
Allowing Web Server access from the Internet using a Cisco 1760


Jimtron26

This is the first time I have used this site, so "HI ALL".

I am currently sitting my CCNA exam and have recently been tasked with setting up a Cisco 1760 router on our network to allow both internet access from the LAN and also inbound internet access to a Lotus Notes Sametime Server, which has an "instant meeting" facility that allows programme sharing etc.

We were previously using a Zyxel router which has a table for application ports. The way we allowed connection to the server from the internet was to enter the IP address of the server against port 80. This is obviously not a good idea as it leaves the network open to attack.

The goal at the moment is to get the 1760 to the same level as the Zyxel (ie using ACLs to open and close the port as needed)

The current status is that we have access to the Internet and can send/ receive emails through the 1760. The NAT is configured and ACLs set up to allow SMTP traffic on port 25.

However, when I "open" port 80 using the command access-list 100 permit tcp any any eq 80 and then ask someone external to enter the web address of the server, it prompts for the router's own access password!

This is intermittent, other times the meeting facility is accessible but when "join meeting" appears, you click the button, it opens another window but does not load.

Can anyone think of a reason for this?

The ports for Lotus Sametime are 1533 and 8081 but it uses HTTP tunnelling anyway so this traffic should come through port 80

Any suggestions would be gratefully accepted
 
Something is wrong with the way you've configured NAT. Are you giving them the external interface address of the router?

Do you have a nat entry that looks like

ip nat inside source static aaa.aaa.aaa.aaa bbb.bbb.bbb.bbb

Where the a's are the internal private address of your server, and the b's are the external address that you want the world to see? Or do you only have the external IP address that's assigned to the serial interface and you're just redirecting the ports? Can you post those bits of the config?

 
Do you have this line in the config "no ip http server"? If not, the router itself will be listening on port 80. I would guess that you have one public IP address. If you have more, you could make your access list to only permit port 80 to the one server instead of the entire LAN.
 
Thanks for the quick response.

In answer to the Travis:

The interface configured for internet access is an ATM which then uses a Dialer and Dynamic NAT. Config:

interface ATM0/0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
no atm ilmi-keepalive
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1

This then uses a dialer which is as follows:

interface dialer1
ip address <public ip address> <subnet mask>
ip access-group 122 in
no ip redirects
ip local-proxy-arp
ip nat outside
encapsulation ppp
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap callin
ppp chap hostname <username>
ppp chap password <password>

The NAT is configured as follows:
ip local pool ourpool 192.168.42.2 192.168.42.254
ip nat pool outsidepool <public ip> <public ip> netmask 255.255.255.0
ip nat inside source list 101 interface Dialer1 overload
! for email
ip nat inside source static tcp 192.168.42.18 25 interface Dialer1 25
ip nat inside source static tcp 192.168.42.1 80 <public ip> 80

The ACL configured is
access-list 122 permit tcp any any eq smtp
access-list 122 permit tcp any any eq www
access-list 122 permit icmp any any
access-list 122 deny ip any any

Sorry, I had to type that out so ignore any typos!

To Rudeboy,

I have not entered the no ip http server command. Is this set by default? We have only the one private address range.

Thanks for your help so far and quick responses


 
I believe ip http server is enabled by default. You must disable it in config mode.
 
I think you nailed it right off, rudeboy. Jimtron, try the no ip http server; if you'd like to keep the web server on, you could always move the port to 8080 or something, which would be another good test for you.
 
Thanks fellas

I'll give this a try tomorrow in work and post the results

Cheers
 
I have switched off ip http server and now get "page cannot be displayed" message when trying to access from the internet.

I have also added static nat command

ip nat inside source static tcp 192.168.42.68 (IP of web server) 80 interface Dialer1 80

This should redirect any http traffic to the internal IP address of the Web Server....
 
The last NAT translation added still does not work

Just had a thought...

I think that the NAT and fa0/0 interface are using the same ACL when they need their own

I think this could be the source of my problems

I will rewrite them and try tomorrow
 
I have changed the ACLs for NAT and fa0/0 and made amendments to static NAT translations, and the web server access is now working fine when I allow port 80 traffic.

I have noticed another problem however and that is very slow internet access and file transfer. When trying to download files it is averaging around 8kbps max whereas switching back over to the Zyxel router gives around 40kbps max, which is some improvement.

I am convinced that it is as a direct result of the changes I have made. I have a live config if needed.
 
I have enabled ip route-cache flow on the dialer interface and internet access is working fine, and downloads have increased to about 15 - 20 kbps.

ip route-cache same-interface is switched off. I have also disabled ip http server and ip http secure-server and this appears to have improved things also.

As I understand it, the ip route-cache flow command allows the interface to examine the first ip packet using access-lists. All other packets that match this one are then allowed "straight through" without being applied to the access lists.

Does anyone know if this causes a security issue?
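A config check in the spirit of the fixes found in this thread, as an added example (not the poster's config and not a Cisco tool): it scans a constructed IOS config fragment for the three pitfalls discussed above, the router's own HTTP server left enabled while port 80 is forwarded inside, one ACL doing double duty as NAT source list and interface filter, and a forwarded port that no access-list permits. The addresses, ACL numbers and interface names are constructed.

```python
import re

# Constructed sample IOS config (not the poster's own) reflecting the thread's
# original problem state: 'ip http server' left at its IOS default (enabled),
# and ACL 122 reused both as the NAT inside source list and as an access-group.
SAMPLE_CONFIG = """\
interface Dialer1
 ip address 203.0.113.10 255.255.255.0
 ip access-group 122 in
 ip nat outside
interface FastEthernet0/0
 ip address 192.168.42.1 255.255.255.0
 ip nat inside
 ip access-group 122 in
ip nat inside source list 122 interface Dialer1 overload
ip nat inside source static tcp 192.168.42.68 80 interface Dialer1 80
ip nat inside source static tcp 192.168.42.18 25 interface Dialer1 25
access-list 122 permit tcp any any eq www
access-list 122 deny ip any any
"""

PORT_NAMES = {"www": "80", "smtp": "25"}  # IOS keywords used in the thread's ACL

def audit_config(text):
    """Return a list of findings for the NAT/ACL pitfalls discussed in the thread."""
    findings = []
    lines = [l.strip() for l in text.splitlines()]
    # 1. Port 80 forwarded to an inside host while the router still listens on 80.
    forwards_80 = any(re.match(r"ip nat inside source static tcp \S+ 80 ", l) for l in lines)
    if forwards_80 and "no ip http server" not in lines:
        findings.append("port 80 is forwarded but 'ip http server' is still enabled (IOS default)")
    # 2. One ACL used both to select traffic for NAT and to filter an interface.
    nat_lists = {m.group(1) for l in lines if (m := re.match(r"ip nat inside source list (\S+)", l))}
    iface_acls = {m.group(1) for l in lines if (m := re.match(r"ip access-group (\S+) (in|out)", l))}
    for acl in sorted(nat_lists & iface_acls):
        findings.append(f"ACL {acl} is used both as a NAT source list and as an interface filter")
    # 3. Every statically forwarded port needs an explicit permit, or the final deny eats it.
    permitted = set()
    for l in lines:
        if m := re.match(r"access-list \d+ permit tcp any any eq (\S+)", l):
            permitted.add(PORT_NAMES.get(m.group(1), m.group(1)))
    for l in lines:
        if m := re.match(r"ip nat inside source static tcp \S+ (\d+) ", l):
            if m.group(1) not in permitted:
                findings.append(f"forwarded port {m.group(1)} is not permitted by any access-list")
    return findings
```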
 