Solved

Static NAT and access list for inbound connection with 2 outside ip address

Posted on 2008-10-27
4
1,046 Views
Last Modified: 2012-05-05
i'm trying to configure a router 1811 to allow web traffic to 2 differents webserver.

as you can see on my config, I got one outside ip finishing by 50 and a second one finishing by 51.  the config is working fine with the ip finishing with 50.  I can access my webserver from the net. but when I try accessing my second webserver (inside address 192.168.50.11) through the outside ip finishing with 51 it doesn't work.

i'm not to good with this router configuration stuff and it's already good i got the first one working.  now I don't know what i missing for the second one.

thanks for your help
****-router#wr mem
Building configuration...
[OK]
****-router#sh run
Building configuration...
 
Current configuration : 7573 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname ****-router
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 4096 debugging
logging console critical
enable secret 5 *****
!
aaa new-model
!
!
aaa authentication login AUTHEN_LOGIN local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authentication ppp AUTHEN_PPP local
aaa authorization console
aaa authorization exec AUTHOR_EXEC local
aaa authorization network AUTHOR_NETWORK local
aaa authorization network sdm_vpn_group_ml_1 local
!
aaa session-id common
!
resource policy
!
clock timezone EST -5
clock summer-time EDT recurring
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
!
!
ip cef
no ip dhcp use vrf connected
!
!
no ip domain lookup
ip domain name *****
ip name-server 192.168.50.10
ip inspect name INSPECT_ME cuseeme
ip inspect name INSPECT_ME ftp
ip inspect name INSPECT_ME h323
ip inspect name INSPECT_ME icmp
ip inspect name INSPECT_ME netshow
ip inspect name INSPECT_ME rcmd
ip inspect name INSPECT_ME realaudio
ip inspect name INSPECT_ME rtsp
ip inspect name INSPECT_ME esmtp
ip inspect name INSPECT_ME sqlnet
ip inspect name INSPECT_ME streamworks
ip inspect name INSPECT_ME tftp
ip inspect name INSPECT_ME tcp
ip inspect name INSPECT_ME udp
ip inspect name INSPECT_ME vdolive
no ip ips deny-action ips-interface
ip ips notify SDEE
!
modemcap entry modem:MSC=&FS0=1
!
crypto pki trustpoint TP-self-signed-3038224782
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3038224782
 revocation-check none
 rsakeypair TP-self-signed-3038224782
!
!
crypto pki certificate chain TP-self-signed-3038224782
 certificate self-signed 01
  30820251 308201BA A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 33303338 32323437 3832301E 170D3038 31303235 31353337
  31375A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 30333832
  32343738 3230819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100D434 56EFFD2E 93C61148 6F36B9BB 93DD2652 E7C85E3F 088BF86A 381CE13D
  85A0C4E2 EA7DEFA7 2118F305 D4B0E682 6576EB18 2009C5D2 D3150AB1 EB71C289
  BBD42F96 D8315F04 C5AC690D 6491D70C 0E2B82EF 4C2C342F 9D356C52 0AAD3915
  66BF6441 7793E97A 614B010B 75499D6A 6409C789 2A617A32 2E893FE5 3E57B179
  7A030203 010001A3 79307730 0F060355 1D130101 FF040530 030101FF 30240603
  551D1104 1D301B82 196A626D 622D726F 75746572 2E6A626D 626E6574 2E6C6F63
  616C301F 0603551D 23041830 168014CE 3E74C2CE BE73FD38 18538682 3EABB45C
  24AA3B30 1D060355 1D0E0416 0414CE3E 74C2CEBE 73FD3818 5386823E ABB45C24
  AA3B300D 06092A86 4886F70D 01010405 00038181 009AB700 A6DDE93E 987A81F5
  BAB3ECD8 004021CE 015A2D01 26375EE6 F740B87F 49B8F4D9 531014F3 C332800E
  5450F0F7 BD917B8C 90F15583 EF442A5B D0F3C759 2845605F 74F84602 D958CA8A
  F182C2B8 08E6F85A 45015EC7 2425DFAF 34D8881A 79FFBA43 8E743592 13BA8402
  A0C041CB D7CE558C 6D06392E 3CFC207B E78B4297 27
  quit
username ***** privilege 15 secret 5 *****
username **** secret 5 ******
username **** secret 5 *******
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp xauth timeout 15
 
!
crypto isakmp client configuration group ******
 key *****
 pool SDM_POOL_1
 netmask 255.255.255.0
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto dynamic-map SDM_DYNMAP_1 1
 set transform-set ESP-3DES-SHA
 reverse-route
!
!
crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_1
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
!
!
interface FastEthernet0
 description WAN
 ip address **.**.**.50 255.255.255.248
 ip access-group 110 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip inspect INSPECT_ME out
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 no cdp enable
 crypto map SDM_CMAP_1
!
interface FastEthernet0.1
!
interface FastEthernet1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
!
interface Vlan1
 ip address 192.168.50.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Async1
 no ip address
!
ip local pool SDM_POOL_1 192.168.50.50 192.168.50.60
ip classless
ip route 0.0.0.0 0.0.0.0 **.**.**.49
!
!
ip http server
ip http access-class 10
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0 overload
ip nat inside source static tcp 192.168.50.10 25 **.**.**.50 25 extendable
ip nat inside source static tcp 192.168.50.10 80 **.**.**.50 80 extendable
ip nat inside source static tcp 192.168.50.10 110 **.**.**.50 110 extendable
ip nat inside source static tcp 192.168.50.10 443 **.**.**.50 443 extendable
ip nat inside source static tcp 192.168.50.11 80 **.**.**.51 80 extendable
ip nat inside source static tcp 192.168.50.11 443 **.**.**.51 443 extendable
!
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.50.0 0.0.0.255
access-list 100 remark NAT all other traffic
access-list 100 remark SDM_ACL Category=16
access-list 100 permit ip 192.168.0.0 0.0.255.255 any
access-list 100 deny   ip any any log
access-list 101 remark SDM_ACL Category=2
access-list 101 deny   ip any host 192.168.50.50
access-list 101 deny   ip any host 192.168.50.51
access-list 101 deny   ip any host 192.168.50.52
access-list 101 deny   ip any host 192.168.50.53
access-list 101 deny   ip any host 192.168.50.54
access-list 101 deny   ip any host 192.168.50.55
access-list 101 deny   ip any host 192.168.50.56
access-list 101 deny   ip any host 192.168.50.57
access-list 101 deny   ip any host 192.168.50.58
access-list 101 deny   ip any host 192.168.50.59
access-list 101 deny   ip any host 192.168.50.60
access-list 101 permit ip 192.168.50.0 0.0.0.255 any
access-list 110 permit tcp any host **.**.**.50 eq www
access-list 110 permit tcp any host **.**.**.50 eq 443
access-list 110 permit tcp any host **.**.**.50 eq pop3
access-list 110 permit tcp any host **.**.**.50 eq smtp
access-list 110 permit tcp any host **.**.**.51 eq www
access-list 110 permit tcp any host **.**.**.51 eq 443
!
route-map SDM_RMAP_1 permit 1
 match ip address 101
!
!
!
!
control-plane
!
banner login ^CC Authorized a^C
!
line con 0
 authorization exec AUTHOR_EXEC
 login authentication AUTHEN_LOGIN
 transport output none
line 1
 session-timeout 20
 authorization exec AUTHOR_EXEC
 login authentication AUTHEN_LOGIN
 modem InOut
 modem autoconfigure type modem
 transport input all
 stopbits 1
 speed 115200
 flowcontrol hardware
line aux 0
 authorization exec AUTHOR_EXEC
 login authentication AUTHEN_LOGIN
 transport output telnet
line vty 0 4
 access-class 10 in
 authorization exec AUTHOR_EXEC
 login authentication AUTHEN_LOGIN
 transport input telnet ssh
line vty 5 15
 access-class 10 in
 authorization exec AUTHOR_EXEC
 login authentication AUTHEN_LOGIN
 transport input telnet ssh
!
scheduler allocate 4000 1000
scheduler interval 500
end
 
****-router#

Open in new window

0
Comment
Question by:jlock_can
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
4 Comments
 
LVL 32

Expert Comment

by:harbor235
ID: 22821635

Is the .50 ip address the same ip as the outside interface? If so with static nat you cannot do that.
change the .50 to something unique in that range like .52 if available.

harbor235 ;}
0
 

Author Comment

by:jlock_can
ID: 22827654
thanks for the comment, but it doesn't work.

I tried what you said, I remove the static nat finishing by .50 and leave the one finishing .51 and then i tested the connection but it's not working.  also try changing my outside interface to .53 which is also available but that also didn't work.
0
 
LVL 32

Expert Comment

by:harbor235
ID: 22831210

How are you testing it? Is the applocation server up, is it's default gateway set? Can you ping something on the internet from the .50 device?

Make the changes and report your config, more info is required

harbor235 ;}
0
 

Accepted Solution

by:
jlock_can earned 0 total points
ID: 22898481
Firewall on the local computer was blocking the connection

thank you
0

Featured Post

Microsoft Certification Exam 74-409

Veeam® is happy to provide the Microsoft community with a study guide prepared by MVP and MCT, Orin Thomas. This guide will take you through each of the exam objectives, helping you to prepare for and pass the examination.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Getting hacked is no longer a matter or "if you get hacked" — the 2016 cyber threat landscape is now titled "when you get hacked." When it happens — will you be proactive, or reactive?
Configuring network clients can be a chore, especially if there are a large number of them or a lot of itinerant users.  DHCP dynamically manages this process, much to the relief of users and administrators alike!
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…

710 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question