«

Hi,

I have been trying to get my 837 onto the Internet and opening a few
ports so that the webserver can be reached from the outside world, but
for some reason no traffic will pass the NAT...

I can get onto the Internet fine, but no machine can reach the webserver
on the inside...

Can someone please take a look at my config and tell me what goes wrong
here?

Thanks,

Arnoud

PS: I know, it will need some more tuning and closing down, but I want
to get it running first...


version 12.3
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname cisco837
!
enable password XXXXXXXX
!
username XXXXXXXX privilege 15 secret 5 XXXXXXXX
username XXXXXXXX privilege 15 password 0 XXXXXXXX
clock timezone Eindhvn 1
no aaa new-model
ip subnet-zero
!
no ip domain lookup
ip ips po max-events 100
no ftp-server write-enable
!
bridge irb
!
interface Ethernet0
ip address 10.210.6.249 255.255.255.0
ip nat inside
ip virtual-reassembly
no ip route-cache
no keepalive
hold-queue 100 out
!
interface ATM0
no ip address
no ip route-cache
no atm ilmi-keepalive
dsl operating-mode auto
pvc 0 8/48
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface FastEthernet1
no ip address
duplex auto
speed auto
!
interface FastEthernet2
no ip address
duplex auto
speed auto
!
interface FastEthernet3
no ip address
duplex auto
speed auto
!
interface FastEthernet4
no ip address
duplex auto
speed auto
!
interface Dialer0
ip address negotiated
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication pap callin
ppp pap sent-username XXXXXXXX password 0 XXXXXXXX
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0 permanent
ip route 212.206.95.0 255.255.255.0 10.210.6.254
!
ip http server
ip http secure-server
!
ip nat inside source list 101 interface Dialer0 overload
ip nat inside source static tcp 10.210.6.1 22 [ext-ip] 22 extendable
no-alias
ip nat inside source static tcp 10.210.6.1 80 [ext-ip] 80 extendable
no-alias
!
access-list 101 permit ip any any
dialer-list 1 protocol ip permit
!
!
control-plane
!
!
line con 0
exec-timeout 120 0
no modem enable
transport preferred all
transport output all
stopbits 1
line aux 0
transport preferred all
transport output all
line vty 0 4
exec-timeout 120 0
login local
transport preferred all
transport input telnet ssh
transport output none
!
scheduler max-task-time 5000
sntp server 17.254.0.28
end

--
Please use my first and last name in the address & remove '.invalid'
Mijn voor- en achternaam gebruiken in het adres zonder '.invalid'

Could the "ip http server" command be causing this issue? ie is the
router attempting to intercept the incoming http request?

Regards,
Steve
www.networking-forum.com

www.networking-forum.com <> wrote:

> Could the "ip http server" command be causing this issue? ie is the
> router attempting to intercept the incoming http request?

Ah, no, I already turned that off, but I tried it with a lot of
different inbound ports as well; same problem...

Arnoud

--
Please use my first and last name in the address & remove '.invalid'
Mijn voor- en achternaam gebruiken in het adres zonder '.invalid'

I do not too much about Dialer interfaces but it looks OK, and also the
NAT. I wonder if your ISP knows the public IP that you are assigning
staticaly to the webserver with the NAT:

ip nat inside source static tcp 10.210.6.1 22 [ext-ip] 22 extendable
no-alias
ip nat inside source static tcp 10.210.6.1 80 [ext-ip] 80 extendable
no-alias

What I mean, it is if your ISP have a route to the ext-ip to your
router.

-as

"Arnoud Helmantel" <> wrote in message
news:1gx6shp.1q45ioz1nnqt86N%myFirstNam@theLastHer e.com.invalid...
> Hi,
>
> I have been trying to get my 837 onto the Internet and opening a few
> ports so that the webserver can be reached from the outside world, but
> for some reason no traffic will pass the NAT...
>
> I can get onto the Internet fine, but no machine can reach the webserver
> on the inside...
>
> Can someone please take a look at my config and tell me what goes wrong
> here?
>
> Thanks,
>
> Arnoud
>
> PS: I know, it will need some more tuning and closing down, but I want
> to get it running first...
>
>
> version 12.3
> no service pad
> service timestamps debug uptime
> service timestamps log uptime
> no service password-encryption
> !
> hostname cisco837
> !
> enable password XXXXXXXX
> !
> username XXXXXXXX privilege 15 secret 5 XXXXXXXX
> username XXXXXXXX privilege 15 password 0 XXXXXXXX
> clock timezone Eindhvn 1
> no aaa new-model
> ip subnet-zero
> !
> no ip domain lookup
> ip ips po max-events 100
> no ftp-server write-enable
> !
> bridge irb
> !
> interface Ethernet0
> ip address 10.210.6.249 255.255.255.0
> ip nat inside
> ip virtual-reassembly
> no ip route-cache
> no keepalive
> hold-queue 100 out
> !
> interface ATM0
> no ip address
> no ip route-cache
> no atm ilmi-keepalive
> dsl operating-mode auto
> pvc 0 8/48
> encapsulation aal5mux ppp dialer
> dialer pool-member 1
> !
> !
> interface FastEthernet1
> no ip address
> duplex auto
> speed auto
> !
> interface FastEthernet2
> no ip address
> duplex auto
> speed auto
> !
> interface FastEthernet3
> no ip address
> duplex auto
> speed auto
> !
> interface FastEthernet4
> no ip address
> duplex auto
> speed auto
> !
> interface Dialer0
> ip address negotiated
> ip nat outside
> ip virtual-reassembly
> encapsulation ppp
> dialer pool 1
> dialer-group 1
> ppp authentication pap callin
> ppp pap sent-username XXXXXXXX password 0 XXXXXXXX
> !
> ip classless
> ip route 0.0.0.0 0.0.0.0 Dialer0 permanent
> ip route 212.206.95.0 255.255.255.0 10.210.6.254
> !
> ip http server
> ip http secure-server
> !
> ip nat inside source list 101 interface Dialer0 overload
> ip nat inside source static tcp 10.210.6.1 22 [ext-ip] 22 extendable
> no-alias
> ip nat inside source static tcp 10.210.6.1 80 [ext-ip] 80 extendable
> no-alias
> !
> access-list 101 permit ip any any
> dialer-list 1 protocol ip permit
> !
> !
> control-plane
> !
> !
> line con 0
> exec-timeout 120 0
> no modem enable
> transport preferred all
> transport output all
> stopbits 1
> line aux 0
> transport preferred all
> transport output all
> line vty 0 4
> exec-timeout 120 0
> login local
> transport preferred all
> transport input telnet ssh
> transport output none
> !
> scheduler max-task-time 5000
> sntp server 17.254.0.28
> end
>
> --
> Please use my first and last name in the address & remove '.invalid'
> Mijn voor- en achternaam gebruiken in het adres zonder '.invalid'

What do you think about using the Web set-up interface (CRWS)? What you want
to do could be sorted out in a couple of minutes using CRWS! Or is that
'cheating'?!

Regards
SW

S W <> wrote:

> "Arnoud Helmantel" <> wrote in message
> news:1gx6shp.1q45ioz1nnqt86N%myFirstNam@theLastHer e.com.invalid...
> > Hi,
> >
> > I have been trying to get my 837 onto the Internet and opening a few
> > ports so that the webserver can be reached from the outside world, but
> > for some reason no traffic will pass the NAT...
> >
> > I can get onto the Internet fine, but no machine can reach the webserver
> > on the inside...
> >
> > Can someone please take a look at my config and tell me what goes wrong
> > here?
> >
> > Thanks,
> >
> > Arnoud
> >
> > PS: I know, it will need some more tuning and closing down, but I want
> > to get it running first...
> >
> >
> > version 12.3
> > no service pad
> > service timestamps debug uptime
> > service timestamps log uptime
> > no service password-encryption
> > !
>
> What do you think about using the Web set-up interface (CRWS)? What you want
> to do could be sorted out in a couple of minutes using CRWS! Or is that
> 'cheating'?!
>
> Regards
> SW

Hah, good idea, but... There is no way I have found that it will run in
a browser under Mac OS X... It might work with Windows, but alas...

Arnoud

--
Please use my first and last name in the address & remove '.invalid'
Mijn voor- en achternaam gebruiken in het adres zonder '.invalid'

arturo.servin <> wrote:

> I do not too much about Dialer interfaces but it looks OK, and also the
> NAT. I wonder if your ISP knows the public IP that you are assigning
> staticaly to the webserver with the NAT:
>
> ip nat inside source static tcp 10.210.6.1 22 [ext-ip] 22 extendable
> no-alias
> ip nat inside source static tcp 10.210.6.1 80 [ext-ip] 80 extendable
> no-alias
>
> What I mean, it is if your ISP have a route to the ext-ip to your
> router.
>
> -as

I checked, and yes, the IP I set is correct. It is the IP assigned to me
by my ISP, and it is static.

Arnoud

--
Please use my first and last name in the address & remove '.invalid'
Mijn voor- en achternaam gebruiken in het adres zonder '.invalid'

"Arnoud Helmantel" <> wrote in message
news:1gx713c.1ml9hgjcxaw1sN%

>> What do you think about using the Web set-up interface (CRWS)? What you
>> want
>> to do could be sorted out in a couple of minutes using CRWS! Or is that
>> 'cheating'?!
>>
>> Regards
>> SW
>
> Hah, good idea, but... There is no way I have found that it will run in
> a browser under Mac OS X... It might work with Windows, but alas...
>
> Arnoud

Ahh! So its not really much use to you then. I was interested in your
problem, because I have the opposite problem. I need to do stuff on the 837
that I can't do using the CRWS (set up an Access control list and also set a
static route). And I don't know how to do this using CLI.
I don't think Cisco make it easy to learn the CLI. I've looked on their web
site, registered, but still I can't find a basic how-to list or a reference
manual of commands. If you know of one, please let me know!

Regards
SW

S W <> wrote:

> "Arnoud Helmantel" <> wrote in message
> news:1gx713c.1ml9hgjcxaw1sN%
>
> >> What do you think about using the Web set-up interface (CRWS)? What you
> >> want
> >> to do could be sorted out in a couple of minutes using CRWS! Or is that
> >> 'cheating'?!
> >>
> >> Regards
> >> SW
> >
> > Hah, good idea, but... There is no way I have found that it will run in
> > a browser under Mac OS X... It might work with Windows, but alas...
> >
> > Arnoud
>
> Ahh! So its not really much use to you then. I was interested in your
> problem, because I have the opposite problem. I need to do stuff on the 837
> that I can't do using the CRWS (set up an Access control list and also set a
> static route). And I don't know how to do this using CLI.
> I don't think Cisco make it easy to learn the CLI. I've looked on their web
> site, registered, but still I can't find a basic how-to list or a reference
> manual of commands. If you know of one, please let me know!
>
> Regards
> SW

I picked up a copy of "Cisco IOS in a Nutshell" by O'Reilly, and it is
quite a big help. Sadly a lot of books on Cisco equipment focus on the
higher-end routers, and only casually mention topics like NAT or setting
up a 'simple' ADSL router...

Setting up static routes is an easy part: (from my config)

ip route 212.206.95.0 255.255.255.0 10.210.6.254

this sets up: the network 212.206.95.xxx can be reached through router
10.210.6.254.

Yes, there is a lot of information on Cisco's site, but finding the part
you need, in normal, understandable English is quite a task...

Arnoud

--
Please use my first and last name in the address & remove '.invalid'
Mijn voor- en achternaam gebruiken in het adres zonder '.invalid'

* Arnoud Helmantel <> wrote:
> ip nat inside source static tcp 10.210.6.1 22 [ext-ip] 22 extendable
> no-alias
> ip nat inside source static tcp 10.210.6.1 80 [ext-ip] 80 extendable
> no-alias

Try

ip nat inside source static tcp 10.210.6.1 22 interface Dialer 0 22 ext
ip nat inside source static tcp 10.210.6.1 80 interface Dialer 0 80 ext


Christian