133
ntp server 172.17.2.1 prefer
end




Above is the internal LAN router setup. I have a switch attached to IP 172.17.1.1 (int fa0/1). My problem lies somewhere in here, I think? Can anyone help? Thanks.
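A cross-check a practitioner would run over both posted configs, added here as an example (my code, not from the thread or from Cisco): list every numbered ACL, record where it is applied (ip access-group on an interface, access-class on a line, ip nat ... source list), and flag lists that are defined but applied nowhere or applied but defined nowhere. Run over excerpts of the two configs above, it reports that on LanRouter access-list 101 is defined but not applied to any interface, so it currently filters nothing, and that on WebRouter access-class 23 is referenced on the vty lines without any access-list 23 in the posted configuration; how IOS treats a reference to a list that does not exist is something to confirm on the device rather than assume. The excerpts are taken from the thread with the public address removed; named ACLs are not handled.

```python
"""Cross-reference numbered ACL definitions and uses in an IOS config dump.

Added example, not from the thread. Context for each reference is the
enclosing "interface ..." or "line ..." block, or "global".
"""
import re
from collections import defaultdict
from typing import Dict, Set

# Excerpts of the two configurations posted in the thread (public IP lines omitted).
WEBROUTER_CFG = """
interface FastEthernet0
 ip access-group 101 in
 ip nat outside
!
interface Vlan1
 ip address 10.10.10.1 255.255.255.224
 ip nat inside
!
ip nat inside source list 1 interface FastEthernet0 overload
access-list 1 permit 172.17.1.0 0.0.0.255
access-list 101 remark Traffic allowed to enter the router from the internet
access-list 101 permit ip any any
!
line vty 0 4
 access-class 23 in
 transport input telnet ssh
line vty 5 15
 access-class 23 in
!
"""

LANROUTER_CFG = """
interface FastEthernet0/1
 ip address 172.17.1.1 255.255.255.0
!
access-list 23 permit 172.17.1.0 0.0.0.255
access-list 101 permit tcp any 172.17.1.0 0.0.0.255 established
access-list 101 permit udp any any eq ntp
!
line vty 0 4
 access-class 23 in
 transport input none
!
"""

# Ways a numbered list can be referenced; "n" is the list number, "dir" the direction/side.
_REFERENCES = [
    (re.compile(r"ip access-group (?P<n>\d+) (?P<dir>in|out)$"), "access-group {dir}"),
    (re.compile(r"access-class (?P<n>\d+) (?P<dir>in|out)$"), "access-class {dir}"),
    (re.compile(r"ip nat (?P<dir>inside|outside) source list (?P<n>\d+) "), "nat {dir} source list"),
]
_DEFINITION = re.compile(r"access-list (?P<n>\d+) ")

def lint_acls(config: str) -> Dict[str, dict]:
    """Return {acl_number: {"defined": bool, "refs": [(how, where), ...]}}."""
    report = defaultdict(lambda: {"defined": False, "refs": []})
    context = "global"
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "!":                     # section separator: back to global scope
            context = "global"
            continue
        if line.startswith(("interface ", "line ")):
            context = line                  # sub-mode; following lines belong to it
            continue
        m = _DEFINITION.match(line)
        if m:
            report[m["n"]]["defined"] = True
            continue
        for pattern, label in _REFERENCES:
            m = pattern.match(line)
            if m:
                report[m["n"]]["refs"].append((label.format(dir=m["dir"]), context))
                break
    return dict(report)

def unreferenced(report: Dict[str, dict]) -> Set[str]:
    """Defined but applied nowhere: dead policy that currently filters nothing."""
    return {n for n, r in report.items() if r["defined"] and not r["refs"]}

def undefined(report: Dict[str, dict]) -> Set[str]:
    """Applied somewhere but not defined in this config: verify the effect on the device."""
    return {n for n, r in report.items() if r["refs"] and not r["defined"]}

if __name__ == "__main__":
    for name, cfg in (("WebRouter", WEBROUTER_CFG), ("LanRouter", LANROUTER_CFG)):
        rep = lint_acls(cfg)
        print(f"{name}: undefined={sorted(undefined(rep))} unreferenced={sorted(unreferenced(rep))}")
        for n, r in sorted(rep.items(), key=lambda kv: int(kv[0])):
            for how, where in r["refs"]:
                print(f"  ACL {n}: {how} on {where}")
```

The context tracking matters because IOS prints sub-mode lines indented under their interface or line block; pasted configs (as in this thread) often lose that indentation, so the parser keys on the block header and the "!" separator rather than on whitespace.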

Gary Lefebvre Wed, 05/26/2010 - 14:41

I used tracert to get an idea of where the packets are going; output below...


Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.


C:\Users\Gary>tracert www.mysite.org


Tracing route to www.mysite.org [xxx.xxx.xxx.xxx]
over a maximum of 30 hops:


  1    <1 ms    <1 ms    <1 ms  172.17.1.1
  2     1 ms    <1 ms     1 ms  xxx-xxx-xxx-xxx-NewEngland.hfc.comcastbusiness.net
[xxx.xxx.xxx.xxx]


Trace complete.


C:\Users\Gary>tracert www.myothersite.net


Tracing route to www.myothersite.net [xxx.xxx.xxx.xxx]
over a maximum of 30 hops:


  1    <1 ms    <1 ms    <1 ms  172.17.1.1
  2     1 ms    <1 ms    <1 ms  xxx-xxx-xxx-xxx-NewEngland.hfc.comcastbusiness.net
[xxx.xxx.xxx.xxx]


Trace complete.


C:\Users\Gary>tracert 10.10.10.3


Tracing route to 10.10.10.3 over a maximum of 30 hops


  1    <1 ms    <1 ms    <1 ms  172.17.1.1
  2     1 ms    <1 ms    <1 ms  172.17.2.1
  3     1 ms     1 ms     1 ms  10.10.10.3


Trace complete.


C:\Users\Gary>
