A router. A webserver. And NAT.


- I've got a 4 computer home network, where one of them is a newly installed linux box running apache on port 80.
- I've got an Alcatel SpeedTouch Pro as my router which is 'Always-on'.
- When I get an HTTP request it directs to the web interface of the modem. (major security issue)
I want it to direct all requests on port 80 to the linux box (static IP).

After some research I found that the way to do this is telnet to the router and type:
user: user
[nat]=>  create protocol=tcp inside_addr= inside_port=80 outside_addr=0 outside_port=80

but I get a "Failed to create static NAT entry".

Any help would be greatly appreciated...


Might be because a NAT entry already exists for port 80.
try this

after user:user

=>nat list

this will show what you have set up at the moment.  I imagine that there is a setting in there already for port 80 tcp and therefore will not allow another.  First of all make a note of the address in that list, (just in case you need to reapply them) then:

=>nat delete protocol=tcp inside_addr=xxx.xxx.xxx.xxx inside_port=80 outside_addr=xxx.xxx.xxx.xxx outside_port=xxxx

obviously fill in the x's with the information you noted down about the existing connection.  Now:

=>nat list

and see that the existing entry has gone.  And now to add the connection:

=>nat create protocol=tcp inside_addr= inside_port=80 outside_addr=0 outside_port=0

Give that a whirl and let me know how you get on.

11odsAuthor Commented:

There's nothing using up port 80 according to the 'list'.

basically there's a table:

inside addr: port     outside addr:port      forgn addr: port       xx.xx.xx.xxx:13305       xx.xx.xx.xxx:15506       xx.xx.xx.xxx:15507

WHERE: is the computer I am using now (winxp).
xx.xx.xx.xxx is my real IP
and the rest of the IPs I have no idea what they are or how they got there.

Reckon it's safe to delete everything?
If the router has a web interface configure it to use a port other than 80, like 9980 for example.

11odsAuthor Commented:
I've just had a look around and there are no known issues with port 80 on this router so try the following, remember the nat save command:

nat create protocol=tcp inside_addr= inside_port=80 outside_addr=0 outside_port=80

nat save

If that doesn't work, try sending ALL traffic to this pc:

nat defserver addr

nat save

This is just for testing purposes, don't leave it configured like that, it's a big security hole.
11odsAuthor Commented:

The first line didn't work, same error as before...

but when I set the default server there was no error....

So it works with the nat defserver addr ? Is the website on the Linux box a secure HTTPS site? If so, forward tcp port 443.

Alternatively, try it in this format:

nat create protocol=tcp inside_addr= outside_addr=

11odsAuthor Commented:
Yup drev001,
works with the defserver,
the website isn't https...

and the alternative method "nat create protocol=tcp inside_addr= outside_addr="

gave me the same error...
Annoying, isn't it.

Very annoying. How about a firmware upgrade?

Pardon me for asking, - (I'm not familiar with the specific model) don't you have to login at admin level and go to a config level before issuing the command?
11odsAuthor Commented:
Nope svenkarlsen.

Just tried it and still the same problem.
It's amazing what I just stumbled upon:

Taken from: http://adsl.cutw.net/alcatel-stpro-natpat.txt
"Failed to create static NAT entry.
 This is due to the Active Software Version you have on the Pro modem -
it will be more than likely to be the following version: KHDSAA.132"

which happens to be the version I'm running.
Going to go try and update it now..

11odsAuthor Commented:
Well, now it lets me enter the nat and save it ...

but when I browse to my IP address in the browser, the browser just hangs for a long time
and then gives me a cannot find server error... instead of forwarding me to my internal IP

... and just when I thought it was almost fixed
I think you have to remove the defserver entry now
You will probably have to change to EXPERT mode before trying to configure NAT/PAT, - see:


Kind regards,
Sven Karlsen
11odsAuthor Commented:
defserver was removed ... still nothing..

and I tried setting the NAT in expert mode..

it adds the IP and the port in the table...

and should be working..
but it's just not forwarding.

Have you enabled NAT/PAT?

nat enable addr=[??] type=pat

Try setting the defserver again, and enabling pat for that address
If that doesn't work, try enabling pat for the outside interface (it's a bit unclear if it's source or target you enable here)

I'd normally expect that you should use your outside address instead of '0' for outside address:
     nat create protocol=tcp inside_addr= inside_port=80 outside_addr=[!!] outside_port=80

But leave that for now, - this router may use 0 as synonym for 'outside interface'

Sven, on this router I think that the 0 for outside address signifies "any incoming"
OK, - expected so as there were no IF identifiers in the config manual.

11odsAuthor Commented:
Here is the exact copy-and-paste from the telnet window.. maybe it will help.
I've replaced my IP with xxx's.

User : user
*                             ______
*                         ___/_____/\
*                        /         /\\ ALCATEL ADSL MODEM
*                  _____/__       /  \\
*                _/       /\_____/___ \   Version 3.2
*               //       /  \       /\ \
*       _______//_______/    \     / _\/______ Copyright 1999-2000.
*      /      / \       \    /    / /        /\
*   __/      /   \       \  /    / /        / _\__
*  / /      /     \_______\/    / /        / /   /\
* /_/______/___________________/ /________/ /___/  \
* \ \      \    ___________    \ \        \ \   \  /
*  \_\      \  /          /\    \ \        \ \___\/
*     \      \/          /  \    \ \        \  /
*      \_____/          /    \    \ \________\/
*           /__________/      \    \  /
*           \   _____  \      /_____\/
*            \ /    /\  \    /
*             /____/  \  \  /
*             \    \  /___\/
*              \____\/
Indx Prot Inside-address:Port  Outside-address:Port  Foreign-address:Port Flgs E
xpir State  Control
   1  17    xx.xxx.xxx.xxx:137  11
 20    10
   2   6   xx.xxx.xxx.xxx:59126  1
 60    1
   3   6   xx.xxx.xxx.xxx:59937   1
 8     5
   4   6   xx.xxx.xxx.xxx:59936   1
 8     5
   5   6   xx.xxx.xxx.xxx:59938   1
 8     5
   6   6   xx.xxx.xxx.xxx:59935   1
 8     5
   7   6     xx.xxx.xxx.xxx:80       insta
   8   6         templ
addr =
[type] = pat
Failed to set NAT.

I have no idea why (my winxp box) is in the table, or what the rest of the IPs are there for. The only ones I entered are with the internal IP (my linux box).

The NAT/PAT table shows both dynamic and static mappings, - i.e. when you access something on the internet, the router will make an entry in the NAT/PAT table. So what you see is the result of NAT when you browse, - don't mind the varying port numbers, that's a necessity to perform NAT.

As far as I can see, your linux box is already mapped as required. Try a power cycle on the router and see how much is left in the table when it comes up again (disconnect winxp box and external cable when you boot (if possible...), to avoid any entries caused by access attempts).

I think it would be a good idea to start on a fresh router config...
A Reset to Factory Defaults is often a good idea after a firmware update on these cheapo routers.
11odsAuthor Commented:
Ok,  well...

I disconnected the winxp box, reset factory defaults, had only the linux box connected,
and still I can't access it from my external IP. I tried enabling the NAT/PAT again after all this, as Sven suggested earlier, but still I get the same "Failed to set NAT".

Any other suggestions?

Sure, - you'll give in before I run out of options ;-)

Ok, - next suggestion: when you've reset to factory defaults, it seems like the router sets defserver. Check the nat list, - try deleting any entry and get a clear nat table.

With a verified clear NAT-table, try booting the router and make an attempt to configure NAT/PAT again.

11odsAuthor Commented:
Do you think all this could be configured remotely.. given my IP address?

If you see what I'm getting at...

Sorry, - that's beyond the rules of this forum: any aid must be performed in free contest and fully trackable in the exchange of comments.

I know it may feel a bit silly at first thought, - but say I agreed on the task and we took it somewhere private (via mail or like), - then I got you in a fix, and suddenly I suggest some fee of sorts!?

Hope you see the point, - I (and everyone here) work for the honor, and that sets some demand for ethics.

(now, let's turn off the violins, and get on with the task;-)

You could try posting a claim for closure/reclaim of posted points, and repost the question under Networking/ADSL or like, - I would not object, because I have not been able to help you, and a new, shorter thread may make it more likely that others (more competent than I) will throw a glance at your problems.

Kind regards,
Just found an article online stating that it is because of your active software version, as drev has stated previously you should be on 134 which can be downloaded from here

11odsAuthor Commented:
When drev suggested it I upgraded to KHDSAA.134,

and when it didn't solve the problem I went out looking for a newer version...

So right now I'm using Khdsaa3.270

Thanks Yorkie.
Just making 100% sure: you ARE able to connect to your linux-box port 80 from inside subnet ;-)

(no offence intended, - but sometimes (like with RedHat 9) people forget to enable the basic functions when installing the firewall)
11odsAuthor Commented:
Yup. in my browser and I see my linux box .......  :)

Here's something I noticed that might be helpful:

BEFORE I entered the information in the NAT tables to route to my linux box on port 80,
all requests on port 80 would route to the web interface of the router.

NOW that it's supposed to be routing, the browser just hangs, and eventually gives me a 'could not find server error'.

Hope this helps in any way!

Then you should probably search the config for some part that configures which port the router will use for http-interface, - when you find it, reconfig it to something like port 8080 or similar.
11odsAuthor Commented:
Can't find it....

OK guys. I feel like we've given up here....
A little disappointed.. but....

How about we redesign the home network?  Right now it looks like this:

           [speed touch] (  (dhcp serv.)
    |        |            |         |
  [XP]    [linux]  [w98]     [w98]

How can I make the linux box available to the outside world, and the rest not?

This maybe?

           [speed touch] (
             [linux] (dhcp serv)
    |        |            |        
  [XP]    [w98]     [w98]

Sorry if this is ridiculous :)

but would this solve the problem?
No, - but it would require an extra NIC in your Linux box (and probably installing Masquerade on it).

But I don't see how you expect this to solve the e-mail problem in the router ?
Looking back, I see that the defserver command seemed to work fine, - only you apparently set it to and not the IP of your Linux box. Have you tried setting defserver to your Linux box IP ?
11odsAuthor Commented:
I set the defserver to,
it was drev001 that in his example set it to ...


During all these attempts, I fail to see that we remembered to allow incoming traffic on port 80 in the firewall, - is that correct ?

If so, - you might want to test this:

1. Set defserver
2. In firewall, config to allow incoming traffic on port 80

There is a third party application called alcatool, which improves on the alcatel web interface, might like to give it a try, http://www.nubz.org/alcatool/Download.html
11odsAuthor Commented:
I don't believe it.. I think I finally found the answer.
after reading this FAQ: http://www.azacamis.com/refer/routerfaqs.htm

It explains how from inside your LAN, you cannot plug in your WAN IP and expect to get forwarded, since it's your router's IP. But, users from outside the LAN would be able to reach it..

I'd test it but it's 3:20 am and nobody's online to confirm if this works...

Any ideas? Suggestions?
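
The behaviour discussed in this thread (dynamic versus static NAT/PAT entries, the `defserver` catch-all, and the WAN address not forwarding when tried from inside the LAN) can be seen in a small model. This is an added example, not part of the original posts and not the SpeedTouch's actual logic; the addresses, the `Router` class and its lookup order are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

# All addresses below are constructed sample values, not taken from the thread.
WAN_IP = "203.0.113.10"   # router's public address
LINUX = "10.0.0.5"        # web server on the LAN
XP = "10.0.0.2"           # workstation on the LAN

@dataclass
class Router:
    static: dict = field(default_factory=dict)    # (proto, outside_port) -> (inside_addr, inside_port)
    dynamic: dict = field(default_factory=dict)   # same shape, created by outbound traffic
    defserver: Optional[str] = None
    next_port: int = 59935

    def outbound(self, proto, src, sport):
        """A LAN host opens a connection: allocate a dynamic PAT entry."""
        port, self.next_port = self.next_port, self.next_port + 1
        self.dynamic[(proto, port)] = (src, sport)
        return port

    def deliver(self, iface, proto, dport):
        """Where does a packet addressed to WAN_IP:dport end up?"""
        if iface == "lan":
            # Assumption: no NAT loopback, so mappings apply on WAN ingress only.
            return ("router", dport)
        for table in (self.dynamic, self.static):
            if (proto, dport) in table:
                return table[(proto, dport)]
        if self.defserver:
            return (self.defserver, dport)   # every unmapped port is exposed
        return ("router", dport)

def demo():
    r = Router()
    before = r.deliver("wan", "tcp", 80)          # router's own web interface
    r.static[("tcp", 80)] = (LINUX, 80)           # the static entry from the thread
    reply_port = r.outbound("tcp", XP, 1025)      # browsing creates a dynamic row
    results = {
        "before": before,
        "from_wan": r.deliver("wan", "tcp", 80),
        "from_lan": r.deliver("lan", "tcp", 80),
        "reply": r.deliver("wan", "tcp", reply_port),
    }
    r.defserver = LINUX
    results["defserver_ssh"] = r.deliver("wan", "tcp", 22)
    return results

if __name__ == "__main__":
    for name, dest in demo().items():
        print(f"{name:14} -> {dest}")
```

The last result shows why `defserver` was called a big security hole earlier in the thread: with it set, a port nobody meant to publish (22 here) reaches the Linux box as well.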
11odsAuthor Commented:

Thanks very much !

Just tried entering my IP from the WAN and it forwards to my linux box.

So the problem was actually made up of several different components,
but the turning point was Drev001's suggestion for a firmware update, which is why it's the accepted answer..
I split the points because everyone assisted and I'd like to thank you for it ..... Thanks !