mkubiatowicz

asked on

Cisco 1720 can't get through NAT to internal web server

Here is some of the config on my router.
From an internal PC I can get to the web server through the internal address (192.168.0.31).
From an internal PC I can't get to the web server by using the external address (x.x.x.34).
From an external PC I can't get to the web server by using the external address (x.x.x.34).

I don't know if this is an access list issue or what?

Thanks
-----------------------------------------------------------------------------------------------

interface FastEthernet0
 description connected to Local Network
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
 speed auto
 no cdp enable
!
interface Serial0
 bandwidth 1536
 no ip address
 encapsulation frame-relay IETF
 ip tcp adjust-mss 1300
 no fair-queue
 service-module t1 timeslots 1-24
 cdp enable
 frame-relay lmi-type ansi
!
interface Serial0.1 point-to-point
 ip address xxx.xxx.xxx.34 255.255.255.252
 ip access-group 115 in
 ip nat outside
 ip inspect outbound out
 frame-relay interface-dlci 509  
 crypto map tracse
!
ip local pool pool 192.168.150.1 192.168.150.254
ip nat inside source route-map dontnat interface Serial0.1 overload
ip nat inside source static tcp 192.168.0.31 80 xxx.xxx.xxx.34 80 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 out.side.add.33
no ip http server
no ip http secure-server
!
!
access-list 1 permit any
access-list 101 deny   ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 deny   ip 192.168.0.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 101 deny   ip 192.168.0.0 0.0.0.255 192.168.150.0 0.0.0.255
access-list 101 deny   ip 192.168.0.0 0.0.0.255 192.168.250.0 0.0.0.255
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
access-list 102 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 102 permit ip 192.168.0.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 110 permit udp any eq isakmp host xxx.xxx.xxx.103
access-list 110 permit esp any host xxx.xxx.xxx.103
access-list 110 permit tcp any any eq telnet
access-list 110 permit icmp any any
access-list 110 permit gre xxx.xxx.xxx.0 0.0.0.255 host xxx.xxx.xxx.108
access-list 110 permit tcp xxx.xxx.xxx.0 0.0.0.255 host xxx.xxx.xxx.108 eq 1723
access-list 110 permit tcp xxx.xxx.xxx.0 0.0.0.255 host xxx.xxx.xxx.108 eq 700
access-list 110 permit udp xxx.xxx.xxx.0 0.0.0.255 host xxx.xxx.xxx.108 eq domain
access-list 110 permit icmp xxx.xxx.xxx.0 0.0.0.255 host xxx.xxx.xxx.108
access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 110 permit ip 192.168.150.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 110 permit ip 192.168.250.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 110 permit tcp any host xxx.xxx.xxx.103 eq 1723
access-list 110 permit gre any host xxx.xxx.xxx.103
access-list 110 permit tcp any host xxx.xxx.xxx.108 eq smtp
access-list 110 permit tcp any host xxx.xxx.xxx.108 eq pop3
access-list 110 permit ip 192.168.5.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 110 permit tcp any host xxx.xxx.xxx.108 eq 1723
access-list 110 permit gre any host xxx.xxx.xxx.108
access-list 115 permit udp any eq isakmp host xxx.xxx.xxx.34
access-list 115 permit esp any host xxx.xxx.xxx.34
access-list 115 permit tcp any any eq telnet
access-list 115 permit icmp any any
access-list 115 permit gre xxx.xxx.xxx.0 0.0.0.255 host xxx.xxx.xxx.51
access-list 115 permit tcp xxx.xxx.xxx.0 0.0.0.255 host xxx.xxx.xxx.51 eq 1723
access-list 115 permit tcp xxx.xxx.xxx.0 0.0.0.255 host xxx.xxx.xxx.51 eq 700
access-list 115 permit udp xxx.xxx.xxx.0 0.0.0.255 host xxx.xxx.xxx.51 eq domain
access-list 115 permit icmp xxx.xxx.xxx.0 0.0.0.255 host xxx.xxx.xxx.51
access-list 115 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 115 permit ip 192.168.150.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 115 permit ip 192.168.250.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 115 permit tcp any host xxx.xxx.xxx.34 eq 1723
access-list 115 permit gre any host xxx.xxx.xxx.34
access-list 115 permit tcp any host xxx.xxx.xxx.52 eq smtp
access-list 115 permit udp any host xxx.xxx.xxx.52 eq 25
access-list 115 permit udp any host xxx.xxx.xxx.52 eq 110
access-list 115 permit tcp any host xxx.xxx.xxx.52 eq pop3
access-list 115 permit tcp any host xxx.xxx.xxx.50 eq 5566
access-list 115 permit udp any host xxx.xxx.xxx.50 eq 5567
access-list 115 permit udp any host xxx.xxx.xxx.50 eq 5005
access-list 115 permit udp any host xxx.xxx.xxx.50 eq 5004
access-list 115 permit ip 192.168.5.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 115 permit tcp any host xxx.xxx.xxx.52 eq 1723
access-list 115 permit gre any host xxx.xxx.xxx.52
access-list 115 permit tcp any host xxx.xxx.xxx.52 eq 3389
access-list 115 permit tcp any any
access-list 115 permit tcp any host xxx.xxx.xxx.34 eq www
access-list 115 permit tcp any host 192.168.0.31 eq www
access-list 115 permit udp any host 192.168.0.31 eq 80
access-list 115 permit udp any host xxx.xxx.xxx.34 eq 80
!
route-map dontnat permit 10
 match ip address 101
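
To help answer whether this is an access-list issue, the following added example (not part of the original post, and not a Cisco tool) replays IOS first-match evaluation over a few entries of ACL 115 and lists entries that an earlier entry already covers. It parses only the `any` / `host` / address-wildcard and `eq` forms seen in the config; 203.0.113.x stands in for the redacted xxx.xxx.xxx.x addresses and 198.51.100.7 is a constructed outside host.

```python
import ipaddress

PORTS = {"www": 80, "isakmp": 500}               # IOS port keywords used below
ip = lambda a: int(ipaddress.ip_address(a))

def parse(line):
    """'access-list N action proto src [eq p] dst [eq p]' -> dict."""
    t = line.split()[2:]
    rule = {"action": t.pop(0), "proto": t.pop(0)}
    for side in ("src", "dst"):
        kind = t.pop(0)
        rule[side] = ((0, 0xFFFFFFFF) if kind == "any" else   # (address, wildcard)
                      (ip(t.pop(0)), 0) if kind == "host" else
                      (ip(kind), ip(t.pop(0))))
        port = None
        if t[:1] == ["eq"]:
            port = PORTS.get(t[1]) or int(t[1])
            del t[:2]
        rule[side[0] + "port"] = port            # stored as "sport" / "dport"
    return rule

def covers(a, b):
    """True if entry a matches everything entry (or packet) b matches."""
    def net(x, y):
        return (x[1] | y[1]) == x[1] and (x[0] | x[1]) == (y[0] | x[1])
    return (a["proto"] in ("ip", b["proto"])
            and net(a["src"], b["src"]) and net(a["dst"], b["dst"])
            and a["sport"] in (None, b["sport"]) and a["dport"] in (None, b["dport"]))

def first_match(rules, pkt):
    """Top-down, stop at the first hit; no hit means the implicit deny."""
    for n, r in enumerate(rules, 1):
        if covers(r, pkt):
            return n, r["action"]
    return None, "deny"

def shadowed(rules):
    """Entries that an earlier entry fully covers, so they never get a hit."""
    return [j for j, b in enumerate(rules, 1)
            if any(covers(a, b) for a in rules[:j - 1])]

# Constructed sample: entries from ACL 115 above, in the same relative order
RULES = [parse(l) for l in """\
access-list 115 permit udp any eq isakmp host 203.0.113.34
access-list 115 permit tcp any any
access-list 115 permit tcp any host 203.0.113.34 eq www
access-list 115 permit tcp any host 192.168.0.31 eq www""".splitlines()]
# Constructed inbound HTTP packet from an outside host to the public address
HTTP_IN = dict(proto="tcp", src=(ip("198.51.100.7"), 0), sport=40000,
               dst=(ip("203.0.113.34"), 0), dport=80)
```

With the page's ordering, `permit tcp any any` is the entry that admits the inbound HTTP request, and it equally admits every other inbound TCP port; the `www` entries after it are shadowed. The entry for 192.168.0.31 also names the inside address, while an inbound ACL on the outside interface is checked before the static translation, when the destination is still the public address.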
SOLUTION
naveedb

ASKER CERTIFIED SOLUTION
Les Moore
mkubiatowicz

ASKER

It is working now from the outside address.

I don't know why; I didn't make any changes. Thanks for the explanation on the internal PC not working. I'll split the points.