How to configure the IOS firewall to open a web server

Answered Question
Aug 19th, 2010

Hi everyone,

I would like to configure a router as follows:

1. My ISP provides one global IP address via PPPoE, e.g. 200.200.200.2.

2. The router used in this scenario is a 2611XM running IOS 12.4T (AES image), which has two FastEthernet interfaces, Fa0/0 and Fa0/1.

3. I would like to open an HTTP server to the public Internet.

4. Some clients access the public Internet via PAT.

as in the following figure.

(figure: dnz.jpg)

Could you tell me the basic approach, or the URL of the documentation, for configuring this scenario?

Regards,

Tomoyuki

Correct Answer by Nagaraja Thanthry, Thu, 08/19/2010 - 06:29

Hello,

Please check the configuration below. I am assuming you are using sub-interfaces to configure DMZ and inside:

int fa 0/0.1
 description inside
 ip address
 ! (address and mask were left blank in the original post)
 ip nat inside
!
! Dynamic NAT (PAT) for inside clients; "inside" is required in the
! ip nat command, and access-list 1 (not shown in the post) must
! match the inside client addresses
ip nat inside source list 1 interface fastethernet 0/1 overload
!
! Static NAT for the webserver: TCP/80 on the outside address is
! forwarded to the webserver
ip nat inside source static tcp 198.132.219.1 80 interface fastethernet 0/1 80
!
! Inbound ACL on the outside interface: only the published port.
! Without ip inspect (CBAC) it also blocks replies to the inside
! clients' own outbound sessions.
access-list 199 permit tcp any any eq 80
!
interface fa 0/1
 ip nat outside
 ip access-group 199 in
exit

I noticed that the webserver IP in the DMZ is a public IP. If you own that public IP, then you do not need the static translation. You can change the access-list entry accordingly.

Hope this helps.

Regards,

NT

Correct Answer by KARUPPUCHAMY MA... about 6 years 3 months ago

Hi,

It is not a big deal to configure the Cisco IOS firewall.

Just go through the URL below; I hope it helps you configure your router.

http://www.cisco.com/en/US/products/sw/secursw/ps1018/prod_configuration_examples_list.html#anchor2

Thanks

Samy
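Putting the two answers together for Tomoyuki's scenario (one PPPoE-assigned public address, an inside LAN and a DMZ on sub-interfaces of Fa0/0, PAT for the clients, TCP/80 forwarded to the web server, and the IOS firewall in front of it), here is a complete IOS 12.4T configuration using CBAC (ip inspect) as the firewall. This is an added example, not a configuration from either answer or from Cisco's documentation. The VLAN numbers, the private addressing (192.168.1.0/24 inside, 192.168.2.0/24 DMZ, web server 192.168.2.10), the ACL and inspect names and the CHAP credentials are assumptions. Because the public address is negotiated over PPPoE it lives on Dialer1, so the NAT, ACL and inspect statements reference Dialer1 rather than Fa0/1.

```cisco
! Assumed addressing (not from the original post):
!   inside LAN  192.168.1.0/24 on Fa0/0.1 (802.1Q VLAN 10)
!   DMZ         192.168.2.0/24 on Fa0/0.2 (802.1Q VLAN 20), web server 192.168.2.10
!   Dialer1     gets the single public address from the ISP by PPPoE over Fa0/1
!
! The router's own web UI must not answer on the outside address
no ip http server
no ip http secure-server
!
! --- PPPoE to the ISP: Fa0/1 carries the session, Dialer1 holds the address ---
interface FastEthernet0/1
 description ISP (PPPoE)
 no ip address
 pppoe enable
 pppoe-client dial-pool-number 1
 no shutdown
!
interface Dialer1
 description outside
 ip address negotiated
 ip mtu 1492
 ip nat outside
 ip access-group OUTSIDE-IN in
 ip inspect FW out
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap callin
 ppp chap hostname ISPUSER
 ppp chap password 0 ISPPASS
!
dialer-list 1 protocol ip permit
ip route 0.0.0.0 0.0.0.0 Dialer1
!
! --- Inside and DMZ as 802.1Q sub-interfaces of Fa0/0 ---
interface FastEthernet0/0
 no ip address
 no shutdown
!
interface FastEthernet0/0.1
 description inside
 encapsulation dot1Q 10
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip tcp adjust-mss 1452
!
interface FastEthernet0/0.2
 description DMZ
 encapsulation dot1Q 20
 ip address 192.168.2.1 255.255.255.0
 ip nat inside
 ip tcp adjust-mss 1452
 ip access-group DMZ-IN in
!
! --- NAT: PAT for inside and DMZ hosts, static port forward for the web server ---
ip access-list standard NAT-SOURCES
 permit 192.168.1.0 0.0.0.255
 permit 192.168.2.0 0.0.0.255
ip nat inside source list NAT-SOURCES interface Dialer1 overload
ip nat inside source static tcp 192.168.2.10 80 interface Dialer1 80
!
! --- CBAC: inspect sessions leaving Dialer1 so only their return traffic is
!     let back in; the inbound ACL below stays closed to everything else ---
ip inspect name FW tcp
ip inspect name FW udp
ip inspect name FW icmp
!
! --- Outside ACL: the published port only (evaluated before NAT, so the
!     destination is the negotiated Dialer1 address, hence "any") ---
ip access-list extended OUTSIDE-IN
 permit tcp any any eq 80
 deny   ip any any log
!
! --- DMZ ACL: a compromised web server may answer inside clients but
!     may not open connections into the inside LAN ---
ip access-list extended DMZ-IN
 permit tcp 192.168.2.0 0.0.0.255 eq 80 192.168.1.0 0.0.0.255 established
 deny   ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255 log
 permit ip 192.168.2.0 0.0.0.255 any
```

To check it once the PPPoE session is up: `show ip nat translations` should list the static TCP/80 entry plus the PAT entries for client sessions, `show ip inspect sessions` shows the outbound sessions CBAC is tracking, and `show ip access-lists OUTSIDE-IN` shows hits on the port 80 line and on the logging deny. Inside clients cannot reach the server through the public address with this configuration (IOS NAT on a single interface does not hairpin); point them at 192.168.2.10 directly or with split DNS.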


cisco_fun_4899 Wed, 08/25/2010 - 01:38

Hi,

Thank you for your good help!

I got it. I'll try it soon.

> I noticed that the webserver IP in the DMZ is public IP. If you own that public IP ...

Sorry, I couldn't find a proper figure to indicate my scenario exactly.

As you are aware, I have only one public IP.

Regards,

Tomoyuki
