14838 Views, 0 Helpful, 37 Replies

Static Nat - access local web server via internet

Level 1

Hi,

I'm trying to enable access to my local web server over the internet.

I can access the server locally via its IP address (http://192.168.1.7) on port 80.

I have created an A record and pointed it to the public IP address x.x.x.76, which is in the same block as my main public IP for internet access, x.x.x.74.

However, when I try to access the web server over the internet, I fail.

I have attached my router config

Using 4396 out of 262136 bytes
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname test
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
no logging console
!
no aaa new-model
!
ip cef
!
ip dhcp pool TEST
 network 192.168.1.0 255.255.255.0
 default-router 192.168.1.1
 dns-server 4.2.2.2
!
no ip domain lookup
ip domain name yourdomain.com
no ipv6 cef
multilink bundle-name authenticated
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
 no cdp enable
!
interface GigabitEthernet0/1
 ip address x.x.x.74 255.255.255.248
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 no cdp enable
!
ip forward-protocol nd
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat pool TEST x.x.x.74 x.x.x.74 netmask 255.255.255.248
ip nat inside source list 23 pool TEST overload
ip nat inside source static tcp 192.168.1.3 25 x.x.x.74 25 extendable
ip nat inside source static tcp 192.168.1.3 110 x.x.x.74 110 extendable
ip nat inside source static tcp 192.168.1.3 443 x.x.x.74 443 extendable
ip nat inside source static tcp 192.168.1.7 80 x.x.x.76 80 extendable
ip nat inside source static tcp 192.168.1.7 443 x.x.x.76 443 extendable
ip route 0.0.0.0 0.0.0.0 x.x.x.73
!
access-list 23 permit 192.168.1.0 0.0.0.255
!
control-plane
!
scheduler allocate 20000 1000
!
end

Kindly help

1 Accepted Solution

I've labbed it up and I can't get it to fail with your config. Can you post "sh ip nat translat"?

HTH,
John

*** Please rate all useful posts ***

37 Replies

Lei Tian
Cisco Employee

Hi

Remove the server IP from dynamic nat access list, and try.

HTH,
Lei Tian


Sent from Cisco Technical Support Android App

Thanks Lei

I'm not really a Cisco guy though.

How should I do that?

Mike

Michael,

Try removing this line:

ip nat pool TEST x.x.x.74 x.x.x.74 netmask 255.255.255.248

with "no ip nat pool TEST x.x.x.74 x.x.x.74 netmask 255.255.255.248"

HTH,
John

*** Please rate all useful posts ***


Thanks John

I'm currently out of town but can access the router via SSH and telnet.

I cannot remove/destroy it as the pool is in use.

Michael

I've labbed it up and I can't get it to fail with your config. Can you post "sh ip nat translat"?

HTH,
John

*** Please rate all useful posts ***


Dear John

sh ip nat translations

Pro Inside global      Inside local       Outside local       Outside global
--- ---                ---                192.168.1.7         197.221.128.76
tcp x.x.x.74:1033      192.168.1.2:1033   79.143.167.6:26394  79.143.167.6:26394
tcp x.x.x.74:1043      192.168.1.2:1043   186.38.22.148:6881  186.38.22.148:6881
tcp x.x.x.74:443       192.168.1.7:443    ---                 ---

It's a much longer list; I just picked out a few lines.

Is there a firewall between your router and this server? Do you have a translation for port 80? I see 443, but not 80. Does 443 work if you try to telnet into the port from the outside (telnet x.x.x.74 443)? If the screen clears with a cursor in the upper left, it's open and you're getting to the server.

HTH,
John

*** Please rate all useful posts ***

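Two things get asked in this thread that are easy to check mechanically: whether the server also falls inside the dynamic-PAT ACL (Lei Tian's first reply), and whether every static entry in the config actually shows up in "show ip nat translations" (John's question above). The script below is an added example written for this page, not code from the thread or from Cisco. It parses only the subset of IOS syntax that appears in the posted config, and it substitutes the RFC 5737 prefix 203.0.113.0/24 for the sanitised x.x.x.* block so that the addresses parse; that prefix is an assumption, as is the sample translation output, which is a constructed copy of the excerpt posted in reply. It also flags an inside-global address that sits in the outside block but is not an interface address, which is exactly the .76 case that turned out to be the problem, and lists the cleartext services the static entries expose.

```python
import ipaddress
import re

# Constructed sample: the NAT-relevant lines of the config posted above, with the
# sanitised x.x.x.* block replaced by the RFC 5737 prefix 203.0.113.0/24 so that
# ipaddress can parse it. The prefix is an assumption, not the poster's real block.
CONFIG = """\
interface GigabitEthernet0/1
 ip address 203.0.113.74 255.255.255.248
 ip nat outside
ip nat inside source list 23 pool TEST overload
ip nat inside source static tcp 192.168.1.3 25 203.0.113.74 25 extendable
ip nat inside source static tcp 192.168.1.3 110 203.0.113.74 110 extendable
ip nat inside source static tcp 192.168.1.3 443 203.0.113.74 443 extendable
ip nat inside source static tcp 192.168.1.7 80 203.0.113.76 80 extendable
ip nat inside source static tcp 192.168.1.7 443 203.0.113.76 443 extendable
access-list 23 permit 192.168.1.0 0.0.0.255
"""

# Constructed sample of the "show ip nat translations" excerpt posted in reply,
# with the same address substitution.
TRANSLATIONS = """\
Pro Inside global      Inside local       Outside local      Outside global
--- ---                ---                192.168.1.7        203.0.113.76
tcp 203.0.113.74:1033  192.168.1.2:1033   79.143.167.6:26394 79.143.167.6:26394
tcp 203.0.113.74:443   192.168.1.7:443    ---                ---
"""

STATIC_RE = re.compile(r"^ip nat inside source static (tcp|udp) (\S+) (\d+) (\S+) (\d+)")
OVERLOAD_RE = re.compile(r"^ip nat inside source list (\d+) (?:pool|interface) \S+ overload")
ACL_RE = re.compile(r"^access-list (\d+) (permit|deny) (.+)$")
CLEARTEXT = {21: "FTP", 23: "telnet", 25: "SMTP", 110: "POP3"}


def parse_config(text):
    """Static PAT entries, overload ACL numbers, standard ACL entries, and the
    addresses of 'ip nat outside' interfaces (only the syntax seen on this page)."""
    statics, overload_acls, acls, outside = [], [], {}, []
    iface = None
    for raw in text.splitlines():
        line = raw.strip()
        if raw.startswith("interface "):
            iface = {"addr": None, "outside": False}
        elif iface and raw.startswith(" "):  # still inside the interface block
            if m := re.match(r"ip address (\S+) (\S+)$", line):
                iface["addr"] = ipaddress.ip_interface(f"{m[1]}/{m[2]}")
            iface["outside"] |= line == "ip nat outside"
        else:
            if iface and iface["outside"] and iface["addr"]:
                outside.append(iface["addr"])
            iface = None
            if m := STATIC_RE.match(line):
                proto, il, lport, ig, gport = m.groups()
                statics.append((proto, ipaddress.ip_address(il), int(lport),
                                ipaddress.ip_address(ig), int(gport)))
            elif m := OVERLOAD_RE.match(line):
                overload_acls.append(m[1])
            elif m := ACL_RE.match(line):
                acls.setdefault(m[1], []).append((m[2], m[3].split()))
    return statics, overload_acls, acls, outside


def acl_action(entries, addr):
    """First-match evaluation of a standard numbered ACL; implicit deny at the end."""
    a = int(addr)
    for action, spec in entries:
        if spec[0] == "any":
            hit = True
        elif spec[0] == "host":
            hit = a == int(ipaddress.ip_address(spec[1]))
        elif len(spec) == 2:  # network + wildcard mask: set wildcard bits are don't-care
            wild = int(ipaddress.ip_address(spec[1]))
            hit = (a | wild) == (int(ipaddress.ip_address(spec[0])) | wild)
        else:
            hit = a == int(ipaddress.ip_address(spec[0]))
        if hit:
            return action
    return "deny"


def check_config(text):
    """Findings about how the static entries interact with dynamic PAT and the outside block."""
    statics, overload_acls, acls, outside = parse_config(text)
    findings = []
    for il in sorted({s[1] for s in statics}):
        for n in overload_acls:
            if acl_action(acls.get(n, []), il) == "permit":
                findings.append(f"{il} has static NAT but also matches overload ACL {n}; "
                                f"put 'access-list {n} deny host {il}' before the permit")
    for ig in sorted({s[3] for s in statics}):
        if any(ig == o.ip for o in outside):
            continue  # the router owns this address outright
        if any(ig in o.network for o in outside):
            findings.append(f"{ig} is in the outside block but not an interface address; "
                            f"it only works if the ISP really routes/ARPs it to this router")
        else:
            findings.append(f"{ig} is on no 'ip nat outside' subnet; the upstream must route it here")
    for proto, il, lport, ig, gport in statics:
        if proto == "tcp" and gport in CLEARTEXT:
            findings.append(f"{ig}:{gport} exposes {CLEARTEXT[gport]} on {il}:{lport} to the internet")
    return findings


def parse_translations(text):
    """Rows as (proto, inside global, inside local, outside local, outside global)."""
    return [tuple(p) for p in (l.split() for l in text.splitlines()) if len(p) == 5]


def reconcile(config_text, xlate_text):
    """Configured statics with no matching table row (missing), and rows whose
    inside global:port is configured to a different inside local (conflicting)."""
    statics = parse_config(config_text)[0]
    expected = {(p, f"{ig}:{gp}"): f"{il}:{lp}" for p, il, lp, ig, gp in statics}
    present = {(p, ig): il for p, ig, il, _, _ in parse_translations(xlate_text)}
    missing = [k for k, v in expected.items() if present.get(k) != v]
    conflicting = [(k, present[k], v) for k, v in expected.items()
                   if k in present and present[k] != v]
    return missing, conflicting


if __name__ == "__main__":
    for finding in check_config(CONFIG):
        print("config:", finding)
    missing, conflicting = reconcile(CONFIG, TRANSLATIONS)
    print("statics missing from table:", len(missing), "conflicting rows:", conflicting)
```

On the constructed sample this reports five config findings (both servers match ACL 23, .76 is not an interface address, and ports 25 and 110 are exposed) and none of the five configured statics is present in the table as configured: the one .74:443 row that does appear maps to 192.168.1.7, not to 192.168.1.3 as the posted config says, which is worth comparing against the running config before anything else.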

Thanks John

But I'm unable to telnet into it ... connection failed.

I'm thinking it could be with .... ip nat pool TEST x.x.x.74 x.x.x.74 netmask 255.255.255.248

I only specified one public IP (x.x.x.74) ... should I specify the entire block here, like this?

ip nat pool TEST x.x.x.74 x.x.x.78 netmask 255.255.255.248

The public IP for the web server is x.x.x.76.

Just wondering.

Hi Michael,

Hope you are doing well.

I have one question from your NAT translation table.

When you use static PAT, you use the following command:

"ip nat inside source static tcp (inside local IP address = actual device IP) <local port on which the device is listening> (inside global IP address = IP which is reachable on the internet) <global TCP/UDP port = any port you choose>"

So in your case your statement would be

ip nat inside source static tcp 192.168.1.7 443 x.x.x.76 443

It means your inside local IP is 192.168.1.7 and your inside global IP address is x.x.x.76, so when you run the sh ip nat translations command it should look like this:

Pro Inside global      Inside local       Outside local      Outside global
tcp x.x.x.76:443       192.168.1.7:443    ---                ---

So the first entry will be the static entry and then your dynamic sessions, but your output is showing something different: the 192.168.1.7 address is showing in Outside local.

I have created one blog on static PAT; if you want you can go through it. Last month I deployed a static PAT setup for one customer and it worked fine for them.

One more suggestion: if you are using the interface to PAT your inside IP addresses you can NAT directly on it; you don't need a separate pool for it. A pool is required when you want to do dynamic PAT with multiple IP addresses.

You can use the following command:

ip nat inside source list 10 interface gig0/1 overload

Regards,

Ashish

Dear Ashish

Thanks for the feedback. However, this issue has been sorted out and my routing configuration was fine.

All I had to do was change the port number to 8080 and switch to my main IP, as the .76 I got was not routable on the internet.

Thanks

John

The config was correct as you mentioned - the ISP let me down with a non-routable public IP.

Thanks

Hi Mike,

Just change your acl 23 to

access-list 23 deny  host 192.168.1.7

access-list 23 permit 192.168.1.0 0.0.0.255

HTH,

Lei Tian

Thanks Lei

I have done that but no luck.

Could the error be from this line ....

ip nat pool UPMB x.x.x.74 x.x.x.74 netmask 255.255.255.248?

I was thinking it should be this instead:

ip nat pool UPMB x.x.x.74 x.x.x.78 netmask 255.255.255.248

My public IP block is from 74 to 78.

Thanks

Hi Mike,

The 2nd one is correct, but it won't cause the issue that you have. If you change the NAT to

ip nat inside source static tcp 192.168.1.7 x.x.x.76 temporarily, can you ping .76 from internet?

HTH,

Lei Tian
