NAT routing

ohareka70
Level 3

Hello,

I have set up a webpage written in IIS. The webpage allows contractors outside our corporate network to log in and fill in forms that I can process. I have a Cisco router sitting on the edge of our network. I want to secure this Cisco 1800 router so that it can only be used for accessing this particular web server page and nothing else. I want the Cisco router to be able to go out onto the internet - unrestricted. But from the outside world in - it can only hit this web server.

I have tried to set up the NAT on the router. I can successfully go out to the internet but can't hit the webpage coming back in. I have set up an access list but it is obviously not quite right. Could anyone take a look at the config and see if they spot anything obvious.

In the meantime I have just installed a normal Netgear router and used that instead until I get this Cisco 1800 router correctly configured. Any advice is welcome.

Thanks

Kevin


Jon Marshall
Hall of Fame

ohareka70 wrote:

Hello,

I have set up a webpage written in IIS. The webpage allows contractors outside our corporate network to log in and fill in forms that I can process. I have a Cisco router sitting on the edge of our network. I want to secure this Cisco 1800 router so that it can only be used for accessing this particular web server page and nothing else. I want the Cisco router to be able to go out onto the internet - unrestricted. But from the outside world in - it can only hit this web server.

I have tried to set up the NAT on the router. I can successfully go out to the internet but can't hit the webpage coming back in. I have set up an access list but it is obviously not quite right. Could anyone take a look at the config and see if they spot anything obvious.

In the meantime I have just installed a normal Netgear router and used that instead until I get this Cisco 1800 router correctly configured. Any advice is welcome.

Thanks

Kevin

Kevin

ip nat inside source list 1 interface Dialer0 overload
!
ip access-list extended OUTSIDE-IN
evaluate TO_REFLECT
permit ip any 192.168.20.0 0.0.0.255 reflect TO_REFLECT

Couple of things -

1) Not sure what the line "permit ip any 192.168.20.0 0.0.0.255 reflect TO_REFLECT" is doing in this ACL. As traffic coming from the internet will not use private addressing, i.e. 192.168.20.0/24, I can't understand what this line is doing?

2) To allow traffic to the web server you will need

    i)  a static NAT

   ii)  an entry in the OUTSIDE-IN ACL, because the connection is initiated from outside.

So add these to your config:

i)  ip nat inside source static tcp 192.168.2.20 80 interface Dialer0 80    <-- where 192.168.2.20 is the web server address, replace with the real address

ii) modify your OUTSIDE-IN ACL, i.e.:

   ip access-list extended OUTSIDE-IN
     permit tcp any host x.x.x.x eq 80   <--- where x.x.x.x is the public address configured under your Dialer0 interface
     evaluate TO_REFLECT

As I mentioned above, not sure whether you need the last line, i.e. "permit ip any 192.168.20.0 0.0.0.255 ...."

Jon

Just to add to the perfect solution provided by Jon:

if you use your web server over SSL as well,

you may need to do it like this

ip nat inside source static tcp 192.168.2.20 80 interface Dialer0 80 extendable

ip nat inside source static tcp 192.168.2.20 443 interface Dialer0 443 extendable

and you can add whatever ports you need for the communications between outside connections and the web server.

Good luck

If helpful, rate
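As an added example that is not part of the thread (not Jon's text, not the second poster's, and not a Cisco reference configuration), here is how the pieces from the two replies above fit together in one IOS configuration: the outbound overload NAT, the two static port forwards, and the OUTSIDE-IN ACL, plus the parts the replies leave implicit. Those are that the ACL has to be applied inbound on Dialer0 to take effect, that IOS wants the keyword "eq" before a port number in an extended ACL entry, and that the "reflect" entry belongs in the ACL on the direction that opens the session (inside to outside), with "evaluate" on the return side. Assumptions: 192.168.2.100 is the web server, Vlan1 is the inside interface (on an 1800 with switch ports the LAN is usually a VLAN interface), and INSIDE-OUT is a name chosen here for the outbound ACL.

```cisco
! Added example configuration for the setup discussed in this thread.
! Assumed: web server 192.168.2.100, inside interface Vlan1,
! outbound ACL name INSIDE-OUT (not from the original posts).

interface Vlan1
 description Inside LAN (assumed inside interface)
 ip address 192.168.2.1 255.255.255.0
 ip nat inside
!
interface Dialer0
 description Outside; public address is negotiated on the dialer
 ip nat outside
 ! Both ACLs are only effective once applied to the interface.
 ip access-group OUTSIDE-IN in
 ip access-group INSIDE-OUT out
!
! Outbound: translate the whole LAN to the Dialer0 address (as in the thread).
access-list 1 permit 192.168.2.0 0.0.0.255
ip nat inside source list 1 interface Dialer0 overload
!
! Inbound: publish only HTTP and HTTPS to the web server; everything
! else arriving on Dialer0 has no translation and is dropped by the ACL.
ip nat inside source static tcp 192.168.2.100 80 interface Dialer0 80
ip nat inside source static tcp 192.168.2.100 443 interface Dialer0 443
!
! Sessions opened from the LAN are recorded here (outbound direction),
! so their return traffic can be matched by "evaluate" on the way in.
ip access-list extended INSIDE-OUT
 permit ip any any reflect TO_REFLECT timeout 300
!
! Inbound filter. The inbound ACL is checked before NAT un-translates
! the destination, so new connections are seen with the public Dialer0
! address as destination. "any" is used as the destination because a
! dialer address can change; with a fixed public address you can
! tighten this to "host <public-ip>" as Jon suggested.
ip access-list extended OUTSIDE-IN
 evaluate TO_REFLECT
 permit tcp any any eq 80
 permit tcp any any eq 443
 deny ip any any log
```

The explicit "deny ip any any log" at the end changes nothing functionally (an ACL ends in an implicit deny) but makes blocked inbound attempts visible in the router log, which is the quickest way to confirm from outside that only ports 80 and 443 are reachable and to see whether a failed connection is being dropped by the ACL rather than by a missing translation.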

I am back in work on Tuesday and I will give this a go. Thanks, Kevin

Hello again,

1) I was able to put the static NAT in:

ip nat inside source static tcp 192.168.2.100 443 interface Dialer0 443
ip nat inside source static tcp 192.168.2.100 80 interface Dialer0 80

It wouldn't accept the extendable command (don't know why).

2) I modified the OUTSIDE-IN ACL:

ip access-list extended OUTSIDE-IN
evaluate TO_REFLECT
permit tcp any host x.x.x.x (which is the public address, i.e. Dialer0)

It wouldn't take 80 after the x.x.x.x.

Q. I think my next step is to be able to hit the web page from the outside world. I.e. I have a website called testwebsite.ourdomain.com

I can hit the webpage when I am connected to my wireless router, but that's because I am inside the same room as the wireless router and I have the login credentials.

The router gives me an address in the range 192.168.2.0 - 192.168.2.254 and because the webpage is also on this range, i.e. 192.168.2.100, I can hit it.

But how can I hit this webpage from the outside world?

How can I give a user the webpage address of testwebsite.ourdomain.com and get them to display the page?

Do I put something in on the router or is this done somewhere else?

Any advice is appreciated.

Hi Kevin,

You need to have the DNS service so that you can have an IP-to-name mapping. I don't know whether you have a static IP address or not. If you have a static IP address then you can ask your service provider to add the DNS record for your website onto the DNS server. If you don't have a static IP address then it will be difficult and you might require the dynamic DNS service.

You can only test your webpage when you are using an internet connection other than the one in your office. You can type your service provider IP address into the browser when using the internet outside of your current internet connection.

To get the current IP address of your service, you could type the command 'sh ip int brief'.

Regards

Hello again,

I now have an A record configured to point www.captrax2.niwater.com to xx.xxx.xxx.x, which is my Dialer0 address for the wireless Cisco router in my office.

The website has an internal address of 192.168.2.100

The PC I have the website running on is cabled into the wireless router on FastEthernet 0/2.

I want to be able to hit this website www.captrax2.niwater.com from the outside world. So if anyone can take a look at my config and advise what changes I need to make to be able to hit the site it would be appreciated.

I have attached the config of the Cisco wireless router.

Regards

Kevin
