Need Help with NAT issue
15 years 7 months ago #30027
by itspec
Need Help with NAT issue was created by itspec
Hi All
I have an 871w with a cable modem connection to the outside. I then have fa0 connected to a switch that has my webserver and a few other computers on it. The problem I am having is trying to lock down the router a little better. Right now I am using the ip nat statement:
ip nat inside source static 192.168.1.11 interface FastEthernet4
which works for outside connections to my webserver, but everything coming from the outside goes to it also. The problem comes in when I use a statement like:
ip nat inside source static tcp 192.168.1.11 80 interface FastEthernet4 80
Then I cannot access the website from inside the network, although from the outside it is fine. I would appreciate any help on this.
15 years 7 months ago #30032
by S0lo
Studying CCNP...
Ammar Muqaddas
Forum Moderator
www.firewall.cx
Replied by S0lo on topic Re: Need Help with NAT issue
It's a bit strange since your inside traffic should obviously be passing through the internal switch and should not pass by the router at all. Can you post your 871w config? You can mask out any private info like passwords or public IPs.
15 years 7 months ago #30033
by itspec
Replied by itspec on topic Thanks For Looking
First let me explain a little better. I can get to the web site if I type in the browser http://<IpAddress>, but when I do that the website comes up with no formatting at all, meaning colors etc. If I try to access it using www.xxxxx.com then the log on for the router itself comes up instead of the website, yet if you type in www.zzzzz.com from outside the network you get the normal site as it should be. Before I had the router setup I just had a Linksys and I could get to the site no problem from within the network using www.xxxxxx.com. On the Linksys I had the port forwarding setup for port 80 and others like normal. Following is my config. Thanks again for looking.
!
version 12.4
no service pad
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
no service password-encryption
service sequence-numbers
!
hostname EWG
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
logging buffered 20480
!
no aaa new-model
clock timezone PCTime -5
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
!
crypto pki trustpoint TP-self-signed-3363123035
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3363123035
revocation-check none
rsakeypair TP-self-signed-3363123035
!
!
crypto pki certificate chain TP-self-signed-3363123035
certificate self-signed 01
30820248 308201B1 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 33333633 31323330 3335301E 170D3039 30343130 31393537
33315A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 33363331
32333033 3530819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100C9A2 BFC3CF36 04877DFD 9373FDBF E19DCFF7 1C4A930D 847572DF DAF47D2F
E11B7419 153D4F48 65298329 111B377C 895D95AC 3781307D E39394E9 10B3D8C4
E8574AC3 E72169A6 4B9C440D 0E67A5BF AE67E85F 247A62AC 51E3E8C9 52165086
E181B022 B7E24AB3 9D4EC08A B7EF9707 B2570257 F7D2071F EABE8FAD B2240C8F
71610203 010001A3 70306E30 0F060355 1D130101 FF040530 030101FF 301B0603
551D1104 14301282 10455747 2E697068 6F746F7A 7A2E636F 6D301F06 03551D23
04183016 8014637F 9E71ECD6 AA007575 FFF5F090 3052C87E A34F301D 0603551D
0E041604 14637F9E 71ECD6AA 007575FF F5F09030 52C87EA3 4F300D06 092A8648
86F70D01 01040500 03818100 B9287B8C 8E0BDED5 CF0ED3DB DF8662A3 A28028B5
175B188F 15E324A9 2AD8C7E7 D920FE2F 5315FFD9 534740A5 5FC9E627 C0193E01
9B5B3782 471F68C2 3049697C E3466E7F 09FF446D 31BA2AA9 2ECD0FAD 41759FAD
FA3A180C 1DDDDB86 EB623DF1 E27CB8EB E58D7FC1 D1ED8C4E F426E877 68065998
5B40FA32 124B0B89 4BC50032
quit
dot11 syslog
!
dot11 ssid Iphotozz
vlan 10
authentication open
authentication key-management wpa
guest-mode
wpa-psk ascii 0 XXXXXXX
!
ip source-route
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1 192.168.1.99
ip dhcp excluded-address 192.168.2.1 192.168.2.99
!
ip dhcp pool sdm-pool
import all
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
lease 0 2
!
ip dhcp pool wireless
import all
network 192.168.2.0 255.255.255.0
default-router 192.168.2.1
lease 0 2
!
!
ip cef
ip name-server 65.24.7.10
ip name-server 65.24.7.11
ip name-server 64.27.166.100
ip name-server 216.219.76.10
ip ddns update method sdm_ddns1
HTTP
add cgi.tzo.com/webclient/signedon.html?TZON...p;IPAddress=<a> ;
remove cgi.tzo.com/webclient/signedon.html?TZON...p;IPAddress=<a> ;
interval maximum 0 0 25 0
interval minimum 0 0 15 0
!
ntp server 128.2.1.20 source FastEthernet4
!
!
!
!
username kz8dzp privilege 15 secret 5 $1$CG5L$QB.Fx1fP.QH2OCdsCnh.k0
!
!
!
archive
log config
hidekeys
!
!
!
bridge irb
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
description $ETH-WAN$
ip ddns update hostname Iphotozz.com
ip ddns update sdm_ddns1
ip address dhcp
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface Dot11Radio0
no ip address
no dot11 extension aironet
!
encryption vlan 10 mode ciphers tkip
!
ssid Iphotozz
!
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
channel 2412
station-role root
no cdp enable
!
interface Dot11Radio0.10
encapsulation dot1Q 10
no cdp enable
bridge-group 10
bridge-group 10 subscriber-loop-control
bridge-group 10 spanning-disabled
bridge-group 10 block-unknown-source
no bridge-group 10 source-learning
no bridge-group 10 unicast-flooding
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
!
interface Vlan10
description Wireless Network
no ip address
ip nat inside
ip virtual-reassembly
bridge-group 10
bridge-group 10 spanning-disabled
!
interface BVI10
description Bridge to Internal Network
ip address 192.168.2.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip dns server
ip nat inside source list MyNat interface FastEthernet4 overload
ip nat inside source static 192.168.1.11 interface FastEthernet4
!
ip access-list extended MyNat
permit ip 192.168.1.0 0.0.0.255 any
permit ip 192.168.2.0 0.0.0.255 any
!
!
!
!
!
control-plane
!
bridge 10 route ip
!
line con 0
login local
no modem enable
line aux 0
line vty 0 4
exec-timeout 30 0
privilege level 15
login local
transport input ssh
!
scheduler max-task-time 5000
end
15 years 7 months ago #30035
by S0lo
Replied by S0lo on topic Re: Need Help with NAT issue
Hmm, since it's working from outside and resolves to the router's login screen from inside, it proves that there is no DNS resolution problem.
Your router's web interface probably uses port 80, which is why your inside is redirected to it. Try changing the port of your router's web interface (login screen), like this:
[code:1]ip http port 81[/code:1]
If the above doesn't work, then what happens if you remove these lines:
[code:1]ip http server
ip http secure-server
[/code:1]
This should disable the router's web interface.
Regarding that http://<IpAddress> scrambled page, I have no idea what's that :?
15 years 7 months ago #30037
by itspec
Replied by itspec on topic Re: Need Help with NAT issue
This is strange. I tried the things you suggested and what happens is this. If I remove
ip nat inside source static 192.168.1.11 interface FastEthernet4
and put in
no ip nat inside source static tcp 192.168.1.11 80 interface FastEthernet4 80
no ip nat inside source static tcp 192.168.1.11 443 interface FastEthernet4 443
then change the port for http on the router, I cannot get to the website from within the network using www.xxxxxx.com. In fact, nothing at all will come up, and of course not the router log on either, with the exception that I can still go to the internet. If I try 192.xxx.xxx.xxx my website comes up with all the colors and formatting, but I cannot go anywhere within the website, since all of the links within the website reference www.xxxxx.com. Before, the website would come up with no colors or formatting.
But yet again everything is as it should be from the outside coming in. I also tried removing the router http server and secure server with the same results. I am at a total loss.
15 years 7 months ago #30046
by S0lo
Replied by S0lo on topic Re: Need Help with NAT issue
It seems that this is a common issue with Cisco routers that does not have a straightforward solution. Check here:
www.dslreports.com/forum/r22167381-Acces...-behind-cisco-router
What makes me scratch my head is how it is working from inside when you use:
ip nat inside source static 192.168.1.11 interface FastEthernet4
and still not working for a port forward!
Anyway, the link/discussion above suggests installing an inside/local DNS server to map www.xxxxx.com to the inside IP 192.xxx.xxx.xxx of the server instead of the external IP. It should work if done well. And you could configure the router itself to be the DNS server.
Anyone else who has another idea? Be my guest.
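One way to carry out the split DNS that S0lo suggests on the 871w itself, as an added example that is not part of the original thread and not the poster's config: the router answers www.xxxxx.com with the server's inside address for LAN clients, hands itself out as the DHCP resolver, keeps only ports 80 and 443 forwarded, and refuses DNS queries arriving on the WAN side. The name www.xxxxx.com and the address 192.168.1.11 are the placeholders from the thread; WAN-IN is an assumed access-list name.

```cisco
! Added example, not the poster's config: split-horizon DNS on the 871w.
! www.xxxxx.com and 192.168.1.11 are the placeholder name and server
! address from the thread; WAN-IN is an assumed access-list name.
!
! The router answers from its host table first and forwards everything
! else to the upstream servers already set with ip name-server.
ip dns server
ip host www.xxxxx.com 192.168.1.11
!
! Hand the router out as resolver instead of importing the ISP's servers,
! so inside clients resolve the public name to the inside address and
! never need to hairpin through NAT.
ip dhcp pool sdm-pool
 no import all
 network 192.168.1.0 255.255.255.0
 default-router 192.168.1.1
 dns-server 192.168.1.1
 lease 0 2
!
ip dhcp pool wireless
 no import all
 network 192.168.2.0 255.255.255.0
 default-router 192.168.2.1
 dns-server 192.168.2.1
 lease 0 2
!
! Move the router's own web UI off port 80 and expose only the server's
! web ports; drop the all-ports static mapping that forwarded everything.
ip http port 81
no ip nat inside source static 192.168.1.11 interface FastEthernet4
ip nat inside source static tcp 192.168.1.11 80 interface FastEthernet4 80
ip nat inside source static tcp 192.168.1.11 443 interface FastEthernet4 443
!
! ip dns server also listens on the WAN interface; drop DNS queries from
! the outside so the router cannot be used as an open resolver. The final
! permit keeps the rest of the inbound behaviour as it is today.
ip access-list extended WAN-IN
 deny udp any any eq domain
 deny tcp any any eq domain
 permit ip any any
!
interface FastEthernet4
 ip access-group WAN-IN in
```

After applying it, an inside client should resolve www.xxxxx.com to 192.168.1.11 and reach the site directly across the switch, while outside clients still arrive through the two port forwards.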