Cisco Support Community

New Member

Static Nat - access local web server via internet

Hi,

I'm trying to enable access to my local web server over the internet

I can access the server locally via the ip address (http://192.168.1.7) on port 80

I have created an A record and pointed it to the public IP address x.x.x.76, which is within a block with my main public ip for internet x.x.x.74

However, when I try to access the web server over the internet, I fail

I have attached my router config

Using 4396 out of 262136 bytes
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname test
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200 warnings
no logging console
!
no aaa new-model
!
ip cef
!
!
!
!
ip dhcp pool TEST
 network 192.168.1.0 255.255.255.0
 default-router 192.168.1.1
 dns-server 4.2.2.2
!
!
!
no ip domain lookup
ip domain name yourdomain.com
no ipv6 cef
multilink bundle-name authenticated
!
!
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
 no cdp enable
!
interface GigabitEthernet0/1
 ip address x.x.x.74 255.255.255.248
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 no cdp enable
!
ip forward-protocol nd
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat pool TEST x.x.x.74 x.x.x.74 netmask 255.255.255.248
ip nat inside source list 23 pool TEST overload
ip nat inside source static tcp 192.168.1.3 25 x.x.x.74 25 extendable
ip nat inside source static tcp 192.168.1.3 110 x.x.x.74 110 extendable
ip nat inside source static tcp 192.168.1.3 443 x.x.x.74 443 extendable
ip nat inside source static tcp 192.168.1.7 80 x.x.x.76 80 extendable
ip nat inside source static tcp 192.168.1.7 443 x.x.x.76 443 extendable
ip route 0.0.0.0 0.0.0.0 x.x.x.73
!
access-list 23 permit 192.168.1.0 0.0.0.255
!
!
!
control-plane
!
!
ate 20000 1000
!
end

Kindly help

37 REPLIES
Cisco Employee

Re:Static Nat - access local web server via internet

Hi

Remove the server IP from dynamic nat access list, and try.

HTH,
Lei Tian


Sent from Cisco Technical Support Android App

New Member

Re:Static Nat - access local web server via internet

Thanks Lei

I'm not really a CISCO guy though

How should I do that?

Mike

Static Nat - access local web server via internet

Michael,

Try removing this line:

ip nat pool TEST x.x.x.74 x.x.x.74 netmask 255.255.255.248

with "no ip nat pool TEST x.x.x.74 x.x.x.74 netmask 255.255.255.248"

HTH,
John

*** Please rate all useful posts ***

New Member

Re:Static Nat - access local web server via internet

Thanks John

I'm currently out of town but can access the router via SSH & telnet

I cannot remove/destroy it as the pool is in use

Michael

Static Nat - access local web server via internet

I've labbed it up and I can't get it to fail with your config. Can you post "sh ip nat translat"?

HTH,
John

*** Please rate all useful posts ***

New Member

Re:Static Nat - access local web server via internet

Dear John

sh ip nat translations

Pro Inside global      Inside local       Outside local        Outside global
--- ---                ---                192.168.1.7          197.221.128.76
tcp x.x.x.74:1033      192.168.1.2:1033   79.143.167.6:26394   79.143.167.6:26394
tcp x.x.x.74:1043      192.168.1.2:1043   186.38.22.148:6881   186.38.22.148:6881
tcp x.x.x.74:443       192.168.1.7:443    ---                  ---

It's a much longer list, I just picked out a few lines

Re:Static Nat - access local web server via internet

Is there a firewall between your router and this server? Do you have a translation for port 80? I see 443, but not 80. Does 443 work if you try to telnet into the port from the outside? (telnet x.x.x.74 443). If the screen clears with a cursor in the upper left, it's open and you're getting to the server.

HTH,
John

*** Please rate all useful posts ***

New Member

Static Nat - access local web server via internet

Thanks John

But I'm unable to telnet into it ... connection failed

I'm thinking it could be with  .... ip nat pool TEST x.x.x.74 x.x.x.74 netmask 255.255.255.248

I only specified one public IP (x.x.x.74) ... should I specify the entire block here like this

ip nat pool TEST x.x.x.74 x.x.x.78 netmask 255.255.255.248?

the Public IP for the web server is x.x.x.76

Just wondering

Gold

Re:Static Nat - access local web server via internet

Hi Michal,

Hope you are doing well,

I have one question from your NAT translation table

When you use static PAT, you use the following command:

ip nat inside source static tcp (Inside local IP address = actual device IP) <Local port on which the device is listening> (Inside global IP address = IP which is reachable on internet) <Global UDP/TCP port = any random port>

So in your case your statement would be

ip nat inside source static tcp 192.168.1.7 443 x.x.x.76 443

It means your inside local IP is 192.168.1.7 and your inside global IP address is x.x.x.76, so when you run the sh ip nat translation command it should look like this:

Pro Inside global      Inside local       Outside local      Outside global

tcp x.x.x:76      192.168.1.7:443     ---                ---

So the first entry will be the static entry and then your dynamic sessions, but your output is showing something different: the 192.168.1.7 address is showing in outside local.

I have created one blog on static PAT; if you want, you can go through it. Last month I deployed a static PAT setup for one customer, and it worked fine for them.

One more suggestion: if you are using the interface to PAT your inside IP addresses, you can NAT directly on it; you don't need a separate pool for it. A pool is required when you want to do dynamic PAT with multiple IP addresses.

you can use following command:

ip nat inside source list 10 interface gig0/1 overload

Regards,

Ashish

New Member

Re:Static Nat - access local web server via internet

Dear Ashish

Thanks for the feedback. However, this issue has been sorted out and my routing configuration was fine

All I had to do was to change the port number to 8080 and switch to my main IP, as the .76 I got was not routable on the internet

Thanks

New Member

Re:Static Nat - access local web server via internet

John

The config was correct as you mentioned - ISP let me down with a non routable public IP

Thanks

Cisco Employee

Re:Static Nat - access local web server via internet

Hi Mike,

Just change your acl 23 to

access-list 23 deny  host 192.168.1.7

access-list 23 permit 192.168.1.0 0.0.0.255

HTH,

Lei Tian

New Member

Static Nat - access local web server via internet

Thanks Lei

I have done that but no luck

Could the error be from this line . . . .

ip nat pool UPMB x.x.x.74 .x.x.x.74 netmask 255.255.255.248?

I was thinking it should be this instead

ip nat pool UPMB x.x.x.74 .x.x.x.78 netmask 255.255.255.248

My Public IP block is from 74 to 78

thanks

Cisco Employee

Re:Static Nat - access local web server via internet

Hi Mike,

The 2nd one is correct, but it won't cause the issue that you have. If you change the NAT to

ip nat inside source static tcp 192.168.1.7 x.x.x.76 temporarily, can you ping .76 from internet?

HTH,

Lei Tian

New Member

Static Nat - access local web server via internet

Hi

I'm unable to ping x.x.x.76 from the internet after applying the NAT

However, below are my active access lists

Standard IP access list 23

    10 permit 192.168.1.0, wildcard bits 0.0.0.255 (138393 matches)

Extended IP access list 102

    10 permit tcp any eq smtp any eq smtp

Extended IP access list 123

    10 permit tcp any any

Could this hold the clue?

Thanks

Bronze

Re: Static Nat - access local web server via internet

I only see "ip nat inside".
This is for inside hosts making connections to the outside.

You need the other nat statement for outside access in " ip nat outside...."

Sent from Cisco Technical Support iPad App

Cisco Employee

Re:Static Nat - access local web server via internet

Hi Mike,

Where are ACL 102 and 123 applied? I don't see that in your posted config. Do a show ip arp, do you see .76 in your ARP table?

HTH,

Lei Tian

New Member

Re:Static Nat - access local web server via internet

Hi Lei

Both 102 and 123 apply to the outside interface. They were created when mail wasn't being routed, but it later occurred to us that the firewall on the mail server was blocking port 25

Below is the ARP table

Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.168.1.1             -   7cad.74a8.c9c0  ARPA   GigabitEthernet0/0
Internet  192.168.1.2             0   0001.0250.b2dc  ARPA   GigabitEthernet0/0
Internet  192.168.1.3             0   Incomplete      ARPA
Internet  192.168.1.5             0   e839.35ee.b844  ARPA   GigabitEthernet0/0
Internet  192.168.1.7             -   7cad.74a8.c9c0  ARPA   GigabitEthernet0/0
Internet  192.168.1.19           55   1803.73ce.e59d  ARPA   GigabitEthernet0/0
Internet  192.168.1.20            7   0025.64b0.5f83  ARPA   GigabitEthernet0/0
Internet  192.168.1.27            1   00b2.02c9.03af  ARPA   GigabitEthernet0/0
Internet  192.168.1.31            0   b8ac.6f43.81c6  ARPA   GigabitEthernet0/0
Internet  192.168.1.34            0   b8ac.6f1e.4ee9  ARPA   GigabitEthernet0/0
Internet  192.168.1.36          218   6067.206c.7694  ARPA   GigabitEthernet0/0
Internet  192.168.1.38          217   6067.206c.7694  ARPA   GigabitEthernet0/0
Internet  192.168.1.40            8   0021.cccb.962b  ARPA   GigabitEthernet0/0
Internet  192.168.1.41           59   1c4b.d685.2c44  ARPA   GigabitEthernet0/0
Internet  192.168.1.57           50   0021.cccb.9637  ARPA   GigabitEthernet0/0
Internet  192.168.1.62            3   0021.cccb.95c5  ARPA   GigabitEthernet0/0
Internet  192.168.1.214           0   8c89.a5bc.1fac  ARPA   GigabitEthernet0/0
Internet  x.x.x.73               31   0030.8801.aa7c  ARPA   GigabitEthernet0/1
Internet  x.x.x.74                -   7cad.74a8.c9c1  ARPA   GigabitEthernet0/1
Internet  x.x.x.76                -   7cad.74a8.c9c1  ARPA   GigabitEthernet0/1

Cisco Employee

Re:Static Nat - access local web server via internet

Hi Mike,

Can you try to remove acl 102 and 123? Can you also make sure provider is advertising your subnet? Try to trace .76 from the internet, see if it can reach the provider router. You can use http://network-tools.com/ for trace.

HTH,

Lei Tian

New Member

Re:Static Nat - access local web server via internet

I'm back in office now

Removed both ACLs but the trace from the internet is still not working

Cisco Employee

Re:Static Nat - access local web server via internet

Hi,

Where does the trace stop? Compare to the result for trace to .74, is there any difference?

HTH,

Lei Tian

New Member

Re:Static Nat - access local web server via internet

Thanks Lei

I managed to identify the problem - bloody ISP spoofed me into thinking .76 was routable over the internet!

I used .74 (its know not recommended though) and natted to port 8080 and it's working well.

I must say many thanks to you all, especially you Lei - Good skills man

I have to get my second Public IP up and change the config so it reduces my traffic

Thanks once again

I appreciate

Michael

Cisco Employee

Re:Static Nat - access local web server via internet

Hi Mike,

You're welcome! Glad you found the issue.

HTH,

Lei Tian

New Member

Re:Static Nat - access local web server via internet

Do you happen to have any firewall configuration on the router ? The configuration on the router so far looks right.

Another thing is that you should be accessing the server via the public IP from outside, and you might want to make sure you are allowing access to that address and port on your firewall.


Sent from Cisco Technical Support Android App

New Member

Re:Static Nat - access local web server via internet

Thanks J. Wreh

I currently don't have any firewall rules running

I tried accessing it using the public IP from outside, but it fails

The guy at my ISP says I should deny some IPs access from the access-list (presuming it's access-list 23) as it's an overkill and is confusing the router

It's got me all confused now

lol

New Member

Re:Static Nat - access local web server via internet

I don't think that line is the problem. I have similar config on my 1921, and everything is working. Here's my config:
ip nat pool xPOOL x.x.x.217 x.x.x.222 netmask 255.255.255.248
ip nat inside source list INTERNET_ACCESS pool xPOOL overload
ip nat inside source static tcp 192.168.2.5 80 x.x.x.218 80 extendable
ip nat inside source static tcp 192.168.2.5 443 x.x.x.218 443 extendable

ip access-list extended INTERNET_ACCESS
 permit ip any any

That access-list does include everything. People do have access to my website from the Internet.

Sent from Cisco Technical Support Android App

New Member

Re:Static Nat - access local web server via internet

Hope this link helps you:

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080093f31.shtml

That's Cisco Document ID:13778


Sent from Cisco Technical Support Android App

New Member

Re:Static Nat - access local web server via internet

Michael, could you issue the following command and load the output here:

show ip nat translations tcp | sec 192.168.1.7


Sent from Cisco Technical Support Android App

New Member

Re:Static Nat - access local web server via internet

UPMB#show ip nat translations | sec 192.168.1.7
--- ---                ---                192.168.1.7        x.x.x.76
tcp x.x.x.76:443       192.168.1.7:443    ---                ---
tcp x.x.x.74:49523     192.168.1.72:49523 66.196.66.156:80   66.196.66.156:80
tcp x.x.x.74:49608     192.168.1.72:49608 66.196.120.100:80  66.196.120.100:80
tcp x.x.x.74:49676     192.168.1.72:49676 69.171.235.16:443  69.171.235.16:443
tcp x.x.x.74:1069      192.168.1.72:51231 69.171.235.16:443  69.171.235.16:443
tcp x.x.x.74:51334     192.168.1.72:51334 66.196.120.100:80  66.196.120.100:80
tcp x.x.x.74:51618     192.168.1.72:51618 173.252.100.27:443 173.252.100.27:443
tcp x.x.x.74:51620     192.168.1.72:51620 2.22.234.8:80      2.22.234.8:80
tcp x.x.x.74:51621     192.168.1.72:51621 2.22.234.8:80      2.22.234.8:80
tcp x.x.x.74:51623     192.168.1.72:51623 66.196.66.156:80   66.196.66.156:80
tcp x.x.x.74:51626     192.168.1.72:51626 217.163.21.40:80   217.163.21.40:80
tcp x.x.x.74:52412     192.168.1.72:52412 173.252.100.27:443 173.252.100.27:443
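
The check made by eye in this thread (is there a static entry in the translation table for every configured static PAT line, and does any row sit in the wrong columns) can be scripted. This is an added example, not part of the thread or of any Cisco tool; the config excerpt and table are constructed sample input, with 203.0.113.x documentation addresses standing in for the redacted x.x.x.74 and x.x.x.76.

```python
import re

# Constructed excerpt of static PAT lines; 203.0.113.x (documentation range)
# stands in for the thread's redacted x.x.x.74 / x.x.x.76.
CONFIG = """\
ip nat inside source static tcp 192.168.1.3 25 203.0.113.74 25 extendable
ip nat inside source static tcp 192.168.1.7 80 203.0.113.76 80 extendable
ip nat inside source static tcp 192.168.1.7 443 203.0.113.76 443 extendable
"""

# Constructed "show ip nat translations" output in the shape posted above.
TRANSLATIONS = """\
Pro Inside global      Inside local       Outside local      Outside global
--- ---                ---                192.168.1.7        203.0.113.76
tcp 203.0.113.74:25    192.168.1.3:25     ---                ---
tcp 203.0.113.76:443   192.168.1.7:443    ---                ---
tcp 203.0.113.74:49523 192.168.1.72:49523 198.51.100.9:80    198.51.100.9:80
"""

STATIC_RE = re.compile(
    r"^ip nat inside source static (tcp|udp) (\S+) (\d+) (\S+) (\d+)", re.M)

def configured_static(config):
    """Return {(proto, 'global:port', 'local:port')} for each static PAT line."""
    return {(p, f"{g}:{gp}", f"{l}:{lp}")
            for p, l, lp, g, gp in STATIC_RE.findall(config)}

def table_static(output):
    """Split table rows into static entries and rows filled only on the outside."""
    static, outside_only = set(), []
    for line in output.splitlines():
        f = line.split()
        if len(f) != 5:          # header, prompt or wrapped line
            continue
        pro, ig, il, ol, og = f
        if ol == og == "---":    # static entry: no outside session attached
            static.add((pro, ig, il))
        elif ig == il == "---":  # the odd first row noticed in the thread
            outside_only.append((ol, og))
    return static, outside_only

def audit(config, output):
    """Compare configured static PAT lines with what the router has installed."""
    want = configured_static(config)
    have, outside_only = table_static(output)
    return {"missing": sorted(want - have), "unexpected": sorted(have - want),
            "outside_only": outside_only}

if __name__ == "__main__":
    print(audit(CONFIG, TRANSLATIONS))
```

The "unexpected" list doubles as an inventory of inside services published to the internet that the reviewed config does not account for.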
