Cisco 1720; Dynamic IP; and Port Forwarding Question

Status
Not open for further replies.

jafo18301

I am a newbie at router configurations. The following is the running-config from my Cisco router. I have a dynamic IP from an ISP that I would like to route port 80 to a specific private IP address. I'm running the firewall and NAT on the router. I thought I had configured it correctly but when I try to hit the webserver by the public IP address, I still get the page cannot be displayed error on my browser. Can someone tell me what I am doing wrong?

Thanks in advance,

Jafo


Current configuration : 3413 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname
!
enable password !
memory-size iomem 25
ip subnet-zero
!
!
no ip domain-lookup
ip dhcp excluded-address 10.x.x.1 10.x.x.101
!
ip dhcp pool 1
network 10.x.x.x 255.255.255.0
default-router 10.x.x.1
dns-server xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx

!
ip inspect max-incomplete high 1100
ip inspect one-minute high 1100
ip inspect name FastEthernet_0 tcp
ip inspect name FastEthernet_0 udp
ip inspect name FastEthernet_0 cuseeme
ip inspect name FastEthernet_0 ftp
ip inspect name FastEthernet_0 h323
ip inspect name FastEthernet_0 rcmd
ip inspect name FastEthernet_0 realaudio
ip inspect name FastEthernet_0 smtp
ip inspect name FastEthernet_0 streamworks
ip inspect name FastEthernet_0 vdolive
ip inspect name FastEthernet_0 sqlnet
ip inspect name FastEthernet_0 tftp
ip audit notify log
ip audit po max-events 100
ip ssh time-out 120
ip ssh authentication-retries 3
vpdn enable
!
vpdn-group pppoe
request-dialin
protocol pppoe
!
!
!
!
!
interface Ethernet0
description connected to Internet
no ip address
no keepalive
half-duplex
pppoe enable
pppoe-client dial-pool-number 1
!
interface FastEthernet0
description connected to EthernetLAN
ip address 10.x.x.1 255.255.255.0
ip access-group 103 in
ip nat inside
ip inspect FastEthernet_0 in
ip tcp adjust-mss 1452
speed auto
!
interface Dialer1
description connected to Internet
ip address negotiated
ip access-group 104 in
ip mtu 1492
ip nat outside
encapsulation ppp
dialer pool 1
dialer-group 2
ppp authentication chap pap callin
ppp chap hostname xxxxxxx
ppp chap password
ppp pap sent-username xxxxxxxx password
!
router rip
version 2
passive-interface Dialer1
network 10.0.0.0
no auto-summary
!
ip nat inside source list 2 interface Dialer1 overload
ip nat inside source static tcp 10.x.x.100 80 interface Ethernet0 80
ip classless

ip route 0.0.0.0 0.0.0.0 Dialer1
no ip http server
ip pim bidir-enable
!
!
access-list 1 permit 10.x.x.0 0.0.0.255
access-list 2 permit 10.x.x.0 0.0.0.255
access-list 100 permit ip any any
access-list 101 deny ip any any
access-list 102 permit udp any eq rip any eq rip
access-list 102 permit tcp host 10.x.x.100 any eq www
access-list 102 permit ip host 10.x.x.100 any
access-list 102 permit tcp host 10.x.x.101 any eq www
access-list 102 permit ip host 10.x.x.101 any
access-list 102 permit tcp any any eq 7070
access-list 102 permit udp any any eq bootpc
access-list 102 permit udp any any eq bootps
access-list 102 permit tcp any any range 7648 7649
access-list 102 permit udp any any eq domain
access-list 102 permit tcp any any eq finger
access-list 102 permit tcp any any range ftp-data ftp
access-list 102 permit tcp any any eq 1720
access-list 102 permit tcp any any eq www
access-list 102 permit tcp any any eq 144
access-list 102 permit udp any any eq 2049
access-list 102 permit tcp any any eq 2049
access-list 102 permit udp any gt 1023 any
access-list 102 permit tcp any gt 1023 any
access-list 102 permit tcp any any eq nntp
access-list 103 permit ip any any
access-list 104 deny ip any any
dialer-list 2 protocol ip permit
!
snmp-server community public RO
!
line con 0
exec-timeout 0 0
password
login
line aux 0
line vty 0 4
password
login
!
end

 
access-list 104 deny ip any any

The above access-list is blocking all traffic from your Dialer1 interface. You need to add an entry for permitting access to your web server. Remember access-lists are applied from top to bottom, so you must permit access to the webserver before you deny ip any any.

access-list 104 permit tcp any any eq 80
access-list 104 deny ip any any (implicitly put there by Cisco, but you can manually add it as well)

Also, I see access-list 102 isn't applied anywhere.
 
rudeboy,
Thanks for the response. I changed my access-list to the following:

Dialer1:
ip access-group 101 in

FastEthernet0:
ip access-group 100 in

access-list 1 permit 10.1.1.0 0.0.0.255
access-list 100 permit ip any any
access-list 101 permit tcp any any eq www
access-list 101 deny ip any any


Now what happens is that I cannot access the internet. Even though I open up the router (firewall), I still can't hit my webserver. I tried to simplify the config file to what it is now below.

What am I doing wrong? I thought I had it figured out but something is just not right. Thanks again for the help and sorry about the newbie questions.


service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname cisco1720
!
enable password xxxxx
!
memory-size iomem 25
ip subnet-zero
!
!
no ip domain-lookup
ip dhcp excluded-address 10.x.x.1 10.x.x.100
!
ip dhcp pool 1
network 10.x.x.0 255.255.255.0
default-router 10.x.x.1
dns-server xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
!
ip audit notify log
ip audit po max-events 100
ip ssh time-out 120
ip ssh authentication-retries 3
vpdn enable
!
vpdn-group pppoe
request-dialin
protocol pppoe
ip mtu adjust
!
!
!
!
!
interface Ethernet0
description connected to Internet
no ip address
no keepalive
half-duplex
pppoe enable
pppoe-client dial-pool-number 1
!
interface FastEthernet0
description connected to EthernetLAN
ip address 10.x.x.1 255.255.255.0
ip access-group 100 in
ip nat inside
ip tcp adjust-mss 1452
speed auto
!
interface Dialer1
description connected to Internet
ip address negotiated
ip access-group 101 in
ip mtu 1492
ip nat outside
encapsulation ppp
dialer pool 1
dialer-group 2
ppp authentication chap pap callin
ppp chap hostname xxxxx
ppp chap password xxxxx
ppp pap sent-username xxxxx password xxxxx
!
router rip
version 2
passive-interface Dialer1
network 10.0.0.0
no auto-summary
!
ip nat inside source list 1 interface Dialer1 overload
ip nat inside source static tcp 10.x.x.100 80 interface Dialer1 80
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
no ip http server
ip pim bidir-enable
!
!
access-list 1 permit 10.x.x.0 0.0.0.255
access-list 100 permit ip any any
access-list 101 permit tcp any any eq www
access-list 101 deny ip any any
dialer-list 2 protocol ip permit
!
snmp-server community public RO
!
line con 0
exec-timeout 0 0
password xxxxx
login
!
no scheduler allocate
end
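
Added example (not part of any post in this thread): a simplified Python model of top-to-bottom, first-match ACL evaluation, run against the inbound Dialer1 lists quoted above. The packet samples and the deny-first ordering are constructed for illustration, and the model assumes source "any" and matches only protocol and destination port; it shows that access-list 101 admits inbound port 80 but has no entry matching replies to LAN-initiated connections, which arrive with a high destination port.

```python
# Added illustration: first-match evaluation of the thread's extended ACLs.
# Simplified model (assumption): source is always "any"; only the protocol
# and an optional "eq <port>" on the destination are matched.
PORTS = {"www": 80}

ACL_104_ORIGINAL = "access-list 104 deny ip any any"
ACL_101_REVISED = """
access-list 101 permit tcp any any eq www
access-list 101 deny ip any any
"""
# Constructed ordering, to show why the permit has to come first.
ACL_DENY_FIRST = """
access-list 104 deny ip any any
access-list 104 permit tcp any any eq 80
"""

# Constructed packets arriving inbound on Dialer1: (protocol, destination port).
PACKETS = {
    "inbound_http_to_server": ("tcp", 80),
    "reply_to_lan_browser": ("tcp", 49152),   # source port 80, high dest port
    "dns_reply_to_lan_host": ("udp", 49153),  # source port 53, high dest port
}

def parse_acl(text):
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        dport = None
        if "eq" in tok:
            name = tok[tok.index("eq") + 1]
            dport = PORTS.get(name) or int(name)
        rules.append((tok[2], tok[3], dport))  # (action, protocol, dest port)
    return rules

def evaluate(rules, proto, dport):
    """Return the action of the first matching rule, top to bottom."""
    for action, r_proto, r_dport in rules:
        if r_proto in ("ip", proto) and r_dport in (None, dport):
            return action
    return "deny"  # implicit deny at the end of every ACL

def verdicts(acl_text):
    rules = parse_acl(acl_text)
    return {name: evaluate(rules, *pkt) for name, pkt in PACKETS.items()}

if __name__ == "__main__":
    for label in ("ACL_104_ORIGINAL", "ACL_101_REVISED", "ACL_DENY_FIRST"):
        print(label, verdicts(globals()[label]))
```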
 