allow port forward for web server
Hello
I'm trying to figure out how to forward a port to allow the outside world to get to a web reservation (web server) on a cisco 871 router and am having a hard time. The way they have it setup is a little different than usual and am not sure what to do.
They have 2 routers. The main router routing to the outside is the cisco 871 Router that i have included the configurations below. The web server is behind a linksys vpn router.
The cisco 871 has a vlan 1 using 192.168.0.1 /24. It's interface FastEthernet1 (vlan 1) is connected to this Linksys VPN router (Wan port) with an address of 192.168.0.2 /24. Now behing this linksys the LAN addressing scheme is 192.168.1.1 /24, the Web reservation is installed on a workstation using the address 192.168.1.3 /24. Now i went through the configurations on the linksys and
it has 2 port forwards that are like so:
(Under applications & gaming)
Port range
Application Start END TCP-UDP IP address Enabled
WEB 80 80 TCP 192.168.1.3 no checkmark here
SSL 443 443 TCP 192.163.1.3 checkmark here
(Now under UPnP Forwarding)
Application Ext.port TCP-UDP Int.port Ip address Enabled
HTTP 80 TCP 80 192.168.1.3 checkmark here
HTTP 80 UDP 80 192.168.1.3 checkmark here
SSL 443 UDP 443 192.168.1.3 checkmark here
SSL 443 TCP 443 192.168.1.3 checkmark here
Here are the 871 router configurations:
ip dhcp excluded-address 172.16.0.1 172.16.0.20
ip dhcp excluded-address 192.168.0.1 192.168.0.99
ip dhcp excluded-address 192.168.0.254
ip dhcp excluded-address 192.168.1.1 192.168.1.114
!
ip dhcp pool Vlan1_pool
import all
network 192.168.0.0 255.255.255.0
default-router 192.168.0.1
dns-server AAA.AAA.AAA AAA.AAA.BBB
!
ip dhcp pool Wireless_pool
import all
network 172.16.0.0 255.255.252.0
default-router 172.16.0.1
dns-server AAA.AAA.AAA AAA.AAA.BBB
!
!
!
no ip domain lookup
ip domain name rtp.cisco.com
!
multilink bundle-name authenticated
!
!
username AAAA password 7 12140405115A
username BBBBB password 7 1424430F1E29792F743F20
!
!
archive
log config
hidekeys
!
!
ip ssh version 1
!
!
!
interface FastEthernet0
description Vlan1 192.168.0.0 /24
!
interface FastEthernet1
description Vlan1 going to VPNRouter WAN 192.168.0.2 /24 and LAN 192.168.1.0 /2 ***********this is the interface going to the linksys vpn with the web reservation
!
interface FastEthernet2
description Vlan2 interface to NewWireless 172.16.0.0 255.255.252.0 /22 to D-Li
switchport access vlan 2
!
interface FastEthernet3
description Temporary interface going to existing Wireless LAN 10.10.1.0 /24 an
!
interface FastEthernet4
description WAN int to Internet getting Static IP from ISP QQQ.QQQ.QQQ 255.255.255.0
ip address QQQ.QQQ.QQQ 255.255.255.0
ip access-group 102 in
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface Vlan1
ip address 192.168.0.1 255.255.255.0
ip access-group 103 out
ip nat inside
ip virtual-reassembly
!
interface Vlan2
ip address 172.16.0.1 255.255.252.0
ip access-group 104 out
ip nat inside
ip virtual-reassembly
!
interface Vlan3
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface Vlan4
ip address 10.10.1.2 255.255.255.0
ip nat inside
ip virtual-reassembly
!
ip default-gateway 333.333.333 255.255.255.0
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 209.91.152.65
ip route 10.10.1.0 255.255.255.0 192.168.0.3
ip route 192.168.1.0 255.255.255.0 192.168.0.2
!
!
no ip http server
no ip http secure-server
ip dns server
ip nat pool OUTSIDE_NAT QQQ.QQQ.QQQ QQQ.QQQ.QQQ netmask 255.255.255.0
ip nat inside source list 101 pool OUTSIDE_NAT overload
!
access-list 101 remark OUTSIDE_NAT acl allowed networks
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 101 permit ip 172.16.0.0 0.0.3.255 any
access-list 101 permit ip 10.10.1.0 0.0.0.255 any
access-list 102 remark ACL allowed entry into router fa4 WAN
access-list 102 permit tcp any any eq smtp
access-list 102 permit tcp any any eq www
access-list 102 permit tcp any any eq ftp
access-list 102 permit tcp any any eq ftp-data
access-list 102 permit tcp any any eq pop3
access-list 102 permit tcp any any eq 443
access-list 102 deny tcp any any eq 3389
access-list 102 deny icmp any any echo log-input
access-list 102 permit ip any any
access-list 103 remark ACL denied access to vlan 1
access-list 103 deny icmp 172.16.0.0 0.0.3.255 192.168.0.0 0.0.0.255 echo
access-list 103 deny icmp 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255 echo
access-list 103 permit ip any any
access-list 104 permit tcp any any eq smtp
access-list 104 permit tcp any any eq www
access-list 104 permit tcp any any eq ftp
access-list 104 permit tcp any any eq ftp-data
access-list 104 permit tcp any any eq pop3
access-list 104 permit tcp any any eq 443
access-list 104 deny tcp any any eq 3389
access-list 104 deny icmp any any echo log-input
access-list 104 deny icmp 10.10.1.0 0.0.0.255 172.16.0.0 0.0.3.255 echo
access-list 104 deny icmp 192.168.0.0 0.0.0.255 172.16.0.0 0.0.3.255 echo
access-list 104 deny icmp 192.168.1.0 0.0.0.255 172.16.0.0 0.0.3.255 echo
access-list 104 permit ip any any
!
!
!
!
control-plane .... (i stopped the show command here )
Now can anyone help me to configure these port forwarding so the router can point to the right route and open the required ports. I am wondering if i don't need to add some type of ACL to allow the ports to be open but am not sure how to configure them or where to apply this ACL if that's the answer.
What i was thinking was:
ip nat pool OUTSIDE_NAT QQQ.QQQ.QQQ QQQ.QQQ.QQQ netmask 255.255.255.0
ip nat inside source list 101 pool OUTSIDE_NAT overload
ip nat inside source static tcp 192.168.1.3 80 interface FastEthernet4 80 (add this command)
Then on ACL 103 configure it this way:
access-list 103 remark ACL denied access to vlan 1
access-list 103 deny icmp 172.16.0.0 0.0.3.255 192.168.0.0 0.0.0.255 echo
access-list 103 deny icmp 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255 echo
access-list 103 permit tcp any any
access-list 103 permit ip any any
Then set the ACL like so:
interface Vlan1
ip address 192.168.0.1 255.255.255.0
ip access-group 103 out
ip nat inside
And this is the actual ACL 101:
access-list 101 remark OUTSIDE_NAT acl allowed networks
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
access-list 101 permit ip 192.168.1.0 0.0.0.255 any ************* (already there)
access-list 101 permit ip 172.16.0.0 0.0.3.255 any
access-list 101 permit ip 10.10.1.0 0.0.0.255 any
Again i'm not even sure if i'm on the right track but would really appreciate any hep with this.
Thanks for any help with this issue.
I'm trying to figure out how to forward a port to allow the outside world to get to a web reservation (web server) on a cisco 871 router and am having a hard time. The way they have it setup is a little different than usual and am not sure what to do.
They have 2 routers. The main router routing to the outside is the cisco 871 Router that i have included the configurations below. The web server is behind a linksys vpn router.
The cisco 871 has a vlan 1 using 192.168.0.1 /24. It's interface FastEthernet1 (vlan 1) is connected to this Linksys VPN router (Wan port) with an address of 192.168.0.2 /24. Now behing this linksys the LAN addressing scheme is 192.168.1.1 /24, the Web reservation is installed on a workstation using the address 192.168.1.3 /24. Now i went through the configurations on the linksys and
it has 2 port forwards that are like so:
(Under applications & gaming)
Port range
Application Start END TCP-UDP IP address Enabled
WEB 80 80 TCP 192.168.1.3 no checkmark here
SSL 443 443 TCP 192.163.1.3 checkmark here
(Now under UPnP Forwarding)
Application Ext.port TCP-UDP Int.port Ip address Enabled
HTTP 80 TCP 80 192.168.1.3 checkmark here
HTTP 80 UDP 80 192.168.1.3 checkmark here
SSL 443 UDP 443 192.168.1.3 checkmark here
SSL 443 TCP 443 192.168.1.3 checkmark here
Here are the 871 router configurations:
ip dhcp excluded-address 172.16.0.1 172.16.0.20
ip dhcp excluded-address 192.168.0.1 192.168.0.99
ip dhcp excluded-address 192.168.0.254
ip dhcp excluded-address 192.168.1.1 192.168.1.114
!
ip dhcp pool Vlan1_pool
import all
network 192.168.0.0 255.255.255.0
default-router 192.168.0.1
dns-server AAA.AAA.AAA AAA.AAA.BBB
!
ip dhcp pool Wireless_pool
import all
network 172.16.0.0 255.255.252.0
default-router 172.16.0.1
dns-server AAA.AAA.AAA AAA.AAA.BBB
!
!
!
no ip domain lookup
ip domain name rtp.cisco.com
!
multilink bundle-name authenticated
!
!
username AAAA password 7 12140405115A
username BBBBB password 7 1424430F1E29792F743F20
!
!
archive
log config
hidekeys
!
!
ip ssh version 1
!
!
!
interface FastEthernet0
description Vlan1 192.168.0.0 /24
!
interface FastEthernet1
description Vlan1 going to VPNRouter WAN 192.168.0.2 /24 and LAN 192.168.1.0 /2 ***********this is the interface going to the linksys vpn with the web reservation
!
interface FastEthernet2
description Vlan2 interface to NewWireless 172.16.0.0 255.255.252.0 /22 to D-Li
switchport access vlan 2
!
interface FastEthernet3
description Temporary interface going to existing Wireless LAN 10.10.1.0 /24 an
!
interface FastEthernet4
description WAN int to Internet getting Static IP from ISP QQQ.QQQ.QQQ 255.255.255.0
ip address QQQ.QQQ.QQQ 255.255.255.0
ip access-group 102 in
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface Vlan1
ip address 192.168.0.1 255.255.255.0
ip access-group 103 out
ip nat inside
ip virtual-reassembly
!
interface Vlan2
ip address 172.16.0.1 255.255.252.0
ip access-group 104 out
ip nat inside
ip virtual-reassembly
!
interface Vlan3
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface Vlan4
ip address 10.10.1.2 255.255.255.0
ip nat inside
ip virtual-reassembly
!
ip default-gateway 333.333.333 255.255.255.0
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 209.91.152.65
ip route 10.10.1.0 255.255.255.0 192.168.0.3
ip route 192.168.1.0 255.255.255.0 192.168.0.2
!
!
no ip http server
no ip http secure-server
ip dns server
ip nat pool OUTSIDE_NAT QQQ.QQQ.QQQ QQQ.QQQ.QQQ netmask 255.255.255.0
ip nat inside source list 101 pool OUTSIDE_NAT overload
!
access-list 101 remark OUTSIDE_NAT acl allowed networks
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 101 permit ip 172.16.0.0 0.0.3.255 any
access-list 101 permit ip 10.10.1.0 0.0.0.255 any
access-list 102 remark ACL allowed entry into router fa4 WAN
access-list 102 permit tcp any any eq smtp
access-list 102 permit tcp any any eq www
access-list 102 permit tcp any any eq ftp
access-list 102 permit tcp any any eq ftp-data
access-list 102 permit tcp any any eq pop3
access-list 102 permit tcp any any eq 443
access-list 102 deny tcp any any eq 3389
access-list 102 deny icmp any any echo log-input
access-list 102 permit ip any any
access-list 103 remark ACL denied access to vlan 1
access-list 103 deny icmp 172.16.0.0 0.0.3.255 192.168.0.0 0.0.0.255 echo
access-list 103 deny icmp 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255 echo
access-list 103 permit ip any any
access-list 104 permit tcp any any eq smtp
access-list 104 permit tcp any any eq www
access-list 104 permit tcp any any eq ftp
access-list 104 permit tcp any any eq ftp-data
access-list 104 permit tcp any any eq pop3
access-list 104 permit tcp any any eq 443
access-list 104 deny tcp any any eq 3389
access-list 104 deny icmp any any echo log-input
access-list 104 deny icmp 10.10.1.0 0.0.0.255 172.16.0.0 0.0.3.255 echo
access-list 104 deny icmp 192.168.0.0 0.0.0.255 172.16.0.0 0.0.3.255 echo
access-list 104 deny icmp 192.168.1.0 0.0.0.255 172.16.0.0 0.0.3.255 echo
access-list 104 permit ip any any
!
!
!
!
control-plane .... (i stopped the show command here )
Now can anyone help me to configure these port forwarding so the router can point to the right route and open the required ports. I am wondering if i don't need to add some type of ACL to allow the ports to be open but am not sure how to configure them or where to apply this ACL if that's the answer.
What i was thinking was:
ip nat pool OUTSIDE_NAT QQQ.QQQ.QQQ QQQ.QQQ.QQQ netmask 255.255.255.0
ip nat inside source list 101 pool OUTSIDE_NAT overload
ip nat inside source static tcp 192.168.1.3 80 interface FastEthernet4 80 (add this command)
Then on ACL 103 configure it this way:
access-list 103 remark ACL denied access to vlan 1
access-list 103 deny icmp 172.16.0.0 0.0.3.255 192.168.0.0 0.0.0.255 echo
access-list 103 deny icmp 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255 echo
access-list 103 permit tcp any any
access-list 103 permit ip any any
Then set the ACL like so:
interface Vlan1
ip address 192.168.0.1 255.255.255.0
ip access-group 103 out
ip nat inside
And this is the actual ACL 101:
access-list 101 remark OUTSIDE_NAT acl allowed networks
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
access-list 101 permit ip 192.168.1.0 0.0.0.255 any ************* (already there)
access-list 101 permit ip 172.16.0.0 0.0.3.255 any
access-list 101 permit ip 10.10.1.0 0.0.0.255 any
Again i'm not even sure if i'm on the right track but would really appreciate any hep with this.
Thanks for any help with this issue.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
thanks again
ASKER