forwarding port 8008 to a webserver

Unanswered Question
Jun 21st, 2010

Hello there,



We use some Cisco 2811 routers and I have forwarded some websites which are used via port 8008, but it does not work.


I tried it with:


ip nat inside source static tcp 192.168.1.24 8008 interface FastEthernet0/1 8008


Can someone tell me what is wrong? And maybe can someone tell me how I can debug the traffic which should pass port 8008?




Thank you for your help!


Michael

Jennifer Halim Mon, 06/21/2010 - 03:30
User Badges: Cisco Employee

I assume that fa0/1 is the external interface (please make sure that you configured "ip nat outside"), and the interface of the 192.168.1.x subnet has "ip nat inside" configured. Also, do you have an access-list configured on the external interface? If you do, you would need to allow traffic to the fa0/1 interface on port 8008.


Please share the config if the above has been checked.

it-interschalt Tue, 08/31/2010 - 23:39

Hello halijenn,


Thank you for your answer, and sorry for the delay!


At the moment port 8008 is working fine, but only if I try to reach the server via port 8008 from the internet. If I try to reach it from another site office it does not work.


The access-list allows all traffic from the site office (connected via VPN), and I can ping the server and I can also connect to it via a share.


Can it be that the "ip nat inside source static tcp 192.168.1.24 8008 interface FastEthernet0/1 8008" is only for connections from the internet?


If yes, what can I do so that we can connect to the server from our site office?


Best wishes


Michael

Jennifer Halim Tue, 08/31/2010 - 23:55
User Badges: Cisco Employee

Yes, you are right. Those are for the internet because on VPN you normally do not specify the public subnet/ip address in the crypto ACL.

You would need to add a crypto ACL for your VPN tunnel between the FastEthernet0/1 interface IP towards the remote LAN and vice versa.

it-interschalt Wed, 09/01/2010 - 00:08

ok?


How can I add a crypto ACL? Sorry for this question, but I'm not so firm in configuring special things on the Cisco router.


Do you have a short how-to for me?


best wishes


Michael

Jennifer Halim Wed, 09/01/2010 - 18:45
User Badges: Cisco Employee

Can you post the specific vpn configuration and the corresponding crypto ACL?

it-interschalt Mon, 09/06/2010 - 22:52

Hello halijenn,


I hope I have the right things you would like to know.


---

crypto map SDM_CMAP_1 4 ipsec-isakmp
set peer public IP
set transform-set ESP-AES-256-SHA
match address 170

access-list 170 permit ip 192.168.16.0 0.0.0.255 192.168.17.0 0.0.0.255
access-list 170 permit ip 192.168.16.0 0.0.0.255 192.168.2.0 0.0.255.255
access-list 170 permit ip 192.168.1.0 0.0.255.255 192.168.2.0 0.0.255.255
access-list 170 permit ip 192.168.1.0 0.0.255.255 192.168.17.0 0.0.0.255

---


If you need anything more, please let me know.


Best wishes

Michael

Jennifer Halim Tue, 09/07/2010 - 04:49
User Badges: Cisco Employee

Here is what you would need to add:

access-list 170 permit ip host 192.168.2.0 0.0.255.255
access-list 170 permit ip host 192.168.17.0 0.0.0.255


You would also need to configure mirror image ACL on the other side of the VPN tunnel device.

it-interschalt Tue, 09/07/2010 - 05:28

I have added the lines on the router


---

access-list 170 permit ip host 192.168.2.0 0.0.255.255
access-list 170 permit ip host 192.168.17.0 0.0.0.255

---



At the remote site, which configuration do I need?

Info: the access-list is also 170!

1.?

--

access-list 170 permit ip host 192.168.2.0 0.0.255.255
access-list 170 permit ip host 192.168.17.0 0.0.0.255

--



or 2.?


--

access-list 170 permit ip host <fa0/1 interface ip address from the main router> 192.168.2.0 0.0.255.255
access-list 170 permit ip host <fa0/1 interface ip address  from the main router> 192.168.17.0 0.0.0.255

--


or 3.?

--

access-list 170 permit ip host <fa0/1 interface ip address from the main router> 192.168.1.0 0.0.255.255 - IPs from the main site?
access-list 170 permit ip host <fa0/1 interface ip address  from the main router> 192.168.16.0 0.0.0.255 - IPs from the main site?
--


or 4.?

--

access-list 170 permit ip host 192.168.1.0 0.0.255.255 - IPs from the main site?
access-list 170 permit ip host 192.168.16.0 0.0.0.255 - IPs from the main site?
--

Jennifer Halim Tue, 09/07/2010 - 05:37
User Badges: Cisco Employee

On the remote site, you would need to configure mirror image ACL as follows:


access-list 170 permit ip 192.168.2.0 0.0.255.255 host
access-list 170 permit ip 192.168.17.0 0.0.0.255 host


You would need to also clear the IPSEC SA on both ends after the configuration (clear cry sa).

it-interschalt Tue, 09/07/2010 - 05:52

So here are the actual access lists from the running config



Site 1 (main, where port 8008 should be reachable)
access-list 170 permit ip 192.168.16.0 0.0.0.255 192.168.17.0 0.0.0.255
access-list 170 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 170 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 170 permit ip 192.168.1.0 0.0.0.255 192.168.17.0 0.0.0.255
access-list 170 permit ip host 192.168.16.1 192.168.17.0 0.0.0.255
access-list 170 permit ip host 192.168.16.1 192.168.2.0 0.0.0.255


Site 2 (remote, where I try to connect from via port 8008)
access-list 170 permit ip 192.168.17.0 0.0.0.255 192.168.16.0 0.0.0.255
access-list 170 permit ip 192.168.2.0 0.0.0.255 192.168.16.0 0.0.0.255
access-list 170 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 170 permit ip 192.168.17.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 170 permit ip 192.168.17.0 0.0.0.255 host 192.168.16.1
access-list 170 permit ip 192.168.2.0 0.0.0.255 host 192.168.16.1


and this is not working!


What did I do wrong?

Jennifer Halim Tue, 09/07/2010 - 06:19
User Badges: Cisco Employee

I assume that fa0/1 should be a public IP address, right? Since you have configured port forwarding for that via the NAT statement:

ip nat inside source static tcp 192.168.1.24 8008 interface FastEthernet0/1 8008


Can you share the output of:

show run int fa0/1


Is this webserver accessible from the Internet?

I assume that you would like access to the webserver from both the Internet as well as the VPN, right?

it-interschalt Tue, 09/07/2010 - 23:34

Yes you are right!


The fa0/1 is public; sorry, I didn't read correctly.

And I would like to connect to the webserver from both the Internet and the VPN.


Now I have corrected the mistake, but it still doesn't work.


I can ping the webserver. I can reach a website (port 80), but I can't reach the website which should be reachable via port 8008.

Jennifer Halim Tue, 09/07/2010 - 23:38
User Badges: Cisco Employee

Is it working from the internet and failing from the VPN? Or is it not working from both VPN and Internet?


If it's not working from the VPN, can you please make sure that you have exactly the mirror image ACL on both sides, and have also cleared the crypto tunnels (clear crypto sa).

it-interschalt Tue, 09/07/2010 - 23:47

It is working from the internet and does not work from the VPN site.


My actual configs are


Site 1 (main, where port 8008 should be reachable)
access-list 170 permit ip 192.168.16.0 0.0.0.255 192.168.17.0 0.0.0.255
access-list 170 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 170 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 170 permit ip 192.168.1.0 0.0.0.255 192.168.17.0 0.0.0.255
access-list 170 permit ip host public IP from this router 192.168.17.0 0.0.0.255
access-list 170 permit ip host public IP from this router 192.168.2.0 0.0.0.255


Site 2 (remote, where I try to connect from via port 8008)
access-list 170 permit ip 192.168.17.0 0.0.0.255 192.168.16.0 0.0.0.255
access-list 170 permit ip 192.168.2.0 0.0.0.255 192.168.16.0 0.0.0.255
access-list 170 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 170 permit ip 192.168.17.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 170 permit ip 192.168.17.0 0.0.0.255 host public IP from the router Site 1
access-list 170 permit ip 192.168.2.0 0.0.0.255 host public IP from the router Site 1


And now I have sent the command clear crypto sa on both routers,


and the website is currently still not reachable.
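As an added check (not from the thread or from either poster): a small Python script that parses the two crypto ACLs posted above, rebuilds each entry as a (source, destination) network pair, and reports entries that have no mirror image on the other peer, which is the requirement stated earlier in the thread; it also rejects a wildcard that leaves bits set under the network address, as the 0.0.255.255 entries in the first posted config do. The public address of the main router is assumed to be the placeholder 203.0.113.1.

```python
import ipaddress
import re

ACL_RE = re.compile(r"^\s*access-list\s+\d+\s+permit\s+ip\s+(.+?)\s*$")

def _network(tokens):
    """Consume 'host A' or 'A WILDCARD'. Raises ValueError for a non-contiguous wildcard
    or for address bits set under it, as 192.168.1.0 0.0.255.255 in the first config."""
    if tokens[0] == "host":
        return ipaddress.IPv4Network((tokens[1], 32)), tokens[2:]
    wild = int(ipaddress.IPv4Address(tokens[1]))
    if (wild + 1) & wild:
        raise ValueError(f"non-contiguous wildcard {tokens[1]}")
    prefix = 32 - wild.bit_length()  # 0.0.0.255 -> /24, 0.0.0.0 -> /32
    return ipaddress.IPv4Network((tokens[0], prefix), strict=True), tokens[2:]

def parse_crypto_acl(text):
    """Set of (src, dst) IPv4Network pairs from the 'permit ip' lines of one ACL."""
    pairs = set()
    for line in text.splitlines():
        m = ACL_RE.match(line)
        if m:
            src, rest = _network(m.group(1).split())
            pairs.add((src, _network(rest)[0]))
    return pairs

def mirror_gaps(local_text, remote_text):
    """(only_local, missing_local): pairs in the local peer's src->dst sense that the
    other peer does not mirror. Both sets empty means the ACLs are exact mirror images."""
    local = parse_crypto_acl(local_text)
    mirrored = {(d, s) for s, d in parse_crypto_acl(remote_text)}
    return local - mirrored, mirrored - local

# Constructed from the two ACLs posted in this thread; PUBLIC_IP is a placeholder.
PUBLIC_IP = "203.0.113.1"
SITE1 = f"""
access-list 170 permit ip 192.168.16.0 0.0.0.255 192.168.17.0 0.0.0.255
access-list 170 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 170 permit ip 192.168.1.0 0.0.0.255 192.168.17.0 0.0.0.255
access-list 170 permit ip host {PUBLIC_IP} 192.168.17.0 0.0.0.255
access-list 170 permit ip host {PUBLIC_IP} 192.168.2.0 0.0.0.255
"""
SITE2 = f"""
access-list 170 permit ip 192.168.17.0 0.0.0.255 192.168.16.0 0.0.0.255
access-list 170 permit ip 192.168.2.0 0.0.0.255 192.168.16.0 0.0.0.255
access-list 170 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 170 permit ip 192.168.17.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 170 permit ip 192.168.17.0 0.0.0.255 host {PUBLIC_IP}
access-list 170 permit ip 192.168.2.0 0.0.0.255 host {PUBLIC_IP}
"""
```

Calling mirror_gaps(SITE1, SITE2) on the posted lists returns an empty first set and {(192.168.16.0/24, 192.168.2.0/24)} in the second: site 1 has no mirror of site 2's "192.168.2.0 0.0.0.255 192.168.16.0 0.0.0.255" entry, which is exactly the kind of asymmetry to fix before clearing the SAs again.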

Jennifer Halim Tue, 09/07/2010 - 23:58
User Badges: Cisco Employee

Can you share the output of "show cry ipsec sa" from both routers.

Jennifer Halim Tue, 09/07/2010 - 23:59
User Badges: Cisco Employee

and also, you might want to check the NAT exemption on the remote router.

Can you share the NAT statement, and the corresponding ACL on the remote router?
