about a web service via wan

fffrrr

Technical User
Feb 18, 2009
24
MX
This is the scenario:


LAN

Server
(using IIS service)
[/WebFileAsp] <------------> ( Router ) <---------> INTERNET

private IP 10.10.10.2 public IP 200.1.2.3


I want to enter through port 80 using the public IP (200.1.2.3) to a page (/WebFileAsp) on a server (10.10.10.2). I've entered the following command on the router to enable the NAT:

# ip nat inside source static tcp 10.10.10.2 80 200.1.2.3 80 extendable

But I think it is not enough. I mean, from the LAN, if I enter the URL " I can see and access the service, but if I enter from outside the LAN the URL " I can't; I mean, the browser doesn't find the page.

Here is my doubt. How can I enable access to this specific page from the Internet?
I'll appreciate a lot the support. Thanks.
 
Do you have an access-list applied to your outside interface?? I know that your diagram shows that there is no firewall involved, but maybe there is??

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
Yes, I have a firewall implemented on the network, but at this moment it is shut down, just to make this test.
 
Do you have any ACLs on the interface of the router??

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
I don't think so. In fact, I can currently access another web service via WAN through another public IP using the following line:

# ip nat inside source static tcp 10.10.10.1 80 200.1.2.4 80 extendable

What do you think?
 
Can you post a scrubbed config of the router??

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
I think you need this part of the config:


ip nat inside source route-map NONAT interface FastEthernet0/0 overload
ip nat inside source static tcp 10.10.10.2 80 200.1.2.3 80 extendable
ip nat inside source static tcp 10.10.10.1 80 200.1.2.4 80 extendable
!
ip access-list standard REDISTRIBUTION
deny 0.0.0.0
permit any
!
ip access-list extended PHONELIST
permit ip any 10.20.14.0 0.0.0.31
ip access-list extended REMOTEVPN
permit ip 192.168.3.0 0.0.0.255 10.10.14.0 0.0.0.31
permit ip 10.10.0.0 0.0.63.255 10.10.14.0 0.0.0.31
permit ip 10.20.0.0 0.0.63.255 10.10.14.0 0.0.0.31
permit ip 192.168.21.0 0.0.0.255 10.10.14.0 0.0.0.31
permit ip 192.168.33.0 0.0.0.255 10.10.14.0 0.0.0.31
ip access-list extended TO_INET
deny ip 10.10.0.0 0.0.63.255 10.10.14.0 0.0.0.31
deny ip 10.20.0.0 0.0.63.255 10.10.14.0 0.0.0.31
deny ip 10.20.0.0 0.0.63.255 10.20.14.0 0.0.0.31
deny ip 192.168.3.0 0.0.0.255 any
deny ip 10.10.0.0 0.0.63.255 192.168.21.0 0.0.0.255
deny ip 10.20.0.0 0.0.63.255 192.168.33.0 0.0.0.255
permit ip 10.10.1.0 0.0.0.255 any
permit ip 10.20.1.128 0.0.0.127 any
ip access-list extended TO_INTERNET
permit ip 10.10.1.0 0.0.0.255 any
permit ip 10.20.1.0 0.0.0.255 any
permit ip 10.2.1.0 0.0.0.255 any
 
the whole config:


Building configuration...

Current configuration : 6571 bytes
!
!
interface FastEthernet0/0
description *** INTERFACE A INTERNET **
ip address 200.1.2.4 255.255.255.240
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
description TRUNK_SWITCH
no ip address
duplex auto
speed auto
!
interface FastEthernet0/1.10
description *** VLAN DATA USERS ***
encapsulation dot1Q 10
ip address 10.10.1.10 255.255.255.128
ip nat inside
ip virtual-reassembly
!
interface FastEthernet0/1.11
description *** VLAN DATA SERVERS ***
encapsulation dot1Q 11
ip address 10.10.1.90 255.255.255.192
ip nat inside
ip virtual-reassembly
!
interface FastEthernet0/1.20
description *** VLAN VOICE USERS ***
encapsulation dot1Q 20
ip address 10.20.1.10 255.255.255.128
ip nat inside
ip virtual-reassembly
!
interface FastEthernet0/1.21
description VLAN *** VOICESERVERS ***
encapsulation dot1Q 21
ip address 10.20.1.90 255.255.255.192
ip nat inside
ip virtual-reassembly
!
interface Serial0/0/0
no ip address
shutdown
clock rate 2000000
!
interface Serial0/0/1
no ip address
shutdown
clock rate 2000000
!
!
ip route profile
ip route 0.0.0.0 0.0.0.0 200.1.2.4
!
ip nat inside source route-map NONAT interface FastEthernet0/0 overload
ip nat inside source static tcp 10.10.10.2 80 200.1.2.3 80 extendable
ip nat inside source static tcp 10.10.10.1 80 200.1.2.4 80 extendable
!
ip access-list standard REDISTRIBUTION
deny 0.0.0.0
permit any
!
ip access-list extended PHONELIST
permit ip any 10.20.14.0 0.0.0.31
ip access-list extended REMOTEVPN
permit ip 192.168.3.0 0.0.0.255 10.10.14.0 0.0.0.31
permit ip 10.10.0.0 0.0.63.255 10.10.14.0 0.0.0.31
permit ip 10.20.0.0 0.0.63.255 10.10.14.0 0.0.0.31
permit ip 192.168.21.0 0.0.0.255 10.10.14.0 0.0.0.31
permit ip 192.168.33.0 0.0.0.255 10.10.14.0 0.0.0.31
ip access-list extended TO_INET
deny ip 10.10.0.0 0.0.63.255 10.10.14.0 0.0.0.31
deny ip 10.20.0.0 0.0.63.255 10.10.14.0 0.0.0.31
deny ip 10.20.0.0 0.0.63.255 10.20.14.0 0.0.0.31
deny ip 192.168.3.0 0.0.0.255 any
deny ip 10.10.0.0 0.0.63.255 192.168.21.0 0.0.0.255
deny ip 10.20.0.0 0.0.63.255 192.168.33.0 0.0.0.255
permit ip 10.10.1.0 0.0.0.255 any
permit ip 10.20.1.128 0.0.0.127 any
ip access-list extended TO_INTERNET
permit ip 10.10.1.0 0.0.0.255 any
permit ip 10.20.1.0 0.0.0.255 any
permit ip 10.2.1.0 0.0.0.255 any
!
!
route-map NONAT permit 10
match ip address TO_INET
!
!
!
!
control-plane
!
!
!
line con 0
logging synchronous
line aux 0
line vty 0 4
transport input telnet
!
scheduler allocate 20000 1000
end
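
A consistency check over the configuration posted above, as an added example that is not part of the thread: it tests whether each static NAT inside-local address sits on a subnet directly connected to an `ip nat inside` interface, and whether the default route's next hop is one of the router's own addresses. It assumes only connected subnets are reachable, since no other routes appear in the posted text; the function name `audit` and the finding labels are the example's own.

```python
import ipaddress

# Constructed excerpt: interface, default-route and static NAT lines copied
# from the configuration posted above (flat, as the forum rendered it).
CONFIG = """\
interface FastEthernet0/0
ip address 200.1.2.4 255.255.255.240
ip nat outside
interface FastEthernet0/1.10
ip address 10.10.1.10 255.255.255.128
ip nat inside
interface FastEthernet0/1.11
ip address 10.10.1.90 255.255.255.192
ip nat inside
interface FastEthernet0/1.20
ip address 10.20.1.10 255.255.255.128
ip nat inside
interface FastEthernet0/1.21
ip address 10.20.1.90 255.255.255.192
ip nat inside
ip route 0.0.0.0 0.0.0.0 200.1.2.4
ip nat inside source static tcp 10.10.10.2 80 200.1.2.3 80 extendable
ip nat inside source static tcp 10.10.10.1 80 200.1.2.4 80 extendable
"""

def audit(config):
    """Return (finding, address) pairs for the static NAT and default route."""
    inside, own, locals_, hops, cur = [], set(), [], [], None
    for words in (line.split() for line in config.splitlines()):
        if words[:1] == ["interface"]:
            cur = None                      # new interface block, no address yet
        elif words[:2] == ["ip", "address"] and len(words) == 4:
            cur = ipaddress.ip_interface(f"{words[2]}/{words[3]}")
            own.add(cur.ip)
        elif words == ["ip", "nat", "inside"] and cur is not None:
            inside.append(cur.network)      # subnet connected on the inside
        elif words[:3] == ["ip", "route", "0.0.0.0"] and len(words) >= 5:
            hops.append(ipaddress.ip_address(words[4]))
        elif words[:5] == ["ip", "nat", "inside", "source", "static"] and len(words) >= 9:
            locals_.append(ipaddress.ip_address(words[6]))  # static tcp <local> ...
    findings = [("inside-local-not-connected", str(a)) for a in locals_
                if not any(a in net for net in inside)]
    findings += [("default-route-points-at-self", str(h)) for h in hops if h in own]
    return findings

if __name__ == "__main__":
    for kind, addr in audit(CONFIG):
        print(f"{kind}: {addr}")
```

The config was requested in scrubbed form, so a finding may reflect rewritten addresses rather than the running router; a route learned from a routing protocol would also clear the first finding.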

 