[Resolved] Cisco Router Help



ok, so I am stumped as to why I cannot access my NAS/Webserver from the outside world through my Cisco router.

Current setup:

Fiber Modem > Cisco 2621 > D-Link Router (configured as a switch and wireless AP) > NAS/Web Server

Port the Cisco router is plugged into on the modem is the port I have assigned as the DMZ. I can telnet into the router from outside no problem.

FA0/0 (ISP): DHCP address

FA0/1 (INTRANET): 10.10.10.1 255.255.255.0

D-Link Router: 10.10.10.3

NAS/Web Server: 10.10.10.4

See router config below:

Building configuration...

Current configuration : 1263 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Realm2621
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$0Y2h$lJNPzsUmDlagkmRn1t0Rd1
enable password *******
!
no aaa new-model
ip subnet-zero
ip cef
!
!
ip dhcp excluded-address 10.10.10.1 10.10.10.10
ip dhcp excluded-address 10.10.10.20 10.10.10.254
!
ip dhcp pool INTRANET
 network 10.10.10.0 255.255.255.0
 dns-server 8.8.8.8 8.8.4.4
 default-router 10.10.10.1
!
ip audit po max-events 100
!
!
interface FastEthernet0/0
 ip address dhcp
 ip nat outside
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
 duplex auto
 speed auto
!
ip nat inside source list 1 interface FastEthernet0/0 overload
ip nat inside source static tcp 10.10.10.4 80 interface FastEthernet0/0 80
no ip http server
no ip http secure-server
ip classless
!
!
access-list 1 permit 10.10.10.0 0.0.0.255
!
!
line con 0
line aux 0
line vty 0 4
 password ********
 login
!
!
end

Any help would be appreciated.


congrats, you have a cisco router without any route commands. how do you expect it to route from one interface to another?

do this at an enable prompt

sh ip route

post its results.

try this

ip route 0.0.0.0 0.0.0.0 FastEthernet0/0 dhcp

and see if it helps


That ip route command did nothing.

Gateway of last resort is <INSERT_ISP_IP> to network 0.0.0.0

 	ISP.ISP.0.0/30 is subnetted, 1 subnets
C 	<INSERT_ISP_IP> is directly connected, FastEthernet0/0
 	10.0.0.0/24 is subnetted, 1 subnets
C 	10.10.10.0 is directly connected, FastEthernet0/1
 	192.168.2.0/32 is subnetted, 1 subnets
S 	192.168.2.1 [254/0] via <INSERT_ISP_IP>, FastEthernet0/0
S* 0.0.0.0/0 [254/0] via <INSERT_ISP_IP>


I am assuming it's doing NAT as well. There are no settings in the modem to disable it or check its status. I can hook the web server directly to the modem and forward port 80 and access it no problem though.

I am going to venture to guess that the static route is causing problems?


> I am assuming it's doing NAT as well. There are no settings in the modem to disable it or check its status. I can hook the web server directly to the modem and forward port 80 and access it no problem though.
>
> I am going to venture to guess that the static route is causing problems?

no....If you are doing nat on the modem side, and you can forward port 80 within your modem to the server (can't forward without nat being enabled) then the issue is that the modem is doing nat as well and cockblocking you at that point. you will need to disable nat at that modem and pass all traffic to your cisco.

your S* statement (S* 0.0.0.0/0 [254/0] via <INSERT_ISP_IP>) is your static route, which is why I asked you to run that sh ip route command.

you can technically take the cisco router out as it is doing nothing constructive for you.


Well crap. I have the router in the DMZ on the modem so its firewall isn't touching it. I can telnet to the router so I know port 23 is getting through no problem. I don't understand why I cannot get port 80 through.


I don't use nat on my routers, so this may be wrong advice

ip nat inside source static tcp 10.10.10.4 80 interface FastEthernet0/1

with this it would have to be plugged directly into the #1 port on the router. if you do a search on ip nat inside source static you will come up with many hits and examples, but none that have a dhcp'd outside address. I use an asa for all of this and it is a bit different.


> I don't use nat on my routers, so this may be wrong advice
>
> ip nat inside source static tcp 10.10.10.4 80 interface FastEthernet0/1
>
> with this it would have to be plugged directly into the #1 port on the router. if you do a search on ip nat inside source static you will come up with many hits and examples, but none that have a dhcp'd outside address. I use an asa for all of this and it is a bit different.

His NAT is just fine.

Try and apply an access-list to your interface, and enable logging;

!

logging buffered

ip access-list extended log-traffic log

10 permit tcp any any eq 80 log

99 permit ip any any

!

interface fa0/0

ip access-gr log-traffic in

!

Then try again, but expect no change at all, and then do a show log :)

Edit:

The modem is not doing NAT, as the router is assigned an address from the ISP directly.

Also, the static route with the * just means that it was allocated through DHCP.


Wrong.

What the command does is PAT between port TCP/1 on the outside interface and port TCP/80 on the NAS server.

> His NAT is just fine.
>
> Try and apply an access-list to your interface, and enable logging;
>
> !
>
> logging buffered
>
> ip access-list extended log-traffic log
>
> 10 permit tcp any any eq 80 log
>
> 99 permit ip any any
>
> !
>
> interface fa0/0
>
> ip access-gr log-traffic in
>
> !
>
> Then try again, but expect no change at all, and then do a show log :)
>
> Edit:
>
> The modem is not doing NAT, as the router is assigned an address from the ISP directly.
>
> Also, the static route with the * just means that it was allocated through DHCP.

like i said i don't do this on the router and it could be wrong....thanks for enforcing the wrong.


> like i said i don't do this on the router and it could be wrong....thanks for enforcing the wrong.

Sorry, you were not all wrong... i somehow managed to read the line "ip nat inside source static tcp 10.10.10.4 80 interface FastEthernet0/1" as "ip nat inside source static tcp 10.10.10.4 80 interface FastEthernet0/0 1".

Again sorry :)


Syslog logging: enabled (0 messages dropped, 1 messages rate-limited, 0 flushes, 0 overruns, xml disabled)
	Console logging: level debugging, 23 messages logged, xml disabled
	Monitor logging: level debugging, 0 messages logged, xml disabled
	Buffer logging: level debugging, 1 messages logged, xml disabled
	Logging Exception size (4096 bytes)
	Count and timestamp logging messages: disabled
	Trap logging: level informational, 29 message lines logged

Log Buffer (4096 bytes):

I tried the commands you mentioned.

ip access-list extended log-traffic log <-Wouldn't allow 'log' at the end


> Syslog logging: enabled (0 messages dropped, 1 messages rate-limited, 0 flushes, 0 overruns, xml disabled)
> 	Console logging: level debugging, 23 messages logged, xml disabled
> 	Monitor logging: level debugging, 0 messages logged, xml disabled
> 	Buffer logging: level debugging, 1 messages logged, xml disabled
> 	Logging Exception size (4096 bytes)
> 	Count and timestamp logging messages: disabled
> 	Trap logging: level informational, 29 message lines logged
>
> Log Buffer (4096 bytes):
>
> I tried the commands you mentioned.
>
> ip access-list extended log-traffic log <-Wouldn't allow 'log' at the end

Sorry... just skip that log*

!

logging buffered

ip access-list extended log-traffic

10 permit tcp any any eq 80 log

99 permit ip any any

!

interface fa0/0

ip access-gr log-traffic in

!

/me bangs his head into the wall ;)

Should be going to bed...


Let it sit for a bit and no change. I would like to bang my head too. Have been trying to get this to work for 4-5 days now.

Syslog logging: enabled (0 messages dropped, 1 messages rate-limited, 0 flushes, 0 overruns, xml disabled)
	Console logging: level debugging, 22 messages logged, xml disabled
	Monitor logging: level debugging, 0 messages logged, xml disabled
	Buffer logging: level debugging, 4 messages logged, xml disabled
	Logging Exception size (4096 bytes)
	Count and timestamp logging messages: disabled
	Trap logging: level informational, 28 message lines logged

Log Buffer (4096 bytes):


How are you testing?

Make sure that you aren't testing from your internal LAN, because that probably won't work due to the NAT.

You need to test from something connected to the fa0/0 interface (i.e. the internet)


I'm failing to see why you are even using this router. It's a legacy model and it's offering nothing to you - especially in its current setup.


> I'm failing to see why you are even using this router. It's a legacy model and it's offering nothing to you - especially in its current setup.

Because sometimes it's fun to use overcomplicated setups for no real reason! Gives ya something to do. :p


Your commands were correct from the get go, I even tested them with packet tracer -- if you want I can send it to you.. It should work as you had it setup before.


Only thing is, in PT you cannot use the interface keyword on the

ip nat inside source static tcp 10.10.10.4 80 interface

You have to use the current outside IP -- and it works: you can access the http server on 10.10.10.4 from outside

So unless you're doing what SAMeAiM mentions and trying to hit your public IP from a box on the 10 network, it should be working ---> UNLESS you got something else blocking it?? Ie you mention that fiber "modem" and putting your cisco in the DMZ??

You sure it's passing 80 to the cisco? You sure your ISP is not blocking 80? Many of them do - since it's quite common to be against the TOS to run servers.

If you want to use the cisco -- then put your fiber modem into BRIDGE mode so it puts a PUBLIC on the cisco wan interface, vs putting it in the dmz of your fiber (modem/router) -- since you state you have the cisco in a dmz it must be doing NAT, so it's not a simple modem - it's a gateway device (modem/router combo)

So as snoopy points out -- what is the point of the cisco router? You already have a NAT device for your network, you don't need more than one -- they cause ISSUES.


As for ISP blocking port 80, I had the port opened on the modem/router from the ISP and it worked no problem. Having it in the DMZ should not be blocking any ports at all. The IP it gets assigned now is the public IP the modem/router typically gets assigned.

Reason for the Cisco, as David said, it's fun to play with stuff you don't need just because you can.

What I may have to end up doing is making a 3 port VLAN on my 2900 series switch to split the original connection from the ODU and setup a PPPoE connection on the Cisco. Really don't want to do this if I don't have to so I will try the suggestions you guys mentioned above.


> "Having it in the DMZ should not be blocking any ports at all. The IP it gets assigned now is the public IP the modem/router typically gets assigned."

So you're saying when you put the cisco into the isp router dmz - it places a PUBLIC on the cisco wan interface?? That is not how most soho routers dmz work.. They just forward all the ports to the private ip you have in the dmz.. But if you have other forwards setup, or UPnP or say a remote UI setup on 80, this could cause it not to work.

What is the IP of the cisco dhcp interface you have connected to the fiber device -- is it not a private one? ie does not start with 192.168.x.x or 10.x.x.x or 172.16-31.x.x?

If it's a private -- the double nat could be causing you issues? Sure I agree it's FUN to play, but then it's also pointless to double nat and have a complex setup just because you can.. What is FUN is having things work the way they are supposed to -- not seeing how much of a cluster F___ setup you can create ;)

edit: BTW what worked when you had it setup on the isp router?? You could hit the public IP from the private side and it forwarded inbound, ie a nat reflection, or loopback forward.. Not all devices allow that -- and your current cisco config would not.

Or were you actually testing from outside your network to see if the forward was working.. Loopback forwarding is not a valid test of forward - unless you're sure the nat device you're using supports it.. I can tell you right now with your current config on the cisco if you try and hit the public IP from a box on the 10, it's not going to work. But maybe your isp router supported that??


The private range from the modem/router is 192.168.2.0 0.0.0.255. The public IPs from the ISP are 142.166.x.x. When I had the MAC of the Cisco interface to the DMZ, the IP on FA0/0 on the Cisco is a 142.166.x.x.

Before I started playing with Cisco I had the same web server/nas plugged into a port on the modem/router and had port 80 unblocked for the IP setup on the web server/nas and had no issues accessing it from anywhere. I am testing the connection on my phone, it fails to load the page and gets a timeout error.

Router/Modem is a 2 Wire 3800HGV-B Gateway.


Well it should be working then, you could try changing your ip nat statement from

ip nat inside source static tcp 10.10.10.4 80 interface FastEthernet0/0 80

To

ip nat inside source static tcp 10.10.10.4 80 <PUBLIC IP ON FA0/0> 80

You could also remove your IP CEF statement.. I don't believe it should cause a problem - but it is the one thing that, at a guess, might cause some kind of issue.


Well I tried that and it didn't work but I think I may have found the potential issue.

Realm2621#show arp
Protocol Address 	Age (min) Hardware Addr Type Interface
Internet 10.10.10.1 	- 0001.42f8.be41 ARPA FastEthernet0/1
Internet 10.10.10.4 	8 0040.f426.bbe1 ARPA FastEthernet0/1
Internet 142.166.x.x 	0 0025.3cce.6329 ARPA FastEthernet0/0
Internet 142.166.x.x 	- 0001.42f8.be40 ARPA FastEthernet0/0

Realm2621#show int fa0/0
FastEthernet0/0 is up, line protocol is up
 Hardware is AmdFE, address is 0001.42f8.be40 (bia 0001.42f8.be40)
 Internet address is 142.166.x.x/30
 MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
 	reliability 255/255, txload 1/255, rxload 1/255
 Encapsulation ARPA, loopback not set
 Keepalive set (10 sec)
 Full-duplex, 100Mb/s, 100BaseTX/FX
 ARP type: ARPA, ARP Timeout 04:00:00
 Last input 00:00:00, output 00:00:00, output hang never
 Last clearing of "show interface" counters never
 Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
 Queueing strategy: fifo
 Output queue: 0/40 (size/max)
 5 minute input rate 2000 bits/sec, 2 packets/sec
 5 minute output rate 1000 bits/sec, 1 packets/sec
 	102043 packets input, 13176403 bytes
 	Received 67561 broadcasts, 0 runts, 0 giants, 0 throttles
 	0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
 	0 watchdog
 	0 input packets with dribble condition detected
 	45750 packets output, 4245831 bytes, 0 underruns
 	0 output errors, 0 collisions, 0 interface resets
 	0 babbles, 0 late collision, 0 deferred
 	0 lost carrier, 0 no carrier
 	0 output buffer failures, 0 output buffers swapped out

Gateway of last resort is 142.166.x.x to network 0.0.0.0

 	142.166.0.0/30 is subnetted, 1 subnets
C 	142.166.x.x is directly connected, FastEthernet0/0
 	10.0.0.0/24 is subnetted, 1 subnets
C 	10.10.10.0 is directly connected, FastEthernet0/1
 	192.168.2.0/32 is subnetted, 1 subnets
S 	192.168.2.1 [254/0] via 142.166.x.x, FastEthernet0/0
S* 0.0.0.0/0 [254/0] via 142.166.x.x

Building configuration...

Current configuration : 1299 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Realm2621
!
boot-start-marker
boot-end-marker
!
logging buffered 4096 debugging
enable secret 5 $1$ubRd$gkH2UZQj6XVVpAoxNStjk1
enable password ********
!
no aaa new-model
ip subnet-zero
no ip cef
!
!
ip name-server 8.8.8.8
ip name-server 8.8.4.4
ip dhcp excluded-address 10.10.10.1 10.10.10.10
ip dhcp excluded-address 10.10.10.20 10.10.10.254
!
ip dhcp pool INTRANET
 network 10.10.10.0 255.255.255.0
 default-router 10.10.10.1
 dns-server 8.8.8.8 8.8.4.4
!
ip audit po max-events 100
!
!
!
interface FastEthernet0/0
 ip address dhcp
 ip access-group log-traffic in
 ip nat outside
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
 duplex auto
 speed auto
!
ip nat inside source list 1 interface FastEthernet0/0 overload
ip nat inside source static tcp 10.10.10.4 80 142.166.x.x 80 extendable
ip http server
no ip http secure-server
ip classless
!
!
!
ip access-list extended log-traffic
 permit tcp any any eq www log
 permit ip any any
access-list 1 permit 10.10.10.0 0.0.0.255
!
!
line con 0
line aux 0
line vty 0 4
 password ********
 login
!
!
end

I tried removing ip cef and it made no difference and also added the public IP to the nat line.


Just wondering. Your WAN interface (fa0/0) on your cisco router has an IP of 142.166.187.161 ?

but your default route is using 142.166.187.162 ? What IP is that supposed to be? Your Modem? I can't stand Router/modem configurations like this, heh. No Offense.

Actually I doubt my question has anything related to your issue, heh.
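The sanity checks the thread keeps coming back to (is the fa0/0 address RFC1918, i.e. double NAT; does the static NAT global address or interface match the outside interface; does the gateway of last resort sit on the fa0/0 /30, which is what the .161/.162 question above is about) as an added Python example that is not from the thread or any poster. The `show ip route`, `show interfaces` and config lines are constructed to match the shapes posted here, with TEST-NET addresses (203.0.113.x) standing in for 142.166.x.x.

```python
import ipaddress
import re

# Constructed sample output in the shape of the thread's `show ip route`,
# `show interfaces fa0/0` and running-config excerpts (203.0.113.0/24 is TEST-NET-3).
SHOW_IP_ROUTE = """\
Gateway of last resort is 203.0.113.162 to network 0.0.0.0
     203.0.113.0/30 is subnetted, 1 subnets
C       203.0.113.160 is directly connected, FastEthernet0/0
     10.0.0.0/24 is subnetted, 1 subnets
C       10.10.10.0 is directly connected, FastEthernet0/1
S*   0.0.0.0/0 [254/0] via 203.0.113.162
"""
SHOW_INT = "  Internet address is 203.0.113.161/30\n"
CONFIG = "ip nat inside source static tcp 10.10.10.4 80 203.0.113.161 80 extendable\n"

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Matches both the `interface Fa0/0 80` and the literal `<ip> 80` forms of the static NAT line.
NAT_RE = r"ip nat inside source static tcp (\S+) (\d+) (?:interface (\S+)|(\S+)) (\d+)"


def parse_connected(show_ip_route):
    """Map interface -> connected network for 'C' routes; IOS 12.x prints the
    prefix length on the preceding 'x/len is subnetted' line, so carry it down."""
    plen, connected = 32, {}
    for line in show_ip_route.splitlines():
        m = re.match(r"\s*\S+/(\d+) is subnetted", line)
        if m:
            plen = int(m.group(1))
            continue
        m = re.match(r"C\s+(\S+) is directly connected, (\S+)", line)
        if m:
            connected[m.group(2)] = ipaddress.ip_network(f"{m.group(1)}/{plen}")
    return connected


def gateway_of_last_resort(show_ip_route):
    m = re.search(r"Gateway of last resort is (\S+) to network", show_ip_route)
    return ipaddress.ip_address(m.group(1)) if m else None


def check_forward(show_ip_route, show_int, config, wan_if="FastEthernet0/0"):
    """Return findings that would stop an inbound port forward from working."""
    findings = []
    connected = parse_connected(show_ip_route)
    gw = gateway_of_last_resort(show_ip_route)
    wan_ip = ipaddress.ip_address(re.search(r"Internet address is (\S+)/", show_int).group(1))
    if any(wan_ip in n for n in RFC1918):
        findings.append(f"WAN address {wan_ip} is RFC1918: the upstream device NATs too (double NAT)")
    if gw is None or (wan_if in connected and gw not in connected[wan_if]):
        findings.append(f"default gateway {gw} is missing or not on the {wan_if} subnet")
    m = re.search(NAT_RE, config)
    if m:
        inside, _, nat_if, nat_ip, _ = m.groups()
        if nat_if and nat_if != wan_if:
            findings.append(f"static NAT is bound to {nat_if}, not the outside interface {wan_if}")
        elif nat_ip and ipaddress.ip_address(nat_ip) != wan_ip:
            findings.append(f"static NAT global address {nat_ip} differs from WAN address {wan_ip}")
        if not any(ipaddress.ip_address(inside) in n for i, n in connected.items() if i != wan_if):
            findings.append(f"static NAT inside address {inside} is not on any inside subnet")
    return findings
```

Run `check_forward` on the real command output; an empty list means the router side is consistent and the next thing to look at is what the upstream gateway actually passes to fa0/0 (the ACL log counters from the earlier posts show that).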

