jlock_can
asked on
Static NAT and access list for inbound connection with 2 outside ip address
I'm trying to configure an 1811 router to allow web traffic to 2 different web servers.
As you can see in my config, I got one outside IP ending in 50 and a second one ending in 51. The config is working fine with the IP ending in 50: I can access my web server from the net. But when I try accessing my second web server (inside address 192.168.50.11) through the outside IP ending in 51, it doesn't work.
I'm not too good with this router configuration stuff and it's already good I got the first one working. Now I don't know what I'm missing for the second one.
Thanks for your help.
****-router#wr mem
Building configuration...
[OK]
****-router#sh run
Building configuration...
Current configuration : 7573 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname ****-router
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 4096 debugging
logging console critical
enable secret 5 *****
!
aaa new-model
!
!
aaa authentication login AUTHEN_LOGIN local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authentication ppp AUTHEN_PPP local
aaa authorization console
aaa authorization exec AUTHOR_EXEC local
aaa authorization network AUTHOR_NETWORK local
aaa authorization network sdm_vpn_group_ml_1 local
!
aaa session-id common
!
resource policy
!
clock timezone EST -5
clock summer-time EDT recurring
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
!
!
ip cef
no ip dhcp use vrf connected
!
!
no ip domain lookup
ip domain name *****
ip name-server 192.168.50.10
ip inspect name INSPECT_ME cuseeme
ip inspect name INSPECT_ME ftp
ip inspect name INSPECT_ME h323
ip inspect name INSPECT_ME icmp
ip inspect name INSPECT_ME netshow
ip inspect name INSPECT_ME rcmd
ip inspect name INSPECT_ME realaudio
ip inspect name INSPECT_ME rtsp
ip inspect name INSPECT_ME esmtp
ip inspect name INSPECT_ME sqlnet
ip inspect name INSPECT_ME streamworks
ip inspect name INSPECT_ME tftp
ip inspect name INSPECT_ME tcp
ip inspect name INSPECT_ME udp
ip inspect name INSPECT_ME vdolive
no ip ips deny-action ips-interface
ip ips notify SDEE
!
modemcap entry modem:MSC=&FS0=1
!
crypto pki trustpoint TP-self-signed-3038224782
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3038224782
revocation-check none
rsakeypair TP-self-signed-3038224782
!
!
crypto pki certificate chain TP-self-signed-3038224782
certificate self-signed 01
30820251 308201BA A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 33303338 32323437 3832301E 170D3038 31303235 31353337
31375A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 30333832
32343738 3230819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100D434 56EFFD2E 93C61148 6F36B9BB 93DD2652 E7C85E3F 088BF86A 381CE13D
85A0C4E2 EA7DEFA7 2118F305 D4B0E682 6576EB18 2009C5D2 D3150AB1 EB71C289
BBD42F96 D8315F04 C5AC690D 6491D70C 0E2B82EF 4C2C342F 9D356C52 0AAD3915
66BF6441 7793E97A 614B010B 75499D6A 6409C789 2A617A32 2E893FE5 3E57B179
7A030203 010001A3 79307730 0F060355 1D130101 FF040530 030101FF 30240603
551D1104 1D301B82 196A626D 622D726F 75746572 2E6A626D 626E6574 2E6C6F63
616C301F 0603551D 23041830 168014CE 3E74C2CE BE73FD38 18538682 3EABB45C
24AA3B30 1D060355 1D0E0416 0414CE3E 74C2CEBE 73FD3818 5386823E ABB45C24
AA3B300D 06092A86 4886F70D 01010405 00038181 009AB700 A6DDE93E 987A81F5
BAB3ECD8 004021CE 015A2D01 26375EE6 F740B87F 49B8F4D9 531014F3 C332800E
5450F0F7 BD917B8C 90F15583 EF442A5B D0F3C759 2845605F 74F84602 D958CA8A
F182C2B8 08E6F85A 45015EC7 2425DFAF 34D8881A 79FFBA43 8E743592 13BA8402
A0C041CB D7CE558C 6D06392E 3CFC207B E78B4297 27
quit
username ***** privilege 15 secret 5 *****
username **** secret 5 ******
username **** secret 5 *******
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp xauth timeout 15
!
crypto isakmp client configuration group ******
key *****
pool SDM_POOL_1
netmask 255.255.255.0
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto dynamic-map SDM_DYNMAP_1 1
set transform-set ESP-3DES-SHA
reverse-route
!
!
crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_1
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
!
!
interface FastEthernet0
description WAN
ip address **.**.**.50 255.255.255.248
ip access-group 110 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip inspect INSPECT_ME out
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
no cdp enable
crypto map SDM_CMAP_1
!
interface FastEthernet0.1
!
interface FastEthernet1
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
!
interface Vlan1
ip address 192.168.50.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface Async1
no ip address
!
ip local pool SDM_POOL_1 192.168.50.50 192.168.50.60
ip classless
ip route 0.0.0.0 0.0.0.0 **.**.**.49
!
!
ip http server
ip http access-class 10
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0 overload
ip nat inside source static tcp 192.168.50.10 25 **.**.**.50 25 extendable
ip nat inside source static tcp 192.168.50.10 80 **.**.**.50 80 extendable
ip nat inside source static tcp 192.168.50.10 110 **.**.**.50 110 extendable
ip nat inside source static tcp 192.168.50.10 443 **.**.**.50 443 extendable
ip nat inside source static tcp 192.168.50.11 80 **.**.**.51 80 extendable
ip nat inside source static tcp 192.168.50.11 443 **.**.**.51 443 extendable
!
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.50.0 0.0.0.255
access-list 100 remark NAT all other traffic
access-list 100 remark SDM_ACL Category=16
access-list 100 permit ip 192.168.0.0 0.0.255.255 any
access-list 100 deny ip any any log
access-list 101 remark SDM_ACL Category=2
access-list 101 deny ip any host 192.168.50.50
access-list 101 deny ip any host 192.168.50.51
access-list 101 deny ip any host 192.168.50.52
access-list 101 deny ip any host 192.168.50.53
access-list 101 deny ip any host 192.168.50.54
access-list 101 deny ip any host 192.168.50.55
access-list 101 deny ip any host 192.168.50.56
access-list 101 deny ip any host 192.168.50.57
access-list 101 deny ip any host 192.168.50.58
access-list 101 deny ip any host 192.168.50.59
access-list 101 deny ip any host 192.168.50.60
access-list 101 permit ip 192.168.50.0 0.0.0.255 any
access-list 110 permit tcp any host **.**.**.50 eq www
access-list 110 permit tcp any host **.**.**.50 eq 443
access-list 110 permit tcp any host **.**.**.50 eq pop3
access-list 110 permit tcp any host **.**.**.50 eq smtp
access-list 110 permit tcp any host **.**.**.51 eq www
access-list 110 permit tcp any host **.**.**.51 eq 443
!
route-map SDM_RMAP_1 permit 1
match ip address 101
!
!
!
!
control-plane
!
banner login ^CC Authorized a^C
!
line con 0
authorization exec AUTHOR_EXEC
login authentication AUTHEN_LOGIN
transport output none
line 1
session-timeout 20
authorization exec AUTHOR_EXEC
login authentication AUTHEN_LOGIN
modem InOut
modem autoconfigure type modem
transport input all
stopbits 1
speed 115200
flowcontrol hardware
line aux 0
authorization exec AUTHOR_EXEC
login authentication AUTHEN_LOGIN
transport output telnet
line vty 0 4
access-class 10 in
authorization exec AUTHOR_EXEC
login authentication AUTHEN_LOGIN
transport input telnet ssh
line vty 5 15
access-class 10 in
authorization exec AUTHOR_EXEC
login authentication AUTHEN_LOGIN
transport input telnet ssh
!
scheduler allocate 4000 1000
scheduler interval 500
end
****-router#
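The three things the thread keeps circling back to are whether each static NAT outside address sits on the WAN subnet, whether it collides with the WAN interface's own address, and whether access-list 110 (applied inbound on FastEthernet0, and evaluated before the outside-to-inside translation) actually permits the port that is being forwarded. The script below is an added example, not code from the asker or from harbor235: it parses a constructed, sanitized excerpt modelled on the posted config and reports each of those three conditions. The outside addresses are masked on the page, so the documentation range 203.0.113.48/29 stands in for them, and one extra forward to 203.0.113.60 is included on purpose so the subnet check has something to flag. It assumes Python 3.8 or newer (walrus operator) and only the standard library.

```python
import ipaddress
import re

# Constructed, sanitized excerpt modelled on the posted config (not the
# router's actual output). The page masks the outside addresses as
# **.**.**.50 / .51, so 203.0.113.48/29 stands in: .49 upstream gateway,
# .50 router WAN address, .51-.54 usable, .55 broadcast. The forward to
# 203.0.113.60 is made up to exercise the "outside the WAN subnet" check.
SAMPLE_CONFIG = """\
interface FastEthernet0
 description WAN
 ip address 203.0.113.50 255.255.255.248
 ip access-group 110 in
 ip nat outside
!
interface Vlan1
 ip address 192.168.50.1 255.255.255.0
 ip nat inside
!
ip nat inside source static tcp 192.168.50.10 80 203.0.113.50 80 extendable
ip nat inside source static tcp 192.168.50.10 443 203.0.113.50 443 extendable
ip nat inside source static tcp 192.168.50.11 80 203.0.113.51 80 extendable
ip nat inside source static tcp 192.168.50.11 443 203.0.113.51 443 extendable
ip nat inside source static tcp 192.168.50.12 22 203.0.113.60 22 extendable
!
access-list 110 permit tcp any host 203.0.113.50 eq www
access-list 110 permit tcp any host 203.0.113.50 eq 443
access-list 110 permit tcp any host 203.0.113.51 eq www
"""

# IOS prints some well-known ports by name in ACLs; map them back to numbers.
PORT_NAMES = {"www": 80, "smtp": 25, "pop3": 110, "ftp": 21, "telnet": 23}

STATIC_RE = re.compile(r"^ip nat inside source static (tcp|udp) (\S+) (\d+) (\S+) (\d+)")
ACL_RE = re.compile(r"^access-list (\d+) permit (tcp|udp) any host (\S+) eq (\S+)")
IFACE_RE = re.compile(r"^interface (\S+)")
ADDR_RE = re.compile(r"^\s+ip address (\S+) (\S+)")
GROUP_RE = re.compile(r"^\s+ip access-group (\d+) in")


def port_number(token):
    """Turn an ACL port token ('www' or '443') into an integer."""
    return int(token) if token.isdigit() else PORT_NAMES[token]


def parse_config(text):
    """Extract static NAT entries, inbound ACL permits and interface facts."""
    statics, permits, ifaces = [], set(), {}
    current = None
    for line in text.splitlines():
        if m := IFACE_RE.match(line):
            current = m.group(1)
            ifaces[current] = {"addr": None, "acl_in": None, "nat_outside": False}
        elif m := STATIC_RE.match(line):
            proto, _inside_ip, _inside_port, out_ip, out_port = m.groups()
            statics.append((proto, out_ip, int(out_port)))
        elif m := ACL_RE.match(line):
            acl, proto, host, port = m.groups()
            permits.add((acl, proto, host, port_number(port)))
        elif current is None:
            continue
        elif m := ADDR_RE.match(line):
            # ip_interface accepts dotted-netmask notation directly.
            ifaces[current]["addr"] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
        elif m := GROUP_RE.match(line):
            ifaces[current]["acl_in"] = m.group(1)
        elif line.strip() == "ip nat outside":
            ifaces[current]["nat_outside"] = True
    return statics, permits, ifaces


def check_static_nat(text):
    """Return findings as (kind, outside_ip, port, detail) tuples."""
    statics, permits, ifaces = parse_config(text)
    findings = []
    for name, iface in ifaces.items():
        if not iface["nat_outside"] or iface["addr"] is None:
            continue
        net = iface["addr"].network
        for proto, out_ip, out_port in statics:
            if ipaddress.ip_address(out_ip) not in net:
                findings.append(("outside_subnet", out_ip, out_port,
                                 f"{out_ip} is not in {net} on {name}; the router only answers ARP "
                                 f"for addresses on its connected subnet, so the upstream gateway "
                                 f"needs a route for it"))
            elif out_ip == str(iface["addr"].ip):
                findings.append(("interface_address", out_ip, out_port,
                                 f"{out_ip} is {name}'s own address (port forward on the interface IP)"))
            acl = iface["acl_in"]
            if acl and (acl, proto, out_ip, out_port) not in permits:
                findings.append(("acl_missing", out_ip, out_port,
                                 f"access-list {acl} inbound on {name} has no permit for "
                                 f"{proto}/{out_port} to {out_ip}; inbound SYNs are dropped before NAT"))
    return findings


if __name__ == "__main__":
    for kind, ip, port, detail in check_static_nat(SAMPLE_CONFIG):
        print(f"[{kind}] {ip}:{port} - {detail}")
```

On the constructed sample this reports the two forwards that share the interface address, the missing 443 permit for 203.0.113.51, and both problems with the made-up 203.0.113.60 entry. Run against a real `show run`, the same three checks are the ones to clear before looking at the server's default gateway and reachability, which harbor235's comment asks about next.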
ASKER
Thanks for the comment, but it doesn't work.
I tried what you said: I removed the static NAT ending in .50 and left the one ending in .51, then tested the connection, but it's not working. I also tried changing my outside interface to .53, which is also available, but that didn't work either.
How are you testing it? Is the application server up, is its default gateway set? Can you ping something on the internet from the .50 device?
Make the changes and report your config; more info is required.
harbor235 ;}
ASKER CERTIFIED SOLUTION
Is the .50 IP address the same IP as the outside interface? If so, with static NAT you cannot do that.
Change the .50 to something unique in that range, like .52 if available.
harbor235 ;}