Cisco 800 series remote management issue

Status
Not open for further replies.

TrojanSquirrel

Technical User
Apr 1, 2003
110
GB
Hi,

I have a Cisco 800 series with 20 PCs running behind it and one Cobalt RaQ 4 server. I have set up the PAT on the router and the RaQ is running nicely, hosting a couple of sites as a backup for our main servers off site.

The only trouble is that I need to have the remote management set up to access from the WAN side and on the LAN side still have the sites display. Currently on the LAN side I get the router GUI.

I'm not a Cisco guru, so any help would be much appreciated!




Regards,

Rob

sig1.gif
 
Do you want to simply access the GUI of the router from the WAN, or do you want to set up a VPN?
Nice .gif by your signature---ha ha. I like the gory stuff myself.

Burt
 
Hi Burt,

What I need to do (I think!) is to change the default port for the GUI on the Cisco so that it can be accessed from the LAN and WAN side on a specific port, and therefore have the sites on the Cobalt display from either side as well (FYI: the DNS for the sites on the Cobalt is at another data center).

At the moment I can telnet into the Cisco from the WAN and port 80 is PAT'd to the Cobalt, so externally all is exactly as I want... All OK there!

From the LAN side I get the router login screen when I point my browser to the sites on the Cobalt... Not what I want!


Regards,

Rob

 
Post a running config...I see now---I thought you were saying you want to access the router mgmt screen, but what you want and are not getting is the server mgmt screen, from the LAN. You think it may be an issue of the internal address pointing, or PAT'd, the wrong way. Right? Please post a "sh run" from the router.

Burt
 
OK, I've been reading my posts back to myself and now even I'm confused! This is what I'm getting with the current setup through IE:

From WAN (remote machine via VNC):

1: <router ip> - Routes to the :444 cobalt login
2: <router ip:80> - Routes to the :444 cobalt login
3: <router ip:8888> - Unable to display page (this port is the port I assigned for the router http server and I presume it is firewalled still)
4: <domain hosted on cobalt> - Resolves to router ip and displays website from cobalt.

From LAN:

1: <router ip> - Unable to display page (no http server on standard port I presume)
2: <router ip:80> - Unable to display page (as above)
3: <router ip:8888> - Loads Cisco web setup page. Checks IOS and then fails with unable to communicate (router firewall again I presume).
4: <domain hosted on cobalt> - Unable to display page.

What I need to achieve is for the domains hosted on the Cobalt on the LAN side to display from the LAN as they do from outside, and for the GUI web setup to be accessed from the WAN side.

I presume that, as port 80 is PAT'd to the Cobalt, to access the web setup from the WAN it needs to be on a different port, so I changed that to :8888.

But I still don't understand why the sites don't show on the LAN side.

Regards,

Rob

 
Building configuration...

Current configuration : 5439 bytes
!
version 12.4
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname surfers
!
boot-start-marker
boot-end-marker
!
no logging buffered
enable secret 5 _________________________________
!
no aaa new-model
!
resource policy
!
!
!
ip dhcp excluded-address 10.10.10.107
ip dhcp excluded-address 10.10.10.104
ip dhcp excluded-address 10.10.10.103
ip dhcp excluded-address 10.10.10.102
ip dhcp excluded-address 10.10.10.101
ip dhcp excluded-address 10.10.10.80
ip dhcp excluded-address 10.10.10.66
!
!
ip cef
ip name-server 195.62.200.6
ip name-server 212.57.232.6
ip flow-cache timeout active 1
ip inspect name myfw cuseeme timeout 3600
ip inspect name myfw ftp timeout 3600
ip inspect name myfw rcmd timeout 3600
ip inspect name myfw realaudio timeout 3600
ip inspect name myfw smtp timeout 3600
ip inspect name myfw tftp timeout 30
ip inspect name myfw udp timeout 15
ip inspect name myfw tcp timeout 3600
ip inspect name myfw h323 timeout 3600
!
!
!
username Router password 7 __________________________________
username ___________ privilege 15 password 7 ________________________________________
username CRWS_Venky privilege 15 password 7 _________________________________________
!
!
!
!
!
interface Ethernet0
bandwidth 10000
ip address 10.10.10.1 255.255.255.0
ip access-group 122 out
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly
ip route-cache flow
no ip mroute-cache
hold-queue 100 out
!
interface Ethernet2
no ip address
shutdown
hold-queue 100 out
!
interface ATM0
bandwidth 8000
no ip address
ip flow ingress
ip flow egress
ip route-cache flow
no ip mroute-cache
atm vc-per-vp 64
no atm ilmi-keepalive
dsl operating-mode auto
hold-queue 224 in
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface FastEthernet1
duplex auto
speed auto
!
interface FastEthernet2
duplex auto
speed auto
!
interface FastEthernet3
duplex auto
speed auto
!
interface FastEthernet4
duplex auto
speed auto
!
interface Dialer1
bandwidth 896
ip address negotiated
ip access-group 111 in
ip flow ingress
ip flow egress
ip nat outside
ip inspect myfw out
ip virtual-reassembly
encapsulation ppp
ip route-cache flow
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname ____________________
ppp chap password 7 ______________________
ppp pap sent-username ____________________ password 7 ______________________
!
ip route 0.0.0.0 0.0.0.0 Dialer1
!
ip http server
ip http port 8888
no ip http secure-server
ip flow-export source Ethernet0
ip flow-export version 5
ip flow-export destination 10.10.10.2 9996
!
ip nat inside source list 102 interface Dialer1 overload
ip nat inside source static tcp 10.10.10.66 5003 interface Dialer1 5003
ip nat inside source static tcp 10.10.10.80 5800 interface Dialer1 5800
ip nat inside source static tcp 10.10.10.80 5900 interface Dialer1 5900
ip nat inside source static tcp 10.10.10.101 101 interface Dialer1 101
ip nat inside source static tcp 10.10.10.102 102 interface Dialer1 102
ip nat inside source static tcp 10.10.10.103 103 interface Dialer1 103
ip nat inside source static tcp 10.10.10.104 104 interface Dialer1 104
ip nat inside source static tcp 10.10.10.107 444 interface Dialer1 444
ip nat inside source static tcp 10.10.10.107 80 interface Dialer1 80
ip nat inside source static tcp 10.10.10.107 21 interface Dialer1 21
ip nat inside source static tcp 10.10.10.107 110 interface Dialer1 110
ip nat inside source static tcp 10.10.10.107 25 interface Dialer1 25
!
access-list 102 permit ip 10.10.10.0 0.0.0.255 any
access-list 111 permit tcp any any eq smtp
access-list 111 permit tcp any any eq pop3
access-list 111 permit tcp any any eq ftp
access-list 111 permit tcp any any eq www
access-list 111 permit tcp any any eq 444
access-list 111 permit tcp any any eq 104
access-list 111 permit tcp any any eq 103
access-list 111 permit tcp any any eq 102
access-list 111 permit tcp any any eq hostname
access-list 111 permit tcp any any eq 5900
access-list 111 permit tcp any any eq 5800
access-list 111 permit tcp any any eq 5003
access-list 111 permit tcp any any eq telnet
access-list 111 permit icmp any any administratively-prohibited
access-list 111 permit icmp any any echo
access-list 111 permit icmp any any echo-reply
access-list 111 permit icmp any any packet-too-big
access-list 111 permit icmp any any time-exceeded
access-list 111 permit icmp any any traceroute
access-list 111 permit icmp any any unreachable
access-list 111 permit udp any eq bootps any eq bootpc
access-list 111 permit udp any eq bootps any eq bootps
access-list 111 permit udp any eq domain any
access-list 111 permit esp any any
access-list 111 permit udp any any eq isakmp
access-list 111 permit udp any any eq 10000
access-list 111 permit tcp any any eq 1723
access-list 111 permit tcp any any eq 139
access-list 111 permit udp any any eq netbios-ns
access-list 111 permit udp any any eq netbios-dgm
access-list 111 permit gre any any
access-list 111 deny ip any any
access-list 122 deny tcp any any eq telnet
access-list 122 permit ip any any
dialer-list 1 protocol ip permit
snmp-server community public RO
snmp-server ifindex persist
!
!
control-plane
!
!
line con 0
exec-timeout 120 0
no modem enable
stopbits 1
line aux 0
line vty 0 4
exec-timeout 120 0
login local
length 0
!
scheduler max-task-time 5000
end


Regards,

Rob

 
So if I understand you correctly...

Internally your LAN clients do a DNS lookup on the DNS name of the Cobalt server, which is a public external IP;
then your clients will try to access that page via the external IP.

This of course breaks with your NAT because the clients are internal.

A couple of solutions would be:

a: use an internal DNS server to map to the internal IP...
b: modify the hosts file on the client machines to use the internal IP and have no need to go through the router...


If you type in the IP address on your dialer:8888 from the WAN I don't see why you shouldn't see the webpage as you do internally. There are no NAT statements for that port, so it should try to access it on the router itself.
Just a little thing... are you typing http:// before the IP?

You will probably want to put an access-list on for access to the HTTP server too...

Here is a link to help

 
Pretty much, yes.

The LAN clients do a DNS lookup for the domains on the Cobalt via our DNS servers at another location, which point back to the public IP of the router that has port 80 PAT'd to the Cobalt server 2m behind me! It's driving me nuts!!!!

As for the HTTP server on the Cisco router... ARGH! I have changed it back to port 80 and I can now access the web setup from outside. The upshot of this is that all the internal clients now go to the web setup when the URL of a site on the Cobalt server is entered. I just don't see why changing the default HTTP server port to 8888 caused such a problem... Could the Cisco have firewalled itself? I did a port scan and it reported that 8888 was an open port.

Regards,

Rob

 
That cartoon is on the server that is the issue!

I guess that proves that DNS is not the issue right?

Thanks for all your help so far, and I will look into your link tomorrow and post back (GMT here)

Thanks again,

Regards,

Rob

 
Are you typing something like 8888 and xxx.xxx.xxx.xxx is the public IP address of the server, and 8888 is the TCP port you want to use? Also, if this is the case, to understand you correctly, are you getting a different result from the internal LAN vs. externally, and you are getting the desired result only from the outside?
CBAC is like a dynamic access list, and you PAM to address, or map, ports for the CBAC entries. An example would be
router(config)#ip port-map http 8888
Also, the acl 122 is denying all tcp traffic, or it looks like it to me. Only ip traffic is allowed---there is an implicit deny at the end. You have acl 122 deny tcp any any eq telnet, but it also denies everything else. So, delete the acl 122, rewrite it the same, and add this...
router(config)#access-list 122 permit tcp any any
The TCP traffic coming from your LAN has to hit the router and bounce off to get to the server, but only IP traffic is being allowed through. That's what I think, and I am very tired, so I could be way off.

Burt
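As an added example (not from this thread, from Rob's router, or from Cisco), here is a small Python model of the posted running config that works through the two points discussed above: which inside services a connection arriving on the WAN actually reaches once the inbound ACL 111 and the static NAT entries are applied, and how a numbered IOS access list such as ACL 122 evaluates a TCP packet under first-match rules, with the `ip` keyword matching every protocol and an implicit deny at the end. The NAT and access-list lines are a subset copied from the config Rob posted; the packets and ports tried are constructed, and only the `any any [eq port]` form used in that config is parsed. The LAN-side hairpin case from the earlier reply (a LAN client addressing the router's own public IP, which the router handles itself instead of translating back to the Cobalt, matching what Rob saw when the HTTP server was on port 80) is deliberately not modelled; it is the reason that reply suggests internal DNS or hosts-file entries.

```python
"""Model of the posted 'sh run': what the WAN can reach and how IOS ACLs evaluate.

Constructed for this thread: the NAT and access-list lines are a subset of the
config posted above, the packets are made up, and only the 'any any [eq port]'
ACL form that the posted config uses is parsed.
"""
import re
from dataclasses import dataclass
from typing import Optional

CONFIG = """
ip nat inside source static tcp 10.10.10.107 444 interface Dialer1 444
ip nat inside source static tcp 10.10.10.107 80 interface Dialer1 80
ip nat inside source static tcp 10.10.10.80 5900 interface Dialer1 5900
access-list 111 permit tcp any any eq www
access-list 111 permit tcp any any eq 444
access-list 111 permit tcp any any eq telnet
access-list 111 permit tcp any any eq 5900
access-list 111 deny ip any any
access-list 122 deny tcp any any eq telnet
access-list 122 permit ip any any
"""

# IOS port keywords that appear in the posted access lists
PORT_NAMES = {"www": 80, "telnet": 23, "smtp": 25, "pop3": 110, "ftp": 21,
              "hostname": 101, "domain": 53}


def port_number(token: str) -> int:
    return PORT_NAMES.get(token) or int(token)


@dataclass
class AclEntry:
    action: str           # "permit" or "deny"
    proto: str            # "ip", "tcp", "udp", ...
    dport: Optional[int]  # None means any destination port


ACL_RE = re.compile(r"access-list (\d+) (permit|deny) (\S+) any any(?: eq (\S+))?$")
NAT_RE = re.compile(r"ip nat inside source static (tcp|udp) (\S+) (\d+) interface \S+ (\d+)$")


def parse(config: str):
    """Return ({acl number: [entries in order]},
               {(proto, public port): (inside ip, inside port)})."""
    acls, nat = {}, {}
    for raw in config.splitlines():
        line = raw.strip()
        m = ACL_RE.match(line)
        if m:
            num, action, proto, port = m.groups()
            acls.setdefault(num, []).append(
                AclEntry(action, proto, port_number(port) if port else None))
            continue
        m = NAT_RE.match(line)
        if m:
            proto, inside_ip, inside_port, public_port = m.groups()
            nat[(proto, int(public_port))] = (inside_ip, int(inside_port))
    return acls, nat


def acl_check(entries, proto: str, dport: int) -> str:
    """First matching entry wins; 'ip' matches every protocol, and a list with
    no match ends in IOS's implicit 'deny ip any any'."""
    for e in entries:
        if (e.proto == "ip" or e.proto == proto) and (e.dport is None or e.dport == dport):
            return e.action
    return "deny"


def from_wan(acls, nat, dport: int, proto: str = "tcp") -> str:
    """A connection arriving on Dialer1: the inbound ACL 111 is evaluated on the
    public address and port first, then the static NAT table decides whether the
    packet is forwarded to an inside host or handled by the router itself."""
    if acl_check(acls["111"], proto, dport) == "deny":
        return "dropped by acl 111"
    if (proto, dport) in nat:
        ip, port = nat[(proto, dport)]
        return f"forwarded to {ip}:{port}"
    return "handled by the router itself"


def wan_exposed_services(acls, nat):
    """Inside services reachable from the Internet: static NAT entries whose
    public port ACL 111 also permits (the audit view of the posted config)."""
    return sorted(target for (proto, pport), target in nat.items()
                  if acl_check(acls["111"], proto, pport) == "permit")


if __name__ == "__main__":
    acls, nat = parse(CONFIG)
    for port in (80, 444, 8888, 23):
        print(f"WAN -> public ip:{port:<5} {from_wan(acls, nat, port)}")
    for port in (23, 80):
        print(f"ACL 122, tcp to LAN port {port}: {acl_check(acls['122'], 'tcp', port)}")
    print("exposed from WAN:", wan_exposed_services(acls, nat))
```

Running it reproduces Rob's WAN-side observations: port 80 and 444 are forwarded to the Cobalt, port 8888 is dropped because ACL 111 has no entry for it (the router's HTTP server never sees the connection, which is what a port scan reporting it open from the LAN side does not tell you), and telnet is permitted and lands on the router's own vty lines. The `wan_exposed_services` list is the one to review whenever a new `ip nat inside source static` line is added, since every entry there is an Internet-facing service on the inside network.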
 
Thanks for all your help guys.

I finally gave in and took the server to our off site data center. It'll be much happier there anyway!

Thanks again.



Regards,

Rob

 
Can you give me a copy of that cartoon? I am at burt_bees@yahoo.com

Thanks.

Burt
 
Ha ha---that's what I was doing, saving as a gif, but it always saved it as a non-moving pic. I got it now.

Burt
 