Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
221
Views
0
Helpful
1
Replies

871W - Translation to an internal Web server

tdholwerda
Level 1
Level 1

‎10-30-2013 06:46 AM - edited ‎03-04-2019 09:27 PM

Hello,

We're attempting to allow access to our internal web server from the Internet.  Unfortunately, we're not very familiar with the 871W as we typically install ASA's but this is a pre-existing device.  Below is the config.  Can someone please point out what we have misconfigured?  BTW - I did modify the actual external IP address to protect any holes that may exist with this configuration... 

Many thanks!

Troy

version 12.4

no service pad

service tcp-keepalives-in

service tcp-keepalives-out

service timestamps debug datetime msec localtime show-timezone

service timestamps log datetime msec localtime show-timezone

service password-encryption

service sequence-numbers

!

hostname solcenter

!

boot-start-marker

boot-end-marker

!

logging buffered 51200

logging console critical

no logging monitor

enable secret 5 $1$cRwn$SHl6w1Wq0E23oD6YQXitJ1

!

no aaa new-model

clock timezone PCTime 0

!

crypto pki trustpoint TP-self-signed-3906865615

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-3906865615

revocation-check none

rsakeypair TP-self-signed-3906865615

!

!

crypto pki certificate chain TP-self-signed-3906865615

certificate self-signed 01

  3082024F 308201B8 A0030201 02020101 300D0609 2A864886 F70D0101 04050030

  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274

  69666963 6174652D 33393036 38363536 3135301E 170D3032 30333031 30303331

  34375A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649

  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 39303638

  36353631 3530819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281

  8100B663 81A81339 D1197089 6C5CC8BA 72B4EBCF ABC7EAFA D2697B3A 6A35A2AD

  17F73845 86AFF234 B4019C65 2D5BC160 0ABF665A 6BAC94F4 0ABB073C CA1A20E8

  02DE81D2 1581B7BB 4C7BF0C3 DB65D1C9 B74D61F9 2889673D 520AD61C A8886EF0

  D6116219 4F7B339D F8F14769 ADDF7CD2 27C4C1BA 817AE593 40B53C23 54515687

  425B0203 010001A3 77307530 0F060355 1D130101 FF040530 030101FF 30220603

  551D1104 1B301982 17736F6C 63656E74 65722E73 6F6C6365 6E746572 2E6F7267

  301F0603 551D2304 18301680 14733E00 C0529604 53EE7DD5 CA1D6222 92E6B105

  3F301D06 03551D0E 04160414 733E00C0 52960453 EE7DD5CA 1D622292 E6B1053F

  300D0609 2A864886 F70D0101 04050003 81810052 4A6AE1B7 6B69C819 17DFEA57

  D0DFF35A 29CC2CF8 74F6A882 5467B06B 4576B76B C92BB2A4 02D67074 67DAFD91

  CE577251 70679759 B98838B3 126208D6 911198FF 16277E84 7F5C2BD9 A005EB8F

  663FD427 6C18CDEE 9A83095A DEC16E36 C5D3FD4D C94641BF AC84B1F3 B1AAEF2A

  2B50281F 2EC28FC8 0EE1CD2D 62F73FE3 ED9E05

        quit

no ip source-route

ip cef

!

!

ip port-map user-protocol--1 port tcp 3389

ip auth-proxy max-nodata-conns 3

ip admission max-nodata-conns 3

no ip bootp server

ip domain name solcenter.org

ip name-server 1.1.1.5

ip name-server 1.1.1.6

!

!

!

username admin privilege 15 secret 5 $1$e1A7$kWAsDBWpyIn4aAu/C.fYa1

username cetech privilege 15 secret 5 $1$XBzN$4gGA6FAQYPC2qIRRQV4Xt0

!

!

archive

log config

  hidekeys

!

!

ip tcp synwait-time 10

ip ssh time-out 60

ip ssh authentication-retries 2

!

class-map type inspect match-all sdm-nat-http-4

match access-group 107

match protocol http

class-map type inspect match-all sdm-nat-http-5

match access-group 108

match protocol http

class-map type inspect match-all sdm-nat-http-6

match access-group 106

match protocol http

class-map type inspect match-all sdm-nat-http-1

match access-group 102

match protocol http

class-map type inspect match-all sdm-nat-user-protocol--1-1

match access-group 103

match protocol user-protocol--1

class-map type inspect match-all sdm-nat-http-2

match access-group 105

match protocol http

class-map type inspect match-all sdm-nat-smtp-1

match access-group 101

match protocol smtp

class-map type inspect match-all sdm-nat-http-3

match access-group 106

match protocol http

class-map type inspect match-any sdm-cls-insp-traffic

match protocol cuseeme

match protocol dns

match protocol ftp

match protocol h323

match protocol https

match protocol icmp

match protocol imap

match protocol pop3

match protocol netshow

match protocol shell

match protocol realmedia

match protocol rtsp

match protocol smtp extended

match protocol sql-net

match protocol streamworks

match protocol tftp

match protocol vdolive

match protocol tcp

match protocol udp

class-map type inspect match-all sdm-insp-traffic

match class-map sdm-cls-insp-traffic

class-map type inspect match-any sdm-cls-icmp-access

match protocol icmp

match protocol tcp

match protocol udp

class-map type inspect match-all sdm-icmp-access

match class-map sdm-cls-icmp-access

class-map type inspect match-all sdm-invalid-src

match access-group 100

class-map type inspect match-all sdm-protocol-http

match protocol http

class-map type inspect match-all sdm-nat-https-1

match access-group 104

match protocol https

!

!

policy-map type inspect sdm-permit-icmpreply

class type inspect sdm-icmp-access

  inspect

class class-default

  pass

policy-map type inspect sdm-pol-NATOutsideToInside-1

class type inspect sdm-nat-smtp-1

  inspect

class type inspect sdm-nat-http-1

  inspect

class type inspect sdm-nat-user-protocol--1-1

  inspect

class type inspect sdm-nat-https-1

  inspect

class type inspect sdm-nat-http-2

  inspect

class type inspect sdm-nat-http-3

  inspect

class type inspect sdm-nat-http-4

  inspect

class type inspect sdm-nat-http-5

  inspect

class type inspect sdm-nat-http-6

  inspect

class class-default

policy-map type inspect sdm-inspect

class type inspect sdm-invalid-src

  drop log

class type inspect sdm-insp-traffic

  inspect

class type inspect sdm-protocol-http

  inspect

class class-default

policy-map type inspect sdm-permit

class class-default

!

zone security out-zone

zone security in-zone

zone-pair security sdm-zp-self-out source self destination out-zone

service-policy type inspect sdm-permit-icmpreply

zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone

service-policy type inspect sdm-pol-NATOutsideToInside-1

zone-pair security sdm-zp-out-self source out-zone destination self

service-policy type inspect sdm-permit

zone-pair security sdm-zp-in-out source in-zone destination out-zone

service-policy type inspect sdm-inspect

!

!

!

interface FastEthernet0

!

interface FastEthernet1

!

interface FastEthernet2

!

interface FastEthernet3

!

interface FastEthernet4

description $FW_OUTSIDE$$ES_WAN$

ip address 1.1.1.2 255.255.255.248

no ip redirects

no ip unreachables

no ip proxy-arp

ip nat outside

ip virtual-reassembly

zone-member security out-zone

ip route-cache flow

duplex auto

speed auto

!

interface Dot11Radio0

no ip address

no ip redirects

no ip unreachables

no ip proxy-arp

ip route-cache flow

shutdown

speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0

station-role root

!

interface Vlan1

description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$

ip address 192.168.1.10 255.255.255.0

no ip redirects

no ip unreachables

no ip proxy-arp

ip nat inside

ip virtual-reassembly

zone-member security in-zone

ip route-cache flow

ip tcp adjust-mss 1452

!

ip forward-protocol nd

ip route 0.0.0.0 0.0.0.0 1.1.1.2

!

ip http server

ip http access-class 23

ip http authentication local

ip http secure-server

ip http timeout-policy idle 60 life 86400 requests 10000

ip nat inside source list 1 interface FastEthernet4 overload

ip nat inside source static tcp 192.168.1.205 80 interface FastEthernet4 80

!

logging trap debugging

access-list 1 remark INSIDE_IF=Vlan1

access-list 1 remark SDM_ACL Category=2

access-list 1 permit 192.168.1.0 0.0.0.255

access-list 100 permit ip 1.1.1.0 0.0.0.7 any

access-list 101 remark SDM_ACL Category=0

access-list 101 permit ip any host 192.168.1.2

access-list 102 remark SDM_ACL Category=0

access-list 102 permit ip any host 192.168.1.2

access-list 103 remark SDM_ACL Category=0

access-list 103 permit ip any host 192.168.1.2

access-list 104 remark SDM_ACL Category=0

access-list 104 permit ip any host 192.168.1.2

access-list 105 remark SDM_ACL Category=0

access-list 105 permit ip any host 192.168.1.205

no cdp run

!

!

!

control-plane

!

banner login ^CAuthorized access only!

Disconnect IMMEDIATELY if you are not an authorized user!^C

!

line con 0

no modem enable

transport output telnet

line aux 0

login local

transport output telnet

line vty 0 4

password 7 1040592E550500020940

login local

transport input telnet ssh

!

scheduler max-task-time 5000

scheduler allocate 4000 1000

scheduler interval 500

end

Labels:
0 Helpful
1 Reply 1

cadet alain
VIP Alumni
VIP Alumni

‎10-31-2013 02:09 AM

Hi,

Did you change the internal IPs too ?

class-map type inspect match-all sdm-nat-http-1

match access-group 102

match protocol http

access-list 102 permit ip any host 192.168.1.2  Is this a typo ? it should be x.x.x.205

Also could you change the external port on Wan to 8080 in your NAT command and add this

ip port-map tcp http 8080

Regards

Alain

Don't forget to rate helpful posts.

Don't forget to rate helpful posts.
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card