cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
11898
Views
0
Helpful
11
Replies

Port forwarding for the Web server for outside Internet users on Cisco 1900 Series router

lili Vachon
Level 1
Level 1

Hello Admins,

I am trying to learn something new here. We have web server inside our organization its IP address is 192.168.0.100. We want outside Internet users to access web server, How is it possible? Please have a look at the running configuration. Web server is working inside the organization but not at outside. Our Static Public IP is 85.192.55.122 it is assigned to Inetrface Gigabit Ethernet 0/0 and ISP default GW is 85.192.55.121. Let me know whats next? How do I make web server inside the organization available for outside Internet users. Thank you.

Building configuration...

Current configuration : 5531 bytes

!

! Last configuration change at 18:27:47 UTC Tue Jul 30 2013 by cisco

! NVRAM config last updated at 18:27:48 UTC Tue Jul 30 2013 by cisco

! NVRAM config last updated at 18:27:48 UTC Tue Jul 30 2013 by cisco

version 15.1

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname XYZ

!

boot-start-marker

boot-end-marker

!

!

logging buffered 51200 warnings

!

no aaa new-model

!

no ipv6 cef

ip source-route

ip cef

!

!

!

no ip dhcp use vrf connected

ip dhcp excluded-address 192.168.0.51 192.168.0.70

!

ip dhcp pool data

network 192.168.0.0 255.255.255.0

default-router 192.168.0.50

dns-server 86.51.34.17 86.51.35.18

lease 7

!

!

no ip domain lookup

ip domain name xyz.com

ip name-server 86.51.34.17

ip name-server 86.51.35.18

multilink bundle-name authenticated

!

crypto pki token default removal timeout 0

!

crypto pki trustpoint TP-self-signed-365255817

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-365255817

revocation-check none

rsakeypair TP-self-signed-365255817

!

!

crypto pki certificate chain TP-self-signed-365255817

certificate self-signed 01

  30820229 30820192 A0030201 02020101 300D0609 2A864886 F70D0101 05050030

  30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274

  69666963 6174652D 33363532 35353831 37301E17 0D313330 31313031 39313634

  325A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F

  532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3336 35323535

  38313730 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100

  C4E1FC5A CE882EEA C9EDC873 AD4A6A9A 8737E917 0C52DC89 90CEE320 01DC3BB9

  DDEA1929 CBAB5891 1E81C436 FF326C41 C929A394 33CDD3E9 3A100ED2 4FA9D79B

  69C80E64 913D255F 62993510 1EE86716 26948A58 942BE51C B1573FB7 8FAEA893

  1D82877B 1D653C6F 7810C1F7 35E52D05 CAD08F01 3381BE45 1E9342B9 C3F06ADB

  02030100 01A35330 51300F06 03551D13 0101FF04 05300301 01FF301F 0603551D

  23041830 16801473 A4466562 EAE1BF11 E9FB8794 E6E8141C 7608F730 1D060355

  1D0E0416 041473A4 466562EA E1BF11E9 FB8794E6 E8141C76 08F7300D 06092A86

  4886F70D 01010505 00038181 000F09D1 C6E5D640 E8D06B4F 38BC7A66 F7634D84

  36D3DBE2 31E6EC36 153FD72D 4EA8E465 77D92927 6525CEF6 02D39203 F6779D94

  950957D4 4240D012 311EAE5F 6486FE82 9F429477 0BA257B1 4A6507D4 ECF03DAF

  702E4B22 118CFA3D 2766EDB7 2FA46916 F83C4986 9D1474FE D1C2442B 0CF0581F

  A33125A4 CC77FAC0 15CC3A93 30

        quit

license udi pid CISCO1921/K9 sn FCZ1702C1TW

!

!

username cisco privilege 15 secret 4 tnhtc92DXBhelxjYk8LXrpb4RFmfqY

!

!

!

!

!

!

interface Embedded-Service-Engine0/0

no ip address

shutdown

!

interface GigabitEthernet0/0

description LOCAL-LAN

ip address 85.192.55.122 255.255.255.252

ip nat outside

ip virtual-reassembly in

duplex full

speed 100

!

interface GigabitEthernet0/1

ip address 192.168.0.50 255.255.255.0

ip nat inside

ip virtual-reassembly in

ip tcp adjust-mss 1452

duplex auto

speed auto

!

ip forward-protocol nd

!

ip http server

ip http authentication local

no ip http secure-server

ip http timeout-policy idle 60 life 86400 requests 10000

!

ip nat inside source list 10 interface GigabitEthernet0/0 overload

ip route 0.0.0.0 0.0.0.0 85.192.55.121

!

access-list 10 permit 192.168.0.0 0.0.0.255

!

!

!

control-plane

!

!

line con 0

login local

line aux 0

line 2

no activation-character

no exec

transport preferred none

transport input all

transport output pad telnet rlogin lapb-ta mop udptn v120 ssh

stopbits 1

line vty 0 4

privilege level 15

login local

transport input telnet ssh

line vty 5 15

access-class 23 in

privilege level 15

login local

transport input telnet ssh

!

scheduler allocate 20000 1000

end

Note: - Public IP and password is edited.

11 Replies 11

Peter Paluch
Cisco Employee
Cisco Employee

Hi,

This should be fairly easy to accomplish by adding a single command into your configuration:

ip nat inside source static tcp 192.168.0.100 80 85.192.55.122 80

Would you mind testing this?

Best regards,

Peter

Hello Peter,

We don't have to create DMZ right? On what else port can we test web server. Also if possible let me know is there a way to know weather web server is active or not from outside. Thank you.

Hello Peter,

I cannot access to web server from outside. Could you please check the running configuration. The web server can be accessed inside users but not Outside users. I tried the command

ip nat inside source static tcp 192.168.0.100 80 85.192.55.122 80

Is there any thing that has to be done with access list. let me know. Thank you.

Also have a look at here

XYZ#telnet 192.168.0.100 80 /source-interface gigabitEthernet 0/0

Trying 192.168.0.100, 80 ...

% Connection timed out; remote host not responding

XYZ#telnet 192.168.0.100 80 /source-interface gigabitEthernet 0/1

Trying 192.168.0.100, 80 ...

% Connection refused by remote host

hi,

i've read your other post at https://supportforums.cisco.com/message/4006693#4006693.

it looks like you should contact your external DNS provider, Domain Control/Special Domain Services, instead of GoDaddy, which is only your Registrant.

http://whois.domaintools.com/jkkcc.com

Domain Name: JKKCC.COM

Registrar URL: http://www.godaddy.com    <<<

Registrant Name: Jonathan Wood

Registrant Organization:

Name Server: NS39.DOMAINCONTROL.COM    <<<<

Name Server: NS40.DOMAINCONTROL.COM

ask the DNS provider what's their procedure to add the zone file records. this is usually done over their control panel/portal.

Hello John,

Sorry thats not my post. I was just searching for help. In my scenario what would be problem. Please have a look at my running conf at above,

oh, sorry didn't notice that.

aside from peter's advice, i would say you'll still need to check your DNS server/setup whether your performing internal or external hosting.

Peter Paluch
Cisco Employee
Cisco Employee

Hi lili,

The command you have entered seems to be correct and you should not need to modify the ACL in order for this static PAT to work. What surprises me is that you do not seem to be able to telnet into the web server from your own router - it says "connection refused". Why would that be? Is the HTTP server running on that machine? Is it possible you're using HTTPS instead of HTTP? HTTPS runs on TCP port 443.

In addition, I am unable to ping the public IP address 85.192.55.122 at the time of writing this response. I have also tried nmap-ing it to see any open ports but no response was received. Is it possible that your ISP needs to be requested to allow incoming TCP connections onto your public IP address? It wouldn't be surprising.

Best regards,

Peter

Hello Peter,

Inside the network everything is fine? Outside the network nothing is fine. Let me know what are the questions I need to ask my ISP or Web server Support Engineer. Thank you.

Hi lili,

Ask your ISP whether it allows incoming TCP connections to ports 80 and 443 onto your public IP address. Explain that you intend to do port forwarding on this public IP address towards your internal webserver and that you are not sure if the ISP allows incoming TCP connections.

Oh, by the way, if your are not using web configuration or SDM to configure your router, I suggest deactivating the HTTP server running on your router:

no ip http server

I am not sure that if all is well in your network, though, how is it possible you were not able to telnet into your webserver from the router. Once again, was this meant to be HTTPS instead of HTTP?

Best regards,

Peter

Hello Peter,

Yes you are right I am sure that this configuration is perfect and yes it is a web server working on port 80. May be the web server guy has not configured web server properly. What I will do is I will create IIS on my laptop and will create some test document in html format and will configure in IIS and will register the domain on "NO IP . net" Just for a testing. Then I will test it. Everything is correct and static nat command should od the job. Let me test. Thank you.

Hi,

Everthing is alrite remember these points.

Your Server Gatewy must be Router inside interface IP

The Public IP Pool which you are using that must be routed towards your Outise Interface IP by your ISP.

Verify these things....

***Do Rate All Helpful Posts***

Jawad

Jawad
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: