Solved

Cisco 1720 can't get through NAT to internal web server

Posted on 2006-07-20
Last Modified: 2010-04-17
Here is some of the config on my router.
From an internal pc I can get to the web server through the internal address (192.168.0.31)
From an internal pc I can't get to the web server by using the external address (x.x.x.34)
From an external pc I can't get to the web server by using the external address.  (x.x.x.34)

I don't know if this is an access list issue or what?

Thanks
-----------------------------------------------------------------------------------------------

interface FastEthernet0
 description connected to Local Network
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
 speed auto
 no cdp enable
!
interface Serial0
 bandwidth 1536
 no ip address
 encapsulation frame-relay IETF
 ip tcp adjust-mss 1300
 no fair-queue
 service-module t1 timeslots 1-24
 cdp enable
 frame-relay lmi-type ansi
!
interface Serial0.1 point-to-point
 ip address xxx.xxx.xxx.34 255.255.255.252
 ip access-group 115 in
 ip nat outside
 ip inspect outbound out
 frame-relay interface-dlci 509  
 crypto map tracse
!
ip local pool pool 192.168.150.1 192.168.150.254
ip nat inside source route-map dontnat interface Serial0.1 overload
ip nat inside source static tcp 192.168.0.31 80 xxx.xxx.xxx.34 80 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 out.side.add.33
no ip http server
no ip http secure-server
!
!
access-list 1 permit any
access-list 101 deny   ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 deny   ip 192.168.0.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 101 deny   ip 192.168.0.0 0.0.0.255 192.168.150.0 0.0.0.255
access-list 101 deny   ip 192.168.0.0 0.0.0.255 192.168.250.0 0.0.0.255
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
access-list 102 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 102 permit ip 192.168.0.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 110 permit udp any eq isakmp host xxx.xxx.xxx.103
access-list 110 permit esp any host xxx.xxx.xxx.103
access-list 110 permit tcp any any eq telnet
access-list 110 permit icmp any any
access-list 110 permit gre xxx.xxx.xxx.0 0.0.0.255 host xxx.xxx.xxx.108
access-list 110 permit tcp xxx.xxx.xxx.0 0.0.0.255 host xxx.xxx.xxx.108 eq 1723
access-list 110 permit tcp xxx.xxx.xxx.0 0.0.0.255 host xxx.xxx.xxx.108 eq 700
access-list 110 permit udp xxx.xxx.xxx.0 0.0.0.255 host xxx.xxx.xxx.108 eq domain
access-list 110 permit icmp xxx.xxx.xxx.0 0.0.0.255 host xxx.xxx.xxx.108
access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 110 permit ip 192.168.150.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 110 permit ip 192.168.250.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 110 permit tcp any host xxx.xxx.xxx.103 eq 1723
access-list 110 permit gre any host xxx.xxx.xxx.103
access-list 110 permit tcp any host xxx.xxx.xxx.108 eq smtp
access-list 110 permit tcp any host xxx.xxx.xxx.108 eq pop3
access-list 110 permit ip 192.168.5.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 110 permit tcp any host xxx.xxx.xxx.108 eq 1723
access-list 110 permit gre any host xxx.xxx.xxx.108
access-list 115 permit udp any eq isakmp host xxx.xxx.xxx.34
access-list 115 permit esp any host xxx.xxx.xxx.34
access-list 115 permit tcp any any eq telnet
access-list 115 permit icmp any any
access-list 115 permit gre xxx.xxx.xxx.0 0.0.0.255 host xxx.xxx.xxx.51
access-list 115 permit tcp xxx.xxx.xxx.0 0.0.0.255 host xxx.xxx.xxx.51 eq 1723
access-list 115 permit tcp xxx.xxx.xxx.0 0.0.0.255 host xxx.xxx.xxx.51 eq 700
access-list 115 permit udp xxx.xxx.xxx.0 0.0.0.255 host xxx.xxx.xxx.51 eq domain
access-list 115 permit icmp xxx.xxx.xxx.0 0.0.0.255 host xxx.xxx.xxx.51
access-list 115 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 115 permit ip 192.168.150.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 115 permit ip 192.168.250.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 115 permit tcp any host xxx.xxx.xxx.34 eq 1723
access-list 115 permit gre any host xxx.xxx.xxx.34
access-list 115 permit tcp any host xxx.xxx.xxx.52 eq smtp
access-list 115 permit udp any host xxx.xxx.xxx.52 eq 25
access-list 115 permit udp any host xxx.xxx.xxx.52 eq 110
access-list 115 permit tcp any host xxx.xxx.xxx.52 eq pop3
access-list 115 permit tcp any host xxx.xxx.xxx.50 eq 5566
access-list 115 permit udp any host xxx.xxx.xxx.50 eq 5567
access-list 115 permit udp any host xxx.xxx.xxx.50 eq 5005
access-list 115 permit udp any host xxx.xxx.xxx.50 eq 5004
access-list 115 permit ip 192.168.5.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 115 permit tcp any host xxx.xxx.xxx.52 eq 1723
access-list 115 permit gre any host xxx.xxx.xxx.52
access-list 115 permit tcp any host xxx.xxx.xxx.52 eq 3389
access-list 115 permit tcp any any
access-list 115 permit tcp any host xxx.xxx.xxx.34 eq www
access-list 115 permit tcp any host 192.168.0.31 eq www
access-list 115 permit udp any host 192.168.0.31 eq 80
access-list 115 permit udp any host xxx.xxx.xxx.34 eq 80
!
route-map dontnat permit 10
 match ip address 101
Question by:mkubiatowicz
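
IOS evaluates an extended ACL top-down and stops at the first match, so in access-list 115 the "permit tcp any any" entry already admits all inbound TCP on Serial0.1 and the "eq www" entries after it are never reached. The check below is an added example, not part of the original thread: it runs over a subset of the posted lines and reports entries shadowed by an earlier, broader one. Assumptions: only the "any" / "host A" / "A WILDCARD" and "eq PORT" forms used on the page are parsed, an address counts as covered only by "any" or by identical text (the addresses are redacted), and the function names are illustrative.

```python
# Subset of access-list 115 copied from the question (addresses redacted as posted).
ACL_115 = """\
access-list 115 permit udp any eq isakmp host xxx.xxx.xxx.34
access-list 115 permit tcp any any eq telnet
access-list 115 permit icmp any any
access-list 115 permit tcp any any
access-list 115 permit tcp any host xxx.xxx.xxx.34 eq www
access-list 115 permit tcp any host 192.168.0.31 eq www
access-list 115 permit udp any host xxx.xxx.xxx.34 eq 80
"""

def _addr(tok):  # consume 'any', 'host A' or 'A WILDCARD'; return (spec, rest)
    if tok[0] == "any":
        return "any", tok[1:]
    if tok[0] == "host":
        return tok[1] + " 0.0.0.0", tok[2:]
    return tok[0] + " " + tok[1], tok[2:]

def _port(tok):  # consume an optional 'eq PORT'; None means any port
    return (tok[1], tok[2:]) if tok[:1] == ["eq"] else (None, tok)

def parse(line):
    tok = line.split()
    rule = {"text": line, "action": tok[2], "proto": tok[3]}
    rule["src"], tok = _addr(tok[4:])
    rule["sport"], tok = _port(tok)
    rule["dst"], tok = _addr(tok)
    rule["dport"], tok = _port(tok)
    return rule

def covers(a, b):  # True if every packet matching b also matches the earlier rule a
    return (a["proto"] in ("ip", b["proto"])
            and all(a[k] in ("any", b[k]) for k in ("src", "dst"))
            and all(a[k] in (None, b[k]) for k in ("sport", "dport")))

def audit(acl_text):
    rules = [parse(ln) for ln in acl_text.splitlines() if ln.startswith("access-list")]
    shadowed = []  # (index of unreachable entry, index of the earlier entry that wins)
    for i, b in enumerate(rules):
        win = next((j for j in range(i) if covers(rules[j], b)), None)
        if win is not None:
            shadowed.append((i, win))
    # permit entries with no address or port restriction at all
    wide_open = [i for i, r in enumerate(rules) if r["action"] == "permit"
                 and r["src"] == r["dst"] == "any" and not (r["sport"] or r["dport"])]
    return rules, shadowed, wide_open

if __name__ == "__main__":
    rules, shadowed, wide_open = audit(ACL_115)
    print([(rules[i]["text"], rules[j]["text"]) for i, j in shadowed], wide_open)
```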
3 Comments
 
Assisted Solution

by:naveedb
naveedb earned 250 total points
ID: 17151125
Try this:

no ip nat inside source static tcp 192.168.0.31 80 xxx.xxx.xxx.34 80 extendable
ip nat inside source static tcp 192.168.0.31 80 interface Serial0.1 80 extendable

If it doesn't work, reverse them and post output from

sh ip nat tran

sh access-list
Accepted Solution

by:lrmoore
lrmoore earned 250 total points
ID: 17157918
>From an internal pc I can't get to the web server by using the external address (x.x.x.34)
That is correct, and this is by design and normal working conditions.
You don't have a choice except to have internal users connect to the private IP and external users connect to the external IP.

>From an external pc I can't get to the web server by using the external address.  (x.x.x.34)
This is a different story...
Did you run "clear ip nat trans * " on the router?
Can you post result of "C:/>route print" from the www server?

Author Comment

by:mkubiatowicz
ID: 17167480
It is working now from the outside address.

I don't know why, I didn't make any changes. Thanks for the explanation on the internal pc not working. I'll split the points.
Question has a verified solution.
