NAT Problem_Accessing Internal WebService

Leonireland_2
Level 1

Hi Guys,

OK, I'm new to working with routers (in the real world).

So I have a client who needs to access an internal server to use a web service. The web service should also be available to two IP addresses (let's say 198.1.1.1 & 198.1.1.3). The web service uses port 80.

OK, so I entered a NAT statement as follows:

ip nat inside source static tcp 192.168.1.5 80 interface dialer 0 80

This worked fine, but any WAN IP address can access the web service. I was thinking of creating an access list to tie down port 80 to the two WAN addresses, but then internal hosts will not be able to browse the internet.

Anybody have any ideas?

I'm thinking that I should be using a different port number for the web service, but I'm not sure how to change it or what to do in the NAT statement.

Please help

Kind regards

Leon

17 Replies

cadet alain
VIP Alumni

Hi,

You can accomplish this with a stateful firewall config like ZBF if you've got an IOS that supports it:

http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00808bc994.shtml

Regards.

Alain

Don't forget to rate helpful posts.

Hi Alain,

Thank you for the quick reply. This is a very old Cisco 1701 ADSL router, so I'm not sure if the IOS would support it?

Thanks for your help

Kind regards

Leon

Set up an ACL only allowing him to you.

Try it in conjunction with a route map.

Hi Danny,

Thanks for the reply. The problem I am having is that if I write out an access list blocking port 80, the internal clients will not be able to go online.

The web service will work OK, but the internal clients will not be able to access web pages online using port 80.

Any other ideas?

Regards

Leon

Hi Leon,

You're not blocking anything; you're NATting with a route map and an ACL. ACLs can be used for more than permitting and denying: they can be used for BGP routes / QoS and all manner of things.

Or you can just use ACLs, your choice.

http://www.cisco.com/en/US/docs/ios/12_2t/12_2t4/feature/guide/ftnatrt.html

Give this a check.

Should help.

Hi Danny,

AFAIK the static NAT with the route-map won't work here, as it isn't supported when NATting on the interface; if he had NATted to an IP it would have worked without any problem.

Regards.

Alain

Don't forget to rate helpful posts.

It should work, but I need more clarification as to what is trying to be achieved.

So how many external IPs do we have?

Your customer is external? (That means over the internet.) (VPN / MPLS would be internal.)

So you're literally trying to go from

198.1.1.1 & 198.1.1.3 to 192.168.1.5?

If it can be mapped out a little more logically, I will be able to come up with something.

Hi,

He is NATting on the dialer interface, so it is surely getting a DHCP-leased address from the ISP, so it won't work, as the route-map option is only supported when NATting to an IP.

Regards.

Alain

Don't forget to rate helpful posts.

Might not be DHCP on the dialer; I agree that if it is then there is a problem. (Sorry for assuming.)

You should ideally be doing one-to-one static NATs.

Even with a standard business DSL you get a small pool of external IPs. You can enable CBAC, but still it's not an ideal scenario.

Hi Lads,

Thank you for all your input.

OK, just to clarify a few things. I have been given 2 external IP addresses; they must contact an internal server (web service).

I already have a static NAT statement on the router which is working fine. The public IP on the site is static. It is not a DHCP address from the ISP.

So as of now everything is working fine, except that the entire world could be accessing the web service. I only want 2 specific external IPs to be able to access it.

Again, this web service is using port 80. So if I configure the following access list, it will permit traffic from the external host to my inside IP. But the second line will do that anyway. Also, if I write a permit access list from the external IP to the specific internal IP, it will then block all other traffic using port 80. All internal clients need to get out to the internet using port 80.

access-list 175 permit tcp host 89.0.0.1 host 192.168.1.5 eq 80
access-list 175 permit tcp any any eq 80

Should I be using a route-map or NAT (another configuration) or an access list?

Thanks again

Leon

Hi,

So if you've got a static public IP, then the solution with the static PAT with a route-map proposed by Danny will work indeed.

Regards.

Alain.

Don't forget to rate helpful posts.

Hi Alain,

OK, I'm a little confused; I seem to be unable to use a route-map with NAT, it does not give me the option. Please find below my current config:

-----------------------------------------------------------------------------------

External IP addresses:     198.0.0.1 & 192.0.0.2

Internal Server:    192.168.1.5

Web service using port 80

---------------------------------------------------------

conf t

ip nat inside source static tcp 192.168.1.5 80 interface dialer 0 80

//The above line is allowing external clients to connect to the server

------------------------------------------------------------

//But I now need to only allow 2 external clients to contact the server, so here is what I am thinking, but this could be rubbish??? The line below ("route-map Web_Service" is coming up as Invalid)

ip nat inside source static 192.168.1.5 interface dialer 0 route-map Web_Service
route-map Web_Service permit 10
 match ip address 102
 set ip next-hop 192.168.1.5
access-list 102 permit ip host 198.0.0.1 host 192.168.1.5
access-list 102 permit ip host 192.0.0.2 host 192.168.1.5

If anyone could give me an example of how I can configure the router, that would be great.

Thanks again for all the help

Regards

Leon

Hi,

You can try this:

access-list 102 permit tcp host 198.0.0.1 any eq 80
access-list 102 permit tcp host 192.0.0.2 any eq 80
route-map Web_Service permit 10
 match ip address 102
ip nat inside source static 192.168.1.5 x.x.x.x route-map Web_Service

Regards.

Alain

Don't forget to rate helpful posts.
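The behaviour the thread ends up with, modelled in Python as an added example (this is not configuration from the thread or a model of Cisco IOS internals): an inbound connection to the public address on port 80 is translated to 192.168.1.5 only when its source is one of the two hosts in access-list 102, while outbound browsing from the LAN uses ordinary overload PAT that never consults that ACL, so internal clients are unaffected. The public IP 203.0.113.10 stands in for the thread's x.x.x.x and is an assumption.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed values taken from the thread: the two external clients named in
# access-list 102, the internal server, and a stand-in for the static public IP
# on dialer 0 (the thread writes it as x.x.x.x; 203.0.113.10 is an assumption).
DIALER_PUBLIC_IP = "203.0.113.10"
INSIDE_SERVER = "192.168.1.5"
INSIDE_LAN = ip_network("192.168.1.0/24")
ACL_102_SOURCES = {"198.0.0.1", "192.0.0.2"}   # permit tcp host <X> any eq 80


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


def acl_102_permits(pkt: Packet) -> bool:
    """Model of the two 'access-list 102 permit tcp host <X> any eq 80' lines."""
    return pkt.src in ACL_102_SOURCES and pkt.dport == 80


def nat_outside_to_inside(pkt: Packet) -> Optional[Packet]:
    """Packet arriving on dialer 0 from the internet.

    The static PAT public:80 -> 192.168.1.5:80 is applied only when the
    route-map condition (ACL 102) matches. Anything else stays untranslated,
    so the router itself is the destination and nothing answers on port 80.
    """
    if pkt.dst != DIALER_PUBLIC_IP or pkt.dport != 80:
        return None
    if not acl_102_permits(pkt):
        return None          # internet at large: no translation, no access
    return replace(pkt, dst=INSIDE_SERVER)


def nat_inside_to_outside(pkt: Packet, pat_port: int = 1024) -> Optional[Packet]:
    """Packet leaving the LAN: plain overload PAT to the dialer address.

    This path does not consult ACL 102, so internal clients keep browsing on
    port 80; pat_port stands in for the source port the overload pool picks.
    """
    if ip_address(pkt.src) not in INSIDE_LAN:
        return None
    return replace(pkt, src=DIALER_PUBLIC_IP, sport=pat_port)
```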