Forwarding port 8008 to a webserver

it-interschalt
Level 1

Hello there,

We use a Cisco 2811 router and I have forwarded some websites which will be used via port 8008, but it does not work.

I try it with:

ip nat inside source static tcp 192.168.1.24 8008 interface FastEthernet0/1 8008

Can someone tell me what is wrong? And maybe someone can tell me how I can debug the traffic which should pass port 8008?

Thank you for your help!

Michael

16 Replies

Jennifer Halim
Cisco Employee

I assume that fa0/1 is the external interface (pls make sure that you configured "ip nat outside"), and the interface of the 192.168.1.x subnet has "ip nat inside" configured. Also, do you have an access-list configured on the external interface? If you do, you would need to allow traffic to the fa0/1 interface on port 8008.

Please share the config if the above has been checked.

Hello halijenn,

thank you for your answer - and sorry for the delay!

At the moment port 8008 is working fine, but only if I try to reach the server via port 8008 from the internet. If I try to reach it from another site office it does not work.

The access-list allows all traffic from the site office (connected via VPN), and I can ping the server and I can also connect to it via a share.

Can it be that the "ip nat inside source static tcp 192.168.1.24 8008 interface FastEthernet0/1 8008" is only for connections from the internet?

If yes, what can I do so that we can connect to the server from our site office?

Best wishes

Michael

Yes, you are right. Those are for the internet because on VPN you normally do not specify the public subnet/ip address in the crypto ACL.

You would need to add crypto ACL for your VPN tunnel between the FastEthernet0/1 interface IP towards remote LAN and vice versa.

ok?

How can I add a crypto ACL? Sorry for this question, but I'm not so familiar with configuring special things on the Cisco router.

Do you have a short how-to for me?

best wishes

Michael

Can you post the specific vpn configuration and the corresponding crypto ACL?

hello halijenn,

I hope I have the right things you would like to know.

---

crypto map SDM_CMAP_1 4 ipsec-isakmp
set peer public IP
set transform-set ESP-AES-256-SHA
match address 170

access-list 170 permit ip 192.168.16.0 0.0.0.255 192.168.17.0 0.0.0.255
access-list 170 permit ip 192.168.16.0 0.0.0.255 192.168.2.0 0.0.255.255
access-list 170 permit ip 192.168.1.0 0.0.255.255 192.168.2.0 0.0.255.255
access-list 170 permit ip 192.168.1.0 0.0.255.255 192.168.17.0 0.0.0.255

---

If you need anything more, please let me know.

Best wishes

Michael

Here is what you would need to add:

access-list 170 permit ip host 192.168.2.0 0.0.255.255
access-list 170 permit ip host 192.168.17.0 0.0.0.255

You would also need to configure mirror image ACL on the other side of the VPN tunnel device.

I have added the lines at the router

---

access-list 170 permit ip host 192.168.2.0 0.0.255.255
access-list 170 permit ip host 192.168.17.0 0.0.0.255

---

At the remote site, which configuration do I need?

Info: the access-list there is also 170!

1.?

--

access-list 170 permit ip host 192.168.2.0 0.0.255.255
access-list 170 permit ip host 192.168.17.0 0.0.0.255

--

or 2.?

--

access-list 170 permit ip host <fa0/1 interface ip address from the main router> 192.168.2.0 0.0.255.255
access-list 170 permit ip host <fa0/1 interface ip address from the main router> 192.168.17.0 0.0.0.255

--

or 3.?

--

access-list 170 permit ip host <fa0/1 interface ip address from the main router> 192.168.1.0 0.0.255.255 - IPs from the main site?
access-list 170 permit ip host <fa0/1 interface ip address from the main router> 192.168.16.0 0.0.0.255 - IPs from the main site?
--

or 4.?

--

access-list 170 permit ip host 192.168.1.0 0.0.255.255 - IPs from the main site?
access-list 170 permit ip host 192.168.16.0 0.0.0.255 - IPs from the main site?
--

On the remote site, you would need to configure mirror image ACL as follows:

access-list 170 permit ip 192.168.2.0 0.0.255.255 host
access-list 170 permit ip 192.168.17.0 0.0.0.255 host

You would need to also clear the IPSEC SA on both ends after the configuration (clear cry sa).

So here are the actual access lists from the running config:


Site 1 (main, where port 8008 should be reachable)
access-list 170 permit ip 192.168.16.0 0.0.0.255 192.168.17.0 0.0.0.255
access-list 170 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 170 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 170 permit ip 192.168.1.0 0.0.0.255 192.168.17.0 0.0.0.255
access-list 170 permit ip host 192.168.16.1 192.168.17.0 0.0.0.255
access-list 170 permit ip host 192.168.16.1 192.168.2.0 0.0.0.255


Site 2 (remote, from where I try to connect via port 8008)
access-list 170 permit ip 192.168.17.0 0.0.0.255 192.168.16.0 0.0.0.255
access-list 170 permit ip 192.168.2.0 0.0.0.255 192.168.16.0 0.0.0.255
access-list 170 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 170 permit ip 192.168.17.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 170 permit ip 192.168.17.0 0.0.0.255 host 192.168.16.1
access-list 170 permit ip 192.168.2.0 0.0.0.255 host 192.168.16.1

and this is not working!

what did I do wrong?

I assume that fa0/1 should be a public IP Address, right? since you have configured port forwarding for that via the NAT statement:

ip nat inside source static tcp 192.168.1.24 8008 interface FastEthernet0/1 8008

Can you share the output of:

show run int fa0/1

Is this webserver accessible from the Internet?

I assume that you would like access to the webserver from both the Internet as well as the VPN, right?

Yes you are right!

The fa0/1 is public - sorry, I didn't read correctly.

And I would like to connect to the webserver from both sides (Internet and VPN).

Now I have corrected the mistake, but it still doesn't work.

I can ping the webserver. I can reach a website (port 80), but I can't reach the website which should be reachable via port 8008.

Is it working from the internet and failing from the VPN? or it's not working from both VPN and Internet?

If it's not working from the VPN, can you please make sure that you have exactly the mirror image ACL on both sides, and have also cleared the crypto tunnels (clear crypto sa).
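To check the "exactly the mirror image" requirement mechanically rather than by eye, here is an added Python example (not from this thread, and not a Cisco tool) that parses "permit ip" crypto ACL lines from both tunnel ends, reports every entry that has no mirror on the other side, and tells whether a given flow is selected on both sides. The sample ACLs are constructed to mirror the ones posted in this thread, with the documentation address 203.0.113.10 standing in for the redacted fa0/1 public IP; only "permit ip" entries with contiguous wildcard masks are modelled.

```python
"""Mirror-image check for IPsec crypto ACLs written in Cisco IOS syntax.

Added example, not from the thread. Only 'access-list N permit ip SRC DST'
lines are parsed; SRC/DST may be 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'.
"""
import ipaddress
from typing import List, NamedTuple, Optional, Tuple


class Ace(NamedTuple):
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

    def __str__(self) -> str:
        return f"permit ip {self.src} {self.dst}"


def _wildcard_to_prefix(wildcard: str) -> int:
    """Convert an IOS wildcard mask (e.g. 0.0.0.255) to a prefix length (24).

    Handled explicitly so that 0.0.0.0 means /32 (a single host), not /0.
    """
    w = int(ipaddress.IPv4Address(wildcard))
    if w != (1 << w.bit_length()) - 1:  # set bits must be contiguous from the right
        raise ValueError(f"non-contiguous wildcard mask {wildcard} not supported")
    return 32 - w.bit_length()


def _parse_addr(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse one address spec starting at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(f"{tokens[i + 1]}/32"), i + 2
    prefix = _wildcard_to_prefix(tokens[i + 1])
    return ipaddress.ip_network(f"{tokens[i]}/{prefix}", strict=False), i + 2


def parse_crypto_acl(text: str) -> List[Ace]:
    """Return the 'permit ip' entries of an ACL, in configured order; other lines are ignored."""
    aces = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 5 or tokens[0] != "access-list" or tokens[2:4] != ["permit", "ip"]:
            continue
        src, i = _parse_addr(tokens, 4)
        dst, _ = _parse_addr(tokens, i)
        aces.append(Ace(src, dst))
    return aces


def mirror_gaps(local: List[Ace], remote: List[Ace]) -> Tuple[List[str], List[str]]:
    """Return (entries missing on local, entries missing on remote).

    Every local SRC->DST needs a remote DST->SRC and vice versa. Duplicate
    lines collapse, so a line configured twice on one side is not a gap.
    """
    local_set, remote_set = set(local), set(remote)
    missing_local = sorted(str(Ace(r.dst, r.src)) for r in remote_set if Ace(r.dst, r.src) not in local_set)
    missing_remote = sorted(str(Ace(l.dst, l.src)) for l in local_set if Ace(l.dst, l.src) not in remote_set)
    return missing_local, missing_remote


def first_match(aces: List[Ace], src_ip: str, dst_ip: str) -> Optional[Ace]:
    """First entry covering src_ip -> dst_ip, or None (IOS evaluates ACLs top-down)."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in aces:
        if s in ace.src and d in ace.dst:
            return ace
    return None


def tunnel_carries(initiator: List[Ace], responder: List[Ace], src_ip: str, dst_ip: str) -> bool:
    """True only if the initiator selects src->dst AND the responder covers the reply dst->src."""
    return (first_match(initiator, src_ip, dst_ip) is not None
            and first_match(responder, dst_ip, src_ip) is not None)


# Constructed sample modelled on the ACLs posted in this thread; 203.0.113.10 is a
# documentation address standing in for the redacted fa0/1 public IP.
SITE1_ACL = """\
access-list 170 permit ip 192.168.16.0 0.0.0.255 192.168.17.0 0.0.0.255
access-list 170 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 170 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 170 permit ip 192.168.1.0 0.0.0.255 192.168.17.0 0.0.0.255
access-list 170 permit ip host 203.0.113.10 192.168.17.0 0.0.0.255
access-list 170 permit ip host 203.0.113.10 192.168.2.0 0.0.0.255
"""
SITE2_ACL = """\
access-list 170 permit ip 192.168.17.0 0.0.0.255 192.168.16.0 0.0.0.255
access-list 170 permit ip 192.168.2.0 0.0.0.255 192.168.16.0 0.0.0.255
access-list 170 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 170 permit ip 192.168.17.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 170 permit ip 192.168.17.0 0.0.0.255 host 203.0.113.10
access-list 170 permit ip 192.168.2.0 0.0.0.255 host 203.0.113.10
"""

if __name__ == "__main__":
    site1, site2 = parse_crypto_acl(SITE1_ACL), parse_crypto_acl(SITE2_ACL)
    for side, gaps in zip(("site 1", "site 2"), mirror_gaps(site1, site2)):
        for gap in gaps:
            print(f"{side} lacks mirror entry: {gap}")
    # A site-2 client reaching the forwarded port on the public interface address
    print("2.50 -> public IP carried:", tunnel_carries(site2, site1, "192.168.2.50", "203.0.113.10"))
    print("2.50 -> 16.5 carried:", tunnel_carries(site2, site1, "192.168.2.50", "192.168.16.5"))
```

Run against the sample it reports the one site-2 entry (192.168.2.0/24 to 192.168.16.0/24) that has no counterpart on site 1, while a flow from a site-2 client to the public interface address is covered in both directions. The check covers only the crypto ACL itself; it says nothing about NAT or about which interface the crypto map is applied to.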

It is working from the internet and does not work from the VPN site.

My actual configs are:

Site 1 (main, where port 8008 should be reachable)
access-list 170 permit ip 192.168.16.0 0.0.0.255 192.168.17.0 0.0.0.255
access-list 170 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 170 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 170 permit ip 192.168.1.0 0.0.0.255 192.168.17.0 0.0.0.255
access-list 170 permit ip host public IP from this router 192.168.17.0 0.0.0.255
access-list 170 permit ip host public IP from this router 192.168.2.0 0.0.0.255


Site 2 (remote, from where I try to connect via port 8008)
access-list 170 permit ip 192.168.17.0 0.0.0.255 192.168.16.0 0.0.0.255
access-list 170 permit ip 192.168.2.0 0.0.0.255 192.168.16.0 0.0.0.255
access-list 170 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 170 permit ip 192.168.17.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 170 permit ip 192.168.17.0 0.0.0.255 host public IP from the router Site 1
access-list 170 permit ip 192.168.2.0 0.0.0.255 host public IP from the router Site 1

And now I have sent the command clear crypto sa on both routers,

and the website is currently still not reachable.
