cisco 837, web server problem

Adams65

Technical User
Aug 17, 2009
25
AU
I am not sure that this is the correct forum for this question.

I have a Cisco 837 router accepting the ADSL, then I have an 8-port hub hanging off one of the four Ethernet ports in the Cisco 837.
Off the hub I have a 2wire wireless modem configured in bridge mode to allow 3 wireless laptops internet access.
4 PCs also connect to the hub.
All systems have access to the internet at present.

Currently I think the Cisco 837 is handling DHCP, as all of my systems have an IP address within the range 10.0.0.0 to 10.0.0.10. My Cisco router is 10.0.0.111 and my wireless access (2wire) device is 10.0.0.138.

What I am trying to do is assign a static IP to my Linux web server and isolate it as a public facing system.
So with Ubuntu server and Apache, PHP and MySQL installed and operating, I have configured everything to the point at which I think it should work, but ...

When I enter my external static IP into a browser I get my Cisco router admin page popping up.

Could anyone help me with the final stages of my configuration?

I have obviously done or not done something simple.

In theory I figure what I need to do is set the web server's internal IP address as static (which I have tried to do), but then the router needs to be reconfigured and that's where I am stumped. Maybe it's port forwarding?



 
Yes---

Say the Ubuntu is at 10.0.0.16, and the router's public interface is dialer0...not sure what DNS is, but if it is a web server at port 80...

router(config)#ip nat inside source static tcp 10.0.0.16 80 interface dialer0 80

Post a config if this example does not work---fill in the IP addresses and port number with your own info.

/

tim@tim-laptop ~ $ sudo apt-get install windows
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Couldn't find package windows...Thank Goodness!
 
Hi and thanks again for replying

I'm going to include a few files from my ubuntu system in the hopes that you will see where I have gone wrong.
I know the solution is staring straight at me.

I still get my router admin when I type my static IP 121.223.214.219, and if everything was configured properly, shouldn't I be getting the HTML file in my root?

And when I type http://localhost or http:// locally in a browser I get the "It Works!" Apache HTML confirmation page (so I know Apache is set up right).

When you try to access it from another machine on a separate internet connection... nothing.

Here's my interfaces file from Ubuntu:

auto lo
iface lo inet loopback

auto etho
iface eth0 inet static
address 10.0.0.6
netmask 255.255.255.0
network 10.0.0.0
broadcast 10.0.0.255
gateway 10.0.0.111

Host file from ubuntu:
121.223.214.219 127.0.0.1 localhost
127.0.0.1 attackinfo
10.0.0.6 attackinfo.com.au

And here's my current router configuration (sh run):


Current configuration : 3307 bytes
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
logging queue-limit 100
logging buffered 51200 warnings
enable secret 5 $1$oZul$p8Hdf3HomjaYl8moQVVX/.
!
username xxxx privilege 15 password 0 xxxxxxxx
ip subnet-zero
ip name-server 61.9.194.49
ip name-server 61.9.134.49
ip dhcp excluded-address 10.0.0.111
!
ip dhcp pool dpool
network 10.0.0.0 255.255.255.0
default-router 10.0.0.111
dns-server 61.9.194.49 61.9.134.49
!
!
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
ip audit notify log
ip audit po max-events 100
no ftp-server write-enable
!
!
!
!
!
!
!
interface Ethernet0
description $FW_INSIDE$
ip address 10.0.0.111 255.255.255.0
ip access-group 100 in
ip nat inside
hold-queue 100 out
!
interface ATM0
no ip address
no atm ilmi-keepalive
pvc 8/35
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
dsl operating-mode auto
!
interface Dialer1
description $FW_OUTSIDE$
ip address 121.223.214.219 255.255.255.0
ip access-group 101 in
ip nat outside
ip inspect SDM_LOW out
encapsulation ppp
dialer pool 1
ppp chap hostname attack@bigpond.net.au
ppp chap password 0 xxxxxxxx
ppp pap sent-username attack@bigpond.net.au password 0 xxxxxxxx
!
ip nat inside source list 1 interface Dialer1 overload
ip nat inside source static tcp 10.0.0.6 80 interface Dialer1 80
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip http server
ip http authentication local
ip http secure-server
!
access-list 1 permit 10.0.0.0 0.0.0.255
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny ip 121.223.214.0 0.0.0.255 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit udp host 61.9.134.49 eq domain host 121.223.214.219
access-list 101 permit udp host 61.9.194.49 eq domain host 121.223.214.219
access-list 101 deny ip 10.0.0.0 0.0.0.255 any
access-list 101 permit icmp any host 121.223.214.219 echo-reply
access-list 101 permit icmp any host 121.223.214.219 time-exceeded
access-list 101 permit icmp any host 121.223.214.219 unreachable
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any log
!
line con 0
no modem enable
stopbits 1
line aux 0
stopbits 1
line vty 0 4
privilege level 15
password xxxxxx
login local
transport input telnet ssh
!
scheduler max-task-time 5000
!
end

When I had the web server set up on Windows I do remember that DNS had the same IP address as the old 2wire router, which now is just a wireless access point but still has 10.0.0.138.

Any help or suggestions you can give would be greatly appreciated.
 
I noticed a couple of things with your config, starting with the DHCP configuration. All of the devices that you have configured statically need to be excluded the same way you have the router IP address listed. This may cause duplicate addresses being given out since you used a /24 mask in your network command. Also, you have acl 101 applied to your Dialer1 interface (good idea), but you do not permit the web traffic through it. You need to add the following line for your server: access-list 101 permit tcp any host 10.0.0.6 eq 80 to allow access from outside. The nat command mentioned earlier will take care of the traffic once you permit it through the 101 acl.

CCNA, CCNP, Sec+
 
Thanks for the reply.

I still get my router admin page when I enter my static IP into a browser.

I have tried all suggestions and here is my config now.
Any other suggestions?

Thank you again for the help so far.

Current configuration : 3307 bytes
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
logging queue-limit 100
logging buffered 51200 warnings
enable secret 5 $1$oZul$p8Hdf3HomjaYl8moQVVX/.
!
username xxxx privilege 15 password 0 xxxxxxxx
ip subnet-zero
ip name-server 61.9.194.49
ip name-server 61.9.134.49
ip dhcp excluded-address 10.0.0.111
ip dhcp excluded-address 10.0.0.1
ip dhcp excluded-address 10.0.0.2
ip dhcp excluded-address 10.0.0.3
ip dhcp excluded-address 10.0.0.6
ip dhcp excluded-address 10.0.0.7
ip dhcp excluded-address 10.0.0.9
!
ip dhcp pool dpool
network 10.0.0.0 255.255.255.0
default-router 10.0.0.111
dns-server 61.9.194.49 61.9.134.49
!
!
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
ip audit notify log
ip audit po max-events 100
no ftp-server write-enable
!
!
!
!
!
!
!
interface Ethernet0
description $FW_INSIDE$
ip address 10.0.0.111 255.255.255.0
ip access-group 100 in
ip nat inside
hold-queue 100 out
!
interface ATM0
no ip address
no atm ilmi-keepalive
pvc 8/35
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
dsl operating-mode auto
!
interface Dialer1
description $FW_OUTSIDE$
ip address 121.223.214.219 255.255.255.0
ip access-group 101 in
ip nat outside
ip inspect SDM_LOW out
encapsulation ppp
dialer pool 1
ppp chap hostname attack@bigpond.net.au
ppp chap password 0 xxxxxxxx
ppp pap sent-username attack@bigpond.net.au password 0 xxxxxxxx
!
ip nat inside source list 1 interface Dialer1 overload
ip nat inside source static tcp 10.0.0.6 80 interface Dialer1 80
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip http server
ip http authentication local
ip http secure-server
!
access-list 1 permit 10.0.0.0 0.0.0.255
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny ip 121.223.214.0 0.0.0.255 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit udp host 61.9.134.49 eq domain host 121.223.214.219
access-list 101 permit udp host 61.9.194.49 eq domain host 121.223.214.219
access-list 101 deny ip 10.0.0.0 0.0.0.255 any
access-list 101 permit icmp any host 121.223.214.219 echo-reply
access-list 101 permit icmp any host 121.223.214.219 time-exceeded
access-list 101 permit icmp any host 121.223.214.219 unreachable
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any log
access-list 101 permit tcp any host 10.0.0.6 eq www
!
line con 0
no modem enable
stopbits 1
line aux 0
stopbits 1
line vty 0 4
privilege level 15
password xxxxxx
login local
transport input telnet ssh
!
scheduler max-task-time 5000
!
end
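
Added example, not part of any post in this thread: a small Python first-match evaluator run over access-list 101 as posted above. It shows that the appended "permit tcp any host 10.0.0.6 eq www" sits after "deny ip any any log" and is never reached, and that a permit placed ahead of the catch-all has to name the public address, because classic IOS checks an inbound ACL on the outside interface before NAT rewrites the destination. The client address 203.0.113.10 and all function names are constructed for illustration, and the matcher is a simplified model (protocol, wildcard addresses, eq ports and ICMP type names only).

```python
import ipaddress

# access-list 101 as posted in the thread (remark lines omitted), in order.
ACL_101 = """\
permit udp host 61.9.134.49 eq domain host 121.223.214.219
permit udp host 61.9.194.49 eq domain host 121.223.214.219
deny ip 10.0.0.0 0.0.0.255 any
permit icmp any host 121.223.214.219 echo-reply
permit icmp any host 121.223.214.219 time-exceeded
permit icmp any host 121.223.214.219 unreachable
deny ip 10.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
deny ip 127.0.0.0 0.255.255.255 any
deny ip host 255.255.255.255 any
deny ip host 0.0.0.0 any
deny ip any any log
permit tcp any host 10.0.0.6 eq www
"""
PORTS = {"www": 80, "domain": 53}  # only the port names this ACL uses

def _ip(text):
    return int(ipaddress.IPv4Address(text))

def _addr(tok):
    """Consume one address spec and return it as (base, wildcard) integers."""
    first = tok.pop(0)
    if first == "any":
        return 0, 0xFFFFFFFF
    if first == "host":
        return _ip(tok.pop(0)), 0
    return _ip(first), _ip(tok.pop(0))

def _port(tok):
    if tok[:1] != ["eq"]:  # the 'eq <port>' clause is optional
        return None
    name = tok[1]
    del tok[:2]
    return PORTS[name] if name in PORTS else int(name)

def parse(line):
    tok = line.split()
    ace = {"action": tok.pop(0), "proto": tok.pop(0)}
    ace["src"], ace["sport"] = _addr(tok), _port(tok)
    ace["dst"], ace["dport"] = _addr(tok), _port(tok)
    ace["icmp"] = tok[0] if tok and tok[0] != "log" else None
    return ace

def packet(proto, src, dst, sport=None, dport=None, icmp=None):  # a packet is a maximally specific entry
    return {"proto": proto, "src": (_ip(src), 0), "dst": (_ip(dst), 0),
            "sport": sport, "dport": dport, "icmp": icmp}

def _within(outer, inner):
    (b1, w1), (b2, w2) = outer, inner
    return (w2 & ~w1) == 0 and (b1 | w1) == (b2 | w1)

def covers(a, b):
    """True if entry a matches everything that entry or packet b describes."""
    return (a["proto"] in ("ip", b["proto"])
            and _within(a["src"], b["src"]) and _within(a["dst"], b["dst"])
            and all(a[k] in (None, b[k]) for k in ("sport", "dport", "icmp")))

def evaluate(acl_text, pkt):
    """First match wins; an ACL with no matching entry denies implicitly."""
    for n, line in enumerate(acl_text.strip().splitlines(), 1):
        if covers(parse(line), pkt):
            return line.split()[0], n
    return "deny", None

def shadowed(acl_text):
    """(entry, earlier entry) pairs where the earlier entry always matches first."""
    aces = [parse(line) for line in acl_text.strip().splitlines()]
    return [(j + 1, i + 1) for j, b in enumerate(aces)
            for i, a in enumerate(aces[:j]) if covers(a, b)]

# Constructed traffic: an Internet client requesting the public address on port 80.
# Inbound on Dialer1 the destination is still 121.223.214.219, not 10.0.0.6.
WEB_REQUEST = packet("tcp", "203.0.113.10", "121.223.214.219", 40000, 80)
FIXED_101 = ACL_101.replace(
    "deny ip any any log",
    "permit tcp any host 121.223.214.219 eq www\ndeny ip any any log")
if __name__ == "__main__":
    print(evaluate(ACL_101, WEB_REQUEST), shadowed(ACL_101), evaluate(FIXED_101, WEB_REQUEST))
```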

 
Take acl100 off of e0...

 
Thanks for your help.

Could you be a little more specific please?
I can't find acl 100 anywhere.

I know you were probably abbreviating but.. I am not sure what to remove or from where.

Interface eth0 has:
ip access-group 100 in

Is that what I should remove?

Please help!
 
Thank you greenemk as well. I followed your advice and I am sure it will have some significance later. The only thing that's happened, it seems, when I added the other systems' IPs to the excluded-address list is that the router has issued them all different IPs.

Anyway, I'm going to try and remove the line

ip access-group 100 in

from the eth0 interface because it's the closest thing I can find that fits burtsbees' advice (to take acl100 off of eth0).

Still awaiting any further advice. Thank you again.
 
Yes, that's it.

 
Thanks again everyone for the help.
Unfortunately I still have the problem.

I have looked into other possible causes, i.e. iptables is filtering inbound packets for unestablished connections (Ubuntu), or the ISP is filtering, but the router not forwarding the connection looks like the cause.

Any more help?
 
Looks like SDM has done it again---it built CBAC backwards. Remove acl 101 from the dialer interface. We'll apply CBAC properly if that works.

 
Hi burtsbees,
Thanks for your help.

Unfortunately that didn't change anything here locally,
i.e. when I enter my static IP in a browser on the server
I get the password access screens to my router's admin.

Here is my config now after all of the changes. Hope you can keep helping me!!

no ftp-server write-enable
!
!
!
!
!
!
!
interface Ethernet0
description $FW_INSIDE$
ip address 10.0.0.111 255.255.255.0
ip nat inside
hold-queue 100 out
!
interface ATM0
no ip address
no atm ilmi-keepalive
pvc 8/35
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
dsl operating-mode auto
!
interface Dialer1
description $FW_OUTSIDE$
ip address 121.223.214.219 255.255.255.0
ip nat outside
ip inspect SDM_LOW out
encapsulation ppp
dialer pool 1
ppp chap hostname attack@bigpond.net.au
ppp chap password 0 xxxxxxxx
ppp pap sent-username attack@bigpond.net.au password 0 xxxxxxxx
!
ip nat inside source list 1 interface Dialer1 overload
ip nat inside source static tcp 10.0.0.6 80 interface Dialer1 80
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip http server
ip http authentication local
ip http secure-server
!
access-list 1 permit 10.0.0.0 0.0.0.255
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny ip 121.223.214.0 0.0.0.255 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit udp host 61.9.134.49 eq domain host 121.223.214.219
access-list 101 permit udp host 61.9.194.49 eq domain host 121.223.214.219
access-list 101 deny ip 10.0.0.0 0.0.0.255 any
access-list 101 permit icmp any host 121.223.214.219 echo-reply
access-list 101 permit icmp any host 121.223.214.219 time-exceeded
access-list 101 permit icmp any host 121.223.214.219 unreachable
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any log
access-list 101 permit tcp any host 10.0.0.6 eq www
!
line con 0
no modem enable
stopbits 1
line aux 0
stopbits 1
line vty 0 4
privilege level 15
password xxxxxx
login local
transport input telnet ssh
!
scheduler max-task-time 5000
!
end


Thank you.
 
Your router is running its own HTTP...
Remove it:

no ip http server
no ip http secure-server

See if that works ...

I'm a bit confused, do you also get the router's SDM site when you type ?
 
I get:
A username and password are being requested by The site says: "level_15_access"

I enter my router password then get some web-based access to my router. It's not SDM.

When I type localhost I get "It Works!"
When I type www.attackinfo.com.au I get "It Works!"

On my last post I only posted the second half of my config by mistake, but the rest is further back in the thread anyway.

I removed the HTTP server as you suggested and now I get "failed to connect" when I go to 121.223.214.219 instead of the router password access screen.

Right now, unfortunately, I do not have the ability to test from a different internet connection, but someone else could test it and post the result...

Thanks.
I'll let you know how it went as soon as I can test it.

And burtsbees: manual CBAC? And how do I repair what SDM has done (I only used it to configure the firewall)? You said it built something backwards? Thanks for the help.

Thanks everyone.
 
As far as CBAC goes, it uses all those "ip inspect" commands, and works with any acls applied to the same interface the firewall is applied to. I have to re-read my notes, but there is an acl inbound on the INSIDE interface to where only outbound traffic is allowed back in, like the "established" keyword at the end of an acl. SDM has a tendency to confuse the user a bit sometimes and thus the CBAC firewall can get built backwards. When I return to work, I will review my notes---drawing a blank right now...

You don't use static NAT for an inside access to an inside server---it is either static NAT for outside access-in or no static NAT for inside access---it cannot work both ways like you might think. Please clarify your needs---outside access in, inside access, or both.

 
To expand, you enter the public IP from the outside, and the router will NAT it (port forward) to the proper application through the specified port. From the inside, you must use the private IP address.

 
access-list 100 permit ip 10.0.0.0 0.0.0.255 any
access-list 100 deny ip any any log

int di0
ip inspect SDM_LOW in
int e0
ip inspect SDM_LOW in

This is what Cisco would recommend. The firewall config placed the wrong acl (or a backwards one) on interface e0 without placing the ip inspect inbound on it. The way I have typed out, redoing acl100 (no access-list 100, then re-doing it), traffic on the inside is allowed out, and the firewall blocks tcp syn and syn-ack packets if CBAC has no record of the tcp session. In other words, traffic MUST initiate from the inside, and CBAC inspects the application layer and layer 4 for truly initiated TCP sessions (good ones). In the acl 101, you must specify traffic that is allowed in for servers on the inside, I.E. web servers (access-list 101 permit tcp any host x.x.x.x eq
 
Burtsbees, thanks for your help and direction. I felt like we were almost getting somewhere with configuring the router to allow external access to my webserver... don't give up on it just yet!

imbadatthis suggested I turn off the ip http server and secureserver, which I did. The router admin password access screen now does not appear when I type my public static IP as it used to. I now get "failed to connect" testing internally and "page not found" externally.

I have tried your latest suggestions but was unsure if I should be removing "access-list 100 permit ip any any", as one of your suggested config lines (access-list 100 deny ip any any log) seems to contradict it.

I left it in anyway. Here's my config now:
Current configuration : 3487 bytes
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
logging queue-limit 100
logging buffered 51200 warnings
enable secret 5 $1$oZul$p8Hdf3HomjaYl8moQVVX/.
!
username xxxx privilege 15 password 0 xxxxxx
ip subnet-zero
ip name-server 61.9.194.49
ip name-server 61.9.134.49
ip dhcp excluded-address 10.0.0.111
ip dhcp excluded-address 10.0.0.6
!
ip dhcp pool dpool
network 10.0.0.0 255.255.255.0
default-router 10.0.0.111
dns-server 61.9.194.49 61.9.134.49
!
!
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
ip audit notify log
ip audit po max-events 100
no ftp-server write-enable
!
!
!
!
!
!
!
interface Ethernet0
description $FW_INSIDE$
ip address 10.0.0.111 255.255.255.0
ip nat inside
ip inspect SDM_LOW in
hold-queue 100 out
!
interface ATM0
no ip address
no atm ilmi-keepalive
pvc 8/35
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
dsl operating-mode auto
!
interface Dialer1
description $FW_OUTSIDE$
ip address 121.223.214.219 255.255.255.0
ip nat outside
ip inspect SDM_LOW in
ip inspect SDM_LOW out
encapsulation ppp
dialer pool 1
ppp chap hostname xxxx@xxxx.xxx
ppp chap password 0 xxx
ppp pap sent-username xxxx@xxxx.xxx password 0 xxx
!
ip nat inside source list 1 interface Dialer1 overload
ip nat inside source static tcp 10.0.0.6 80 interface Dialer1 80
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
no ip http server
ip http authentication local
no ip http secure-server
!
access-list 1 permit 10.0.0.0 0.0.0.255
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny ip 121.223.214.0 0.0.0.255 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 100 permit ip 10.0.0.0 0.0.0.255 any
access-list 100 deny ip any any log
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit udp host 61.9.134.49 eq domain host 121.223.214.219
access-list 101 permit udp host 61.9.194.49 eq domain host 121.223.214.219
access-list 101 deny ip 10.0.0.0 0.0.0.255 any
access-list 101 permit icmp any host 121.223.214.219 echo-reply
access-list 101 permit icmp any host 121.223.214.219 time-exceeded
access-list 101 permit icmp any host 121.223.214.219 unreachable
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any log
access-list 101 permit tcp any host 10.0.0.6 eq www
!
line con 0
no modem enable
stopbits 1
line aux 0
stopbits 1
line vty 0 4
privilege level 15
password xxxxx
login local
transport input telnet ssh
!
scheduler max-task-time 5000
!
end


I'm not sure what else to do.
I have reloaded with this config but cannot test it externally.
I'll leave it on so you can try my static IP.

Thanks for the help.
 