Solved

Static NAT and access list for inbound connection with 2 outside ip address

Posted on 2008-10-27
1,031 Views
Last Modified: 2012-05-05
I'm trying to configure a router 1811 to allow web traffic to 2 different webservers.

As you can see in my config, I have one outside IP ending in 50 and a second one ending in 51. The config is working fine with the IP ending in 50: I can access my webserver from the net. But when I try accessing my second webserver (inside address 192.168.50.11) through the outside IP ending in 51, it doesn't work.

I'm not too good with this router configuration stuff, and it's already good that I got the first one working. Now I don't know what I'm missing for the second one.

Thanks for your help.
****-router#wr mem
Building configuration...
[OK]
****-router#sh run
Building configuration...

Current configuration : 7573 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname ****-router
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 4096 debugging
logging console critical
enable secret 5 *****
!
aaa new-model
!
!
aaa authentication login AUTHEN_LOGIN local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authentication ppp AUTHEN_PPP local
aaa authorization console
aaa authorization exec AUTHOR_EXEC local
aaa authorization network AUTHOR_NETWORK local
aaa authorization network sdm_vpn_group_ml_1 local
!
aaa session-id common
!
resource policy
!
clock timezone EST -5
clock summer-time EDT recurring
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
!
!
ip cef
no ip dhcp use vrf connected
!
!
no ip domain lookup
ip domain name *****
ip name-server 192.168.50.10
ip inspect name INSPECT_ME cuseeme
ip inspect name INSPECT_ME ftp
ip inspect name INSPECT_ME h323
ip inspect name INSPECT_ME icmp
ip inspect name INSPECT_ME netshow
ip inspect name INSPECT_ME rcmd
ip inspect name INSPECT_ME realaudio
ip inspect name INSPECT_ME rtsp
ip inspect name INSPECT_ME esmtp
ip inspect name INSPECT_ME sqlnet
ip inspect name INSPECT_ME streamworks
ip inspect name INSPECT_ME tftp
ip inspect name INSPECT_ME tcp
ip inspect name INSPECT_ME udp
ip inspect name INSPECT_ME vdolive
no ip ips deny-action ips-interface
ip ips notify SDEE
!
modemcap entry modem:MSC=&FS0=1
!
crypto pki trustpoint TP-self-signed-3038224782
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3038224782
 revocation-check none
 rsakeypair TP-self-signed-3038224782
!
!
crypto pki certificate chain TP-self-signed-3038224782
 certificate self-signed 01
  30820251 308201BA A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 33303338 32323437 3832301E 170D3038 31303235 31353337
  31375A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 30333832
  32343738 3230819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100D434 56EFFD2E 93C61148 6F36B9BB 93DD2652 E7C85E3F 088BF86A 381CE13D
  85A0C4E2 EA7DEFA7 2118F305 D4B0E682 6576EB18 2009C5D2 D3150AB1 EB71C289
  BBD42F96 D8315F04 C5AC690D 6491D70C 0E2B82EF 4C2C342F 9D356C52 0AAD3915
  66BF6441 7793E97A 614B010B 75499D6A 6409C789 2A617A32 2E893FE5 3E57B179
  7A030203 010001A3 79307730 0F060355 1D130101 FF040530 030101FF 30240603
  551D1104 1D301B82 196A626D 622D726F 75746572 2E6A626D 626E6574 2E6C6F63
  616C301F 0603551D 23041830 168014CE 3E74C2CE BE73FD38 18538682 3EABB45C
  24AA3B30 1D060355 1D0E0416 0414CE3E 74C2CEBE 73FD3818 5386823E ABB45C24
  AA3B300D 06092A86 4886F70D 01010405 00038181 009AB700 A6DDE93E 987A81F5
  BAB3ECD8 004021CE 015A2D01 26375EE6 F740B87F 49B8F4D9 531014F3 C332800E
  5450F0F7 BD917B8C 90F15583 EF442A5B D0F3C759 2845605F 74F84602 D958CA8A
  F182C2B8 08E6F85A 45015EC7 2425DFAF 34D8881A 79FFBA43 8E743592 13BA8402
  A0C041CB D7CE558C 6D06392E 3CFC207B E78B4297 27
  quit
username ***** privilege 15 secret 5 *****
username **** secret 5 ******
username **** secret 5 *******
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp xauth timeout 15

!
crypto isakmp client configuration group ******
 key *****
 pool SDM_POOL_1
 netmask 255.255.255.0
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto dynamic-map SDM_DYNMAP_1 1
 set transform-set ESP-3DES-SHA
 reverse-route
!
!
crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_1
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
!
!
interface FastEthernet0
 description WAN
 ip address **.**.**.50 255.255.255.248
 ip access-group 110 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip inspect INSPECT_ME out
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 no cdp enable
 crypto map SDM_CMAP_1
!
interface FastEthernet0.1
!
interface FastEthernet1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
!
interface Vlan1
 ip address 192.168.50.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Async1
 no ip address
!
ip local pool SDM_POOL_1 192.168.50.50 192.168.50.60
ip classless
ip route 0.0.0.0 0.0.0.0 **.**.**.49
!
!
ip http server
ip http access-class 10
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0 overload
ip nat inside source static tcp 192.168.50.10 25 **.**.**.50 25 extendable
ip nat inside source static tcp 192.168.50.10 80 **.**.**.50 80 extendable
ip nat inside source static tcp 192.168.50.10 110 **.**.**.50 110 extendable
ip nat inside source static tcp 192.168.50.10 443 **.**.**.50 443 extendable
ip nat inside source static tcp 192.168.50.11 80 **.**.**.51 80 extendable
ip nat inside source static tcp 192.168.50.11 443 **.**.**.51 443 extendable
!
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.50.0 0.0.0.255
access-list 100 remark NAT all other traffic
access-list 100 remark SDM_ACL Category=16
access-list 100 permit ip 192.168.0.0 0.0.255.255 any
access-list 100 deny   ip any any log
access-list 101 remark SDM_ACL Category=2
access-list 101 deny   ip any host 192.168.50.50
access-list 101 deny   ip any host 192.168.50.51
access-list 101 deny   ip any host 192.168.50.52
access-list 101 deny   ip any host 192.168.50.53
access-list 101 deny   ip any host 192.168.50.54
access-list 101 deny   ip any host 192.168.50.55
access-list 101 deny   ip any host 192.168.50.56
access-list 101 deny   ip any host 192.168.50.57
access-list 101 deny   ip any host 192.168.50.58
access-list 101 deny   ip any host 192.168.50.59
access-list 101 deny   ip any host 192.168.50.60
access-list 101 permit ip 192.168.50.0 0.0.0.255 any
access-list 110 permit tcp any host **.**.**.50 eq www
access-list 110 permit tcp any host **.**.**.50 eq 443
access-list 110 permit tcp any host **.**.**.50 eq pop3
access-list 110 permit tcp any host **.**.**.50 eq smtp
access-list 110 permit tcp any host **.**.**.51 eq www
access-list 110 permit tcp any host **.**.**.51 eq 443
!
route-map SDM_RMAP_1 permit 1
 match ip address 101
!
!
!
!
control-plane
!
banner login ^CC Authorized a^C
!
line con 0
 authorization exec AUTHOR_EXEC
 login authentication AUTHEN_LOGIN
 transport output none
line 1
 session-timeout 20
 authorization exec AUTHOR_EXEC
 login authentication AUTHEN_LOGIN
 modem InOut
 modem autoconfigure type modem
 transport input all
 stopbits 1
 speed 115200
 flowcontrol hardware
line aux 0
 authorization exec AUTHOR_EXEC
 login authentication AUTHEN_LOGIN
 transport output telnet
line vty 0 4
 access-class 10 in
 authorization exec AUTHOR_EXEC
 login authentication AUTHEN_LOGIN
 transport input telnet ssh
line vty 5 15
 access-class 10 in
 authorization exec AUTHOR_EXEC
 login authentication AUTHEN_LOGIN
 transport input telnet ssh
!
scheduler allocate 4000 1000
scheduler interval 500
end

****-router#

Question by:jlock_can
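The posted config pairs six static NAT entries with access-list 110 on the WAN interface, and a mismatch between the two is the first thing to rule out before looking at the server itself. The script below is an added example, not code from this thread or from Cisco: it parses an IOS running-config fragment in the same shape as the one above and reports, for every "ip nat inside source static" entry, whether the access list applied inbound on the "ip nat outside" interface permits the mapped outside ip:port, whether two entries claim the same outside socket, and whether the inside host sits on a NAT-inside subnet. The sample config is constructed: 203.0.113.50 and .51 (TEST-NET-3) stand in for the masked **.**.**.50 / .51, one ACL permit (.51 eq 443) is deliberately left out, and an extra NAT entry reuses .51:443, so the audit has something to flag. Only numbered extended ACLs evaluated against the destination address and port are modelled; CBAC inspection, the route-map overload NAT and the VPN configuration are ignored.

```python
"""Cross-check IOS static NAT entries against the inbound WAN access list.

Added example, not part of the thread. Public addresses are TEST-NET-3
placeholders for the masked **.**.**.50 / .51 of the original config.
"""
import ipaddress
import re
from collections import Counter

# Constructed sample: mirrors the posted config, minus the ".51 eq 443"
# permit, plus one extra NAT entry that reuses .51:443.
SAMPLE_CONFIG = """\
interface FastEthernet0
 ip address 203.0.113.50 255.255.255.248
 ip access-group 110 in
 ip nat outside
!
interface Vlan1
 ip address 192.168.50.1 255.255.255.0
 ip nat inside
!
ip nat inside source static tcp 192.168.50.10 25 203.0.113.50 25 extendable
ip nat inside source static tcp 192.168.50.10 80 203.0.113.50 80 extendable
ip nat inside source static tcp 192.168.50.10 110 203.0.113.50 110 extendable
ip nat inside source static tcp 192.168.50.10 443 203.0.113.50 443 extendable
ip nat inside source static tcp 192.168.50.11 80 203.0.113.51 80 extendable
ip nat inside source static tcp 192.168.50.11 443 203.0.113.51 443 extendable
ip nat inside source static tcp 192.168.50.12 8080 203.0.113.51 443 extendable
!
access-list 110 permit tcp any host 203.0.113.50 eq www
access-list 110 permit tcp any host 203.0.113.50 eq 443
access-list 110 permit tcp any host 203.0.113.50 eq pop3
access-list 110 permit tcp any host 203.0.113.50 eq smtp
access-list 110 permit tcp any host 203.0.113.51 eq www
access-list 100 deny   ip any any log
"""

# IOS port keywords seen in extended ACLs (subset); numeric ports pass through.
PORT_NAMES = {"www": 80, "smtp": 25, "pop3": 110, "ftp": 21, "ssh": 22, "telnet": 23}
NAT_RE = re.compile(r"^ip nat inside source static (tcp|udp) (\S+) (\d+) (\S+) (\d+)")


def _acl_addr(tok, i):
    """Parse one ACL address spec at tok[i]: any | host A | A WILDCARD."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    netmask = (~int(ipaddress.ip_address(tok[i + 1]))) & 0xFFFFFFFF  # wildcard -> netmask
    return ipaddress.ip_network((tok[i], str(ipaddress.ip_address(netmask))), strict=False), i + 2


def parse_acl_line(line):
    """Return a dict for a numbered extended ACE, or None for remarks/standard ACLs."""
    tok = line.split()
    if (len(tok) < 6 or tok[0] != "access-list" or tok[2] not in ("permit", "deny")
            or tok[3] not in ("ip", "tcp", "udp", "icmp")):
        return None
    src, i = _acl_addr(tok, 4)
    dst, i = _acl_addr(tok, i)
    port = None
    if i + 1 < len(tok) and tok[i] == "eq":
        port = PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1])
    return {"num": tok[1], "action": tok[2], "proto": tok[3], "src": src, "dst": dst, "port": port}


def parse_config(text):
    """Collect static NAT entries, extended ACEs and per-interface NAT/ACL/address facts."""
    nat, acl, ifaces, cur = [], [], {}, None
    for line in text.splitlines():
        if not line.strip():
            continue                                 # tolerate double-spaced pastes
        if line.startswith("interface "):
            cur = line.split()[1]
            ifaces[cur] = {}
        elif line.startswith(" ") and cur:           # interface sub-command
            s = line.split()
            if s[:2] == ["ip", "address"] and len(s) == 4:
                ifaces[cur]["net"] = ipaddress.ip_interface(f"{s[2]}/{s[3]}")
            elif s[:2] == ["ip", "access-group"]:
                ifaces[cur]["acl_" + s[3]] = s[2]    # e.g. acl_in = "110"
            elif s[:2] == ["ip", "nat"]:
                ifaces[cur]["nat"] = s[2]            # "inside" or "outside"
        else:                                        # back at global config
            cur = None
            m = NAT_RE.match(line)
            if m:
                proto, lip, lport, gip, gport = m.groups()
                nat.append({"proto": proto, "lip": lip, "lport": int(lport), "gip": gip, "gport": int(gport)})
            elif (ace := parse_acl_line(line)):
                acl.append(ace)
    return nat, acl, ifaces


def acl_permits(acl, num, proto, dst_ip, dst_port):
    """First-match evaluation of ACL `num` for a packet to dst_ip:dst_port; implicit deny at the end."""
    for e in acl:
        if e["num"] != num or e["proto"] not in (proto, "ip"):
            continue
        if ipaddress.ip_address(dst_ip) not in e["dst"]:
            continue
        if e["port"] is not None and e["port"] != dst_port:
            continue
        return e["action"] == "permit"
    return False


def audit(text):
    """Return (finding, 'proto gip:gport -> lip:lport') tuples for every problem found."""
    nat, acl, ifaces = parse_config(text)
    outside = next((d for d in ifaces.values() if d.get("nat") == "outside"), {})
    inside_nets = [d["net"].network for d in ifaces.values() if d.get("nat") == "inside" and "net" in d]
    acl_in = outside.get("acl_in")
    sockets = Counter((n["proto"], n["gip"], n["gport"]) for n in nat)
    findings = []
    for n in nat:
        key = f"{n['proto']} {n['gip']}:{n['gport']} -> {n['lip']}:{n['lport']}"
        if acl_in and not acl_permits(acl, acl_in, n["proto"], n["gip"], n["gport"]):
            findings.append(("not_permitted_by_inbound_acl", key))
        if sockets[(n["proto"], n["gip"], n["gport"])] > 1:
            findings.append(("duplicate_outside_socket", key))
        if inside_nets and not any(ipaddress.ip_address(n["lip"]) in net for net in inside_nets):
            findings.append(("inside_host_not_on_nat_inside_subnet", key))
    return findings


if __name__ == "__main__":
    for kind, entry in audit(SAMPLE_CONFIG):
        print(f"{kind}: {entry}")
```

Run against the posted config (with the masked addresses filled in) the audit comes back empty, which is consistent with the accepted answer: when every static entry is permitted inbound and no two entries share an outside socket, the remaining suspects are off the router, such as the server's default gateway or, as it turned out here, the host firewall.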
4 Comments
 
LVL 32

Expert Comment

by:harbor235
ID: 22821635

Is the .50 IP address the same IP as the outside interface? If so, with static NAT you cannot do that.
Change the .50 to something unique in that range, like .52 if available.

harbor235 ;}

Author Comment

by:jlock_can
ID: 22827654
Thanks for the comment, but it doesn't work.

I tried what you said: I removed the static NAT ending in .50 and left the one ending in .51, then tested the connection, but it's not working. I also tried changing my outside interface to .53, which is also available, but that didn't work either.
LVL 32

Expert Comment

by:harbor235
ID: 22831210

How are you testing it? Is the application server up? Is its default gateway set? Can you ping something on the internet from the .50 device?

Make the changes and report your config; more info is required.

harbor235 ;}

Accepted Solution

by:
jlock_can earned 0 total points
ID: 22898481
The firewall on the local computer was blocking the connection.

Thank you.