Solved

Cisco 826 Web to server

Posted on 2004-08-11
Last Modified: 2013-12-14
Hi,

I have a Cisco 826 and I just use it to go on the internet. Now I have my personal website. The configuration at the moment only allows traffic from my PC to the internet, but not from the internet to my PC.
So is it possible to open port 80 so they can access my website?

This is my configuration at the moment.

!
version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname azerty
!
enable password azerty
!
username azerty password azerty
!
!
!
!
ip subnet-zero
ip name-server 195.238.2.21
ip name-server 195.238.2.22
!
!
!
!
interface Ethernet0
 ip address 192.168.1.5 255.255.255.0
 no ip directed-broadcast
 ip nat inside
 no ip mroute-cache
 load-interval 30
 no keepalive
!
interface ATM0
 no ip address
 no ip directed-broadcast
 load-interval 30
 no atm ilmi-keepalive
 bundle-enable
 hold-queue 224 in
!
interface ATM0.1 point-to-point
 description Cisco 826 TurboLine OFFICE
 ip address 217.136.220.210 255.255.255.192
 no ip directed-broadcast
 ip nat outside
 pvc 0/35
 !
!
ip default-gateway 217.136.220.193
ip nat inside source list 2 interface ATM0.1 overload
ip nat inside source static tcp 192.168.1.2 25 interface ATM0.1 25
ip nat inside source static tcp 192.168.1.2 21 interface ATM0.1 21
ip nat inside source static tcp 192.168.1.2 80 interface ATM0.1 80
ip classless
ip route 0.0.0.0 0.0.0.0 217.136.220.193
no ip http server
!
!
vc-class atm Office
  inarp 30
  vbr-nrt 128 128 32
  inarp 30
  oam-pvc manage 30
  oam retry 6 2 10
  encapsulation aal5snap
access-list 1 permit 213.35.60.0 0.0.0.255
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 2 permit 192.168.1.0 0.0.0.255
!
line con 0
 logging synchronous
 transport input none
 ip netmask-format decimal
 stopbits 1
line vty 0 4
 access-class 1 in
 exec-timeout 15 0
 login local
 ip netmask-format decimal
!
scheduler max-task-time 5000
end
Question by:jansor
11 Comments
 
LVL 43

Expert Comment

by:JFrederick29
ID: 11771892
Is your web server running on 192.168.1.2?  If so, your static NAT looks good.  You are trying to connect to the web server using the 217.136.220.210 IP address from outside your network, right?
0
 

Author Comment

by:jansor
ID: 11772207
In my web server there are 2 network cards, one internal and another for the internet.
My internal network IP is 192.168.0.10.
My network card for the internet is 192.168.1.2 (this is the card the Cisco router is on).
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 11772799
Okay, the following line "ip nat inside source static tcp 192.168.1.2 80 interface ATM0.1 80" is forwarding HTTP traffic destined to 217.136.220.210 to your web server (192.168.1.2).  This looks good.  From the outside you are using "http://217.136.220.210" right?

Remove the command, ip default-gateway 217.136.220.193:

en
conf t
no ip default-gateway 217.136.220.193

It is not necessary as you have IP routing enabled on the router.  
0
 

Author Comment

by:jansor
ID: 11773488
Yes, I am using "http://217.136.220.210" to enter the website (I hope).
So at the moment my config is as follows:

!
version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname azerty
!
enable password azerty
!
username azerty password azerty
!
!
!
!
ip subnet-zero
ip name-server 195.238.2.21
ip name-server 195.238.2.22
!
!
!
!
interface Ethernet0
 ip address 192.168.1.5 255.255.255.0
 no ip directed-broadcast
 ip nat inside
 no ip mroute-cache
 load-interval 30
 no keepalive
!
interface ATM0
 no ip address
 no ip directed-broadcast
 load-interval 30
 no atm ilmi-keepalive
 bundle-enable
 hold-queue 224 in
!
interface ATM0.1 point-to-point
 description Cisco 826 TurboLine OFFICE
 ip address 217.136.220.210 255.255.255.192
 no ip directed-broadcast
 ip nat outside
 pvc 0/35
 !
!
no ip default-gateway 217.136.220.193
ip nat inside source list 2 interface ATM0.1 overload
ip nat inside source static tcp 192.168.1.2 25 interface ATM0.1 25
ip nat inside source static tcp 192.168.1.2 21 interface ATM0.1 21
ip nat inside source static tcp 192.168.1.2 80 interface ATM0.1 80
ip classless
ip route 0.0.0.0 0.0.0.0 217.136.220.193
no ip http server
!
!
vc-class atm Office
  inarp 30
  vbr-nrt 128 128 32
  inarp 30
  oam-pvc manage 30
  oam retry 6 2 10
  encapsulation aal5snap
access-list 1 permit 213.35.60.0 0.0.0.255
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 2 permit 192.168.1.0 0.0.0.255
!
line con 0
 logging synchronous
 transport input none
 ip netmask-format decimal
 stopbits 1
line vty 0 4
 access-class 1 in
 exec-timeout 15 0
 login local
 ip netmask-format decimal
!
scheduler max-task-time 5000
end
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 11773673
You might also want to try adding an access-list inbound on your ISP connection explicitly permitting web traffic.  For example:

! permit DNS lookups
access-list 101 permit udp any eq 53 any
! permit TCP sessions initiated from the inside
access-list 101 permit tcp any any established
! permit HTTP traffic to your web server
access-list 101 permit tcp any any eq 80
! permit SMTP traffic to your mail server
access-list 101 permit tcp any any eq 25
! permit FTP traffic to your FTP server
access-list 101 permit tcp any any eq 21
! permit ICMP return packets
access-list 101 permit icmp any any echo-reply

Apply it inbound on your ATM0.1 interface:

interface ATM0.1
ip access-group 101 in
0
 

Author Comment

by:jansor
ID: 11773988
OK, I am going to test it, but it will be for tomorrow.
But this is the script then, right?
!
version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname azerty
!
enable password azerty
!
username azerty password azerty
!
!
!
!
ip subnet-zero
ip name-server 195.238.2.21
ip name-server 195.238.2.22
!
!
!
!
interface Ethernet0
 ip address 192.168.1.5 255.255.255.0
 no ip directed-broadcast
 ip nat inside
 no ip mroute-cache
 load-interval 30
 no keepalive
!
interface ATM0
 no ip address
 no ip directed-broadcast
 load-interval 30
 no atm ilmi-keepalive
 bundle-enable
 hold-queue 224 in
!
interface ATM0.1 point-to-point
 description Cisco 826 TurboLine OFFICE
 ip address 217.136.220.210 255.255.255.192
 ip access-group 101 in
 no ip directed-broadcast
 ip nat outside
 pvc 0/35
 !
!
no ip default-gateway 217.136.220.193
ip nat inside source list 2 interface ATM0.1 overload
ip nat inside source static tcp 192.168.1.2 25 interface ATM0.1 25
ip nat inside source static tcp 192.168.1.2 21 interface ATM0.1 21
ip nat inside source static tcp 192.168.1.2 80 interface ATM0.1 80
ip classless
ip route 0.0.0.0 0.0.0.0 217.136.220.193
no ip http server
!
!
vc-class atm Office
  inarp 30
  vbr-nrt 128 128 32
  inarp 30
  oam-pvc manage 30
  oam retry 6 2 10
  encapsulation aal5snap
access-list 1 permit 213.35.60.0 0.0.0.255
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 2 permit 192.168.1.0 0.0.0.255
access-list 101 permit udp any eq 53 any  
access-list 101 permit tcp any any established
access-list 101 permit tcp any any eq 80  
access-list 101 permit tcp any any eq 25
access-list 101 permit tcp any any eq 21
access-list 101 permit icmp any any echo-reply
!
line con 0
 logging synchronous
 transport input none
 ip netmask-format decimal
 stopbits 1
line vty 0 4
 access-class 1 in
 exec-timeout 15 0
 login local
 ip netmask-format decimal
!
scheduler max-task-time 5000
end
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 11774058
Yes, looks good.
0
 

Author Comment

by:jansor
ID: 11784154
Hello,

There is still a problem: when I ping this IP I get the following fault.
Pingen naar 217.136.220.210 met 32 bytes aan gegevens:

Antwoord van 217.136.220.210: Het doelnetwerk is niet bereikbaar.
Antwoord van 217.136.220.210: Het doelnetwerk is niet bereikbaar.
Antwoord van 217.136.220.210: Het doelnetwerk is niet bereikbaar.
Antwoord van 217.136.220.210: Het doelnetwerk is niet bereikbaar.

Ping-statistieken voor 217.136.220.210:
    Pakketten: verzonden = 4, ontvangen = 4, verloren = 0
    (0% verlies).

De gemiddelde tijd voor het uitvoeren van één bewerking in milliseconden:
    Minimum = 0ms, Maximum = 0ms, Gemiddelde = 0ms

Also, when I try to use IE with http://217.136.220.210
I get a time-out error or a DNS fault?
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 11784390
You won't be able to ping the address from the outside as you are denying it via the access-list.

Could your ISP possibly be denying inbound HTTP?  Some ISPs don't allow you to run web or other servers.  You may want to check with them as your configuration looks fine.  Do inbound SMTP and FTP work (the other ports you are forwarding)?
0
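The first-match evaluation behind the point that the ping is denied by the access list, as an added example that is not part of the original thread: a small Python model of ACL 101 run over constructed packets. It handles only the any-to-any rule forms posted above; the sample packets and their port numbers are assumptions.

```python
import re
# ACL 101 as posted in the thread, with the "<---" annotations removed.
ACL_101 = """\
access-list 101 permit udp any eq 53 any
access-list 101 permit tcp any any established
access-list 101 permit tcp any any eq 80
access-list 101 permit tcp any any eq 25
access-list 101 permit tcp any any eq 21
access-list 101 permit icmp any any echo-reply
"""
RULE = re.compile(
    r"access-list \d+ (permit|deny) (udp|tcp|icmp) any(?: eq (\d+))? any"
    r"(?: eq (\d+)| (established)| (echo-reply|echo))?$")

def parse(text):
    """Parse only the any-to-any extended ACL forms that appear on this page."""
    rules = []
    for line in text.strip().splitlines():
        m = RULE.match(line.strip())
        if not m:
            raise ValueError(f"unsupported ACL line: {line!r}")
        action, proto, sport, dport, est, icmp = m.groups()
        rules.append({"action": action, "proto": proto, "icmp": icmp,
                      "established": bool(est), "sport": sport and int(sport),
                      "dport": dport and int(dport)})
    return rules

def evaluate(rules, pkt):
    """Return (action, rule number); first match wins, no match is a deny."""
    for n, r in enumerate(rules, 1):
        fields = ("proto", "sport", "dport", "icmp")
        if any(r[k] is not None and r[k] != pkt.get(k) for k in fields):
            continue
        # "established" matches TCP segments that carry ACK or RST
        if r["established"] and not {"ACK", "RST"} & set(pkt.get("flags", ())):
            continue
        return r["action"], n
    return "deny", None  # implicit deny that ends every IOS access list

RULES = parse(ACL_101)
# Constructed packets arriving inbound on ATM0.1 (not captured traffic).
SAMPLES = {
    "http_syn": {"proto": "tcp", "sport": 40000, "dport": 80, "flags": ["SYN"]},
    "ping_request": {"proto": "icmp", "icmp": "echo"},
    "ping_reply": {"proto": "icmp", "icmp": "echo-reply"},
    "tcp_return": {"proto": "tcp", "sport": 443, "dport": 51000, "flags": ["ACK"]},
    "udp_from_53": {"proto": "udp", "sport": 53, "dport": 5000},
}
if __name__ == "__main__":
    print({name: evaluate(RULES, pkt) for name, pkt in SAMPLES.items()})
```

The `ping_request` packet matches no line and falls to the implicit deny, while `udp_from_53` shows that the first rule matches on source port alone, which is worth checking when reviewing a list like this.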
 
LVL 43

Accepted Solution

by:
JFrederick29 earned 500 total points
ID: 12075818
I believe I've provided the correct configuration...

You can award me the points or otherwise, delete without refunding points.
0
