Solved

Cisco 1720 can't get through NAT to internal web server

Posted on 2006-07-20
Last Modified: 2010-04-17
Here is some of the config on my router.
From an internal pc I can get to the web server through the internal address (192.168.0.31)
From an internal pc I can't get to the web server by using the external address (x.x.x.34)
From an external pc I can't get to the web server by using the external address.  (x.x.x.34)

I don't know if this is an access list issue or what?

Thanks
-----------------------------------------------------------------------------------------------

interface FastEthernet0
 description connected to Local Network
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
 speed auto
 no cdp enable
!
interface Serial0
 bandwidth 1536
 no ip address
 encapsulation frame-relay IETF
 ip tcp adjust-mss 1300
 no fair-queue
 service-module t1 timeslots 1-24
 cdp enable
 frame-relay lmi-type ansi
!
interface Serial0.1 point-to-point
 ip address xxx.xxx.xxx.34 255.255.255.252
 ip access-group 115 in
 ip nat outside
 ip inspect outbound out
 frame-relay interface-dlci 509  
 crypto map tracse
!
ip local pool pool 192.168.150.1 192.168.150.254
ip nat inside source route-map dontnat interface Serial0.1 overload
ip nat inside source static tcp 192.168.0.31 80 xxx.xxx.xxx.34 80 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 out.side.add.33
no ip http server
no ip http secure-server
!
!
access-list 1 permit any
access-list 101 deny   ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 deny   ip 192.168.0.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 101 deny   ip 192.168.0.0 0.0.0.255 192.168.150.0 0.0.0.255
access-list 101 deny   ip 192.168.0.0 0.0.0.255 192.168.250.0 0.0.0.255
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
access-list 102 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 102 permit ip 192.168.0.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 110 permit udp any eq isakmp host xxx.xxx.xxx.103
access-list 110 permit esp any host xxx.xxx.xxx.103
access-list 110 permit tcp any any eq telnet
access-list 110 permit icmp any any
access-list 110 permit gre xxx.xxx.xxx.0 0.0.0.255 host xxx.xxx.xxx.108
access-list 110 permit tcp xxx.xxx.xxx.0 0.0.0.255 host xxx.xxx.xxx.108 eq 1723
access-list 110 permit tcp xxx.xxx.xxx.0 0.0.0.255 host xxx.xxx.xxx.108 eq 700
access-list 110 permit udp xxx.xxx.xxx.0 0.0.0.255 host xxx.xxx.xxx.108 eq domain
access-list 110 permit icmp xxx.xxx.xxx.0 0.0.0.255 host xxx.xxx.xxx.108
access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 110 permit ip 192.168.150.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 110 permit ip 192.168.250.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 110 permit tcp any host xxx.xxx.xxx.103 eq 1723
access-list 110 permit gre any host xxx.xxx.xxx.103
access-list 110 permit tcp any host xxx.xxx.xxx.108 eq smtp
access-list 110 permit tcp any host xxx.xxx.xxx.108 eq pop3
access-list 110 permit ip 192.168.5.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 110 permit tcp any host xxx.xxx.xxx.108 eq 1723
access-list 110 permit gre any host xxx.xxx.xxx.108
access-list 115 permit udp any eq isakmp host xxx.xxx.xxx.34
access-list 115 permit esp any host xxx.xxx.xxx.34
access-list 115 permit tcp any any eq telnet
access-list 115 permit icmp any any
access-list 115 permit gre xxx.xxx.xxx.0 0.0.0.255 host xxx.xxx.xxx.51
access-list 115 permit tcp xxx.xxx.xxx.0 0.0.0.255 host xxx.xxx.xxx.51 eq 1723
access-list 115 permit tcp xxx.xxx.xxx.0 0.0.0.255 host xxx.xxx.xxx.51 eq 700
access-list 115 permit udp xxx.xxx.xxx.0 0.0.0.255 host xxx.xxx.xxx.51 eq domain
access-list 115 permit icmp xxx.xxx.xxx.0 0.0.0.255 host xxx.xxx.xxx.51
access-list 115 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 115 permit ip 192.168.150.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 115 permit ip 192.168.250.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 115 permit tcp any host xxx.xxx.xxx.34 eq 1723
access-list 115 permit gre any host xxx.xxx.xxx.34
access-list 115 permit tcp any host xxx.xxx.xxx.52 eq smtp
access-list 115 permit udp any host xxx.xxx.xxx.52 eq 25
access-list 115 permit udp any host xxx.xxx.xxx.52 eq 110
access-list 115 permit tcp any host xxx.xxx.xxx.52 eq pop3
access-list 115 permit tcp any host xxx.xxx.xxx.50 eq 5566
access-list 115 permit udp any host xxx.xxx.xxx.50 eq 5567
access-list 115 permit udp any host xxx.xxx.xxx.50 eq 5005
access-list 115 permit udp any host xxx.xxx.xxx.50 eq 5004
access-list 115 permit ip 192.168.5.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 115 permit tcp any host xxx.xxx.xxx.52 eq 1723
access-list 115 permit gre any host xxx.xxx.xxx.52
access-list 115 permit tcp any host xxx.xxx.xxx.52 eq 3389
access-list 115 permit tcp any any
access-list 115 permit tcp any host xxx.xxx.xxx.34 eq www
access-list 115 permit tcp any host 192.168.0.31 eq www
access-list 115 permit udp any host 192.168.0.31 eq 80
access-list 115 permit udp any host xxx.xxx.xxx.34 eq 80
!
route-map dontnat permit 10
 match ip address 101
Question by:mkubiatowicz

Assisted Solution

by:naveedb
naveedb earned 250 total points
Try this;

no ip nat inside source static tcp 192.168.0.31 80 xxx.xxx.xxx.34 80 extendable
ip nat inside source static tcp 192.168.0.31 80 interface Serial0.1 80 extendable

If it doesn't work, reverse them and post output from

sh ip nat tran

sh access-list

Accepted Solution

by:lrmoore
lrmoore earned 250 total points
>From an internal pc I can't get to the web server by using the external address (x.x.x.34)
That is correct, and this is by design and normal working conditions.
You don't have a choice except to have internal users connect to the private IP and external users connect to the external IP.

>From an external pc I can't get to the web server by using the external address.  (x.x.x.34)
This is a different story...
Did you run "clear ip nat trans * " on the router?
Can you post result of "C:/>route print" from the www server?

Author Comment

by:mkubiatowicz
It is working now from the outside address.

I don't know why, I didn't make any changes. Thanks for the explanation on the internal pc not working. I'll split the points.
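
Added example, not part of the original thread: a small first-match evaluator for entries of the ACL 115 posted in the question, showing which entry an inbound packet on Serial0.1 actually hits. 203.0.113.34 is an assumed stand-in for the redacted xxx.xxx.xxx.34, the client addresses are constructed, and the function names are hypothetical.

```python
import ipaddress

# Constructed excerpt of ACL 115 from the question; 203.0.113.34 stands in
# for the redacted xxx.xxx.xxx.34 (assumption, documentation address range).
ACL_115 = """\
access-list 115 permit udp any eq isakmp host 203.0.113.34
access-list 115 permit tcp any any eq telnet
access-list 115 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 115 permit tcp any any
access-list 115 permit tcp any host 203.0.113.34 eq www
access-list 115 permit tcp any host 192.168.0.31 eq www
"""
PORTS = {"isakmp": 500, "telnet": 23, "www": 80}
M = 0xFFFFFFFF

def _addr(tok):  # consume "any" | "host A" | "A WILDCARD" -> (address, wildcard)
    head = tok.pop(0)
    if head == "any":
        return 0, M
    if head == "host":
        return int(ipaddress.ip_address(tok.pop(0))), 0
    return int(ipaddress.ip_address(head)), int(ipaddress.ip_address(tok.pop(0)))

def _port(tok):  # consume an optional "eq <port>"; None means any port
    if tok[:1] != ["eq"]:
        return None
    name = tok[1]
    del tok[:2]
    return PORTS.get(name) or int(name)

def parse(text):
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()[2:]  # drop "access-list <number>"
        action, proto = tok.pop(0), tok.pop(0)
        src, sport, dst, dport = _addr(tok), _port(tok), _addr(tok), _port(tok)
        rules.append((line, action, proto, src, sport, dst, dport))
    return rules

def first_match(rules, proto, src, sport, dst, dport):
    """Return (action, entry) for the first entry that matches, top down."""
    s, d = int(ipaddress.ip_address(src)), int(ipaddress.ip_address(dst))
    for line, action, p, (sn, sw), sp, (dn, dw), dp in rules:
        if (p in ("ip", proto)
                and not (s ^ sn) & ~sw & M and not (d ^ dn) & ~dw & M
                and sp in (None, sport) and dp in (None, dport)):
            return action, line
    return "deny", "implicit deny at end of list"
```

With this excerpt, TCP port 80 to the public address, like any other TCP port, is matched by "permit tcp any any" before the "eq www" entries are reached, so those later entries never decide anything and the list does not restrict inbound TCP. On IOS an inbound ACL on the outside interface is evaluated before the destination is translated, so for Internet clients the entry naming the public address is the relevant one, not the one naming 192.168.0.31.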