NAT Problem_Accessing Internal WebService

Hi Guys,

OK, I'm new to working with routers (in the real world).

So I have a client who needs to access an internal server to access a web service. The web service should also be available to two IP addresses (let's say 198.1.1.1 & 198.1.1.3). The web service uses port 80.

OK, so I entered a NAT statement as follows:

ip nat inside source static tcp 192.168.1.5 80 interface dialer 0 80

This worked fine, but all WAN IP addresses can access the web service. I was thinking of creating an access list to tie down port 80 to the two WAN addresses, but then internal hosts will not be able to browse the internet.

Anybody have any ideas?

I'm thinking that I should be using a different port number for the web service, but I'm not sure how to change it or what to do in the NAT statement.

Please help

Kind regards

Leon

17 REPLIES
Purple

Routing from outside to a specific address

Hi,

You can accomplish this with a stateful firewall config like ZBF, if you've got an IOS that supports it:

http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00808bc994.shtml

Regards.

Alain

Don't forget to rate helpful posts.
New Member

Hi Alain,

Thank you for the quick reply. This is a very old Cisco 1701 ADSL router, so I'm not sure if the IOS would support it?

Thanks for your help

Kind regards

Leon

New Member

Set up an ACL only allowing him to you.

Try it in conjunction with a route map.

New Member

Hi Danny,

Thanks for the reply... The problem I am having is that if I write out an access list blocking port 80, the internal clients will not be able to go online.

The web service will work OK, but the internal clients will not be able to access web pages online using port 80.

Any other ideas?

Regards

Leon

New Member

Hi Leon,

You're not blocking anything, you're NATting with a route map and ACL. ACLs can be used for more than permitting and denying; they can be used for BGP routes / QoS and all manner of things.

Or you can just use ACLs, your choice.

http://www.cisco.com/en/US/docs/ios/12_2t/12_2t4/feature/guide/ftnatrt.html

Give this a check.

Should help.

Purple

Hi Danny,

AFAIK the static NAT with the route-map won't work here, as it isn't supported when NATting on the interface; if he had NATted to an IP it would have worked without any problem.

Regards.

Alain

Don't forget to rate helpful posts.
New Member

It should work, but I need more clarification as to what is trying to be achieved.

So how many external IPs do we have?

Your customer is external? (That means over the internet?) (VPN / MPLS would be internal.)

So you're literally trying to go from

198.1.1.1 & 198.1.1.3 to 192.168.1.5?

If it can be mapped out a little more logically, I will be able to come up with something.

Purple

Hi,

He is NATting on the dialer interface, so it surely has a DHCP-leased address from the ISP, so it won't work, as the route-map option is only supported when NATting to an IP.

Regards.

Alain

Don't forget to rate helpful posts.
New Member

Might not be DHCP on the dialer; I agree that if it is, then there is a problem. (Sorry for assuming.)

You should ideally be doing one-to-one static NATs.

Even with a standard business DSL you get a small pool of external IPs. You can enable CBAC, but still it's not an ideal scenario.

New Member

Hi Lads,

Thank you for all your input.

OK, just to clarify a few things. I have been given 2 external IP addresses; they must contact an internal server (web service).

I already have a static NAT statement on the router which is working fine. The public IP on the site is static. It is not a DHCP address from the ISP.

So as of now everything is working fine, except that the entire world could be accessing the web service. I only want 2 specific external IPs to be able to access it.

Again, this web service is using port 80. So if I configure the following access list it will permit traffic from the external host to my inside IP. But the second line will do that anyway. Also, if I write a permit access-list from the external IP to the specific internal IP, it will then block all other traffic using port 80. All internal clients need to get out to the internet using port 80.

access-list 175 permit tcp host 89.0.0.1 host 192.168.1.5 eq 80

access-list 175 permit tcp any any eq 80

Should I be using a route-map, NAT (another configuration) or an access list?

Thanks again

Leon
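As an added illustration (not from any post in this thread), the Python below models how IOS evaluates an inbound ACL on the dialer interface, where the check happens before the global-to-local translation, and applies it to access-list 175 above and to a source-restricted alternative that uses the established keyword. The public address 203.0.113.10, the third-party hosts and the packets are constructed placeholders; since established only inspects TCP flag bits, it is a weaker check than the stateful (CBAC/ZBF) inspection Alain suggests.

```python
from dataclasses import dataclass
from ipaddress import ip_address

PUBLIC = "203.0.113.10"  # constructed stand-in for the site's static WAN address (x.x.x.x)

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    ack: bool = False  # ACK or RST bit set: what the IOS 'established' keyword matches

@dataclass(frozen=True)
class Ace:
    action: str          # "permit" or "deny"
    src: str             # "any" or "host a.b.c.d"
    dst: str
    dport: int = 0       # 'eq <port>' on the destination; 0 means any port
    established: bool = False

def _addr_match(spec, addr):
    return spec == "any" or ip_address(spec[5:]) == ip_address(addr)  # "any" or "host x"

def evaluate(acl, pkt):
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for ace in acl:
        if (_addr_match(ace.src, pkt.src) and _addr_match(ace.dst, pkt.dst)
                and ace.dport in (0, pkt.dport) and (pkt.ack or not ace.established)):
            return ace.action == "permit"
    return False

# access-list 175 as posted. Inbound on the dialer, the ACL is checked before the
# global-to-local translation, so its first line (destination 192.168.1.5) never matches.
ACL_175 = [Ace("permit", "host 89.0.0.1", "host 192.168.1.5", dport=80),
           Ace("permit", "any", "any", dport=80)]

# Source-restricted inbound ACL: the two remote hosts reach the forwarded port, all other
# port-80 traffic is dropped, and replies to the inside clients' own browsing get back in.
ACL_INBOUND = [Ace("permit", "host 198.0.0.1", "host " + PUBLIC, dport=80),
               Ace("permit", "host 198.0.0.2", "host " + PUBLIC, dport=80),
               Ace("deny", "any", "host " + PUBLIC, dport=80),  # keep above 'established'
               Ace("permit", "any", "any", established=True)]

# Constructed packets as they arrive inbound on the dialer interface.
ALLOWED_CLIENT = Packet("198.0.0.1", PUBLIC, 80)              # SYN from a permitted host
STRANGER = Packet("203.0.113.77", PUBLIC, 80)                 # SYN from anyone else
STRANGER_ACK = Packet("203.0.113.77", PUBLIC, 80, ack=True)   # ACK-only probe at the port
WEB_REPLY = Packet("93.184.216.34", PUBLIC, 51234, ack=True)  # reply to an inside browser
```

Running evaluate on the two lists shows that access-list 175 lets the stranger in and drops the web reply, while the restricted list does the reverse and still rejects the ACK-only probe because the deny line sits above the established line.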

Purple

Hi,

So if you've got a static public IP, then the solution with the static PAT with a route-map proposed by Danny will work indeed.

Regards.

Alain.

Don't forget to rate helpful posts.
New Member

Hi Alain,

OK, I'm a little confused; I seem to be unable to use a route-map with NAT, it does not give me the option. Please find below my current config:

-----------------------------------------------------------------------------------

External Ip addresses:     198.0.0.1 & 192.0.0.2

Internal Server:    192.168.1.5

Web Service using port 80

---------------------------------------------------------

conf t

ip nat inside source static tcp 192.168.1.5 80 interface dialer 0 80

// The above line is allowing external clients to connect to the server

------------------------------------------------------------

// But I now need to only allow 2 external clients to contact the server, so here is what I am thinking, but this could be rubbish??? The below line ("route-map Web_Service") is coming up as Invalid

ip nat inside source static 192.168.1.5 interface dialer 0 route-map Web_Service

route-map Web_Service permit 10

match ip address 102

set ip next-hop 192.168.1.5

access-list 102 permit ip host 198.0.0.1 host 192.168.1.5

access-list 102 permit ip host 192.0.0.2 host 192.168.1.5

If anyone could give me an example of how I can configure the router, that would be great.

Thanks again for all the help

Regards

Leon

Purple

Hi,

You can try this:

access-list 102 permit tcp host 198.0.0.1 any eq 80

access-list 102 permit tcp host 192.0.0.2 any eq 80

route-map Web_Service permit 10

match ip address 102

ip nat inside source static 192.168.1.5 x.x.x.x route-map Web_Service

Regards.

Alain

Don't forget to rate helpful posts.
Bronze

If you have 2 public IP addresses, why not use one for those 2 hosts you need and the other one for all other hosts to go surfing the net.

If your web service is at 192.1.1.1:

access-list 102 permit tcp host 192.168.1.5 80 host 192.1.1.1 eq 80

access-list 102 permit tcp host 192.168.1.6 80 host 192.1.1.1 eq 80

ip nat inside source list 102 interface dialer0 overload

ip nat inside source static 192.168.1.0 255.255.255.0 192.1.1.3 overload

Hope this helps

Eugen

New Member

Hi Lads,

Alain, I have tried what you mentioned... All configuration went onto the router fine, but I am still having trouble locking the outside global address down.

Below is my NAT configuration:

ip nat inside source static 192.168.1.5 x.x.x.x route-map Web_Service

// x.x.x.x = WAN IP of the site where I am configuring the router

access-list 102 permit tcp host 198.0.0.1 any eq 80

access-list 102 permit tcp host 198.0.0.2 any eq 80

route-map Web_Service permit 10

match ip address 102

-----------------------------------------------------------------------------------------------------------

Using the above configuration the web service can be accessed by any WAN IP address. The above statement did not lock the remote WAN IP addresses down (198.0.0.1 & 198.0.0.2).

If I remove the NAT statement, the web service goes offline.

Thanks again, lads, for all your help.

I think we are nearly there... maybe the ACL needs to be tweaked?

Regards

Leon

Purple

Hi,

I had never implemented such a feature and I thought it would work, but I tried it on GNS3 and fiddled with it and couldn't achieve your goal.

Definitely the stateful firewall option seems the easier one, and I'm sure it will work.

If you want a config I will provide it, but you have to tell me which traffic you want from outside to inside and also which traffic originated by the router you want (tell me if you want both CBAC and ZBF or only one of them).

Regards.

Alain

Don't forget to rate helpful posts.