BooSTid
asked on
Cisco 1811 NAT'ing SSL connection
I'm trying to set up a Cisco 1811 for a client with an extremely simplistic network topology and a very straightforward config. However for some reason I'm failing miserably.
They originally had an IP cop doing all of their routing and firewall services, with port forwarding enabled for 443 to their web server.
I'm trying to emulate that on an 1811.
I've used what I believe to be the correct nat statement:
ip nat inside source static tcp 10.10.0.1 443 interface FastEthernet0 443
This was not working. Originally, even with that statement in place, it would process HTTPS requests as if I were trying to access Cisco SDM over HTTPS. I then removed the https server and http secure-server statements, and now it doesn't seem to do anything with the request.
I've used portforward.com's web tool to try and verify port forwarding and connectivity; it would work when I had it NAT'd to my computer, and then would fail when I removed or changed the NAT statement, indicating that it is indeed NAT'ing correctly.
The web server is on a Server 2000 machine, so there is no Windows Firewall or really any other device in the way other than a switch. All connectivity is verified, and I am able to hit the site internally. I've posted the config; don't mind the ACLs too much, I was monkeying with them in an attempt to cause an effect. I've put their IP Cop back in place so that they're in production, but I need to wrap this up ASAP. Please help!
Building configuration...
Current configuration : 4303 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname PIEI_1811
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
no aaa new-model
!
resource policy
!
!
!
no ip cef
!
!
no ip domain lookup
ip domain name piei.local
ip name-server 208.77.63.162
ip name-server 208.77.63.163
!
!
crypto pki trustpoint TP-self-signed-535423446
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-535423446
revocation-check none
rsakeypair TP-self-signed-535423446
!
!
crypto pki certificate chain TP-self-signed-535423446
certificate self-signed 01
3082024A 308201B3 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 35333534 32333434 36301E17 0D303931 30323130 31323131
355A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F
532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3533 35343233
34343630 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100
AD088505 273FE0E9 9070C8EE 921B9598 54D79ED2 6CAA939D B44AD2AF DBAE1AED
8BDF023C EEAA1CB1 0F4869A6 6B8AC44A 99C20554 C0DDDC84 1AC88D78 3233F7FB
AE3E98F5 C8EF2889 5EA8414D EB0AA1DE BF8DD621 FB054CA5 DA75337B F9F80C38
A9009ADC A7E1D19B 351907F0 2E00B677 8DA263F9 76C3EAE0 C5147BA2 E4B4331B
02030100 01A37430 72300F06 03551D13 0101FF04 05300301 01FF301F 0603551D
11041830 16821450 4945495F 31383131 2E706965 692E6C6F 63616C30 1F060355
1D230418 30168014 287DC414 FCAFFC2D 9776042D B98FB842 67B0878B 301D0603
551D0E04 16041428 7DC414FC AFFC2D97 76042DB9 8FB84267 B0878B30 0D06092A
864886F7 0D010104 05000381 81001DB2 44637B84 544A68FE DDC902E3 EEE5B783
C50B92FC 92BABAEB 7931CB2F D4FD7367 D8CC2291 146D3C6E 0E306B80 0AEAE6EA
078458FB D08D02F4 178D8F72 D4A296D1 DB9ABAB3 F30E8B1B A0E4B3B2 4C03AF71
4A80B6A7 70DADC5F 6C446008 5030F2ED 3DB5B5F7 3D93E934 5DE9E6F0 D76942FD
A8351FF6 251A2AA0 15490DF3 91CC
quit
username **** privilege 15 secret 5 *********
!
!
!
!
!
!
interface FastEthernet0
description $ETH-WAN$
ip address 208.77.58.100 255.255.255.0
ip nat outside
ip virtual-reassembly
speed 100
half-duplex
!
interface FastEthernet1
description $ETH-LAN$
ip address 10.10.0.10 255.255.255.0
ip access-group 10 in
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet2
description Main Network
spanning-tree portfast
!
interface FastEthernet3
description Main Network
!
interface FastEthernet4
description Main Network
!
interface FastEthernet5
description Main Network
!
interface FastEthernet6
description Main Network
!
interface FastEthernet7
description Main Network
!
interface FastEthernet8
description Main Network
!
interface FastEthernet9
description Main Network
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-FE 2$$ES_LAN$
no ip address
ip nat inside
ip virtual-reassembly
!
interface Async1
no ip address
encapsulation slip
!
ip default-gateway 208.77.58.97
ip route 0.0.0.0 0.0.0.0 208.77.58.97
!
!
no ip http server
no ip http secure-server
ip nat inside source list 3 interface FastEthernet0 overload
ip nat inside source static tcp 10.10.0.1 8833 interface FastEthernet0 8833
ip nat inside source static tcp 10.10.0.1 80 interface FastEthernet0 80
ip nat inside source static tcp 10.10.0.1 443 interface FastEthernet0 443
!
access-list 2 remark SDM_ACL Category=2
access-list 2 permit 10.10.0.0 0.0.0.255
access-list 3 permit 10.10.0.0 0.0.0.255
access-list 10 permit any
access-list 101 permit ip any any
access-list 105 permit ip any any
access-list 105 permit ip host 10.10.0.1 host 208.77.58.100
access-list 105 permit tcp host 10.10.0.1 host 208.77.58.100 eq 443
access-list 105 permit tcp any host 10.10.0.1 eq 443
!
!
!
!
!
!
control-plane
!
banner exec ^CO U^C
banner login ^Co Unauthorized Access
^C
!
line con 0
login local
line 1
modem InOut
stopbits 1
speed 115200
flowcontrol hardware
line aux 0
line vty 0 4
privilege level 15
password *****
login
transport input telnet
!
!
webvpn context Default_context
ssl authenticate verify all
!
no inservice
!
!
!
no inservice
!
end
Configure the vlan1 interface as your LAN interface; all these FA interfaces are layer 2 interfaces, and they need a VLAN interface in order to route traffic.
Sorry, fa0 and fa1 are WAN ports on the 1811, so you have to hook your LAN on the remaining switch ports.
Also, normally you do not want to disable ip cef.
When you have more time you can add more features.
http://cisco.com/en/US/docs/routers/access/1800/1801/software/configuration/guide/1800sg.pdf
ASKER
I actually had it on the switchports where it didn't work, and then moved it to fa1 to see if it made a difference. It didn't.
Remove the "IP Default-gateway" statement, just use the "IP route" statement.
Also remove the "ip nat inside" statement from vlan1. You're telling the built-in switch to nat to itself.
Also, clear the arp table (clear arp), and try it again, you'll be golden. --TX
ASKER
I'll give that a shot tonight!
You do need ip nat inside on your vlan1 interface, otherwise NATting will not be possible.
ASKER
I really don't think that having both a default gateway and a default route will cause the issues I'm having. And mitrushi is right, you definitely need ip nat inside on the VLAN.
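The layout the thread converges on (LAN cabled to the built-in switch ports with Vlan1 as the routed inside interface, ip cef left enabled, a single default route, the static 443 forward unchanged), written out as an added example configuration. It is not the asker's config and not any respondent's; the addresses are taken from the posted config, and treating FastEthernet1 as an unused second WAN port that can be shut down is an assumption.

```cisco
! Added example, not the posted config: minimal corrected LAN/NAT layout
! for the 1811. Assumptions: public address 208.77.58.100/24 with next hop
! 208.77.58.97 (from the posted config), web server at 10.10.0.1, LAN
! cabled to the switch ports FastEthernet2-9 rather than to FastEthernet1.
!
! Leave Cisco Express Forwarding on; NAT and ACL processing expect it.
ip cef
!
interface FastEthernet0
 description $ETH-WAN$
 ip address 208.77.58.100 255.255.255.0
 ip nat outside
 ip virtual-reassembly
!
! Second routed WAN port, not used for the LAN in this design (assumption).
interface FastEthernet1
 description unused WAN port
 no ip address
 shutdown
!
! FastEthernet2-9 are layer 2 switch ports: they carry VLAN 1 and get no
! IP address or NAT role of their own.
interface range FastEthernet2 - 9
 description Main Network
 switchport access vlan 1
 spanning-tree portfast
!
! The routed LAN interface. The IP address and "ip nat inside" live here,
! not on the physical switch ports.
interface Vlan1
 description Main Network
 ip address 10.10.0.10 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
! One default route. "ip default-gateway" only applies when IP routing is
! disabled, so it is dropped rather than kept alongside the static route.
no ip default-gateway
ip route 0.0.0.0 0.0.0.0 208.77.58.97
!
! Dynamic PAT for outbound LAN traffic.
access-list 3 permit 10.10.0.0 0.0.0.255
ip nat inside source list 3 interface FastEthernet0 overload
!
! Static forwards to the web server; the 443 entry is the one at issue. The
! translation is keyed on the inside/outside marking, not on a particular
! inside interface, so it works unchanged once Vlan1 is the inside interface.
ip nat inside source static tcp 10.10.0.1 443 interface FastEthernet0 443
ip nat inside source static tcp 10.10.0.1 80 interface FastEthernet0 80
```

To confirm the fix, check that Vlan1 shows up/up in `show ip interface brief` (with no address it never becomes a routed interface), then have an outside client connect to port 443 and look for the 10.10.0.1:443 entry in `show ip nat translations`; `debug ip nat` on the console shows each translation as it is created if the entry does not appear.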