
Inside web Server on 2811

kirilkoltchakov
Level 1

Hello,

I configured this router to use NAT overload so that any computer on the LAN can access the Internet.

I configured (I think) static routes to reach the LAN web server from outside, but there is no effect; I can't reach the server. Could you help, please:

********* cut **********

show config

Using 1842 out of 245752 bytes

!

version 12.4

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname Router

!

boot-start-marker

boot-end-marker

!

logging buffered 51200 warnings

!

no aaa new-model

!

resource policy

!

clock timezone Paris 1

clock summer-time Paris date Mar 30 2003 2:00 Oct 26 2003 3:00

!

!

ip cef

!

no ip domain lookup

ip name-server 194.x.x.100

ip name-server 194.x.x.101

!

!

crypto pki trustpoint TP-self-signed-1487781583

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-1487781583

revocation-check none

rsakeypair TP-self-signed-1487781583

!

!

crypto pki certificate chain TP-self-signed-1487781583

certificate self-signed 01 nvram:IOS-Self-Sig#3301.cer

username MyUser privilege 15 password 0 MyPassword

!

!

!

!

interface FastEthernet0/0

description LAN Plainsa Cuenca$ETH-LAN$

ip address 192.168.0.2 255.255.255.0

ip nat inside

duplex auto

speed auto

!

interface FastEthernet0/1

no ip address

shutdown

duplex auto

speed auto

!

interface ATM0/0/0

no ip address

no atm ilmi-keepalive

dsl operating-mode auto

!

interface ATM0/0/0.2 point-to-point

ip address "My Public IP" 255.255.255.192

ip nat outside

no snmp trap link-status

pvc 8/32

encapsulation aal5snap

!

ip route 0.0.0.0 0.0.0.0 ATM0/0/0.2

!

ip http server

ip http authentication local

ip http secure-server

ip nat inside source list 1 interface ATM0/0/0.2 overload

ip nat inside source static tcp 192.168.0.3 21 interface ATM0/0/0.2 21

ip nat inside source static tcp 192.168.0.19 80 interface ATM0/0/0.2 81

ip nat inside source static tcp 192.168.0.3 3389 interface ATM0/0/0.2 3389

!

access-list 1 permit 192.168.0.0 0.0.0.255

!

control-plane

!

!

line con 0

line aux 0

line vty 0 4

privilege level 15

login local

transport input telnet ssh

!

scheduler allocate 20000 1000

!

end

******** end cut *******

This is the debug info of "debug ip nat detailed" (the address 217.x.x.217 is not the real address; I changed it in this letter only):

*Oct 4 17:29:20.631: NAT*: o: tcp (83.34.16.82, 12200) -> (217.217.217.217, 81) [53017]

*Oct 4 17:29:20.631: NAT*: o: tcp (83.34.16.82, 12200) -> (217.217.217.217, 81) [53017]

*Oct 4 17:29:20.631: NAT*: TCP s=12200, d=81->80

*Oct 4 17:29:20.631: NAT*: s=83.34.16.82, d=217.217.217.217->192.168.0.19 [53017]

*Oct 4 17:29:23.599: NAT*: o: tcp (83.34.16.82, 12200) -> (217.217.217.217, 81) [53020]

*Oct 4 17:29:23.599: NAT*: TCP s=12200, d=81->80

*Oct 4 17:29:23.603: NAT*: s=83.34.16.82, d=217.217.217.217->192.168.0.19 [53020]

*Oct 4 17:29:29.607: NAT*: o: tcp (83.34.16.82, 12200) -> (217.217.217.217, 81) [53022]

*Oct 4 17:29:29.607: NAT*: TCP s=12200, d=81->80

*Oct 4 17:29:29.607: NAT*: s=83.34.16.82, d=217.217.217.217->192.168.0.19 [53022]

*Oct 4 17:30:29.775: NAT: expiring 217.217.217.217 (192.168.0.19) tcp 81 (80)

Router#show ip nat translations

Pro Inside global         Inside local       Outside local      Outside global
tcp 217.217.217.217:21    192.168.0.3:21     ---                ---
tcp 217.217.217.217:3389  192.168.0.3:3389   ---                ---
tcp 217.217.217.217:81    192.168.0.19:80    83.34.16.82:12202  83.34.16.82:12202
tcp 217.217.217.217:81    192.168.0.19:80    ---                ---

Thank you in advance!
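An added example, not part of the original post: a small parser for the `debug ip nat detailed` lines shown above that lists outside-to-inside flows which were translated but never saw a packet coming back from the inside host. It assumes that `o:` marks a packet arriving from outside and `i:` a packet arriving from inside, and that all lines follow the format in the post; the 198.51.100.7 flow is constructed here to show an answered connection for contrast.

```python
import re
from collections import defaultdict

# Debug lines copied from the post, plus one constructed flow (198.51.100.7)
# whose "i:" line stands for a reply from the inside host.
SAMPLE = """\
*Oct 4 17:29:20.631: NAT*: o: tcp (83.34.16.82, 12200) -> (217.217.217.217, 81) [53017]
*Oct 4 17:29:20.631: NAT*: TCP s=12200, d=81->80
*Oct 4 17:29:20.631: NAT*: s=83.34.16.82, d=217.217.217.217->192.168.0.19 [53017]
*Oct 4 17:29:23.599: NAT*: o: tcp (83.34.16.82, 12200) -> (217.217.217.217, 81) [53020]
*Oct 4 17:29:29.607: NAT*: o: tcp (83.34.16.82, 12200) -> (217.217.217.217, 81) [53022]
*Oct 4 17:29:31.100: NAT*: o: tcp (198.51.100.7, 40000) -> (217.217.217.217, 81) [100]
*Oct 4 17:29:31.104: NAT*: i: tcp (192.168.0.19, 80) -> (198.51.100.7, 40000) [200]
*Oct 4 17:30:29.775: NAT: expiring 217.217.217.217 (192.168.0.19) tcp 81 (80)
"""

# Matches only the per-packet lines: direction, protocol, source and destination.
PKT = re.compile(
    r"NAT\*?: ([io]): (\w+) \(([\d.]+), (\d+)\) -> \(([\d.]+), (\d+)\)"
)

def unanswered_flows(log):
    """Map (proto, remote_ip, remote_port) -> number of outside packets seen,
    for remote endpoints that never received a packet from the inside."""
    attempts = defaultdict(int)
    answered = set()
    for line in log.splitlines():
        m = PKT.search(line)
        if not m:
            continue  # translation detail and expiry lines are skipped
        direction, proto, src, sport, dst, dport = m.groups()
        if direction == "o":
            # Packet from outside: key the flow by the remote endpoint.
            attempts[(proto, src, int(sport))] += 1
        else:
            # Packet from inside: its destination is the remote endpoint.
            answered.add((proto, dst, int(dport)))
    return {k: n for k, n in attempts.items() if k not in answered}

if __name__ == "__main__":
    for (proto, ip, port), n in unanswered_flows(SAMPLE).items():
        print(f"{proto} {ip}:{port}: {n} packet(s) translated inbound, no reply seen")
```

A flow listed here was rewritten on the way in, so the next thing to check is the path back from the inside host to the router.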

15 Replies

rajinikanth
Level 3

Hi,

Your NAT statement:

ip nat inside source static tcp 192.168.0.19 80 interface ATM0/0/0.2 81

Why are you using port 81 instead of port 80 on the global IP (ATM0/0/0.2 81)?

Are you trying to reach the web server from outside using port 81,

for example x.x.x.x:81?

Or change your NAT statement to:

ip nat inside source static tcp 192.168.0.19 80 interface ATM0/0/0.2 80

HTH

Thanks,

Raj

Hi Raj,

Yes, I type X.X.X.X:81 in my web browser. I try X.X.X.X in my FTP software, but without reaching it.

But locally I get into the web server and FTP server without any problem.

Thank you.

Hi,

Can you post your show ip route output?

Thanks

Raj

Yes, I can:

Router#show ip route

Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP

D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

E1 - OSPF external type 1, E2 - OSPF external type 2

i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2

ia - IS-IS inter area, * - candidate default, U - per-user static route

o - ODR, P - periodic downloaded static route

Gateway of last resort is 0.0.0.0 to network 0.0.0.0

217.217.217.0/26 is subnetted, 1 subnets

C 217.217.217.0 is directly connected, ATM0/0/0.2

C 192.168.0.0/24 is directly connected, FastEthernet0/0

S* 0.0.0.0/0 is directly connected, ATM0/0/0.2

My server is 192.168.0.3, but I installed a web server and FTP server on a PC with 192.168.0.19 to check whether the possible problem is the server. But it is not, I think.

I have NAT from port 81 to 80 because I have switched on the HTTP server on the 2811, and if I type the public IP address it "opens" the router 2811.

Thanks

Kiril.

Hi,

I find all your config fine.

Try to change this statement

ip nat inside source static tcp local ip 80 wan ip 81 extendable

for additional information check this site

http://www.cisco.com/en/US/tech/tk175/tk15/technologies_configuration_example09186a008071a8d0.shtml

HTH

Thanks

Raj

Hi Raj,

when I introduce it the router "says":

% similar static entry (192.168.0.19 -> 217.217.217.217) already exists

I delete the "original" and post yours:

ip nat inside source static tcp 192.168.0.3 80 217.217.217.217 81 extendable

There is a document that describes the web server from outside; I think I did anything:

http://www.cisco.com/en/US/tech/tk175/tk15/technologies_configuration_example09186a0080093e51.shtml

Maybe I will delete the configuration and begin from 0.

Thank you

Hi,

That's a good idea, to start from the beginning.

Good luck

Thanks

Raj

Hi Raj,

No solution. With the configuration from the link you sent me, the result is the same: I can't connect "inside".

Thank You.

Hi,

Can you remove the static NAT config using the ATM0/0/0.2 interface and replace it with the static command to use the global IP instead as follows.

no ip nat inside source static tcp 192.168.0.19 80 interface ATM0/0/0.2 81

ip nat inside source static tcp 192.168.0.19 80 217.217.217.217 81 extendable

Let us know if this helps!!

HTH

Sundar

Hi,

I have a similar configuration. I have an internal web server that is reachable from the internet, but when an internal client tries to access this web server from the inside with its DNS name, the connection fails. In fact, NAT takes place for the connection from the inside client to the outside router interface, but then the static NAT from the outside back in to the web server does not work.

Any idea?

Regards,

Oliver

Hello,

I think that your inside connection doesn't have to go out and then back in over the Ethernet. Do you have a LAN DNS server? Check whether an "A" record for the name of the web server is assigned.

If you don't have an internal DNS server, the problem could be the node type your DHCP gives the WINS client (b-node, p-node, m-node, h-node - more detail: http://support.microsoft.com/kb/160177). If the type is only to search the DNS server without broadcasting, then the client will go out to the outside DNS server to resolve the IP address of your internal web server, and it will not find it.

Regards, Kiril.

wpharaon
Level 1

Dear kirilkoltchakov,

You mentioned that you type x.x.x.x:81 in your web browser. Note that if your web server is running on port 81, then in the NAT statement we should have port 81 associated with the internal IP address (192.168.0.19 81):

ip nat inside source static tcp 192.168.0.19 81 interface ATM0/0/0.2 81

leave it on the external interface 81 for now and try it http://External.IP.Add:81

Hi wpharaon,

Yes, that is what I do, but I can't reach inside my LAN.

Thank you.

Hi,

Can you try like below:

ip nat inside source static tcp 192.168.0.19 80 217.217.217.217 81 route-map web_server_test

ip access-list extended web_server

permit ip host 192.168.0.19 any

route-map web_server_test permit 1

match ip address web_server

If it works, then same way setup for ftp and other ports.
