allow port forward for web server

523 Views
Last Modified: 2013-11-21
Hello
I'm trying to figure out how to forward a port to allow the outside world to get to a web reservation (web server) on a Cisco 871 router and am having a hard time. The way they have it set up is a little different than usual, and I am not sure what to do.
They have 2 routers. The main router routing to the outside is the Cisco 871 router whose configuration I have included below. The web server is behind a Linksys VPN router.
The Cisco 871 has a VLAN 1 using 192.168.0.1 /24. Its interface FastEthernet1 (VLAN 1) is connected to this Linksys VPN router (WAN port), which has an address of 192.168.0.2 /24. Now, behind this Linksys the LAN addressing scheme is 192.168.1.1 /24, and the web reservation is installed on a workstation using the address 192.168.1.3 /24. Now I went through the configuration on the Linksys and it has 2 port forwards that are like so:
(Under Applications & Gaming)
Application   Port range Start   Port range End   TCP/UDP   IP address     Enabled
WEB           80                 80               TCP       192.168.1.3    no checkmark here
SSL           443                443              TCP       192.163.1.3    checkmark here

(Now under UPnP Forwarding)
Application   Ext. port   TCP/UDP   Int. port   IP address     Enabled
HTTP          80          TCP       80          192.168.1.3    checkmark here
HTTP          80          UDP       80          192.168.1.3    checkmark here
SSL           443         UDP       443         192.168.1.3    checkmark here
SSL           443         TCP       443         192.168.1.3    checkmark here

Here are the 871 router configurations:
ip dhcp excluded-address 172.16.0.1 172.16.0.20
ip dhcp excluded-address 192.168.0.1 192.168.0.99
ip dhcp excluded-address 192.168.0.254
ip dhcp excluded-address 192.168.1.1 192.168.1.114
!
ip dhcp pool Vlan1_pool
   import all
   network 192.168.0.0 255.255.255.0
   default-router 192.168.0.1
   dns-server AAA.AAA.AAA AAA.AAA.BBB
!
ip dhcp pool Wireless_pool
   import all
   network 172.16.0.0 255.255.252.0
   default-router 172.16.0.1
   dns-server AAA.AAA.AAA AAA.AAA.BBB
!
!
!
no ip domain lookup
ip domain name rtp.cisco.com
!
multilink bundle-name authenticated
!
!
username AAAA password 7 12140405115A
username BBBBB password 7 1424430F1E29792F743F20
!
!
archive
 log config
  hidekeys
!
!
ip ssh version 1
!
!
!
interface FastEthernet0
 description Vlan1 192.168.0.0 /24
!
interface FastEthernet1
 description Vlan1 going to VPNRouter WAN 192.168.0.2 /24 and LAN 192.168.1.0 /2 ***********this is the interface going to the linksys vpn with the web reservation
!
interface FastEthernet2
 description Vlan2 interface to NewWireless 172.16.0.0 255.255.252.0 /22 to D-Li
 switchport access vlan 2
!
interface FastEthernet3
 description Temporary interface going to existing Wireless LAN 10.10.1.0 /24 an
!
interface FastEthernet4
 description WAN int to Internet getting Static IP from ISP QQQ.QQQ.QQQ 255.255.255.0
 ip address QQQ.QQQ.QQQ 255.255.255.0
 ip access-group 102 in
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface Vlan1
 ip address 192.168.0.1 255.255.255.0
 ip access-group 103 out
 ip nat inside
 ip virtual-reassembly
!
interface Vlan2
 ip address 172.16.0.1 255.255.252.0
 ip access-group 104 out
 ip nat inside
 ip virtual-reassembly
!
interface Vlan3
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Vlan4
 ip address 10.10.1.2 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
ip default-gateway 333.333.333 255.255.255.0
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 209.91.152.65
ip route 10.10.1.0 255.255.255.0 192.168.0.3
ip route 192.168.1.0 255.255.255.0 192.168.0.2
!
!
no ip http server
no ip http secure-server
ip dns server
ip nat pool OUTSIDE_NAT QQQ.QQQ.QQQ QQQ.QQQ.QQQ netmask 255.255.255.0
ip nat inside source list 101 pool OUTSIDE_NAT overload
!
access-list 101 remark OUTSIDE_NAT acl allowed networks
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 101 permit ip 172.16.0.0 0.0.3.255 any
access-list 101 permit ip 10.10.1.0 0.0.0.255 any
access-list 102 remark ACL allowed entry into router fa4 WAN
access-list 102 permit tcp any any eq smtp
access-list 102 permit tcp any any eq www
access-list 102 permit tcp any any eq ftp
access-list 102 permit tcp any any eq ftp-data
access-list 102 permit tcp any any eq pop3
access-list 102 permit tcp any any eq 443
access-list 102 deny   tcp any any eq 3389
access-list 102 deny   icmp any any echo log-input
access-list 102 permit ip any any
access-list 103 remark ACL denied access to vlan 1
access-list 103 deny   icmp 172.16.0.0 0.0.3.255 192.168.0.0 0.0.0.255 echo
access-list 103 deny   icmp 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255 echo
access-list 103 permit ip any any
access-list 104 permit tcp any any eq smtp
access-list 104 permit tcp any any eq www
access-list 104 permit tcp any any eq ftp
access-list 104 permit tcp any any eq ftp-data
access-list 104 permit tcp any any eq pop3
access-list 104 permit tcp any any eq 443
access-list 104 deny   tcp any any eq 3389
access-list 104 deny   icmp any any echo log-input
access-list 104 deny   icmp 10.10.1.0 0.0.0.255 172.16.0.0 0.0.3.255 echo
access-list 104 deny   icmp 192.168.0.0 0.0.0.255 172.16.0.0 0.0.3.255 echo
access-list 104 deny   icmp 192.168.1.0 0.0.0.255 172.16.0.0 0.0.3.255 echo
access-list 104 permit ip any any
!
!
!
!
control-plane .... (i stopped the show command here )

Now, can anyone help me configure this port forwarding so the router points to the right route and opens the required ports? I am wondering whether I need to add some type of ACL to allow the ports to be open, but I am not sure how to configure it or where to apply this ACL if that's the answer.
What I was thinking was:
ip nat pool OUTSIDE_NAT QQQ.QQQ.QQQ QQQ.QQQ.QQQ netmask 255.255.255.0
ip nat inside source list 101 pool OUTSIDE_NAT overload
ip nat inside source static tcp 192.168.1.3 80 interface FastEthernet4 80  (add this command)

Then on ACL 103 configure it this way:
access-list 103 remark ACL denied access to vlan 1
access-list 103 deny   icmp 172.16.0.0 0.0.3.255 192.168.0.0 0.0.0.255 echo
access-list 103 deny   icmp 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255 echo
access-list 103 permit tcp any any
access-list 103 permit ip any any

Then set the ACL like so:
 interface Vlan1
 ip address 192.168.0.1 255.255.255.0
 ip access-group 103 out
 ip nat inside

And this is the actual ACL 101:
access-list 101 remark OUTSIDE_NAT acl allowed networks
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
access-list 101 permit ip 192.168.1.0 0.0.0.255 any  ************* (already there)
access-list 101 permit ip 172.16.0.0 0.0.3.255 any
access-list 101 permit ip 10.10.1.0 0.0.0.255 any

Again, I'm not even sure if I'm on the right track, but I would really appreciate any help with this.

Thanks for any help with this issue.
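Added example (not from this question or from the answers hidden behind the paywall): the 871-side pieces that publish 192.168.1.3:80 and :443 on the FastEthernet4 address, with a tighter inbound ACL than the one in the posted config, plus the checks to run afterwards. It assumes the Fa4 address is written QQQ.QQQ.QQQ.QQQ (anonymised as in the question), that the 871's IOS image includes the firewall feature set (`ip inspect`), and, since the Linksys does its own NAT between 192.168.0.2 and 192.168.1.0/24, that the Linksys forwards the same ports on to 192.168.1.3; in the tables above, the manual WEB/80 rule is the one shown without a checkmark.

```cisco
! Added example, not text from the question or its answers.
! Assumptions: QQQ.QQQ.QQQ.QQQ is the Fa4 address (anonymised as in the
! question); the 871 image supports "ip inspect"; the Linksys forwards the
! published ports from its WAN side (192.168.0.2) on to 192.168.1.3.
!
! --- 1. Static port translation -------------------------------------------
! One line per published port. A packet arriving on Fa4 for port 80 is
! rewritten to 192.168.1.3:80; replies are rewritten back automatically, and
! the existing "ip route 192.168.1.0 255.255.255.0 192.168.0.2" carries the
! rewritten packet to the Linksys. If the Linksys only NATs and will not route
! for its LAN, translate to its WAN address instead and let its own port
! forward finish the job:
!   ip nat inside source static tcp 192.168.0.2 80 interface FastEthernet4 80
ip nat inside source static tcp 192.168.1.3 80  interface FastEthernet4 80
ip nat inside source static tcp 192.168.1.3 443 interface FastEthernet4 443
!
! --- 2. What may enter from the Internet ----------------------------------
! The inbound ACL on Fa4 is checked before the NAT rewrite, so it matches on
! the public address and port. Lines are tried top-down, first match wins,
! and the posted ACL 102 ends in "permit ip any any", which already admits
! port 80 (and everything else not denied above it). This version keeps only
! the published services; everything else is dropped and logged.
no access-list 102
access-list 102 remark ACL allowed entry into router fa4 WAN
access-list 102 permit tcp any host QQQ.QQQ.QQQ.QQQ eq www
access-list 102 permit tcp any host QQQ.QQQ.QQQ.QQQ eq 443
access-list 102 deny   icmp any any echo log-input
access-list 102 deny   ip any any log
!
! Replies to sessions opened from the inside (browsing from the LANs, and
! the router's own DNS forwarding, since "ip dns server" is on) are no longer
! covered by a blanket permit, so stateful inspection opens holes for them.
! "router-traffic" extends inspection to sessions the router itself starts.
ip inspect name OUTBOUND tcp router-traffic
ip inspect name OUTBOUND udp router-traffic
ip inspect name OUTBOUND icmp
!
interface FastEthernet4
 ip access-group 102 in
 ip inspect OUTBOUND out
!
! --- 3. Checks after applying ---------------------------------------------
! show ip nat translations   -> the two static entries for 192.168.1.3
! show access-lists 102      -> match counter on the "eq www" line climbs
!                               when an outside client connects
! show ip inspect sessions   -> one entry per outbound session in flight
! show logging               -> the "deny ip any any log" line records
!                               anything else that knocks on Fa4
! Then test in two hops: a browser on the Linksys LAN to 192.168.1.3 proves
! the server answers; "telnet QQQ.QQQ.QQQ.QQQ 80" from outside proves the
! translation and the Linksys forward together.
```

Apply it from the console rather than over the WAN: the moment `no access-list 102` runs, an applied-but-absent ACL permits everything until the new lines are entered. The closing `deny ip any any log` is what makes unexpected inbound attempts visible in `show logging`, which the posted ACL's `permit ip any any` never would.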