Can't reach DMZ web server from Internet

  • Can't reach DMZ web server from Internet

    I have a simple setup with a Cisco 881W, but I am really struggling to get a web server in the DMZ to work. There are 4 VLANs - Guest (for wireless guests), Internal for internal users, a DMZ and a Management VLAN. One interface (Fa4) is connected to the cable modem with one address (the config is using Dynamic DNS to maintain this, and I think it is working OK since I can ping the site name and it returns the Fa4 IP address).

    I have set up NAT Virtual Interfaces so that clients in every VLAN can reach the Internet, which works fine. The problem is I can't seem to get clients on the Internet to be able to reach a web server in the DMZ. There is an ACL statement in the router config which I thought would do this ("ip nat source static tcp 10.0.0.11 80 interface FastEthernet4 80"), but somehow it is not working. The strange thing is that anyone on the Internal or Management VLANs can easily reach it at its IP address.

    Anyone have any clues what might be going on?


    The scrubbed "Show Run" is below:
    Router#sho run
    Building configuration...

    Current configuration : 5881 bytes
    !
    ! Last configuration change at 17:29:19 UTC Sun Jul 29 2012
    !
    version 12.4
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname Router
    !
    boot-start-marker
    boot-end-marker
    !
    logging message-counter syslog
    logging buffered 10000
    enable password XXXXXX
    !
    no aaa new-model
    service-module wlan-ap 0 bootimage unified
    !
    crypto pki trustpoint TP-self-signed-769551153
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-769551153
    revocation-check none
    rsakeypair TP-self-signed-769551153
    !
    !
    crypto pki certificate chain TP-self-signed-769551153
    certificate self-signed 01
    quit
    ip source-route
    !
    !
    ip dhcp excluded-address 172.16.1.1 172.16.1.50
    ip dhcp excluded-address 192.168.1.1 192.168.1.50
    ip dhcp excluded-address 192.168.0.1 192.168.0.50
    ip dhcp excluded-address 10.0.0.1 10.0.0.50
    !
    ip dhcp pool Internal
    network 192.168.1.0 255.255.255.0
    default-router 192.168.1.1
    dns-server 8.8.8.8
    !
    ip dhcp pool Guest
    network 172.16.1.0 255.255.255.0
    default-router 172.16.1.1
    dns-server 8.8.8.8
    !
    ip dhcp pool Management
    network 192.168.0.0 255.255.255.0
    default-router 192.168.0.1
    dns-server 8.8.8.8
    option 43 hex f104.c0a8.000a
    !
    ip dhcp pool DMZ
    network 10.0.0.0 255.255.255.0
    default-router 10.0.0.1
    dns-server 8.8.8.8
    !
    !
    ip cef
    ip ddns update method myupdate
    HTTP
    add httz://usernameassword%40dynupdate.no-ip.com/nic...
    interval maximum 1 0 0 0
    !
    !
    no ipv6 cef
    !
    multilink bundle-name authenticated
    !
    !
    vtp domain cisco
    vtp mode transparent
    username admin privilege 15 password 0 password
    !
    !
    !
    archive
    log config
    hidekeys
    !
    !
    vlan 2-4
    !
    !
    !
    !
    interface FastEthernet0
    description Port to DMZ Computer
    switchport access vlan 4
    !
    interface FastEthernet1
    description Port in Management VLAN
    !
    interface FastEthernet2
    description Port in Management VLAN
    !
    interface FastEthernet3
    description Trunk Port to Switch
    switchport mode trunk
    !
    interface FastEthernet4
    description WAN port to Internet
    ip ddns update foo.no-ip.biz
    ip ddns update myupdate host 10.0.0.11
    ip address dhcp
    ip nat enable
    ip virtual-reassembly
    duplex auto
    speed auto
    !
    interface wlan-ap0
    description Service module interface to manage the embedded AP
    no ip address
    arp timeout 0
    !
    interface Wlan-GigabitEthernet0
    description Internal switch interface connecting to the embedded AP
    !
    interface Vlan1
    description Management VLAN
    ip address 192.168.0.1 255.255.255.0
    no ip redirects
    ip nat enable
    ip virtual-reassembly
    !
    interface Vlan2
    description Internal VLAN
    ip address 192.168.1.1 255.255.255.0
    no ip redirects
    ip nat enable
    ip virtual-reassembly
    !
    interface Vlan3
    description Guest VLAN
    ip address 172.16.1.1 255.255.255.0
    no ip redirects
    ip nat enable
    ip virtual-reassembly
    !
    interface Vlan4
    description DMZ VLAN
    ip address 10.0.0.1 255.255.255.0
    ip access-group 102 in
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip nat enable
    ip virtual-reassembly
    !
    ip forward-protocol nd
    no ip http server
    no ip http secure-server
    !
    !
    no ip nat service sip udp port 5060
    ip nat source list 1 interface FastEthernet4 overload
    ip nat source static tcp 10.0.0.11 80 interface FastEthernet4 80
    !
    no logging trap
    access-list 1 permit 10.0.0.0 0.0.0.255
    access-list 1 remark ACL necessary for all internal nets to NAT overload
    access-list 1 permit 192.168.0.0 0.0.0.255
    access-list 1 permit 192.168.1.0 0.0.0.255
    access-list 1 permit 172.16.1.0 0.0.0.255
    access-list 101 remark ACL to block Guest to anywhere but Internet
    access-list 101 deny ip 172.16.1.0 0.0.0.255 192.168.0.0 0.0.0.255
    access-list 101 deny ip 172.16.1.0 0.0.0.255 192.168.1.0 0.0.0.255
    access-list 101 deny ip 172.16.1.0 0.0.0.255 10.0.0.0 0.0.0.255
    access-list 101 permit ip 172.16.1.0 0.0.0.255 any
    access-list 102 remark ACL to block DMZ to anywhere but Internet
    access-list 102 deny ip 10.0.0.0 0.0.0.255 192.168.0.0 0.0.0.255
    access-list 102 deny ip 10.0.0.0 0.0.0.255 192.168.1.0 0.0.0.255
    access-list 102 deny ip 10.0.0.0 0.0.0.255 172.16.1.0 0.0.0.255
    access-list 102 permit ip 10.0.0.0 0.0.0.255 any
    !
    !
    !
    !
    !
    control-plane
    !
    !
    line con 0
    no modem enable
    line aux 0
    line 2
    no activation-character
    no exec
    transport preferred none
    transport input all
    line vty 0 4
    access-class 99 in
    privilege level 15
    password Jara1pa$$
    login local
    transport input telnet ssh
    !
    scheduler max-task-time 5000
    ntp master
    ntp update-calendar
    end

    Router#

  • #2
    Re: Cant reach DMZ web server from Internet

    That IP NAT entry isn't an ACL - it's a NAT entry.

    I think your NAT entry is wrong though..
    doesn't seem right somehow...

    ip nat inside source static TCP 10.0.0.11 80 (pu.bl.ic.IP) 80
    feels more correct
    I could be wrong though


    • #3
      Re: Cant reach DMZ web server from Internet

      Syntax is correct for the NAT virtual interface. Using NAT VI there is no direction anymore; NVI determines the direction by the source address of the packet. I have seen issues with this though. Do you see a translation in the NAT table when a host tries to connect? I also don't see a default route in your config, unless you didn't include it. Also I don't see any ACLs on your outside interface, so right now it's wide open. You should lock that down. Also, an ACL could tell you if traffic is even hitting the outside interface going towards the server. I recommend you run Zone Based Firewall if your router supports it. You could use this to test though. If you see hits on the top ACE entry then you know traffic from outside is reaching the outside interface. This is for testing only; once you get it working, lock it down or set up CBAC or Zone Based Firewall.

      Check for translations with NAT NVI:

      show ip nat nvi translations


      ip access-list extended OUTSIDE_IN
       permit tcp any host <Fa4-public-IP> eq 80 log
       permit ip any any
      !
      interface FastEthernet4
       ip access-group OUTSIDE_IN in


      ip route 0.0.0.0 0.0.0.0 "next hop ip"

      May want to try reverting back to the old NAT commands as well. I have seen issues using NAT NVI.


      ! on each VLAN interface (Vlan1 to Vlan4):
       ip nat inside
      ! on the WAN interface (FastEthernet4):
       ip nat outside

      ip nat inside source static tcp 10.?.?.? 80 interface FastEthernet4 80
      Last edited by auglan; 30th July 2012, 13:58.
      CCNA, CCNA-Security, CCNP
      CCIE Security (In Progress)



      • #4
        Re: Cant reach DMZ web server from Internet

        Thanks for responding!

        When I check the translations I see:

        Pro Source global         Source local          Destin local   Destin global
        tcp 69.122.139.128:49461  192.168.1.124:49461   10.0.0.11:80   10.0.0.11:80
        tcp 69.122.139.128:49462  192.168.1.124:49462   10.0.0.11:80   10.0.0.11:80
        tcp 69.122.139.128:49463  192.168.1.124:49463   10.0.0.11:80   10.0.0.11:80
        tcp 69.122.139.128:49464  192.168.1.124:49464   10.0.0.11:80   10.0.0.11:80
        tcp 69.122.139.128:49465  192.168.1.124:49465   10.0.0.11:80   10.0.0.11:80
        tcp 69.122.139.128:49466  192.168.1.124:49466   10.0.0.11:80   10.0.0.11:80

        Not sure what this means - does it indicate a host on the inside network (192.168.1.x) was translated to reach the webserver (10.0.0.11)? Seems weird to me - the DMZ and the Inside network are both directly connected to the router, so why would it need to do a NAT translation?

        I will try adding the default route. I assumed (but could be easily wrong) that since this is a stub router and using NAT there would be no need for a default route.

        Is an ACL necessary on a router using NAT to the Internet? I thought that there is no way for an outside host to reach the inside network unless the conversation was initiated from an inside host.

        Your suggested ACL would indicate any hits (but not prevent) if a host tried to reach the webserver. What's the best way to see the log output - "show access-list OUTSIDE_IN"?

        Again, thanks.

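To make sense of a translation table like the one pasted above, here is an added Python helper (not from the thread) that classifies each line of `show ip nat nvi translations` using the four VLAN subnets from the router config, separating inside-to-inside hairpins rewritten to the Fa4 address from genuine hits on the static 10.0.0.11:80 mapping. It assumes an outside-initiated hit appears with 10.0.0.11:80 as the source-local field and the Internet client as the destination; the last two sample lines are constructed on that assumption.

```python
import ipaddress
from collections import Counter

# Constructed sample: the first two lines copy the table pasted in post #4;
# the last two are hypothetical (an outbound web hit and an inbound hit on
# the static mapping) using documentation addresses.
SAMPLE = """\
Pro Source global         Source local          Destin local       Destin global
tcp 69.122.139.128:49461  192.168.1.124:49461   10.0.0.11:80       10.0.0.11:80
tcp 69.122.139.128:49462  192.168.1.124:49462   10.0.0.11:80       10.0.0.11:80
tcp 69.122.139.128:40001  192.168.1.124:40001   198.51.100.10:443  198.51.100.10:443
tcp 69.122.139.128:80     10.0.0.11:80          203.0.113.5:51000  203.0.113.5:51000
"""

# The four VLAN subnets from the router config in the thread.
INSIDE_NETS = [ipaddress.ip_network(n) for n in
               ("192.168.0.0/24", "192.168.1.0/24", "172.16.1.0/24", "10.0.0.0/24")]
DMZ_SERVER = ("10.0.0.11", 80)   # target of the static port-80 mapping

def _split(addr_port):
    """'10.0.0.11:80' -> (IPv4Address('10.0.0.11'), 80)."""
    host, port = addr_port.rsplit(":", 1)
    return ipaddress.ip_address(host), int(port)

def _is_inside(ip):
    return any(ip in net for net in INSIDE_NETS)

def classify(line):
    """Classify one line of 'show ip nat nvi translations'.
    Returns None for the header or any line that does not parse."""
    fields = line.split()
    if len(fields) != 5 or fields[0] not in ("tcp", "udp"):
        return None
    _proto, _src_global, src_local, _dst_local, dst_global = fields
    src_ip, src_port = _split(src_local)
    dst_ip, _dst_port = _split(dst_global)
    if _is_inside(src_ip) and _is_inside(dst_ip):
        # An inside host reaching another directly connected VLAN, yet still
        # rewritten to the Fa4 address: a hairpin, not proof of Internet reachability.
        return "inside-to-inside"
    if (str(src_ip), src_port) == DMZ_SERVER and not _is_inside(dst_ip):
        return "outside-to-dmz"     # an Internet client did reach the static mapping
    return "inside-to-internet"

def summarize(output):
    """Count categories; no 'outside-to-dmz' entries while testing from the
    Internet means inbound packets never made it to the NAT stage."""
    return Counter(c for c in map(classify, output.splitlines()) if c)
```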


        • #5
          Re: Cant reach DMZ web server from Internet

          I would drop the NVI configuration and go back to "domain" based NAT:

          ip nat inside

          ip nat outside


          NVI was really made for routers running "VRFs" (Virtual Routing and Forwarding instances, or basically virtual routing tables in your router).

          Cisco even recommends using the old style NAT when not running multiple VRFs.


          Is an ACL necessary on a router using NAT to the Internet? I thought that there is no way for an outside host to reach the inside network unless the conversation was initiated from an inside host.
          Right now your outside interface is wide open. NAT does offer a layer of protection for your PAT'd hosts, but you still want to filter unwanted traffic to the router itself to avoid DoS attacks, scans and probes. Don't rely on just NAT.

          Also you aren't running any sort of stateful firewall, so the router isn't keeping track of any connections in the state table. If your platform supports it you could run the older CBAC firewall (CBAC still requires a deny any on the outside interface) or the new Zone Based firewall, which doesn't use ACLs on the interfaces but uses zone pairs to allow flows.
          Last edited by auglan; 31st July 2012, 13:52.


          • #6
            Re: Cant reach DMZ web server from Internet

            Well, I finally got this working (and I want to thank folks for the assistance). I went back to not using NAT Virtual Interface, instead using plain old NAT inside and NAT outside statements, but that isn't what actually fixed it.

            It turns out that the base level Internet access I had blocks many ports, including port 80. During the troubleshooting I had even suspected this and changed my webserver port to 8080, but that didn't work either.

            The big clue occurred later when I happened to change the port to 8001. While it initially seemed like the web page was not loading, when I happened to check the screen (more than a minute later) the page was partially loaded!

            What I believe was happening was the ISP was not only outright blocking the common server port numbers, but was also severely throttling lots of (all?) other ports. But they never actually state this practice anywhere.

            Once I called the ISP and upgraded to their next level of service everything started working beautifully, right on port 80.



            • #7
              Re: Cant reach DMZ web server from Internet

              Glad it's working now. Gotta love those ISPs.