Cisco 831 NAT

Discussion in 'Cisco' started by Deepster, Dec 2, 2004.

  1. Deepster

    Deepster Guest

    Hi all,

    I am a newbie in Cisco world and I am having a problem with my Cisco
    router. I want to publish a web/mail server behind the router. The
    Router E1 (outside) has a static IP and from what I have found so far,
    I have E1 as ip nat outside and E0 (inside) as ip nat inside.

    Also I have the following commands in there ...
    ip nat inside source static tcp 10.10.10.10 80 interface Ethernet1 80
    ip nat inside source static tcp 10.10.10.10 25 interface Ethernet1 25

    The problem: Even after doing this I cannot get to the webserver from
    outside the firewall. I even tried opening the port just in case with
    the following lines of commands

    access-list 101 permit tcp any host 1.2.3.4 eq www
    What is it that I am missing here?

    Thanks
     
    Deepster, Dec 2, 2004
    #1

  2. Deepster

    Deepiceman Guest

    "Deepster" <> wrote in message news:<>...
    > Hi all,
    >
    > I am a newbie in Cisco world and I am having a problem with my Cisco
    > router. I want to publish a web/mail server behind the router. The
    > Router E1 (outside) has a static IP and from what I have found so far,
    > I have E1 as ip nat outside and E0 (inside) as ip nat inside.
    >
    > Also I have the following commands in there ...
    > ip nat inside source static tcp 10.10.10.10 80 interface Ethernet1 80
    > ip nat inside source static tcp 10.10.10.10 25 interface Ethernet1 25
    >
    > The problem: Even after doing this I cannot get to the webserver from
    > outside the firewall. I even tried opening the port just in case with
    > the following lines of commands
    >
    > access-list 101 permit tcp any host 1.2.3.4 eq www
    > What is it that I am missing here?
    >
    > Thanks



    Ok so Update on this issue, I have connectivity now, I guess the
    webserver was not configured properly but that's another issue. My
    question now is that when I have the nat commands in there and I also
    open the ports 80 and 25 with this

    access-list 101 permit tcp any host A.B.C.D eq www
    access-list 101 permit tcp any host A.B.C.D eq smtp

    I see that the ports are wide open when I run a port scanner. Is there
    a way around it? Can I not have the ports open but in stealth mode and
    be able to keep the webserver behind the router?

    Thanks
     
    Deepiceman, Dec 3, 2004
    #2

  3. Deepster

    Erik Freitag Guest

    On Fri, 03 Dec 2004 09:26:02 -0800, Deepiceman wrote:

    > "Deepster" <> wrote in message news:<>...
    >> Hi all,
    >>
    >> I am a newbie in Cisco world and I am having a problem with my Cisco
    >> router. I want to publish a web/mail server behind the router. The
    >> Router E1 (outside) has a static IP and from what I have found so far,
    >> I have E1 as ip nat outside and E0 (inside) as ip nat inside.
    >>
    >> Also I have the following commands in there ...
    >> ip nat inside source static tcp 10.10.10.10 80 interface Ethernet1 80
    >> ip nat inside source static tcp 10.10.10.10 25 interface Ethernet1 25
    >>
    >> The problem: Even after doing this I cannot get to the webserver from
    >> outside the firewall. I even tried opening the port just in case with
    >> the following lines of commands
    >>
    >> access-list 101 permit tcp any host 1.2.3.4 eq www
    >> What is it that I am missing here?

    >
    > Ok so Update on this issue, I have connectivity now, I guess the
    > webserver was not configured properly but that's another issue. My
    > question now is that when I have the nat commands in there and I also
    > open the ports 80 and 25 with this
    >
    > access-list 101 permit tcp any host A.B.C.D eq www
    > access-list 101 permit tcp any host A.B.C.D eq smtp
    >
    > I see that the ports are wide open when I run a port scanner. Is there
    > a way around it? Can I not have the ports open but in stealth mode and
    > be able to keep the webserver behind the router?


    I'm not sure what you mean by stealth mode. Are you by any chance thinking
    of stateful inspection? This would make a host available to the internet
    by dynamically creating an access list that is the inverse of an outbound
    connection made by the host.

    Unfortunately, your web server doesn't start connections, it only listens
    for them and answers if appropriate. If you want the Internet to connect
    to your web server on port 80, you're going to have to allow access on
    port 80 to the Internet, which is what your first access list entry does.

    I noticed that you used the word "publish" up there. Web servers don't
    "publish" anything - they answer requests from clients. A "pull" not a
    "push". Your smtp server will listen for incoming mail on port 25, and it
    will send mail to port 25, using an arbitrary source port. Stateful
    inspection will create an access list for the response to your smtp
    server's outbound mail, but it won't be on port 25.

    Short version: seeing ports 80 and 25 for your server wide open is a good
    thing if you want to run a web server and get email.

    On the other hand, maybe you were thinking of nmap stealth mode, in which
    case I'm confused.
     
    Erik Freitag, Dec 4, 2004
    #3
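
The setup discussed in this thread, as an added configuration sketch that is not part of any poster's message or actual router config: the two published ports are the only inbound traffic the outside ACL permits, and stateful inspection (CBAC) opens temporary return paths for connections the inside hosts start. It assumes an IOS image with the firewall feature set; the inspection rule name FW and the final logged deny are assumptions, and A.B.C.D is the thread's placeholder for the Ethernet1 address.

```cisco
! Added example, not from the thread. FW is a hypothetical rule name.
! Stateful inspection for sessions that start on the inside (for example the
! mail server sending to a remote port 25 from an arbitrary source port).
ip inspect name FW tcp
ip inspect name FW udp
!
! Inbound on the outside interface the ACL is evaluated before NAT, so it
! matches the public address (A.B.C.D, placeholder), not 10.10.10.10.
access-list 101 permit tcp any host A.B.C.D eq www
access-list 101 permit tcp any host A.B.C.D eq smtp
! Every ACL ends in an implicit deny; writing it out with "log" records
! probes to all other ports, which a scanner then sees as filtered.
access-list 101 deny ip any any log
!
interface Ethernet0
 ip nat inside
!
interface Ethernet1
 ip nat outside
 ip access-group 101 in
 ip inspect FW out
!
! Static port translations quoted from the original post.
ip nat inside source static tcp 10.10.10.10 80 interface Ethernet1 80
ip nat inside source static tcp 10.10.10.10 25 interface Ethernet1 25
```

With this in place a scan from outside should show 80 and 25 open and nothing else, and `show access-lists 101` gives per-line hit counts to confirm which entries are matching.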