Allowing HTTP traffic inside cisco router

Discussion in 'General Computer Support' started by briefus, Aug 12, 2009.

  1. briefus
    Guys, I'm having a brain fart here and am not able to get this figured out. We have a remote location that is going to have a video encoder set up to display live streaming video from a webcam of a reconstruction project. They want this to be accessible to anyone in the world via HTTP. We are using a Cisco 1841 router with the Advanced Security feature set on it. I'm looking to NAT the inbound traffic coming in ONLY on HTTP to the internal address of the video encoder (10.201.92.220:80). Any help/suggestions are welcome. Here's the config I currently have set up. ACL 102 is the new ACL I added to allow inbound traffic to the IP over HTTP only. Let me know what you think.
    Code:
    !
    version 12.4
    service tcp-keepalives-in
    service tcp-keepalives-out
    service timestamps debug datetime msec localtime show-timezone
    service timestamps log datetime msec localtime show-timezone
    service password-encryption
    !
    hostname cr532
    !
    boot-start-marker
    boot system flash:c1841-advsecurityk9-mz.124-11.XW9.bin
    boot-end-marker
    !
    security authentication failure rate 3 log
    security passwords min-length 6
    logging buffered 4096
    enable secret 5 <removed>
    !
    aaa new-model
    !
    !
    aaa authentication login default group tacacs+ local
    aaa authentication enable default group tacacs+ enable
    aaa authorization exec default group tacacs+ group tacacs+ local
    aaa accounting exec default start-stop group tacacs+
    aaa accounting commands 0 default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+
    !
    !
    aaa session-id common
    memory-size iomem 15
    clock timezone EST -5
    clock summer-time EDT recurring
    ip gratuitous-arps
    ip cef
    !
    !
    no ip dhcp use vrf connected
    ip dhcp excluded-address 10.200.109.1 10.200.109.19
    ip dhcp excluded-address 10.201.92.1 10.201.92.99
    ip dhcp excluded-address 10.201.92.200 10.201.92.254
    !
    ip dhcp pool resident
       network 10.200.109.0 255.255.255.0
       dns-server 10.206.0.50 10.206.0.51
       default-router 10.200.109.1
       lease 0 4
    !
    ip dhcp pool 10.201.92.0/24
       network 10.201.92.0 255.255.255.0
       dns-server 172.30.0.120 172.30.0.121
       netbios-name-server 172.30.0.121 172.30.0.120
       netbios-node-type h-node
       default-router 10.201.92.1
       lease 0 4
    !
    !
    ip inspect name FIREWALL cuseeme
    ip inspect name FIREWALL ftp
    ip inspect name FIREWALL h323
    ip inspect name FIREWALL icmp
    ip inspect name FIREWALL netshow
    ip inspect name FIREWALL rcmd
    ip inspect name FIREWALL realaudio
    ip inspect name FIREWALL rtsp
    ip inspect name FIREWALL esmtp
    ip inspect name FIREWALL sqlnet
    ip inspect name FIREWALL streamworks
    ip inspect name FIREWALL tftp
    ip inspect name FIREWALL tcp
    ip inspect name FIREWALL udp
    ip inspect name FIREWALL vdolive
    no ip bootp server
    no ip domain lookup
    ip domain name <removed>
    ip name-server 172.30.0.120
    ip name-server 172.30.0.121
    !
    !
    multilink bundle-name authenticated
    !
    !
    crypto isakmp policy 10
     encr 3des
     hash md5
     authentication pre-share
     group 2
    crypto isakmp key <removed> address <removed>
    !
    !
    crypto ipsec transform-set to_vpn esp-3des esp-md5-hmac
    !
    crypto map to_vpn 10 ipsec-isakmp
     set peer <removed>
     set transform-set to_vpn
     match address 101
    !
    !
    !
    !
    !
    username <removed> privilege 15 secret 5 <removed>
    !
    archive
     log config
      hidekeys
    !
    !
    ip tftp source-interface FastEthernet0/1.1
    ip ssh time-out 60
    ip ssh authentication-retries 2
    ip ssh source-interface FastEthernet0/1.1
    !
    !
    !
    interface FastEthernet0/0
     description OUTSIDE$FW_OUTSIDE$
     ip ddns update hostname cr205.atriacisco.local
     ip ddns update DDNS
     ip address 70.X.Y.Z 255.255.254.0
     ip mask-reply
     ip directed-broadcast
     ip nbar protocol-discovery
     ip inspect ATRIA_FIREWALL out
     ip nat outside
     ip virtual-reassembly
     ip route-cache flow
     ip tcp adjust-mss 1320
     duplex auto
     speed auto
     crypto map to_vpn
     hold-queue 100 out
    !
    interface FastEthernet0/1
     description 802.1q trunkport to lan
     no ip address
     ip mask-reply
     ip directed-broadcast
     duplex auto
     speed auto
    !
    interface FastEthernet0/1.1
     description Business Office$FW_INSIDE$
     encapsulation dot1Q 1 native
     ip address 10.201.92.1 255.255.255.0
     ip mask-reply
     ip directed-broadcast
     ip nat inside
     ip virtual-reassembly
    !
    interface FastEthernet0/1.2
     description resident lan$FW_INSIDE$
     encapsulation dot1Q 2
     ip address 10.200.109.1 255.255.255.0
     ip mask-reply
     ip directed-broadcast
     ip nat inside
     ip virtual-reassembly
    !
    ip route 0.0.0.0 0.0.0.0 70.A.B.C
    !
    !
    no ip http server
    no ip http secure-server
    ip nat translation timeout 3600
    ip nat inside source list 199 interface FastEthernet0/0 overload
    ip nat inside source static tcp 10.201.92.220 80 70.X.Y.Z 80 extendable no-alias
    ip tacacs source-interface FastEthernet0/1.1
    !
    logging history warnings
    logging trap errors
    logging facility local3
    logging source-interface FastEthernet0/1.1
    logging 172.30.0.25
    logging 10.0.219.50
    access-list 10 permit 172.30.0.0 0.0.0.255
    access-list 10 permit 10.0.219.0 0.0.0.255
    access-list 10 permit 10.201.92.0 0.0.0.255
    access-list 101 permit ip 10.201.92.0 0.0.0.255 172.20.0.0 0.0.0.255
    access-list 101 permit ip 10.201.92.0 0.0.0.255 172.21.1.0 0.0.0.255
    access-list 101 permit ip 10.201.92.0 0.0.0.255 172.30.0.0 0.0.0.255
    access-list 101 permit ip 10.201.92.0 0.0.0.255 10.0.219.0 0.0.0.255
    access-list 101 permit ip 10.201.92.0 0.0.0.255 172.30.1.0 0.0.0.255
    access-list 101 permit ip 10.200.109.0 0.0.0.255 10.0.219.0 0.0.0.255
    access-list 101 permit ip 10.200.109.0 0.0.0.255 10.200.0.0 0.0.0.255
    access-list 101 permit ip 10.200.109.0 0.0.0.255 host 172.21.1.80
    access-list 101 permit ip 10.200.109.0 0.0.0.255 10.206.0.0 0.0.0.255
    access-list 102 permit tcp any host 70.X.Y.Z eq www
    access-list 199 deny   ip 10.201.92.0 0.0.0.255 10.0.219.0 0.0.0.255
    access-list 199 deny   ip 10.201.92.0 0.0.0.255 172.20.0.0 0.0.0.255
    access-list 199 deny   ip 10.201.92.0 0.0.0.255 172.21.1.0 0.0.0.255
    access-list 199 deny   ip 10.201.92.0 0.0.0.255 172.30.0.0 0.0.0.255
    access-list 199 deny   ip 10.201.92.0 0.0.0.255 172.30.1.0 0.0.0.255
    access-list 199 deny   ip 10.200.109.0 0.0.0.255 10.206.0.0 0.0.0.255
    access-list 199 deny   ip 10.200.109.0 0.0.0.255 10.200.0.0 0.0.0.255
    access-list 199 deny   ip 10.200.109.0 0.0.0.255 10.0.219.0 0.0.0.255
    access-list 199 deny   ip 10.200.109.0 0.0.0.255 host 172.21.1.80
    access-list 199 permit ip 10.0.219.0 0.0.0.255 any
    access-list 199 permit ip 10.201.92.0 0.0.0.255 any
    access-list 199 permit ip 10.200.109.0 0.0.0.255 any
    access-list 199 permit ip host 10.206.0.50 any
    snmp-server community <removed> RO
    snmp-server community <removed> RW
    snmp-server location atria noc
    snmp-server contact atria noc
    snmp-server enable traps tty
    snmp-server host 172.30.0.125 <removed>
    snmp-server host 172.30.0.125 <removed>
    !
    !
    !
    tacacs-server host 172.30.0.4
    tacacs-server host 172.30.0.5
    tacacs-server timeout 10
    tacacs-server directed-request
    tacacs-server key 7 <removed>
    !
    control-plane
    !
    banner motd ^CC
    **********************************************************************
    *       L E G A L   N O T I C E  --  Y O U   M U S T   R E A D       *
    **********************************************************************
    *                                                                    *
    *  You must have explicit permission to access or configure this     *
    *  device.  All activities performed on this device are logged and   *
    *  violations of this policy may result in criminal prosecution      *
    *                                                                    *
    **********************************************************************
    *                                                                    *
    * This system is for the use of authorized users only.  Individuals  *
    * using this communication system without authority, or in excess of *
    * their authority, are subject to having all of their activities on  *
    * this system monitored and recorded by system personnel.            *
    *                                                                    *
    *                                                                    *
    * Anyone using this system expressly consents to such monitoring and *
    * is advised that if such monitoring reveals possible evidence of    *
    * criminal activity, system personnel may provide the evidence of    *
    * such monitoring to law enforcement officials.                      *
    *                                                                    *
    **********************************************************************
    *     UNAUTHORIZED ACCESS TO THIS NETWORK DEVICE IS PROHIBITED       *
    **********************************************************************
    ^C
    !
    line con 0
     transport output ssh
    line aux 0
     transport input ssh
     transport output ssh
    line vty 0 4
     transport input ssh
     transport output ssh
    line vty 5 15
     transport input ssh
     transport output ssh
    !
    scheduler max-task-time 5000
    scheduler allocate 20000 1000
    ntp clock-period 17178488
    ntp update-calendar
    ntp peer 172.30.0.244
    ntp peer 172.30.0.120 prefer
    ntp peer 172.30.0.121
    
    !
    webvpn cef
    end
     
    briefus, Aug 12, 2009
    #1
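The posted config has two dangling references that a quick lint catches: ACL 102 is defined but never applied to any interface (so it filters nothing), and the outside interface applies an inspection rule named ATRIA_FIREWALL while the only rule defined is FIREWALL. The script below is an added example written for this page, not code from the thread. It parses a constructed excerpt modelled on the posted config (public address replaced by RFC 5737 documentation space, VPN peer made up, names kept) and reports ACLs or inspect rules that are defined but unused or used but undefined, plus any static port forward that sits on a `nat outside` interface carrying no inbound access-group. The "fixed" variant applies ACL 102 inbound and the defined inspect rule; the ISAKMP and ESP permits added for the crypto peer are an assumption about the minimum such a filter must allow for the tunnel to keep working. The linter checks that references resolve, not that the filtering policy is complete.

```python
"""Lint a Cisco IOS config for dangling references between ACLs, CBAC inspect rules, NAT and crypto maps."""
import re
from collections import defaultdict

# Constructed excerpt modelled on the posted 1841 config: public address replaced by
# RFC 5737 documentation space, VPN peer made up, names kept so findings match the thread.
SAMPLE_CONFIG = """\
ip inspect name FIREWALL tcp
ip inspect name FIREWALL udp
crypto map to_vpn 10 ipsec-isakmp
 set peer 192.0.2.1
 match address 101
interface FastEthernet0/0
 ip address 203.0.113.10 255.255.254.0
 ip inspect ATRIA_FIREWALL out
 ip nat outside
 crypto map to_vpn
interface FastEthernet0/1.1
 ip address 10.201.92.1 255.255.255.0
 ip nat inside
ip nat inside source list 199 interface FastEthernet0/0 overload
ip nat inside source static tcp 10.201.92.220 80 203.0.113.10 80 extendable no-alias
access-list 101 permit ip 10.201.92.0 0.0.0.255 172.30.0.0 0.0.0.255
access-list 102 permit tcp any host 203.0.113.10 eq www
access-list 199 permit ip 10.201.92.0 0.0.0.255 any
"""
# Same excerpt with references made consistent: the inspect rule that is defined is the one
# applied, and ACL 102 goes inbound on the outside interface. The ISAKMP/ESP permits for the
# crypto peer are an assumption about the minimum such an inbound filter must allow.
FIXED_CONFIG = SAMPLE_CONFIG.replace(
    " ip inspect ATRIA_FIREWALL out", " ip inspect FIREWALL out\n ip access-group 102 in"
) + ("access-list 102 permit udp host 192.0.2.1 host 203.0.113.10 eq isakmp\n"
     "access-list 102 permit esp host 192.0.2.1 host 203.0.113.10\n")

IFACE = re.compile(r"^interface (\S+)$")
ACL_DEF = re.compile(r"^access-list (\S+) |^ip access-list (?:standard|extended) (\S+)$")
ACL_GROUP = re.compile(r"^ip access-group (\S+) (in|out)$")
INSPECT_DEF = re.compile(r"^ip inspect name (\S+) ")
INSPECT_APPLY = re.compile(r"^ip inspect (\S+) (in|out)$")
NAT_LIST = re.compile(r"^ip nat inside source list (\S+) ")
NAT_STATIC = re.compile(r"^ip nat inside source static (tcp|udp) (\S+) (\d+) (\S+) (\d+)")
CRYPTO_MATCH = re.compile(r"^match address (\S+)$")

def parse(config):
    """Collect definitions and references; interface sub-commands are the indented lines."""
    st = {"acl_defined": set(), "acl_refs": defaultdict(list), "inspect_defined": set(),
          "inspect_applied": [],  # (rule, interface, direction)
          "interfaces": {},       # name -> {"acl_in": acl or None, "nat_outside": bool}
          "statics": []}          # (proto, inside_ip, inside_port, global_ip, global_port)
    cur_if = None
    for raw in config.splitlines():
        if not raw.startswith(" "):
            cur_if = None  # an unindented line ends the interface block
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if m := IFACE.match(line):
            cur_if = m.group(1)
            st["interfaces"][cur_if] = {"acl_in": None, "nat_outside": False}
        elif m := ACL_DEF.match(line):
            st["acl_defined"].add(m.group(1) or m.group(2))
        elif m := INSPECT_DEF.match(line):
            st["inspect_defined"].add(m.group(1))
        elif m := NAT_LIST.match(line):
            st["acl_refs"][m.group(1)].append("ip nat inside source list")
        elif m := NAT_STATIC.match(line):
            st["statics"].append(m.groups())
        elif m := CRYPTO_MATCH.match(line):
            st["acl_refs"][m.group(1)].append("crypto map match address")
        elif cur_if and (m := ACL_GROUP.match(line)):
            if m.group(2) == "in":
                st["interfaces"][cur_if]["acl_in"] = m.group(1)
            st["acl_refs"][m.group(1)].append(f"ip access-group {m.group(2)} on {cur_if}")
        elif cur_if and (m := INSPECT_APPLY.match(line)):
            st["inspect_applied"].append((m.group(1), cur_if, m.group(2)))
        elif cur_if and line == "ip nat outside":
            st["interfaces"][cur_if]["nat_outside"] = True
    return st

def lint(config):
    """Return human-readable findings; an empty list means every reference resolves."""
    st = parse(config)
    out = []
    for acl in sorted(st["acl_defined"] - set(st["acl_refs"])):
        out.append(f"ACL {acl} is defined but never applied or referenced")
    for acl in sorted(set(st["acl_refs"]) - st["acl_defined"]):
        out.append(f"ACL {acl} is referenced ({', '.join(st['acl_refs'][acl])}) but not defined")
    for name, ifname, direction in st["inspect_applied"]:
        if name not in st["inspect_defined"]:
            out.append(f"inspect rule {name} is applied {direction} on {ifname} but never defined")
    for name in sorted(st["inspect_defined"] - {n for n, _, _ in st["inspect_applied"]}):
        out.append(f"inspect rule {name} is defined but not applied to any interface")
    for ifname, flags in st["interfaces"].items():
        if flags["nat_outside"] and flags["acl_in"] is None:
            for proto, in_ip, in_port, _global_ip, g_port in st["statics"]:
                out.append(f"static NAT {proto}/{g_port} -> {in_ip}:{in_port} is exposed on "
                           f"{ifname}, which has no inbound access-group")
    return out
```

`lint(SAMPLE_CONFIG)` returns four findings (unused ACL 102, undefined ATRIA_FIREWALL, unapplied FIREWALL, and the TCP/80 forward exposed on FastEthernet0/0 with no inbound filter); `lint(FIXED_CONFIG)` returns none. Run it against `show running-config` output before assuming a newly added ACL is doing anything.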

  2. briefus
    Never mind, guys... brain fart indeed...
    IPsec connections require a fully dedicated public IP address (you cannot NAT individual ports).
     
    briefus, Aug 12, 2009
    #2
