Solved

Cisco router to allow access to internal web and mail servers

Posted on 2007-07-29
Last Modified: 2008-01-09
I am trying to configure my Cisco 1811 router to allow public internet users to access my internal web and mail servers.  My network is currently illustrated below:

Business Cable Modem=> Cisco Router=> Internal LAN

Public IP address of cable modem is 74.95.83.214.  The inside interface of the cable modem is 192.168.1.1.
 
The Cisco router FastEthernet 0 interface is 192.168.1.2.  

My current LAN is using the 10.10.10.1 subnet, PATing to 192.168.1.2 on the Cisco router.

My web server is 10.10.10.12 and mail is 10.10.10.10.  

Do I create a static map like ip nat inside source static tcp 10.10.10.12 80 192.168.1.2 80 extendable?  I actually tried this but I still couldn't see my website.
Not sure where to go from here....
My config is below.  Any help would be great.  Thanks.
Current configuration : 11083 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname  XXXXX
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
aaa new-model
!
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
!
aaa session-id common
!
resource policy
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.10.1
ip dhcp excluded-address 10.10.10.10
ip dhcp excluded-address 10.10.10.11
ip dhcp excluded-address 10.10.10.12
ip dhcp excluded-address 10.10.10.13
ip dhcp excluded-address 10.10.10.14
ip dhcp excluded-address 10.10.10.15
ip dhcp excluded-address 10.10.10.16
ip dhcp excluded-address 10.10.10.17
ip dhcp excluded-address 10.10.10.18
ip dhcp excluded-address 10.10.10.19
ip dhcp excluded-address 10.10.10.20
ip dhcp excluded-address 10.10.10.129
ip dhcp excluded-address 10.10.10.160
ip dhcp excluded-address 10.10.10.161
ip dhcp excluded-address 10.10.10.162
ip dhcp excluded-address 10.10.10.163
ip dhcp excluded-address 10.10.10.164
ip dhcp excluded-address 10.10.10.165
ip dhcp excluded-address 10.10.10.166
ip dhcp excluded-address 10.10.10.167
ip dhcp excluded-address 10.10.10.168
ip dhcp excluded-address 10.10.10.169
ip dhcp excluded-address 10.10.10.170
!
ip dhcp pool sdm-pool
   import all
   network 10.10.10.0 255.255.255.248
   default-router 10.10.10.1
   lease 0 2
!
ip dhcp pool 1800-ISR
   import all
   network 10.10.10.128 255.255.255.128
   default-router 10.10.10.1
   dns-server 68.87.71.226
!
!
ip domain name nextblueprint.com
ip name-server 68.87.73.242
ip name-server 68.87.71.226
ip inspect log drop-pkt
ip inspect name SDM_HIGH appfw SDM_HIGH
ip inspect name SDM_HIGH icmp
ip inspect name SDM_HIGH dns
ip inspect name SDM_HIGH esmtp
ip inspect name SDM_HIGH https
ip inspect name SDM_HIGH imap reset
ip inspect name SDM_HIGH pop3 reset
ip inspect name SDM_HIGH tcp
ip inspect name SDM_HIGH udp
!
crypto pki trustpoint TP-self-signed-2450939490
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2450939490
 revocation-check none
 rsakeypair TP-self-signed-2450939490
!
username ironbridge privilege 15 secret 5 $1$ff9D$Lo.vVL88uLrbgz3k8Be6m.
username XXXXXXX password 0 XXXXXX
!

crypto isakmp policy 3
 encr aes
 authentication pre-share
 group 2
!
crypto isakmp client configuration group XXXXXXX
 key XXXXXX
 dns 10.10.10.10 68.87.73.242
 wins 10.10.10.10
 domain nextblueprint.com
 pool ippool
!
!
crypto ipsec transform-set ironbridgeset esp-aes esp-sha-hmac
!
crypto dynamic-map dynmap 10
 set transform-set ironbridgeset
!
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
bridge irb
!
!
!
interface FastEthernet0
 description $FW_INSIDE$$ETH-LAN$
 ip address 192.168.1.2 255.255.255.128
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map clientmap
!
interface FastEthernet1
 description $FW_OUTSIDE$$ETH-LAN$
 no ip address
 ip verify unicast reverse-path
 ip nbar protocol-discovery
 ip inspect SDM_HIGH out
 shutdown
 duplex auto
 speed auto
 service-policy input sdmappfwp2p_SDM_HIGH
 service-policy output sdmappfwp2p_SDM_HIGH
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
!
interface Dot11Radio0
 no ip address
 !
 encryption vlan 1 key 1 size 40bit 0 XXXXXXX transmit-key
 encryption vlan 1 mode wep mandatory
 !
 ssid ironbridge
    vlan 1
    authentication open
    guest-mode
 !
 speed basic-1.0 basic-2.0 basic-5.5 basic-6.0 basic-9.0 basic-11.0 basic-12.0 basic-18.0 basic-24.0 basic-36.0 basic-48.0 basic-54.0
 station-role root
 no dot11 extension aironet
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Dot11Radio0.1
 encapsulation dot1Q 1 native
 no snmp trap link-status
 no cdp enable
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Dot11Radio1
 no ip address
 shutdown
 !
 encryption vlan 1 key 1 size 40bit 0 XXXXXX transmit-key
 encryption vlan 1 mode wep mandatory
 !
 ssid ironbridge
    vlan 1
    authentication open
    guest-mode
 !
 speed basic-6.0 basic-9.0 basic-12.0 basic-18.0 basic-24.0 basic-36.0 basic-48.0 basic-54.0
 station-role root
 no dot11 extension aironet
!
interface Dot11Radio1.1
 encapsulation dot1Q 1 native
 no snmp trap link-status
 no cdp enable
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-FE 2$$FW_INSIDE$
 ip address 10.10.10.1 255.255.255.128
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
interface Async1
 no ip address
 encapsulation slip
!
interface BVI1
 ip address 10.10.10.129 255.255.255.128
 ip nat inside
 ip virtual-reassembly
!
ip local pool ippool 10.10.0.1 10.10.0.10
ip route 0.0.0.0 0.0.0.0 192.168.1.1
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat pool pool1 192.168.1.3 192.168.1.100 netmask 255.255.255.0
ip nat pool pool2 192.168.1.101 192.168.1.200 netmask 255.255.255.0
ip nat inside source list 1 pool pool1 overload
ip nat inside source list 2 pool pool2 overload
ip nat inside source static tcp 10.10.10.12 8080 192.168.1.2 8080 extendable
!
logging trap warnings
logging 10.10.10.10
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.10.10.0 0.0.0.255
access-list 1 permit 0.0.0.0 255.255.255.0
access-list 2 remark SDM_ACL Category=2
access-list 2 permit 10.10.10.128 0.0.0.127
no cdp run
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
!
line con 0
line 1
 modem InOut
 stopbits 1
 speed 115200
 flowcontrol hardware
line aux 0
line vty 0 4
 transport input telnet ssh
line vty 5 15
 transport input telnet ssh
!
!
webvpn context Default_context
 ssl authenticate verify all
 !
 no inservice
!
end

Question by:lewylupo
3 Comments

Accepted Solution

by:
rsivanandan earned 2000 total points
ID: 19590297
The configuration entry you think of is correct, but then you're still NATting one private IP to another :-(

What you should be doing is to enable a similar configuration on the cable modem, since that is the device facing the internet. Now, I'm not sure of the capability of the cable modem, whether you could do that or not.

But the way this type of setup is usually handled is to put the cable modem in bridge mode and then have the public IP come directly to the Cisco router. It would be easy then, since all the NATting/routing would be done by the Cisco router itself.

Check whether the cable modem can be configured; otherwise you'll have to go with what I mentioned above.

Cheers,
Rajesh
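The point in the accepted answer can be turned into a mechanical check: a port-level static NAT on the 1811 whose global address is an RFC 1918 address (192.168.1.2 here) only gets the traffic as far as the router, and the device that actually holds the public address must forward the same port to it. The script below is an added example, not code from the thread or from Cisco. It parses the `ip nat inside source static` lines and the `ip nat outside` interface out of a constructed excerpt modelled on the posted config, and reports (a) static entries whose global address is private (double NAT), (b) entries whose global address is not on any NAT-outside interface, and (c) expected services with no static entry at all. That last check also surfaces a detail visible in the posted config: the static line forwards TCP 8080, while the question talks about port 80. The `BRIDGED_CONFIG` excerpt is hypothetical; it shows what the same router would look like with the modem in bridge mode and the question's public address on FastEthernet0 (the thread says this modem cannot bridge, and the mask used there is a placeholder).

```python
import ipaddress
import re

# Constructed excerpt modelled on the router config posted in the question;
# only the lines the checks need are kept.
POSTED_STYLE_CONFIG = """\
interface FastEthernet0
 description $FW_INSIDE$$ETH-LAN$
 ip address 192.168.1.2 255.255.255.128
 ip nat outside
!
interface Vlan1
 ip address 10.10.10.1 255.255.255.128
 ip nat inside
!
ip route 0.0.0.0 0.0.0.0 192.168.1.1
ip nat inside source static tcp 10.10.10.12 8080 192.168.1.2 8080 extendable
"""

# Hypothetical variant: cable modem in bridge mode, so the public address from
# the question sits on the outside interface (constructed; mask is a placeholder).
BRIDGED_CONFIG = """\
interface FastEthernet0
 ip address 74.95.83.214 255.255.255.0
 ip nat outside
!
interface Vlan1
 ip address 10.10.10.1 255.255.255.128
 ip nat inside
!
ip nat inside source static tcp 10.10.10.12 80 74.95.83.214 80 extendable
ip nat inside source static tcp 10.10.10.10 25 74.95.83.214 25 extendable
"""

STATIC_NAT_RE = re.compile(
    r"^ip nat inside source static (tcp|udp) (\S+) (\d+) (\S+) (\d+)"
)


def parse_interfaces(config):
    """Map interface name -> {"ip": address or None, "nat": "inside"/"outside"/None}."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            interfaces[current] = {"ip": None, "nat": None}
        elif current and line.startswith(" "):
            words = line.split()
            if words[:2] == ["ip", "address"] and len(words) >= 4:
                interfaces[current]["ip"] = words[2]
            elif words[:2] == ["ip", "nat"] and len(words) == 3:
                interfaces[current]["nat"] = words[2]
        else:
            current = None  # "!" or a global command closes the interface block
    return interfaces


def parse_static_nat(config):
    """One dict per port-level 'ip nat inside source static' line."""
    entries = []
    for line in config.splitlines():
        m = STATIC_NAT_RE.match(line)
        if m:
            proto, local, lport, glob, gport = m.groups()
            entries.append({"proto": proto, "local": local, "local_port": int(lport),
                            "global": glob, "global_port": int(gport)})
    return entries


def lint(config, expected_ports=()):
    """Return a list of findings. expected_ports holds (proto, port) pairs that
    the Internet is supposed to reach, e.g. {("tcp", 80)}."""
    findings = []
    outside_ips = {i["ip"] for i in parse_interfaces(config).values()
                   if i["nat"] == "outside"}
    published = set()
    for e in parse_static_nat(config):
        tag = f"{e['proto']}/{e['global_port']} -> {e['local']}:{e['local_port']}"
        published.add((e["proto"], e["global_port"]))
        if ipaddress.ip_address(e["global"]).is_private:
            findings.append(
                f"{tag}: global address {e['global']} is private (RFC 1918), so the "
                f"upstream device holding the public address must also forward this "
                f"port (double NAT)")
        if e["global"] not in outside_ips:
            findings.append(
                f"{tag}: global address {e['global']} is not on any 'ip nat outside' "
                f"interface, so the router will never see traffic for it")
    for proto, port in sorted(set(expected_ports)):
        if (proto, port) not in published:
            findings.append(f"no static NAT publishes {proto}/{port}")
    return findings


if __name__ == "__main__":
    for name, cfg in (("posted-style", POSTED_STYLE_CONFIG), ("bridged", BRIDGED_CONFIG)):
        print(f"== {name} ==")
        for f in lint(cfg, expected_ports={("tcp", 80), ("tcp", 25)}) or ["no findings"]:
            print(" -", f)
```

Run against the posted-style excerpt the script reports the double-NAT condition and the missing tcp/80 and tcp/25 entries; against the bridged variant it reports nothing, which is the configuration state the answer describes as the easy case. It only reads the router side, so a clean result still says nothing about whether the cable modem forwards the port.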
Author Comment

by:lewylupo
ID: 19596031
Yeah, unfortunately the cable modem doesn't have the bridging capability, so I'll just NAT one private IP to another... oh well.  Thanks for the help, I have it working now.

Expert Comment

by:rsivanandan
ID: 19597312
OK, cool.

Cheers,
Rajesh