Problems with web server behind Cisco 851W router. What am I missing?

By generatorlabs
Please please help. Thank you for looking into this problem.

This is a somewhat newb question and I am reluctant to find out how easy this fix is, but I have spent countless hours trying different config setups and I just can't seem to get it to work.

I have basically scrapped my entire configuration file and started from scratch using the TechRepublic 851/871 template.

I have a dynamic IP address for the WAN. I have a client that runs on the web server to update my DYNDNS records. No problems with address resolution.

My web server sits on the LAN side at 192.168.1.60 listening on port 80. Could someone look at this config file and tell me the correct lines I need to forward web traffic to the server?

I have tried "ip nat inside source static tcp 192.168.1.60 80 interface FA4 80" and I messed with the ACLs but no dice.

I am certain the web server is working and as a test I also switched SDM from listening on 8080 to 80 and I get a response from it when I try to access the domain via the web. I do realize that is not a secure channel for SDM credentials but I only did it as a test to see if I could get a response.

Here is my config:

no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname MyRouter
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$vUin$z8jVWcVxL3hIVSF3.P5q55
enable password 7 141B171305072528A8
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
!
aaa session-id common
!
!
!
crypto pki trustpoint TP-self-signed-1309454896
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1309454896
revocation-check none
rsakeypair TP-self-signed-1309454896
!
!
crypto pki certificate chain TP-self-signed-1309454896
certificate self-signed 01
3082024F 308201B8 A0030311 02020101 300D0609 2A864886 F70D0101
31312F30 2D060355 04031329 494F532D 53656C56 2D536967 6E65642D
C6608620 598A14DA 65E820EF 29D603FC D8703B
quit
!
dot11 ssid GenLabs
!
dot11 ssid GenLabsGuest
vlan 20
authentication open
authentication key-management wpa
wpa-psk ascii 7 0815444B3B16071806182D162F082B253A3B25
!
dot11 ssid Genlabs
vlan 1
authentication open
authentication key-management wpa
guest-mode
wpa-psk ascii 7 091D545D4B5014131818082F
!
ip dhcp excluded-address 192.168.1.1 192.168.1.99
ip dhcp excluded-address 192.168.2.1 192.168.2.99
!
ip dhcp pool Internal-Net
import all
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
domain-name MyDomain.local
lease 4
!
ip dhcp pool VLAN20
import all
network 192.168.2.0 255.255.255.0
default-router 192.168.2.1
domain-name MyDomain.local
lease 4
!
!
ip cef
ip inspect name MYFW tcp
ip inspect name MYFW udp
no ip domain lookup
ip domain name MyDomain.local
!
username Generatorlabs privilege 15 password 7 10420C010C141D055D
archive
log config
hidekeys
!
!
!
bridge irb
!
!
interface FastEthernet0
spanning-tree portfast
!
interface FastEthernet1
spanning-tree portfast
!
interface FastEthernet2
spanning-tree portfast
!
interface FastEthernet3
spanning-tree portfast
!
interface FastEthernet4
ip address dhcp
ip access-group Internet-inbound-ACL in
ip inspect MYFW out
ip nat outside
ip virtual-reassembly
ip tcp adjust-mss 1460
duplex auto
speed auto
no cdp enable
!
interface Dot11Radio0
no ip address
no dot11 extension aironet
!
encryption vlan 1 mode ciphers aes-ccm
!
encryption vlan 20 mode ciphers aes-ccm
!
encryption mode ciphers aes-ccm
!
ssid GenLabs
!
ssid GenLabsGuest
!
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
channel 2437
station-role root
no cdp enable
!
interface Dot11Radio0.1
encapsulation dot1Q 1 native
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Dot11Radio0.20
description Guest wireless LAN - routed WLAN
encapsulation dot1Q 20
ip address 192.168.2.1 255.255.255.0
ip access-group Guest-ACL in
ip inspect MYFW out
ip nat inside
ip virtual-reassembly
!
interface Vlan1
description Internal Network
no ip address
ip nat inside
ip virtual-reassembly
bridge-group 1
bridge-group 1 spanning-disabled
!
interface BVI1
description Bridge to Internal Network
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
ip route 0.0.0.0 0.0.0.0 dhcp
!
ip http server
ip http port 8080
ip http secure-server
ip nat inside source list 1 interface FastEthernet4 overload
!
ip access-list extended Guest-ACL
deny ip any 192.168.1.0 0.0.0.255
permit ip any any
ip access-list extended Internet-inbound-ACL
permit udp any eq bootps any eq bootpc
permit icmp any any echo
permit icmp any any echo-reply
permit icmp any any traceroute
permit gre any any
permit esp any any
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit 192.168.2.0 0.0.0.255
!
control-plane
!
bridge 1 route ip
!
line con 0
password 7 030888130F0C2E421F
no modem enable
line aux 0
line vty 0 4
password 7 07032457110A160B46
!
scheduler max-task-time 5000
end

All Answers

Access-list

by RedShift1 In reply to Problems with web server ...

You didn't allow port 80 in your "Internet-inbound-ACL" access-list; add TCP port 80 to be allowed.

The config you posted

by NetMan1958 In reply to Problems with web server ...

doesn't allow port 80 traffic inbound and does not include "ip nat inside source static tcp 192.168.1.60 80 interface FA4 80". You are going to need both of those in the config. Just out of curiosity, how does the DYNDNS client running on your web server determine the current IP on interface FA4 on your router?

My thanks to you all

by generatorlabs In reply to Problems with web server ...

I originally inserted "ip nat source static tcp 192.168.1.60 80 interface FA4 80" and got no results. The problem was my ACL. I still had to add "permit all all eq www" in order for it to work. I am assuming this is the correct way to do this. Anybody have another method?

NetMan1958, I am not exactly sure how the DYNDNS client is pulling my WAN IP address, but it probably uses the same technique used when visiting a site like www.ipchicken.com. I think I am using the Linux distro of 'ipupdate' and it is always spot on.
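
Added example, not part of any post in this thread: the mismatch the answers point out (a static NAT port forward with no matching permit in the inbound ACL on the outside interface), written as a small Python audit. It assumes the config is in `show running-config` layout with indented sub-commands and the interface name spelled out in full; the sample text is constructed from the lines posted above, and only `eq` port matches are evaluated (ACL addresses are ignored).

```python
import re

# Constructed sample: relevant lines of the posted config plus the static NAT entry.
SAMPLE = """\
interface FastEthernet4
 ip access-group Internet-inbound-ACL in
 ip nat outside
!
ip nat inside source static tcp 192.168.1.60 80 interface FastEthernet4 80
!
ip access-list extended Internet-inbound-ACL
 permit udp any eq bootps any eq bootpc
 permit gre any any
"""
PORT_NAMES = {"www": 80, "smtp": 25, "telnet": 23, "domain": 53}  # subset of IOS keywords

def _block(cfg, header):
    """Indented sub-commands that follow an exact top-level header line."""
    m = re.search(rf"^{re.escape(header)}\n((?:[ \t]+.*\n?)*)", cfg, re.M)
    return m.group(1).splitlines() if m else []

def static_forwards(cfg):
    """(proto, inside_ip, inside_port, outside_if, outside_port) for each static PAT entry."""
    pat = r"^ip nat inside source static (tcp|udp) (\S+) (\d+) interface (\S+) (\d+)"
    return [(p, ip, int(lp), ifc, int(gp)) for p, ip, lp, ifc, gp in re.findall(pat, cfg, re.M)]

def inbound_acl(cfg, ifname):
    """Name of the ACL applied inbound on ifname, or None."""
    m = re.search(r"^\s*ip access-group (\S+) in$", "\n".join(_block(cfg, f"interface {ifname}")), re.M)
    return m.group(1) if m else None

def acl_permits(cfg, acl, proto, port):
    """First-match check on protocol and 'eq' destination port only (addresses ignored)."""
    for line in _block(cfg, f"ip access-list extended {acl}"):
        m = re.match(r"\s*(permit|deny) (\S+) (.*)$", line)
        if not m or m.group(2) not in (proto, "ip"):
            continue
        eq = re.search(r"\beq (\S+)$", m.group(3).strip())
        if eq is None or PORT_NAMES.get(eq.group(1), eq.group(1)) in (port, str(port)):
            return m.group(1) == "permit"
    return False  # implicit deny at the end of every IOS ACL

def audit(cfg):
    """Static forwards that the inbound ACL on the same outside interface would drop."""
    out = []
    for proto, ip, lport, ifc, gport in static_forwards(cfg):
        acl = inbound_acl(cfg, ifc)
        if acl and not acl_permits(cfg, acl, proto, gport):
            out.append(f"{proto}/{gport} -> {ip}:{lport} blocked by {acl} on {ifc}")
    return out
```

The inbound ACL on the outside interface is evaluated before the NAT translation, so `audit` compares the ACL against the outside port (the last number on the NAT line), not the server's inside port.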
