Dan560
asked on
Setup Web access - port forwarding
Hi
I had a go at setting up server with e-mail,web and secure (https) access. I had this working for a while, but not internally (under my LAN) however thats just one problem at the moment. At this time I want to setup access across the web. So I was messing around trying to configure local access to web server using the FQDN and I ended up changing the config so that I no one can access my site across the web. SO here is my config, can anyone please help?
I am using a cisco 837
I had a go at setting up server with e-mail,web and secure (https) access. I had this working for a while, but not internally (under my LAN) however thats just one problem at the moment. At this time I want to setup access across the web. So I was messing around trying to configure local access to web server using the FQDN and I ended up changing the config so that I no one can access my site across the web. SO here is my config, can anyone please help?
I am using a cisco 837
Building configuration...
Current configuration : 6235 bytes
!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname ROUTER
!
boot-start-marker
boot-end-marker
!
no logging buffered
enable secret 5 $1$2F1v$Eesr6pxyG3x/Ab/7ZTaZL.
enable password password
!
no aaa new-model
ip subnet-zero
ip dhcp excluded-address 10.13.1.1 10.13.1.49
ip dhcp excluded-address 10.13.1.101 10.13.1.254
!
ip dhcp pool default
import all
network 10.13.1.0 255.255.255.0
dns-server 62.24.128.17 62.23.128.18
default-router 10.13.1.1
!
!
ip name-server 62.24.128.18
ip name-server 62.24.128.17
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
ip inspect name sdm_ins_in_100 cuseeme
ip inspect name sdm_ins_in_100 ftp
ip inspect name sdm_ins_in_100 h323
ip inspect name sdm_ins_in_100 icmp
ip inspect name sdm_ins_in_100 netshow
ip inspect name sdm_ins_in_100 rcmd
ip inspect name sdm_ins_in_100 realaudio
ip inspect name sdm_ins_in_100 rtsp
ip inspect name sdm_ins_in_100 sqlnet
ip inspect name sdm_ins_in_100 streamworks
ip inspect name sdm_ins_in_100 tftp
ip inspect name sdm_ins_in_100 tcp
ip inspect name sdm_ins_in_100 udp
ip inspect name sdm_ins_in_100 vdolive
ip audit notify log
ip audit po max-events 100
no ftp-server write-enable
no scripting tcl init
no scripting tcl encdir
!
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key password address 90.152.x.x
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to90.152.x.x
set peer 90.152.x.x
set transform-set ESP-3DES-SHA
match address 102
!
!
!
!
interface Ethernet0
description $FW_INSIDE$
ip address 10.13.1.1 255.255.255.0
ip access-group 100 in
ip nat inside
hold-queue 100 out
!
interface ATM0
no ip address
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface FastEthernet1
no ip address
duplex auto
speed auto
!
interface FastEthernet2
no ip address
duplex auto
speed auto
!
interface FastEthernet3
no ip address
duplex auto
speed auto
!
interface FastEthernet4
no ip address
duplex auto
speed auto
!
interface Dialer0
description $FW_OUTSIDE$
ip address 62.24.x.x 255.255.255.252
ip access-group 101 in
ip nat outside
ip inspect sdm_ins_in_100 in
ip inspect SDM_LOW out
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname USERNAME@ISP
ppp chap password 0 PASSWORD@ISP
ppp pap sent-username USERNAME@ISP password 0 PASSWORD
crypto map SDM_CMAP_1
!
ip nat inside source static tcp 10.13.1.10 8443 interface Dialer0 8443
ip nat inside source static tcp 10.13.1.10 80 interface Dialer0 80
ip nat inside source static tcp 10.13.1.10 25 interface Dialer0 25
ip nat inside source static tcp 10.13.1.10 443 interface Dialer0 443
ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
ip nat inside source static tcp 10.13.1.10 80 62.24.x.x 80 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
ip http server
ip http secure-server
!
!
access-list 1 remark INSIDE_IF=Ethernet0
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.13.1.0 0.0.0.255
access-list 2 remark SDM_ACL Category=1
access-list 2 permit 10.13.1.10
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 permit udp host 10.13.1.10 eq domain any
access-list 100 deny ip 62.24.236.60 0.0.0.3 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit tcp any eq www host 62.24.x.x eq www
access-list 101 permit tcp any host 62.24.x.x eq smtp
access-list 101 permit tcp any eq smtp host 62.24.x.x eq smtp
access-list 101 remark IPSec Rule
access-list 101 permit ip 192.168.0.0 0.0.0.255 10.13.1.0 0.0.0.255
access-list 101 permit udp host 90.152.x.x host 62.24.x.x eq non500-isakmp
access-list 101 permit udp host 90.152.x.x host 62.24.x.x eq isakmp
access-list 101 permit esp host 90.152.x.x host 62.24.x.x
access-list 101 permit ahp host 90.152.x.x host 62.24.x.x
access-list 101 permit icmp any host 62.24.x.x
access-list 101 permit icmp any host 62.24.x.x echo-reply
access-list 101 permit icmp any host 62.24.x.x time-exceeded
access-list 101 deny ip 10.13.1.0 0.0.0.255 any
access-list 101 permit icmp any host 62.24.x.x unreachable
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any log
access-list 101 permit tcp any host 62.24.x.x eq www
access-list 102 remark SDM_ACL Category=4
access-list 102 remark IPSec Rule
access-list 102 permit ip 10.13.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 103 remark SDM_ACL Category=2
access-list 103 remark IPSec Rule
access-list 103 deny ip 10.13.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 103 permit ip 10.13.1.0 0.0.0.255 any
dialer-list 1 protocol ip permit
route-map SDM_RMAP_1 permit 1
match ip address 103
!
!
control-plane
!
!
line con 0
no modem enable
transport preferred all
transport output all
line aux 0
transport preferred all
transport output all
line vty 0 4
password password
login
transport preferred all
transport input all
transport output all
!
scheduler max-task-time 5000
!
end
ASKER
Hi JFrederick29:
I managed to reconfiure my access-list and it all seems to be working ok, thanks
Do you have any Ideas about internal users accessing our website by its FQDM? At the moment we can only get access to it by entering http://10.13.1.10 instead of http://mycompany.com. When we enter http://mycompany.com it connects straight to the 837's web interface and not to the web server.
Heres the new config
I managed to reconfiure my access-list and it all seems to be working ok, thanks
Do you have any Ideas about internal users accessing our website by its FQDM? At the moment we can only get access to it by entering http://10.13.1.10 instead of http://mycompany.com. When we enter http://mycompany.com it connects straight to the 837's web interface and not to the web server.
Heres the new config
Building configuration...
Current configuration : 6122 bytes
!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
no logging buffered
enable secret 5 $1$2F1v$Eesr6pxyG3x/Ab/7ZTaZL.
enable password password
!
no aaa new-model
ip subnet-zero
ip dhcp excluded-address 10.13.1.1 10.13.1.49
ip dhcp excluded-address 10.13.1.101 10.13.1.254
!
ip dhcp pool default
import all
network 10.13.1.0 255.255.255.0
dns-server 62.24.128.17 62.23.128.18
default-router 10.13.1.1
!
!
ip name-server 62.24.128.17
ip name-server 62.24.128.18
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
ip inspect name sdm_ins_in_100 cuseeme
ip inspect name sdm_ins_in_100 ftp
ip inspect name sdm_ins_in_100 h323
ip inspect name sdm_ins_in_100 icmp
ip inspect name sdm_ins_in_100 netshow
ip inspect name sdm_ins_in_100 rcmd
ip inspect name sdm_ins_in_100 realaudio
ip inspect name sdm_ins_in_100 rtsp
ip inspect name sdm_ins_in_100 sqlnet
ip inspect name sdm_ins_in_100 streamworks
ip inspect name sdm_ins_in_100 tftp
ip inspect name sdm_ins_in_100 tcp
ip inspect name sdm_ins_in_100 udp
ip inspect name sdm_ins_in_100 vdolive
ip audit notify log
ip audit po max-events 100
ip ssh break-string
no ftp-server write-enable
no scripting tcl init
no scripting tcl encdir
!
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key password address 90.152.x.x
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to90.152.x.x
set peer 90.152.x.x
set transform-set ESP-3DES-SHA
match address 102
!
!
!
!
interface Ethernet0
description $FW_INSIDE$
ip address 10.13.1.1 255.255.255.0
ip access-group 100 in
ip nat inside
hold-queue 100 out
!
interface ATM0
no ip address
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface FastEthernet1
no ip address
duplex auto
speed auto
!
interface FastEthernet2
no ip address
duplex auto
speed auto
!
interface FastEthernet3
no ip address
duplex auto
speed auto
!
interface FastEthernet4
no ip address
duplex auto
speed auto
!
interface Dialer0
description $FW_OUTSIDE$
ip address 62.24.x.x 255.255.255.252
ip access-group 101 in
ip nat outside
ip inspect sdm_ins_in_100 in
ip inspect SDM_LOW out
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname User@ISP
ppp chap password 0 Password
ppp pap sent-username user@isp password 0 password
crypto map SDM_CMAP_1
!
ip nat inside source static tcp 10.13.1.10 443 interface Dialer0 443
ip nat inside source static tcp 10.13.1.10 80 interface Dialer0 80
ip nat inside source static tcp 10.13.1.10 25 interface Dialer0 25
ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
ip http server
ip http secure-server
!
!
access-list 1 remark INSIDE_IF=Ethernet0
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.13.1.0 0.0.0.255
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny ip 62.24.236.60 0.0.0.3 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 remark IPSec Rule
access-list 101 permit ip 192.168.0.0 0.0.0.255 10.13.1.0 0.0.0.255
access-list 101 permit udp host 90.152.x.x host 62.24.x.x eq non500-isakmp
access-list 101 permit udp host 90.152.x.x host 62.24.x.x eq isakmp
access-list 101 permit esp host 90.152.x.x host 62.24.x.x
access-list 101 permit ahp host 90.152.x.x host 62.24.x.x
access-list 101 permit tcp any host 62.24.x.x eq www
access-list 101 permit tcp any host 62.24.x.x eq smtp
access-list 101 permit tcp any host 62.24.x.x eq 443
access-list 101 permit udp host 62.24.128.18 eq domain host 62.24.x.x
access-list 101 permit udp host 62.24.128.17 eq domain host 62.24.x.x
access-list 101 permit icmp any host 62.24.x.x
access-list 101 permit icmp any host 62.24.x.x echo-reply
access-list 101 permit tcp any eq smtp host 62.24.x.x eq smtp
access-list 101 permit icmp any host 62.24.x.x time-exceeded
access-list 101 deny ip 10.13.1.0 0.0.0.255 any
access-list 101 permit icmp any host 62.24.x.x unreachable
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any log
access-list 102 remark SDM_ACL Category=4
access-list 102 remark IPSec Rule
access-list 102 permit ip 10.13.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 103 remark SDM_ACL Category=2
access-list 103 remark IPSec Rule
access-list 103 deny ip 10.13.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 103 permit ip 10.13.1.0 0.0.0.255 any
dialer-list 1 protocol ip permit
route-map SDM_RMAP_1 permit 1
match ip address 103
!
!
control-plane
!
!
line con 0
no modem enable
transport preferred all
transport output all
line aux 0
transport preferred all
transport output all
line vty 0 4
password password
login
transport preferred all
transport input all
transport output all
!
scheduler max-task-time 5000
!
end
Yeah, that is normal operation with NAT on a Cisco router. There are a few ways to get around this. You can add an entry to all your internal PC's hosts file for your website to resolve it to the internal IP address. Alternatively, if you have internal DNS servers, create a zone that matches your domain and create a record for www using the internal IP address. There is a way to use the NAT Virtual Interface on the router to also get around this but I have never tried it. If you are interested in that method, let me know and I can find the link.
ASKER
right I see, ok so option one , how do I edit the host files on the users PC?
and option two, yes the server is running DNS, would this mean I would have to add the server as the primary DNS server on the router instead of the ones my ISP gave me? Would my server then handle my DNS ?
and option two, yes the server is running DNS, would this mean I would have to add the server as the primary DNS server on the router instead of the ones my ISP gave me? Would my server then handle my DNS ?
ASKER CERTIFIED SOLUTION
membership
Create a free account to see this answer
Signing up is free and takes 30 seconds. No credit card required.
Try this:
conf t
ip access-list ext 101
no deny ip any any log
permit tcp any host 62.24.x.x eq www
deny ip any any log