
allow port forward for web server

Asked by ibanez7 (Canada)
Topics: File Sharing Software, Routers, Exchange
Hello
I'm trying to figure out how to forward a port to allow the outside world to get to a web reservation (web server) on a Cisco 871 router, and I'm having a hard time. The way they have it set up is a little different than usual and I'm not sure what to do.
They have 2 routers. The main router routing to the outside is the Cisco 871, whose configuration I have included below. The web server is behind a Linksys VPN router.
The Cisco 871 has a VLAN 1 using 192.168.0.1/24. Its interface FastEthernet1 (VLAN 1) is connected to the WAN port of this Linksys VPN router, which has the address 192.168.0.2/24. Behind this Linksys the LAN addressing scheme is 192.168.1.1/24, and the web reservation is installed on a workstation using the address 192.168.1.3/24. I went through the configuration on the Linksys, and
it has 2 port forwards, like so:
(Under Applications & Gaming, Port Range Forwarding)
Application   Start   End   Protocol   IP address     Enabled
WEB           80      80    TCP        192.168.1.3    no
SSL           443     443   TCP        192.163.1.3    yes

(Under UPnP Forwarding)
Application   Ext. port   Protocol   Int. port   IP address     Enabled
HTTP          80          TCP        80          192.168.1.3    yes
HTTP          80          UDP        80          192.168.1.3    yes
SSL           443         UDP        443         192.168.1.3    yes
SSL           443         TCP        443         192.168.1.3    yes

Here is the 871 router configuration:
ip dhcp excluded-address 172.16.0.1 172.16.0.20
ip dhcp excluded-address 192.168.0.1 192.168.0.99
ip dhcp excluded-address 192.168.0.254
ip dhcp excluded-address 192.168.1.1 192.168.1.114
!
ip dhcp pool Vlan1_pool
   import all
   network 192.168.0.0 255.255.255.0
   default-router 192.168.0.1
   dns-server AAA.AAA.AAA AAA.AAA.BBB
!
ip dhcp pool Wireless_pool
   import all
   network 172.16.0.0 255.255.252.0
   default-router 172.16.0.1
   dns-server AAA.AAA.AAA AAA.AAA.BBB
!
!
!
no ip domain lookup
ip domain name rtp.cisco.com
!
multilink bundle-name authenticated
!
!
username AAAA password 7 12140405115A
username BBBBB password 7 1424430F1E29792F743F20
!
!
archive
 log config
  hidekeys
!
!
ip ssh version 1
!
!
!
interface FastEthernet0
 description Vlan1 192.168.0.0 /24
!
interface FastEthernet1
 description Vlan1 going to VPNRouter WAN 192.168.0.2 /24 and LAN 192.168.1.0 /2 ***********this is the interface going to the linksys vpn with the web reservation
!
interface FastEthernet2
 description Vlan2 interface to NewWireless 172.16.0.0 255.255.252.0 /22 to D-Li
 switchport access vlan 2
!
interface FastEthernet3
 description Temporary interface going to existing Wireless LAN 10.10.1.0 /24 an
!
interface FastEthernet4
 description WAN int to Internet getting Static IP from ISP QQQ.QQQ.QQQ 255.255.255.0
 ip address QQQ.QQQ.QQQ 255.255.255.0
 ip access-group 102 in
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface Vlan1
 ip address 192.168.0.1 255.255.255.0
 ip access-group 103 out
 ip nat inside
 ip virtual-reassembly
!
interface Vlan2
 ip address 172.16.0.1 255.255.252.0
 ip access-group 104 out
 ip nat inside
 ip virtual-reassembly
!
interface Vlan3
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Vlan4
 ip address 10.10.1.2 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
ip default-gateway 333.333.333 255.255.255.0
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 209.91.152.65
ip route 10.10.1.0 255.255.255.0 192.168.0.3
ip route 192.168.1.0 255.255.255.0 192.168.0.2
!
!
no ip http server
no ip http secure-server
ip dns server
ip nat pool OUTSIDE_NAT QQQ.QQQ.QQQ QQQ.QQQ.QQQ netmask 255.255.255.0
ip nat inside source list 101 pool OUTSIDE_NAT overload
!
access-list 101 remark OUTSIDE_NAT acl allowed networks
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 101 permit ip 172.16.0.0 0.0.3.255 any
access-list 101 permit ip 10.10.1.0 0.0.0.255 any
access-list 102 remark ACL allowed entry into router fa4 WAN
access-list 102 permit tcp any any eq smtp
access-list 102 permit tcp any any eq www
access-list 102 permit tcp any any eq ftp
access-list 102 permit tcp any any eq ftp-data
access-list 102 permit tcp any any eq pop3
access-list 102 permit tcp any any eq 443
access-list 102 deny   tcp any any eq 3389
access-list 102 deny   icmp any any echo log-input
access-list 102 permit ip any any
access-list 103 remark ACL denied access to vlan 1
access-list 103 deny   icmp 172.16.0.0 0.0.3.255 192.168.0.0 0.0.0.255 echo
access-list 103 deny   icmp 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255 echo
access-list 103 permit ip any any
access-list 104 permit tcp any any eq smtp
access-list 104 permit tcp any any eq www
access-list 104 permit tcp any any eq ftp
access-list 104 permit tcp any any eq ftp-data
access-list 104 permit tcp any any eq pop3
access-list 104 permit tcp any any eq 443
access-list 104 deny   tcp any any eq 3389
access-list 104 deny   icmp any any echo log-input
access-list 104 deny   icmp 10.10.1.0 0.0.0.255 172.16.0.0 0.0.3.255 echo
access-list 104 deny   icmp 192.168.0.0 0.0.0.255 172.16.0.0 0.0.3.255 echo
access-list 104 deny   icmp 192.168.1.0 0.0.0.255 172.16.0.0 0.0.3.255 echo
access-list 104 permit ip any any
!
!
!
!
control-plane .... (I stopped the show command here)

Now, can anyone help me configure this port forwarding so the router points to the right route and opens the required ports? I am wondering whether I need to add some type of ACL to allow the ports to be open, but I'm not sure how to configure it or where to apply that ACL if that's the answer.
What I was thinking was:
ip nat pool OUTSIDE_NAT QQQ.QQQ.QQQ QQQ.QQQ.QQQ netmask 255.255.255.0
ip nat inside source list 101 pool OUTSIDE_NAT overload
ip nat inside source static tcp 192.168.1.3 80 interface FastEthernet4 80  (add this command)

Then on ACL 103 configure it this way:
access-list 103 remark ACL denied access to vlan 1
access-list 103 deny   icmp 172.16.0.0 0.0.3.255 192.168.0.0 0.0.0.255 echo
access-list 103 deny   icmp 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255 echo
access-list 103 permit tcp any any
access-list 103 permit ip any any

Then set the ACL like so:
 interface Vlan1
 ip address 192.168.0.1 255.255.255.0
 ip access-group 103 out
 ip nat inside

And this is the actual ACL 101:
access-list 101 remark OUTSIDE_NAT acl allowed networks
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
access-list 101 permit ip 192.168.1.0 0.0.0.255 any  ************* (already there)
access-list 101 permit ip 172.16.0.0 0.0.3.255 any
access-list 101 permit ip 10.10.1.0 0.0.0.255 any

Again, I'm not even sure if I'm on the right track, but I would really appreciate any help with this.

Thanks for any help with this issue.
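The following is an added worked example, not part of the original question or of the accepted answer. It shows the two ways the static NAT on the 871 can be written for this double-router layout, using only names and addresses that appear in the posted config (QQQ.QQQ.QQQ stands for the fa4 WAN address exactly as the poster masked it). Option A assumes the Linksys does NAT on its WAN side, which is the normal behaviour for that class of device, so it forwards to the Linksys WAN address 192.168.0.2 and relies on the forwards the Linksys already has for 192.168.1.3 (note that in the posted Linksys tables the Port Range entry for WEB/80 is not enabled, while the UPnP entries for 80 and 443 are). Option B is the command proposed in the question; it only works if the Linksys will accept a packet that arrives on its WAN port already addressed to 192.168.1.3, and it also depends on interface Vlan3 (192.168.1.1/24, no member ports in the posted config) staying down, because a connected route on Vlan3 would override the static route via 192.168.0.2. Two caveats on the ACLs as posted: ACL 102 on fa4 ends in "permit ip any any", so it is a short deny-list rather than an allow-list and the explicit www/443 permits are not what admits the traffic; and ACL 103 on Vlan1 also ends in "permit ip any any", so the extra "permit tcp any any" line proposed above changes nothing.

```cisco
! Added example (not from the post or the accepted answer): static port
! forwards on the Cisco 871 for the web server behind the Linksys.
!
! Option A (assumes the Linksys NATs on its WAN port): translate the outside
! ports to the Linksys WAN address. The Linksys then applies its own forwards
! to 192.168.1.3, so the 871 never has to deliver to 192.168.1.0/24 itself.
ip nat inside source static tcp 192.168.0.2 80 interface FastEthernet4 80
ip nat inside source static tcp 192.168.0.2 443 interface FastEthernet4 443
!
! Option B (the command proposed in the question): translate straight to the
! web host. Requires the Linksys to pass WAN-side packets addressed to a LAN
! host; the existing "ip route 192.168.1.0 255.255.255.0 192.168.0.2" is the
! next hop the 871 uses, and Vlan3 must stay down or its connected route wins.
! ip nat inside source static tcp 192.168.1.3 80 interface FastEthernet4 80
! ip nat inside source static tcp 192.168.1.3 443 interface FastEthernet4 443
!
! No ACL change is needed for either option: ACL 102 (inbound on fa4) already
! permits tcp/80 and tcp/443 and ends in "permit ip any any"; ACL 103
! (outbound on Vlan1) also ends in "permit ip any any".
!
! Checks from enable mode after an outside client has connected:
! show ip nat translations   (expect static tcp entries QQQ.QQQ.QQQ:80 and :443
!                             mapped to the chosen inside address)
! show ip route 192.168.1.3  (must resolve via 192.168.0.2, not via Vlan3)
! show access-lists 102      (hit counters on the www and 443 lines)
```

Pick one option only; two static entries for the same outside port cannot coexist. If Option B is chosen, clear the Option A lines first with the matching "no ip nat inside source static ..." commands, since a stale static entry will keep winning for that port.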
ASKER CERTIFIED SOLUTION
Les Moore
Systems Architect
Top Expert 2008