
Can't reach DMZ web server from Internet


SeekingTruth (Technical User), Jul 29, 2012
I have a simple setup with a Cisco 881W, but I am really struggling to get a web server in the DMZ to work. There are 4 VLANs: Guest (for wireless guests), Internal for internal users, a DMZ and a Management VLAN. One interface (Fa4) is connected to the cable modem with one address (the config is using Dynamic DNS to maintain this, and I think it is working OK since I can ping the site name and it returns the Fa4 IP address).

I have set up NAT Virtual Interfaces so that clients in every VLAN can reach the Internet, which works fine. The problem is I can't seem to get clients on the Internet to reach a web server in the DMZ. There is an ACL statement in the router config which I thought would do this ("ip nat source static tcp 10.0.0.11 80 interface FastEthernet4 80"), but somehow it is not working. The strange thing is that anyone on the Internal or Management VLANs can easily reach it at
Anyone have any clues what might be going on?


The scrubbed "show run" is below:

Router#sho run
Building configuration...

Current configuration : 5881 bytes
!
! Last configuration change at 17:29:19 UTC Sun Jul 29 2012
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
logging buffered 10000
enable password XXXXXX
!
no aaa new-model
service-module wlan-ap 0 bootimage unified
!
crypto pki trustpoint TP-self-signed-769551153
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-769551153
revocation-check none
rsakeypair TP-self-signed-769551153
!
!
crypto pki certificate chain TP-self-signed-769551153
certificate self-signed 01
3082023C 308201A5 A0030201 02020101 300D0609 2A864886 F70D0101 06750030
30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 37363935 35313135 33301E17 0D313230 37323931 34313031
345A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F
532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3736 39353531
31353330 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100
ABDFE95A 6E96F46A F68E3F70 617FE91B F0D7410C FB360486 887AD27A 11C42B83
830B74C1 CB7C3B84 A17CA789 A869A652 64E8EAE1 8239D2EC CC9000ED E41E2CC7
B62EFA7A 4D04DBB2 CFF6F3B8 F514C846 33FFF5B6 6A1197C5 B4DD41A3 CD79136A
ACAE0FEA F6E1DA25 6F4CC77F F447D057 75B4C760 8EF78F73 CACB20A4 319848D1
02030100 01A36630 64300F06 03551D13 0101FF04 05300301 01FF3011 0603551D
11040A30 08820652 6F757465 72301F06 03551D23 04183016 80140D75 93F5A176
AA5A7031 8C44E7E8 E6E11049 5F80301D 0603551D 0E041604 140D7593 F5A176AA
5A70318C 44E7E8E6 E110495F 80300D06 092A8648 86F70D01 01040500 03818100
2FDC14B0 5025C0D5 406DDE45 9DA58F8B 34E9F7D4 615BAD97 84CC3411 B47BFF49
DC2387EC DD0BC859 2B48AD89 3EF4FF96 9334DFCF 493F3B36 FA902942 80BE6C98
41E9935A AFE9996E 31C64203 837FC871 3D086B3C D349628A 8E2935AE 54B5F1F2
B6C7A2A4 4EF9B57E 5334976B 7DDDAC47 0BD2E1E7 DCC619BA 23F48B95 F28C1138
quit
ip source-route
!
!
ip dhcp excluded-address 172.16.1.1 172.16.1.50
ip dhcp excluded-address 192.168.1.1 192.168.1.50
ip dhcp excluded-address 192.168.0.1 192.168.0.50
ip dhcp excluded-address 10.0.0.1 10.0.0.50
!
ip dhcp pool Internal
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 8.8.8.8
!
ip dhcp pool Guest
network 172.16.1.0 255.255.255.0
default-router 172.16.1.1
dns-server 8.8.8.8
!
ip dhcp pool Management
network 192.168.0.0 255.255.255.0
default-router 192.168.0.1
dns-server 8.8.8.8
option 43 hex f104.c0a8.000a
!
ip dhcp pool DMZ
network 10.0.0.0 255.255.255.0
default-router 10.0.0.1
dns-server 8.8.8.8
!
!
ip cef
ip ddns update method myupdate
HTTP
add interval maximum 1 0 0 0
!
!
no ipv6 cef
!
multilink bundle-name authenticated
!
!
vtp domain cisco
vtp mode transparent
username admin privilege 15 password 0 password
!
!
!
archive
log config
hidekeys
!
!
vlan 2-4
!
!
!
!
interface FastEthernet0
description Port to DMZ Computer
switchport access vlan 4
!
interface FastEthernet1
description Port in Management VLAN
!
interface FastEthernet2
description Port in Management VLAN
!
interface FastEthernet3
description Trunk Port to Switch
switchport mode trunk
!
interface FastEthernet4
description WAN port to Internet
ip ddns update foo.no-ip.biz
ip ddns update myupdate host 10.0.0.11
ip address dhcp
ip nat enable
ip virtual-reassembly
duplex auto
speed auto
!
interface wlan-ap0
description Service module interface to manage the embedded AP
no ip address
arp timeout 0
!
interface Wlan-GigabitEthernet0
description Internal switch interface connecting to the embedded AP
!
interface Vlan1
description Management VLAN
ip address 192.168.0.1 255.255.255.0
no ip redirects
ip nat enable
ip virtual-reassembly
!
interface Vlan2
description Internal VLAN
ip address 192.168.1.1 255.255.255.0
no ip redirects
ip nat enable
ip virtual-reassembly
!
interface Vlan3
description Guest VLAN
ip address 172.16.1.1 255.255.255.0
no ip redirects
ip nat enable
ip virtual-reassembly
!
interface Vlan4
description DMZ VLAN
ip address 10.0.0.1 255.255.255.0
ip access-group 102 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat enable
ip virtual-reassembly
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
no ip nat service sip udp port 5060
ip nat source list 1 interface FastEthernet4 overload
ip nat source static tcp 10.0.0.11 80 interface FastEthernet4 80
!
no logging trap
access-list 1 permit 10.0.0.0 0.0.0.255
access-list 1 remark ACL necessary for all internal nets to NAT overload
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit 172.16.1.0 0.0.0.255
access-list 101 remark ACL to block Guest to anywhere but Internet
access-list 101 deny ip 172.16.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 101 deny ip 172.16.1.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 deny ip 172.16.1.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 101 permit ip 172.16.1.0 0.0.0.255 any
access-list 102 remark ACL to block DMZ to anywhere but Internet
access-list 102 deny ip 10.0.0.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 102 deny ip 10.0.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 102 deny ip 10.0.0.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 102 permit ip 10.0.0.0 0.0.0.255 any
!
!
!
!
!
control-plane
!
!
line con 0
no modem enable
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
line vty 0 4
access-class 99 in
privilege level 15
password Jara1pa$$
login local
transport input telnet ssh
!
scheduler max-task-time 5000
ntp master
ntp update-calendar
end

Router#
 
Hi,

I think that you should state which interface is inside (Fa0 -> 3) and outside (Fa4), and use ip nat inside commands.

Cheers,

y/
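The classic inside/outside form of the posted NAT configuration, written out as an added example (it is not from the original thread). It keeps the poster's addresses, interface names and access-list 1 exactly as posted, and assumes only that 10.0.0.11 is the web server, as the static entry implies:

```cisco
! Added example: convert the posted NVI configuration ("ip nat enable" on
! every interface) to classic NAT with explicit inside/outside domains.
! Addresses, interface names and access-list 1 are taken from the posted
! config; nothing else is assumed.
!
! 1. Drop the NVI translation rules and any live translations first. IOS
!    will not accept "ip nat inside" on an interface that still has
!    "ip nat enable", and may refuse to remove a rule with active entries.
clear ip nat translation *
no ip nat source static tcp 10.0.0.11 80 interface FastEthernet4 80
no ip nat source list 1 interface FastEthernet4 overload
!
! 2. Replace the domainless flag with a domain on each interface.
interface FastEthernet4
 description WAN port to Internet
 no ip nat enable
 ip nat outside
!
interface Vlan1
 description Management VLAN
 no ip nat enable
 ip nat inside
!
interface Vlan2
 description Internal VLAN
 no ip nat enable
 ip nat inside
!
interface Vlan3
 description Guest VLAN
 no ip nat enable
 ip nat inside
!
interface Vlan4
 description DMZ VLAN
 no ip nat enable
 ip nat inside
!
! 3. Re-add the two rules in classic form. The overload rule still uses
!    the poster's access-list 1; the static rule forwards WAN TCP/80 to
!    the DMZ web server and takes precedence over the dynamic pool.
ip nat inside source list 1 interface FastEthernet4 overload
ip nat inside source static tcp 10.0.0.11 80 interface FastEthernet4 80
!
! 4. Verify. The static entry is listed immediately; dynamic entries
!    appear only after an inside host sends traffic.
!    Router# show ip nat translations
!    Pro Inside global       Inside local     Outside local   Outside global
!    tcp <Fa4 address>:80    10.0.0.11:80     ---             ---
```

Two caveats a practitioner would want here. First, with classic NAT, traffic between two inside interfaces (Internal or Management to the DMZ) is routed without translation, so internal users keep using 10.0.0.11 directly; the public address on Fa4 is not reachable from inside without extra hairpin NAT, which this example does not add. Second, the posted `line vty 0 4` stanza applies `access-class 99 in`, but no access-list 99 is defined anywhere in the posted config, and on IOS an access-class that names a nonexistent list filters nothing; define that list (or remove the reference) and consider `transport input ssh` instead of `telnet ssh` before exposing the router's WAN side.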
 
Well, I finally got this working (and thanks for the assistance). I went back to not using NAT Virtual Interfaces, instead using plain old NAT inside and NAT outside statements, but that isn't what actually fixed it.

It turns out that the base level Internet access I had blocks many ports, including port 80. During the troubleshooting I had even suspected this and changed my web server port to 8080, but that didn't work either.

The big clue occurred later when I happened to change the port to 8001. While it initially seemed like the web page was not loading, when I happened to check the screen (more than a minute later) the page was partially loaded!

What I believe was happening was the ISP was not only outright blocking the common server port numbers, but is also severely throttling lots of (all?) other ports. But they never actually state this practice anywhere.

Once I called the ISP and upgraded to their next level of service everything started working beautifully, right on port 80.
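A way to tell "the router is not translating" apart from "the ISP is not delivering the packets" before paying for an upgrade, as an added example that is not part of the thread. It uses the poster's interface names and the classic NAT form; access-list 110 is an assumed number that does not appear in the posted config, and the ports 80 and 8001 are the ones the poster tried:

```cisco
! Added example (not from the thread): count what actually arrives on the
! WAN interface for the published ports. Access-list 110 is an assumed,
! otherwise unused number. The final "permit ip any any" means this list
! blocks nothing; it exists only for its hit counters.
access-list 110 remark Counters only - does not filter anything
access-list 110 permit tcp any any eq 80 log
access-list 110 permit tcp any any eq 8001 log
access-list 110 permit ip any any
!
interface FastEthernet4
 description WAN port to Internet
 ip access-group 110 in
!
! From a host on the Internet, open http://<ddns-name>/ (and :8001), then:
!
!   Router# show access-lists 110
!   Extended IP access list 110
!       10 permit tcp any any eq www log (0 matches)
!       20 permit tcp any any eq 8001 log (0 matches)
!       30 permit ip any any (1543 matches)
!
! Zero matches on line 10 while a client is connecting means the SYNs never
! reached Fa4: the drop is upstream (ISP), and no NAT change will fix it.
! A counter that climbs slowly while the page trickles in points at rate
! limiting rather than a block.
!
! Matches on line 10 but no page means the packets arrived and the router
! (NAT, ACL 102 on Vlan4, or the server) is the problem; check translations:
!
!   Router# show ip nat statistics
!   Router# show ip nat translations | include 10.0.0.11
!
! The "log" keyword also emits one syslog line per new flow (rate-limited
! by IOS) into the buffered log configured in the posted config:
!
!   Router# show logging | include list 110
!
! Remove the list when done; logged ACL matches cost CPU on small routers.
interface FastEthernet4
 no ip access-group 110 in
no access-list 110
```

The point of the counters is that they sit before NAT on the inbound path, so they answer the one question the poster could not answer from the router alone: whether the ISP ever handed the packets over.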
 
Thanks for the feedback, nice to hear some good news :)
 