#1
    Cisco DMZ Configuration.

    Good Day,

    I am having issues with a Cisco 2811 router at a school, and specifically using it to publish services externally. I have configured the router as shown below (I know I am NATing a whole address to a specific server currently; that is just because I am trying to find the problem, and ultimately it will be only the required ports). The 4 public IP addresses (on Fa0/0) are routed in from another Cisco router that I have no access to, managed by our WAN provider; they have forwarded those four addresses to 10.191.191.2, where the upstream router is 10.191.191.1, hence the four secondary addresses.

    At this point I am just trying to get a pass-through on 80 and on 443 for the web-based services; anything else can come later. I know the upstream routing is working, as when I put a PC behind it with a webserver (test machine) I can hit the address and resolve it both internally and externally, so it is clearly something I am missing in the config below.

    no service pad
    service timestamps debug datetime msec localtime
    service timestamps log datetime msec localtime
    service password-encryption
    !
    hostname DMZRT01
    !
    boot-start-marker
    boot-end-marker
    !
    !
    no aaa new-model
    !
    resource policy
    !
    clock timezone AEST 10
    clock summer-time AEDT recurring 1 Sun Oct 2:00 1 Sun Apr 3:00
    errdisable recovery interval 30
    !
    !
    ip cef
    !
    !
    no ip domain lookup
    ip domain name domain.site.wan
    ip name-server 10.x.y.35
    !
    !
    voice-card 0
     no dspfarm
    !
    interface FastEthernet0/0
     ip address 203.a.b.142 255.255.255.0 secondary
     ip address 203.a.b.140 255.255.255.0 secondary
     ip address 203.a.b.143 255.255.255.0 secondary
     ip address 203.a.b.141 255.255.255.0 secondary
     ip address 10.191.191.2 255.255.255.0
     ip access-group Services-Inbound in
     ip nat outside
     ip virtual-reassembly
     duplex auto
     speed auto
    !
    interface FastEthernet0/1
     ip address 10.x.y.80 255.255.252.0
     ip nat inside
     ip virtual-reassembly
     duplex auto
     speed auto
    !
    interface FastEthernet0/0/0
    !
    interface FastEthernet0/0/1
    !
    interface FastEthernet0/0/2
    !
    interface FastEthernet0/0/3
    !
    interface Vlan1
     no ip address
    !
    ip route 0.0.0.0 0.0.0.0 10.191.191.1
    !
    !
    no ip http server
    no ip http secure-server
    ip nat inside source static 10.x.y.47 203.a.b.141
    !
    ip access-list standard SNMP_LMS_ACCESS
    !
    ip access-list extended Services-Inbound
     permit tcp any host 10.x.y.47 eq www
     permit tcp any host 10.x.y.47 eq 443
     permit tcp any host 10.x.y.48 eq www
     permit tcp any host 10.x.y.48 eq 443
     permit tcp any host 10.x.y.50 eq 443
    !
    snmp-server community 3432Read RO SNMP_LMS_ACCESS
    snmp-server community edu5T3R#0611 RO SNMP_LMS_ACCESS
    snmp-server community 3432Master RW SNMP_LMS_ACCESS
    snmp-server community edu5TaR#2906 RW SNMP_LMS_ACCESS
    !
    !
    !
    !
    control-plane
    !
    !
    !
    !
    !
    !
    !
    !
    !
    banner motd ^C
    *****************************************************************
    Authorised Users Only
    The information on this computer and network is the property of
    XYZ Corp and is protected by intellectual property
    rights. You must be assigned an account on this computer to
    access information and are only allowed to access information as
    defined by the System Administrator(s). Your activities are
    monitored for security reasons.
    *****************************************************************
    ^C
    !
    line con 0
     login local
    line aux 0
    line vty 0 4
     exec-timeout 15 0
     login local
     length 0
     transport input ssh
    line vty 5 15
     exec-timeout 15 0
     login local
     length 0
     transport input ssh
    !
    scheduler allocate 20000 1000
    ntp server 10.x.y.35
    !
    end

    I know this is going to be something small and stupid that I have overlooked, but any help would be appreciated.

    Regards

    Justin

#2
    Forgive me if I'm wrong, as I'm still studying the CCENT at the moment. It looks like you only have an outgoing route specified? Does your routing table show the incoming routes as you'd expect? Another thing is there is no outside-to-inside NAT specified, only an inside NAT. Not sure if it's correct, but maybe somewhere to look.
    Last edited by glen_j; 1st July 2014 at 10:53 AM.

  3. Thanks to glen_j from:

    ShadowPeo (2nd July 2014)

#3
    Routes were fine; it was the ACL. I had specified the wrong IP address, so it was blocking all incoming traffic. Thanks for the advice though. I knew it was going to be something totally minor and stupid that I could not see for looking.
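Post 3 says the ACL named the wrong address. On IOS, an access list applied inbound on the `ip nat outside` interface is evaluated before the outside-to-inside translation, so it sees the public (inside global) destination, never the inside local one; the posted list permits traffic to 10.x.y.47, and no packet arriving on Fa0/0 carries that as its destination. The fragment below is an added example, not the poster's final configuration: it shows the posted entries beside corrected ones, narrows the static NAT to the two ports post 1 says are needed, and closes the empty SNMP access list. The thread only gives the 10.x.y.47 to 203.a.b.141 mapping; the 10.x.y.48/.50 to 203.a.b.142/.143 mappings and the 10.x.y.35 management host are assumptions made for illustration, and the `x`, `a`, `b` placeholders are the poster's own redaction.

```cisco
! Added example, not the thread's final configuration.
! Mappings other than 10.x.y.47 -> 203.a.b.141 are assumed for illustration.
!
! Static NAT narrowed to the two published ports. "extendable" lets several
! port entries share one inside-global address.
no ip nat inside source static 10.x.y.47 203.a.b.141
ip nat inside source static tcp 10.x.y.47 80  203.a.b.141 80  extendable
ip nat inside source static tcp 10.x.y.47 443 203.a.b.141 443 extendable
!
! As posted: applied "in" on Fa0/0 (ip nat outside), so it is checked
! before translation and the inside-local address never matches:
!   permit tcp any host 10.x.y.47 eq www
!   permit tcp any host 10.x.y.47 eq 443
!
! Corrected: match the inside-global (public) addresses. The list also
! drops replies to sessions the inside initiates unless they are permitted;
! "established" admits TCP segments with ACK/RST set (stateless, TCP only).
! Logging the final deny makes blocked probes visible in the log.
ip access-list extended Services-Inbound
 permit tcp any host 203.a.b.141 eq www
 permit tcp any host 203.a.b.141 eq 443
 permit tcp any host 203.a.b.142 eq www
 permit tcp any host 203.a.b.142 eq 443
 permit tcp any host 203.a.b.143 eq 443
 permit tcp any any established
 deny   ip any any log
!
! The posted SNMP_LMS_ACCESS list has no entries, and IOS treats an empty
! ACL as permit any, so the RW communities were reachable from any source
! that can get udp/161 to the router. Restrict to the management host
! (assumed 10.x.y.35) and rotate the strings, which are now public.
ip access-list standard SNMP_LMS_ACCESS
 permit host 10.x.y.35
```

Apply the ACL edits in place rather than deleting and recreating the list: an interface whose referenced ACL momentarily does not exist passes all traffic. The `established` line is a stateless shortcut; where the router must also carry inside-originated sessions, IOS zone-based firewall (or `ip inspect`) gives a proper stateful return path and should replace it.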
