06-21-2010 01:45 AM - edited 03-11-2019 11:01 AM
Hello there,
We use a Cisco 2811 router and I have forwarded some websites which will be used via port 8008, but it does not work.
I tried it with:
ip nat inside source static tcp 192.168.1.24 8008 interface FastEthernet0/1 8008
Can someone tell me what is wrong? And maybe someone can tell me how I can debug the traffic which should pass port 8008?
Thank you for your help!
Michael
06-21-2010 03:30 AM
I assume that fa0/1 is the external interface (please make sure that you configured "ip nat outside"), and the interface of the 192.168.1.x subnet has "ip nat inside" configured. Also, do you have an access-list configured on the external interface? If you do, you would need to allow traffic to the fa0/1 interface on port 8008.
Please share the config if the above has been checked.
08-31-2010 11:39 PM
Hello halijenn,
Thank you for your answer, and sorry for the delay!
At the moment port 8008 is working fine, but only if I try to reach the server via port 8008 from the internet. If I try to reach it from another site office it does not work.
The access-list allows all traffic from the site office (connected via VPN), and I can ping the server and I can also connect to it via a share.
Can it be that the ip nat inside source static tcp 192.168.1.24 8008 interface FastEthernet0/1 8008 is only for connections from the internet?
If yes, what can I do so that we can connect to the server from our site office?
Best wishes
Michael
08-31-2010 11:55 PM
Yes, you are right. Those are for the internet, because on a VPN you normally do not specify the public subnet/IP address in the crypto ACL.
You would need to add crypto ACL for your VPN tunnel between the FastEthernet0/1 interface IP towards remote LAN and vice versa.
09-01-2010 12:08 AM
ok?
How can I add a crypto ACL? Sorry for this question, but I'm not so firm in configuring special things on the Cisco router.
Do you have a short how-to for me?
best wishes
Michael
09-01-2010 06:45 PM
Can you post the specific vpn configuration and the corresponding crypto ACL?
09-06-2010 10:52 PM
hello halijenn,
I hope I have the right things you'd like to know.
---
crypto map SDM_CMAP_1 4 ipsec-isakmp
set peer public IP
set transform-set ESP-AES-256-SHA
match address 170
access-list 170 permit ip 192.168.16.0 0.0.0.255 192.168.17.0 0.0.0.255
access-list 170 permit ip 192.168.16.0 0.0.0.255 192.168.2.0 0.0.255.255
access-list 170 permit ip 192.168.1.0 0.0.255.255 192.168.2.0 0.0.255.255
access-list 170 permit ip 192.168.1.0 0.0.255.255 192.168.17.0 0.0.0.255
---
If you need anything more, please let me know.
Best wishes
Michael
09-07-2010 04:49 AM
Here is what you would need to add:
access-list 170 permit ip host
access-list 170 permit ip host
You would also need to configure mirror image ACL on the other side of the VPN tunnel device.
09-07-2010 05:28 AM
I have added the lines on the router:
---
access-list 170 permit ip host
access-list 170 permit ip host
---
At the remote site, which configuration do I need?
Info: the access-list is also 170!
1.?
--
access-list 170 permit ip host
access-list 170 permit ip host
--
or 2.?
--
access-list 170 permit ip host <fa0/1 interface ip address from the main router> 192.168.2.0 0.0.255.255
access-list 170 permit ip host <fa0/1 interface ip address from the main router> 192.168.17.0 0.0.0.255
--
or 3.?
--
access-list 170 permit ip host <fa0/1 interface ip address from the main router> 192.168.1.0 0.0.255.255 - IPs from the main site?
access-list 170 permit ip host <fa0/1 interface ip address from the main router> 192.168.16.0 0.0.0.255 - IPs from the main site?
--
or 4.?
--
access-list 170 permit ip host
access-list 170 permit ip host
--
09-07-2010 05:37 AM
On the remote site, you would need to configure mirror image ACL as follows:
access-list 170 permit ip 192.168.2.0 0.0.255.255 host
access-list 170 permit ip
You would need to also clear the IPSEC SA on both ends after the configuration (clear cry sa).
09-07-2010 05:52 AM
So here are the actual access lists from the running config.
Site 1 (main, where port 8008 should be reachable):
access-list 170 permit ip 192.168.16.0 0.0.0.255 192.168.17.0 0.0.0.255
access-list 170 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 170 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 170 permit ip 192.168.1.0 0.0.0.255 192.168.17.0 0.0.0.255
access-list 170 permit ip host 192.168.16.1 192.168.17.0 0.0.0.255
access-list 170 permit ip host 192.168.16.1 192.168.2.0 0.0.0.255
Site 2 (remote, where I try to connect from via port 8008):
access-list 170 permit ip 192.168.17.0 0.0.0.255 192.168.16.0 0.0.0.255
access-list 170 permit ip 192.168.2.0 0.0.0.255 192.168.16.0 0.0.0.255
access-list 170 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 170 permit ip 192.168.17.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 170 permit ip 192.168.17.0 0.0.0.255 host 192.168.16.1
access-list 170 permit ip 192.168.2.0 0.0.0.255 host 192.168.16.1
And this is not working!
What did I do wrong?
09-07-2010 06:19 AM
I assume that fa0/1 should be a public IP address, right? Since you have configured port forwarding for that via the NAT statement:
ip nat inside source static tcp 192.168.1.24 8008 interface FastEthernet0/1 8008
Can you share the output of:
show run int fa0/1
Is this webserver accessible from the Internet?
I assume that you would like access to the webserver from both the Internet as well as the VPN, right?
09-07-2010 11:34 PM
Yes you are right!
The fa0/1 is public, sorry I didn't read correctly.
And I'd like to connect to the webserver from both sites (Internet and VPN).
Now I have corrected the mistake, but it didn't work again.
I can ping the webserver. I can reach a website (port 80), but I can't reach the website which should be reachable via port 8008.
09-07-2010 11:38 PM
Is it working from the internet and failing from the VPN? or it's not working from both VPN and Internet?
If it's not working from the VPN, can you please make sure that you have exactly the mirror image ACL on both sides, and have also cleared the crypto tunnels (clear crypto sa).
09-07-2010 11:47 PM
It is working from the internet and does not work from the VPN site.
My current configs are:
Site 1 (main, where port 8008 should be reachable):
access-list 170 permit ip 192.168.16.0 0.0.0.255 192.168.17.0 0.0.0.255
access-list 170 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 170 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 170 permit ip 192.168.1.0 0.0.0.255 192.168.17.0 0.0.0.255
access-list 170 permit ip host public IP from this router 192.168.17.0 0.0.0.255
access-list 170 permit ip host public IP from this router 192.168.2.0 0.0.0.255
Site 2 (remote, where I try to connect from via port 8008):
access-list 170 permit ip 192.168.17.0 0.0.0.255 192.168.16.0 0.0.0.255
access-list 170 permit ip 192.168.2.0 0.0.0.255 192.168.16.0 0.0.0.255
access-list 170 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 170 permit ip 192.168.17.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 170 permit ip 192.168.17.0 0.0.0.255 host public IP from the router Site 1
access-list 170 permit ip 192.168.2.0 0.0.0.255 host public IP from the router Site 1
And now I have sent the command clear crypto sa on both routers,
and the website is currently still not reachable.