Solved

Cisco 2801 SDM access & static NAT problem

Posted on 2006-10-23
Last Modified: 2007-12-19
Hi everyone!

I have a problem. I have a Cisco 2801 router running ADSL with PAT and one static NAT translation. In other words, I have two public IP addresses (/30) on the same dialer1 interface. I use one for my internet access PAT (A.B.C.D/30) and the other for incoming HTTP, HTTPS and SMTP traffic (A.B.C.E/30), NATed to my internal subnet 192.168.0.X/24, web server on 192.168.0.100...

Everything works fine, but my customer has a requirement to view (read only) the router's configuration via SDM because they don't know IOS. I can enable SDM read-only access without trouble. However, when I enable SDM the HTTP, HTTPS, SMTP NAT on public IP address A.B.C.E stops working because the router is now using ports 80 and 443 on the dialer interface.

Is there any way I can enable SDM on just the FastEthernet interfaces or something? Similar to a PIX?

Does anyone out there think SDM is as bad as I do? Seems to be nothing but trouble! I have customers who use SDM and the amount of commands it issues to make a simple change is amazing. Can't be right.. :-Z

We should all stick to good old command line :).

Thanks in advance

Matt
Question by:needsy
6 Comments
 
LVL 32

Expert Comment

by:rsivanandan
ID: 17788708
Can't do on a router!

On the other hand when you have Static NAT for the service, how does it stop your http/https connections ? It shouldn't....

When you enable 'ip http server' the router will start listening for web traffic on the interface assigned ip address. The public ip you are using won't be assigned to the interface so I don't see why it doesn't work.

Your config should be this;

int dialer0
ip address <PublicIP-1> <Mask>
ip nat outside

int fa0/0
ip nat outside

ip nat inside source list 1 int dialer0 overload

access-list 1 permit...... (Your internal network)

FOR PUBLIC HTTP/HTTPS ACCESS TO THE WEBSERVER, THE STATIC NAT SHOULD BE THIS;

ip nat inside source static tcp <LocalIP> 80 <PublicIP-1> 80
ip nat inside source static tcp <LocalIP> 443 <PublicIP-1> 443

access-list => to allow this traffic from the outside world...

If this is how it is set up, you won't have any problem. I believe (a hunch) that you have assigned both the public IP addresses on the dialer interface?

Cheers,
Rajesh

 
LVL 1

Author Comment

by:needsy
ID: 17788713
Think I've answered my own question!! :). I'll change the port that SHTTP SDM uses to 10443 or something...
I'll keep you all posted.

Matt
 
LVL 32

Expert Comment

by:rsivanandan
ID: 17788725
Ahh typo;

Read this >>int fa0/0
ip nat outside

as;

>>int fa0/0
ip nat inside


&
this >>ip nat inside source static tcp <LocalIP> 80 <PublicIP-1> 80
ip nat inside source static tcp <LocalIP> 443 <PublicIP-1> 443


as

ip nat inside source static tcp <LocalIP> 80 <PublicIP-2> 80
ip nat inside source static tcp <LocalIP> 443 <PublicIP-2> 443

Cheers,
Rajesh
 
LVL 32

Expert Comment

by:rsivanandan
ID: 17788750
Changing the port is good from the security point of view. But still, you shouldn't hit this problem at all in the first place, even if you run it on port 80.

Cheers,
Rajesh
 
LVL 1

Author Comment

by:needsy
ID: 17794374
Thanks for the info Rajesh! I see what you're saying... But I haven't got both of the public IPs on the dialer. It's set up as you were saying above.

Only my static NAT statement looks like this..

ip nat inside source static <LocalIP> <PublicIP-2>

So I should just be NATting all ports from <PublicIP-2> to <LocalIP>, right? Then I just rely on my ACL on the dialer to lock it down... Which works fine. Until I enable the dreaded SDM... :)

Anyway, I'll give it a go tomorrow. I'll let you know what happens. If I still have issues I'll paste the config.
Thanks again

Matt

 
LVL 32

Accepted Solution

by:rsivanandan (earned 1500 total points)
ID: 17795774
Yeah, try it and when you hit the problem again, do this just to make sure:

clear ip nat translations

Cheers,
Rajesh
0
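Pulling the thread together, the configuration below is an added example and is not anyone's config from this thread. It combines Rajesh's per-port static NAT (corrected to <PublicIP-2>), Matt's idea of moving SDM's HTTPS listener to 10443, and a restriction so the management interface can only be reached from the customer's LAN rather than from the dialer's public address. Interface names Dialer0 and FastEthernet0/0, the LAN gateway address 192.168.0.1, the ACL numbers, and the local account name are assumptions; <PublicIP-1>, <PublicIP-2> and <Mask> are the thread's own placeholders.

```cisco
! Added example (not from the thread). Placeholders as used in the thread;
! interface names, ACL numbers, 192.168.0.1 and the username are assumed.
!
! --- Inside / outside marking ---
interface FastEthernet0/0
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
!
interface Dialer0
 ip address <PublicIP-1> <Mask>
 ip nat outside
!
! --- PAT: LAN clients leave via <PublicIP-1> (the interface address) ---
access-list 1 permit 192.168.0.0 0.0.0.255
ip nat inside source list 1 interface Dialer0 overload
!
! --- Publish only the three services on <PublicIP-2> ---
! Per-port static entries instead of a one-to-one for every port: nothing
! other than TCP 80/443/25 is forwarded to the web server.
ip nat inside source static tcp 192.168.0.100 80  <PublicIP-2> 80
ip nat inside source static tcp 192.168.0.100 443 <PublicIP-2> 443
ip nat inside source static tcp 192.168.0.100 25  <PublicIP-2> 25
!
! --- SDM over HTTPS only, on a non-standard port, LAN sources only ---
no ip http server                ! no plaintext management listener on 80
ip http secure-server
ip http secure-port 10443        ! the port chosen in the thread; 443 stays free
ip http authentication local
ip http access-class 10          ! which sources may open the management session
access-list 10 permit 192.168.0.0 0.0.0.255
access-list 10 deny   any log    ! anything arriving from the dialer side is logged
!
! Local account SDM logs in with; set the privilege level the customer's
! read-only role needs. Password is a placeholder.
username sdm-user secret <password-placeholder>
```

After applying it, `show ip http server status` confirms which port the secure server is bound to, `show ip nat translations` shows the static entries and any live sessions, and `clear ip nat translation *` is the full form of the flush Rajesh suggests when a stale translation is suspected. The `deny any log` entry on ACL 10 is there so that connection attempts to the management port from outside the LAN show up in the router's log rather than failing silently.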