Geekzone: technology news, blogs, forums
Topic # 123190 27-Jun-2013 16:24

I'm in need of a little IOS help on a problem that has me stumped on my home network.

I have a Cisco 887 ADSL modem / router / firewall.
I have the modem working fine and can get on the net.

I have several servers on the inside of my network which I need to get traffic to from the net. 4 different web servers which will each run on different ports, plus some cameras and home automation gear on some oddball ports. All in all, nothing special.

Now here is the strange part, I can port forward to some of the internal IP addresses but not others.
My internal network is 192.168.0.0/24

My 887 is on 192.168.0.3
I have webservers on 192.168.0.1, 192.168.0.2 and 192.168.0.40 on port 80.
Then 192.168.0.41 has two https sites listening on port 7443 and 8443

Now, I can set up a NAT port forward absolutely fine that goes from my dynamic internet IP address on to 192.168.0.1 port 80.
I can also change the internet listening port to 81, 8080, 7443 and 8443 and these all work fine.
This tells me the firewall is fine and there are no issues with the port ACLs.

I can also set up a forward to the web admin of the 887 (192.168.0.3) listening on port 80, or 81 etc. and that works fine also. So that's two internal addresses working fine.

However, when I change the rule to point to any one of the other servers, i.e. 192.168.0.40 or 192.168.0.2 or 192.168.0.41, it does not get through to the server. The port appears closed from the internet.

As soon as I put it back to 192.168.0.1 or 3, it works again.
I can ping both servers from the CLI on the router.
All the webservers are running inside the same virtual host on the same piece of Cat5.
It's running through a Cisco switch with nothing special in the config.

I have tried adding pretty loose NAT ACLs.
I have pretty much disabled the firewall

My full router config is here:
http://pastebin.com/SzCNQMN1

The lines of interest are here:

router rip

version 2
network 192.168.0.0
no auto-summary
!
no ip classless
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static tcp 192.168.0.2 80 interface Dialer0 7443
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip access-list extended DNS
remark CCP_ACL Category=128
permit ip any any
ip access-list extended DNS1
remark CCP_ACL Category=128
permit ip any any
ip access-list extended SDM_GRE
remark CCP_ACL Category=1
permit gre any any
ip access-list extended filter_incoming
remark CCP_ACL Category=17
permit tcp any any eq 81
permit tcp any any eq www
permit udp host 202.27.156.72 eq domain any
permit udp host 202.27.158.40 eq domain any
remark Auto generated by CCP for NTP (123) 130.123.2.98
permit udp host 130.123.2.98 eq ntp any eq ntp
remark Auto generated by CCP for NTP (123) 192.168.0.1
permit udp host 192.168.0.1 eq ntp any eq ntp
remark 7443
permit tcp any eq 7443 any eq 7443
permit ip any any
ip access-list extended terminal_access
remark CCP_ACL Category=17
permit tcp 120.136.4.96 0.0.0.15 any eq 22
permit tcp any any eq 22
deny tcp any any
!
logging esm config
logging trap debugging
access-list 1 remark CCP_ACL Category=18
access-list 1 permit 192.168.0.1
access-list 1 permit 192.168.0.2
access-list 1 permit any
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 101 remark CCP_ACL Category=0
access-list 101 permit ip any host 192.168.0.1
access-list 102 remark CCP_ACL Category=0
access-list 102 permit ip any host 192.168.0.2
no cdp run



Any suggestions on what to try next? It's had me going round and round in circles for several weeks now and I'm sure when I figure out what it is, I'll be able to get all the other bits working.
Thanks in advance.

  Reply # 846322 27-Jun-2013 17:19

Couple of things

Why do you have "no ip classless"

Also, what lines are you adding/changing? Are you modifying the access lists at the same time to do this?


  Reply # 846327 27-Jun-2013 17:32

Thanks heaps for your suggestions...

I'm using Cisco Configuration Professional, which inserts a fair amount of stuff. I'm not a command line guru but have a rough idea; still learning my way with IOS.

Just looked up no ip classless and can see how that may be an issue; will turn it off now and try.

This line works:
ip nat inside source static tcp 192.168.0.1 80 interface Dialer0 7443
so does this
ip nat inside source static tcp 192.168.0.1 80 interface Dialer0 80

But this line does not:
ip nat inside source static tcp 192.168.0.2 80 interface Dialer0 80

Just tried ip classless and still the same.
also added
ip route 192.168.0.0 255.255.255.0 Vlan1 permanent
just to make sure it wasn't a route issue.

Updated config is here:
http://pastebin.com/1XZEQwTm

  Reply # 846333 27-Jun-2013 18:04

I don't do much Cisco these days either, certainly I've never done NAT on one.  So forgive me, I'm flying a bit blind myself.  No doubt someone with some clue will come along and spot the obvious problem, but until then I'll offer a few more suggestions and we'll see what happens...

You have this policy map:

policy-map type inspect ccp-pol-outToIn
 class type inspect CCP_PPTP
  pass
 class type inspect sdm-nat-http-1
  inspect
 class type inspect sdm-nat-http-2
  pass
 class class-default
  pass


It's referenced here:

zone-pair security ccp-zp-out-zone-To-in-zone source out-zone destination in-zone
 service-policy type inspect ccp-pol-outToIn

What's interesting is you reference http twice.  Now I don't know Cisco, but I wonder if, because sdm-nat-http-1 only allows 0.1, it's getting denied there, so it never bothers to inspect it in the second stanza.  The fact this was generated by a Cisco tool probably means it's perfectly valid, but try this and see if it helps:

access-list 101 permit ip any host 192.168.0.2

  Reply # 846337 27-Jun-2013 18:21

Thanks, yes, I'm a bit the same, I've done pix firewalls before but never an all in one device with NAT.
It's insanely powerful, but somewhat confusing as there are so many layers.

I wasn't sure if I needed one rule for each but I followed your recommendation and added the entry under the first http policy map but still no go.

Now it reads:

logging esm config
logging trap debugging
access-list 1 remark CCP_ACL Category=18
access-list 1 permit 192.168.0.1
access-list 1 permit 192.168.0.2
access-list 1 permit any
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 101 remark CCP_ACL Category=0
access-list 101 permit ip any host 192.168.0.1
access-list 101 permit ip any host 192.168.0.2
access-list 102 remark CCP_ACL Category=0
access-list 102 permit ip any host 192.168.0.2
no cdp run

most of the examples I can find online are incomplete and there isn't a nice big picture guide on what you need to do to get NAT working on an 880 series.

  Reply # 846369 27-Jun-2013 19:39

Hi there,

If you want four websites available at the same time from the Internet, you must assign separate ports externally for each website (as they share the same public IP). You should map each website with a separate NAT statement also.

If you use the same external port (i.e. port 80) for different internal websites, it will hit the first rule that matches on port 80 and never "hit" the second rule.

Please PM me if you need any more information.

  Reply # 846371 27-Jun-2013 19:39

Join the geekzone chat (link up the top of the page, or if you know how to use IRC connect to irc.synirc.net channel #geekzone) and have a chat to me there. Easier than back and forth here.

  Reply # 846375 27-Jun-2013 19:45

Dinuir: Hi there,

If you want four websites available at the same time from the Internet, you must assign separate ports externally for each website (as they share the same public IP). You should map each website with a separate NAT statement also.

If you use the same external port (i.e. port 80) for different internal websites, it will hit the first rule that matches on port 80 and never "hit" the second rule.

Please PM me if you need any more information.



Hi, thanks, yes, I am aware that this will not allow both to work at the same time yet.

I'm not up to that point yet, I just want to get each one working individually on the same port before putting each one on a different port.
The problem is that only two internal addresses work when I swap where the NAT rule points and three do not.

i.e., when I point the rule to IP X it works; when I change that same rule to point to another routable address, it doesn't.

  Reply # 846426 27-Jun-2013 21:07

muppet: Join the geekzone chat (link up the top of the page, or if you know how to use IRC connect to irc.synirc.net channel #geekzone) and have a chat to me there. Easier than back and forth here.



Thanks for your help tonight guys. I've locked myself out of the router now trying to expose the management interface to the internet, so I think that's me for the night. I'll reload it tomorrow and get back to this point again and read up on the links posted.

Dinuir, if you could track down that working config, that would be brilliant. I'm sure it's something stupid and small, and if I had a working config to compare to that might make it a bit easier.

Cheers Guys, greatly appreciate your expertise!!!

  Reply # 846430 27-Jun-2013 21:12

Hi,

Can you telnet from the router to the webserver, e.g. telnet 192.168.0.40 80

Also, I always put a deny log at the end of any access lists so I can do a show log and see anything that is being blocked, e.g. access-list 102 deny ip any any log

Also can you see the NAT translations when you do a
sh ip nat trans tcp
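As an added example (not from the thread or any of its posters), here is a small Python checker for the two points raised above: Dinuir's note that only the first static NAT rule claiming an external port ever receives traffic, and the suggestion to end each ACL with a logged deny (plus a check for the blanket "permit ip any any" that makes filter_incoming pass everything). The config text it parses is a constructed excerpt modelled on the lines quoted in this thread, not the poster's full config.

```python
import re

# Constructed sample modelled on the lines quoted in this thread, not the full config.
SAMPLE_CONFIG = """\
ip nat inside source static tcp 192.168.0.1 80 interface Dialer0 80
ip nat inside source static tcp 192.168.0.2 80 interface Dialer0 80
ip nat inside source static tcp 192.168.0.41 7443 interface Dialer0 7443
ip access-list extended filter_incoming
 permit tcp any any eq www
 permit ip any any
ip access-list extended terminal_access
 permit tcp any any eq 22
 deny tcp any any log
"""

STATIC_NAT = re.compile(
    r"^ip nat inside source static (tcp|udp) (\S+) (\d+) interface (\S+) (\d+)$")
ACL_HEADER = re.compile(r"^ip access-list extended (\S+)$")

def duplicate_external_ports(config):
    """(proto, interface, external port) -> inside targets, for every external
    port claimed by more than one static rule; only the first rule ever gets traffic."""
    targets = {}
    for line in config.splitlines():
        m = STATIC_NAT.match(line.strip())
        if m:
            proto, in_ip, in_port, iface, ext_port = m.groups()
            targets.setdefault((proto, iface, int(ext_port)), []).append(f"{in_ip}:{in_port}")
    return {key: hosts for key, hosts in targets.items() if len(hosts) > 1}

def acl_review(config):
    """Per named extended ACL: does it contain a blanket 'permit ip any any'
    (policy effectively disabled), and is its last entry a logged deny?"""
    report, name = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        header = ACL_HEADER.match(line)
        if header:
            name = header.group(1)
            report[name] = {"wide_open": False, "logged_deny": False}
            continue
        if name is None or line.startswith("remark"):
            continue
        if not line.startswith(("permit", "deny")):
            name = None  # any other top-level command ends the ACL block
            continue
        report[name]["wide_open"] |= line == "permit ip any any"
        report[name]["logged_deny"] = line.startswith("deny") and line.endswith(" log")
    return report
```

Run it over a saved "show running-config" to list colliding NAT ports and ACLs that either pass everything or block silently.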

  Reply # 846785 28-Jun-2013 15:27

Hi all,

Just to report back, I have it going now.
It turned out to be a gateway issue on the destination servers, for some reason they were caching an old gateway entry. A reboot of the servers fixed it.

Many thanks for all your help with this. I'm going to try locking the config down now.

  Reply # 846787 28-Jun-2013 15:29

Excellent, good to hear! Glad you got it sorted.
