wireless lan controller module accessible from the web via external ip

nisiotisr

Hi!

I have a Cisco 2800 series router with a wireless LAN controller module installed. Everything is working OK, but I want to have access to the WLCM's web interface from outside the local network.

I have the following config on my router:

!
class-map match-any ipp
 description IP Premium traffic is VoIP or RTS traffic
class-map match-all rts
 description Match traffic destined to Sch RTS server IP
 match access-group name sch_rts
!
policy-map schqos_out
 class ipp
    priority 224
 class class-default
policy-map schqos_in
 class rts
 class class-default
!
interface Loopback0
 description Router-id
 ip address <internet address real> 255.255.255.255
!
interface GigabitEthernet0/0
 description AccessPoint Interface
 ip address 192.168.6.254 255.255.255.0
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 description SchoolLAN Interface
 ip address 10.102.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface ATM0/3/0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0/3/0.1 point-to-point
 description WAN
 ip flow ingress
 pvc 8/35
  description School aDSL
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface wlan-controller1/0
 ip address 192.168.7.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly

// the manager interface for the controller is 192.168.7.245

!
interface Dialer0
 description Connection over aDSL
 ip unnumbered Loopback0
 ip mtu 1492
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 fair-queue
 no cdp enable
 ppp authentication chap callin
 ppp chap hostname <hostname>
 ppp chap password <password>
 ppp pap refuse
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
no ip http server
no ip http secure-server
!
ip nat pool reg_ips <nat address1> <nat address2> netmask 255.255.255.248
ip nat inside source list 101 pool reg_ips overload
ip nat inside source list 102 interface Dialer0 overload
ip nat inside source list 107 interface Dialer0 overload
ip nat inside source static tcp 192.168.7.245 80 interface Dialer0 80

// the above line is not working

!
ip access-list extended sch_rts
 permit ip any host xxx.xxx.xxx.xxx
!
access-list 101 deny   ip 10.102.0.0 0.0.0.15 any
access-list 101 deny   ip 10.102.0.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 101 permit ip 10.102.0.0 0.0.0.255 any
access-list 101 permit ip 192.168.7.0 0.0.0.255 any
access-list 102 permit ip 10.102.0.0 0.0.0.255 any
access-list 102 deny   ip any 10.0.0.0 0.255.255.255
access-list 102 permit ip any any
access-list 107 permit ip 192.168.7.0 0.0.0.255 any
access-list 110 permit ip any xxx.xxx.xxx.0 0.0.3.255
access-list 110 deny   tcp any any eq smtp
access-list 110 deny   tcp any any eq 135
access-list 110 deny   udp any any eq 135
access-list 110 deny   tcp any any range 137 139
access-list 110 deny   udp any any range netbios-ns netbios-ss
access-list 110 deny   tcp any any eq 445
access-list 110 deny   udp any any eq 445
access-list 110 permit ip any any
dialer-list 1 protocol ip permit
!
route-map natmap permit 10
 match ip address 102
!

It looks like I am making a mistake somewhere...

Any help?


amikat

Hi,

Can you please post the "show network" controller command output.

Thanks & Regards,

Antonin

Thanks. Here is the output:

(wlc-gym) >show network summary

RF-Network Name............................. wlan-22-group
Web Mode.................................... Enable
Secure Web Mode............................. Enable
Secure Web Mode Cipher-Option High.......... Disable
Secure Shell (ssh).......................... Enable
Telnet...................................... Disable
Ethernet Multicast Mode..................... Disable
Ethernet Broadcast Mode..................... Disable
AP Multicast Mode........................... Multicast   Address : 0.0.0.0
IGMP snooping............................... Disabled
IGMP timeout................................ 60 seconds
User Idle Timeout........................... 300 seconds
ARP Idle Timeout............................ 300 seconds
Cisco AP Default Master..................... Disable
AP Join Priority............................ Disable
Mgmt Via Wireless Interface................. Disable
Mgmt Via Dynamic Interface.................. Disable
Bridge MAC filter Config.................... Enable
Bridge Security Mode........................ EAP
Over The Air Provisioning of AP's........... Disable
AP Fallback ................................ Enable
--More-- or (q)uit
Web Auth Redirect Ports .................... 80
Fast SSID Change ........................... Disabled
802.3 Bridging ............................. Disable

Is there anything to do with multicast?

By the way, setting NAT to a one-to-one IP address, access is possible.

i.e.

ip nat inside source static 192.168.7.245 <ext ip> route-map natmap
I think it may be because the actual IP is not on the Dialer interface.

Have you tried -

"ip nat inside source static tcp 192.168.7.245 80 <IP on loopback> 80"

Jon

It worked!

ip nat inside source static tcp 192.168.7.245 80 int loopback0 80

Thanks! 

No problem.

I was actually talking about using the actual IP on the loopback interface but it seems just referencing the actual interface works as well.

Glad you got it working.

Jon
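
An added example, not part of the original thread: a small Python audit that reads an IOS configuration, lists static NAT port forwards like the one that resolved this thread, and flags forwards to cleartext ports and NAT outside interfaces with no inbound ACL. The sample config is constructed from lines posted above; the cleartext port list and the function names are assumptions.

```python
import re

# Constructed sample: a few lines from the thread's config plus the working NAT line.
SAMPLE_CONFIG = """\
interface wlan-controller1/0
 ip nat inside
!
interface Dialer0
 ip unnumbered Loopback0
 ip nat outside
!
ip nat inside source static tcp 192.168.7.245 80 interface Loopback0 80
"""

# Assumption: inside ports treated as cleartext management services.
CLEARTEXT_PORTS = {"23": "telnet", "80": "http"}
STATIC_PAT = re.compile(
    r"^ip nat inside source static (tcp|udp) (\S+) (\d+) (?:int\S* )?(\S+) (\d+)", re.I)


def parse_interfaces(config):
    """Map each interface name to the list of its indented sub-commands."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.lower().startswith("interface "):
            current = line.split(None, 1)[1].strip()
            interfaces[current] = []
        elif line.startswith(" ") and current:
            interfaces[current].append(line.strip())
        else:
            current = None  # "!" or a global command ends the interface block
    return interfaces


def audit(config):
    """Return static port forwards, then NAT outside interfaces lacking an inbound ACL."""
    findings = []
    for line in config.splitlines():
        m = STATIC_PAT.match(line.strip())
        if m:
            _proto, inside_ip, inside_port, outside, outside_port = m.groups()
            findings.append({"type": "static-forward",
                             "inside": f"{inside_ip}:{inside_port}",
                             "outside": f"{outside}:{outside_port}",
                             "cleartext": CLEARTEXT_PORTS.get(inside_port)})
    for name, cmds in parse_interfaces(config).items():
        filtered = any(c.startswith("ip access-group ") and c.endswith(" in") for c in cmds)
        if "ip nat outside" in cmds and not filtered:
            findings.append({"type": "no-inbound-acl", "interface": name})
    return findings
```

Run `audit()` over the text of `show running-config`; a forward whose `cleartext` field is set, on an outside interface that also appears as `no-inbound-acl`, is reachable from any source address without encryption.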
