12-26-2009 02:33 PM - edited 03-04-2019 07:04 AM
Hello,
I have set up a webpage written in IIS. The webpage allows contractors outside our corporate network to login and fill in forms that I can process. I have a Cisco router sitting on the edge of our network. I want to secure this Cisco 1800 router so that it can only be used for accessing this particular web server page and nothing else. I want the Cisco router to be able to go out onto the internet - unrestricted. But from the outside world in - it can only hit this web server.
I have tried to set up the NAT on the router. I can successfully go out to the internet but can't hit the webpage coming back in. I have set up an Access List but it is obviously not quite right. Could anyone take a look at the config and see if they spot anything obvious.
In the meantime I have just installed a normal netgear router and used that instead until I get this Cisco 1800 router correctly configured. Any advice is welcome.
thanks
Kevin
12-26-2009 03:36 PM
Kevin
ip nat inside source list 1 interface Dialer0 overload
!
ip access-list extended OUTSIDE-IN
evaluate TO_REFLECT
permit ip any 192.168.20.0 0.0.0.255 reflect TO_REFLECT
Couple of things -
1) not sure what the line "permit ip any 192.168.20.0 0.0.0.255 reflect TO_REFLECT" is doing in this acl. As traffic coming from the internet will not use private addressing, i.e. 192.168.20.0/24, I can't understand what this line is doing?
2) To allow traffic to the webserver you will need
i) a static NAT
ii) an entry in the OUTSIDE-IN acl because the connection is initiated from outside.
so add these to your config
i) ip nat inside source static tcp 192.168.2.20 80 dialer0 80 <-- where 192.168.2.20 is the webserver address, replace with the real address
ii) modify your OUTSIDE-IN acl ie.
ip access-list extended OUTSIDE-IN
permit tcp any host x.x.x.x 80 <--- where x.x.x.x is the public address configured under your dialer0 interface
evaluate TO_REFLECT
as I mentioned above, not sure whether you need the last line, i.e. "permit ip any 192.168.20.0 0.0.0.255 ...."
Jon
12-27-2009 12:31 AM
Just to add to the perfect solution provided by Jon:
if you use your web server over SSL as well
you may need to do it like this
ip nat inside source static tcp 192.168.2.20 80 dialer0 80 extendable
ip nat inside source static tcp 192.168.2.20 443 dialer0 443 extendable
and you can add whatever ports you need for the communications between outside connections and the webserver
good luck
if helpful Rate
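The pieces from the two replies above (static NAT for 80 and 443, the OUTSIDE-IN entries, and the reflexive ACL that Jon queried) pulled together as one IOS fragment. This is an added example, not a config posted in the thread; it assumes the web server at 192.168.2.100, the Dialer0 interface and the OUTSIDE-IN/TO_REFLECT names from the posts, that x.x.x.x is the static public address on Dialer0, and hypothetical names for the LAN side (Vlan1, INSIDE-OUT, access-list 1).

```cisco
! Added example, not the thread's own config. Placeholders:
!   x.x.x.x       = the static public address on Dialer0 (from the thread)
!   192.168.2.100 = the IIS web server (from the thread)
!   Vlan1, INSIDE-OUT, access-list 1 = assumed names for the LAN side
!
! Inside hosts reach the internet via PAT on Dialer0 (matches the existing overload line)
access-list 1 permit 192.168.2.0 0.0.0.255
ip nat inside source list 1 interface Dialer0 overload
!
! Static port forwards for the web server only (HTTP, plus HTTPS if SSL is used)
ip nat inside source static tcp 192.168.2.100 80 interface Dialer0 80
ip nat inside source static tcp 192.168.2.100 443 interface Dialer0 443
!
! Outbound ACL: the "reflect" keyword belongs here, on traffic leaving the network,
! so the router records each outbound session in the temporary list TO_REFLECT
ip access-list extended INSIDE-OUT
 permit tcp any any reflect TO_REFLECT
 permit udp any any reflect TO_REFLECT
 permit icmp any any reflect TO_REFLECT
!
! Inbound ACL: only the two web ports are opened unconditionally; anything else
! must match a session already recorded by the outbound "reflect" lines.
! Note the "eq" keyword: "host x.x.x.x 80" without "eq" is rejected by the parser.
ip access-list extended OUTSIDE-IN
 permit tcp any host x.x.x.x eq 80
 permit tcp any host x.x.x.x eq 443
 evaluate TO_REFLECT
 deny ip any any log
!
interface Dialer0
 ip nat outside
 ip access-group INSIDE-OUT out
 ip access-group OUTSIDE-IN in
!
interface Vlan1
 ip nat inside
```

With the final deny in place, anything arriving on Dialer0 that is not port 80/443 or a reply to an outbound session is dropped and logged; "show access-lists" lists the temporary TO_REFLECT entries and "show ip nat translations" the port forwards.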
12-27-2009 12:12 PM
I am back in work on Tuesday and I will give this a go. Thanks, Kevin
01-05-2010 02:53 AM
Hello again,
1) I was able to put in the static NAT
ip nat inside source static tcp 192.168.2.100 443 interface Dialer0 443
ip nat inside source static tcp 192.168.2.100 80 interface Dialer0 80
It wouldn't accept the extendable command (don't know why)
2) I modified the OUTSIDE-IN acl
ip access-list extended OUTSIDE-IN
evaluate TO_REFLECT
permit tcp any host x.x.x.x (which is the public address, i.e. Dialer0)
it wouldn't take 80 after the x.x.x.x
Q. I think my next step is to be able to hit the web page from the outside world. I.e. I have a website called testwebsite.ourdomain.com
I can hit the webpage when I am connected to my wireless router but that's because I am inside the same room as the wireless router and I have the login credentials.
The router gives me an address in the range 192.168.2.0 - 192.168.2.254 and because the webpage is also on this range, i.e. 192.168.2.100, I can hit it.
But how can I hit this webpage from the outside world?
How can I give a user the webpage address of testwebsite.ourdomain.com and get them to display the page?
Do I put something in on the router or is this done somewhere else?
Any advice is appreciated.
01-05-2010 03:55 AM
Hi Kevin,
You need to have the DNS service so that you can have an IP-to-name mapping. I don't know whether you have a static IP address or not. If you have a static IP address then you can ask your service provider to add the DNS record for your website onto the DNS server. If you don't have a static IP address then it will be difficult and you might require a dynamic DNS service.
You can only test your webpage when you are using the internet other than in your office. You can type your service provider IP address into the browser when using the internet outside of your current internet connection.
To get the current IP address of your service, you could type the command 'sh ip int brief'.
Regards
01-08-2010 08:23 AM
Hello again,
I now have an A record configured to point www.captrax2.niwater.com to xx.xxx.xxx.x which is my dialer0 address for the wireless cisco router in my office.
The website has an internal address of 192.168.2.100
The pc i have the website running on is cabled into the wireless router on fast ethernet 0/2
I want to be able to hit this website www.captrax2.niwater.com from the outside world. So if anyone can take a look at my config and advise what changes i need to make to be able to hit the site it would be appreciated.
I have attached the config of the Cisco wireless router.
regards
Kevin