
Thread: Cisco router 2611 Help with Webserver

  1. #1
    Join Date
    Apr 2009
    Posts
    2

    Cisco router 2611 Help with Webserver

    This is my first post, so please understand when reading this that I have no formal Cisco training and everything I know is from what I have read online.

    So here's the situation:
    I am unable to navigate to any of the websites I am hosting on my servers, externally or internally. I am trying to get the winbox to work with the websites first before I go and add the ones going to the nix box. When I run a ping from inside the network the domain names return the proper internal address. When I try to ping the site externally I get a "could not find host" message. Any help would be greatly appreciated!

    Equipment:
    • Cisco 2611 router
    • Windows Server 2003: DNS/DHCP/IIS
    • Ubuntu Server: Apache

    Anticipated end result:
    I intend to run websites from win box and the linux box. My friend has all of his php stuff running on the Nix box and I have the ASP pages running on the win box. Each server will host multiple sites.

    Current setup:
    Currently the DNS server is set up with all of the A records set to the appropriate internal IP.

    Server 1 WinBox has a static IP of 192.168.1.10
    Server 2 NixBox has a static IP of 192.168.1.11

    On the IIS server the Host Header value has been set to the domain name for each site.

    Cisco Router 2611 running-config:
    **I have edited the IP address to protect the integrity of the servers**

    Current configuration : 1178 bytes
    !
    version 12.2
    service timestamps debug uptime
    service timestamps log uptime
    ******************************
    !
    hostname Router
    !
    !
    no ip subnet-zero
    !
    !
    ip domain-list MyDomain1.com
    ip domain-list MyDomain2.info
    ip domain-list MyDomain2.net
    ip domain-name MyDomain1.com
    ip host ServerName.MyDomain1.com 192.168.1.10
    ip name-server 192.168.1.10
    !
    ip audit notify log
    ip audit po max-events 100
    !
    !
    !
    interface Ethernet0/0
    ip address 192.168.1.1 255.255.255.0
    ip nat inside
    full-duplex
    !
    interface Ethernet0/1
    ip address (external IP) 255.255.255.0
    ip nat outside
    full-duplex
    !
    ip default-gateway (outside Gateway IP)
    ip nat inside source list 1 interface Ethernet0/1 overload
    ip nat inside source list 101 interface Ethernet0/1 overload
    ip nat inside source static tcp 192.168.1.11 22 (external IP) 22 extendable
    ip nat outside source list 101 interface Ethernet0/0
    ip classless
    ip route 0.0.0.0 0.0.0.0 Ethernet0/1
    no ip http server
    !
    access-list 1 permit 192.168.1.0 0.0.0.255
    access-list 101 permit tcp any any
    access-list 101 permit udp any any
    access-list 101 permit icmp any any
    !
    line con 0
    line aux 0
    line vty 0 4
    login
    !
    end
    Last edited by Amol; 23-04-2009 at 08:06 AM. Reason: External link removed

  2. #2
    Join Date
    May 2008
    Posts
    2,945

    Re: Cisco router 2611 Help with Webserver

    Sometimes we have internal resources that need to be Internet-accessible such as Web servers, mail servers, or VPN servers. Generally, I recommend isolating those resources in a DMZ to protect your office LAN from the bad guys, but regardless of how you choose to design it, the process involves forwarding desired packets from the router's outside interface to an internal host. It's really a fairly simple process. Here's the configuration on a Cisco 2611 router:

    interface Ethernet0/1
    ip address 12.1.2.3 255.255.255.0
    ip nat outside
    !
    interface Ethernet0/0
    ip address 192.168.101.1 255.255.255.0
    ip nat inside
    !
    ip nat inside source list 101 interface Ethernet0/1 overload
    ip nat inside source static tcp 192.168.101.2 1723 interface Ethernet0/1 1723
    !
    access-list 101 permit ip any any

    In the above configuration, Ethernet 0/1 is connected to the public Internet with a static address of 12.1.2.3 and Ethernet 0/0 is connected to the inside network with a static address of 192.168.101.1. NAT outside is configured on E0/1 and NAT inside is configured on E0/0. Access-list 101 works in conjunction with the "ip nat inside source list 101 interface Ethernet0/1 overload" statement to permit all inside hosts to use E0/1 to connect to the Internet sharing whatever IP address is assigned to interface Ethernet E0/1.

    The "overload" statement implements PAT (Port Address Translation), which makes that possible. (PAT allows multiple internal hosts to share a single address on an external interface by appending different port numbers to each connection.)

    The statement "ip nat inside source static tcp 192.168.101.2 1723 interface Ethernet0/1 1723" takes incoming port 1723 (PPTP) requests on Ethernet0/1 and forwards them to the VPN server located at 192.168.101.2.

    You could do something similar with a Web server by changing port 1723 to port 80 or port 443. Here's what that would look like:

    interface Ethernet0/1
    ip address 12.1.2.3 255.255.255.0
    ip nat outside
    !
    interface Ethernet0/0
    ip address 192.168.101.1 255.255.255.0
    ip nat inside
    !
    ip nat inside source list 101 interface Ethernet0/1 overload
    ip nat inside source static tcp 192.168.101.2 80 interface Ethernet0/1 80
    !
    access-list 101 permit ip any any

    In this example, the web server is located at 192.168.101.2 and instead of forwarding PPTP (port 1723) traffic, we're forwarding HTTP (port 80) traffic.

    Obviously, you can configure your Cisco router in a similar manner to forward nearly any type of traffic from an outside interface to an internal host.
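
An added example, not part of any post in this thread: a small Python check that lists the static port-forwards in a running-config and compares them with the services that are meant to be reachable from outside. It is run here against the NAT lines of the configuration in post #1, which contains one static translation (tcp/22 to 192.168.1.11) and none for tcp/80. The function names, the `intended` mapping and the outside address 203.0.113.10 (a documentation placeholder for the redacted IP) are assumptions.

```python
import re

# Constructed sample: NAT-related lines of the running-config from post #1,
# with the redacted outside address replaced by the placeholder 203.0.113.10.
RUNNING_CONFIG = """\
interface Ethernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
interface Ethernet0/1
 ip address 203.0.113.10 255.255.255.0
 ip nat outside
ip nat inside source list 1 interface Ethernet0/1 overload
ip nat inside source static tcp 192.168.1.11 22 203.0.113.10 22 extendable
access-list 1 permit 192.168.1.0 0.0.0.255
"""

# Matches both forms used in this thread: a literal outside address
# (post #1) and "interface <name>" (posts #2 and #3).
STATIC_NAT = re.compile(
    r"^\s*ip nat inside source static (tcp|udp) (\S+) (\d+) "
    r"(?:interface (\S+)|(\S+)) (\d+)", re.M)

def published_services(config):
    """Return {(proto, outside_port): (inside_ip, inside_port)}."""
    found = {}
    for proto, in_ip, in_port, _ifc, _addr, out_port in STATIC_NAT.findall(config):
        found[(proto, int(out_port))] = (in_ip, int(in_port))
    return found

def audit(config, intended):
    """Compare intended {(proto, port): inside_ip} with what is forwarded."""
    actual = published_services(config)
    findings = []
    for key, want_ip in sorted(intended.items()):
        got = actual.get(key)
        if got is None:
            findings.append(("missing", key, want_ip))      # not reachable from outside
        elif got[0] != want_ip:
            findings.append(("wrong-host", key, got[0]))    # forwarded to another host
    for key, (ip, _port) in sorted(actual.items()):
        if key not in intended:
            findings.append(("unexpected", key, ip))        # exposed but not intended
    return findings

if __name__ == "__main__":
    # Assumption: only the IIS box's HTTP service is meant to be public.
    for finding in audit(RUNNING_CONFIG, {("tcp", 80): "192.168.1.10"}):
        print(finding)
```

The "unexpected" finding is the one to review from an exposure point of view: it is a service reachable from the Internet that nobody listed as intended.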

  3. #3
    Join Date
    Feb 2008
    Posts
    2,635

    Re: Cisco router 2611 Help with Webserver

    You can just try out a few pointers.

    Your access list is inbound on the outside interface, so it will not block any outbound traffic from your network.

    >access-list 100 remark ******* Implicit DENY ALL *******
    >access-list 100 deny icmp any any
    >access-list 100 deny ip any any
    >access-list 100 remark ******* end of access list *******
    There is an implicit deny any any at the end of every access list, so these lines serve absolutely no purpose unless you log what is denied. Use the "log" keyword:

    access-list 100 deny ip any any log

    This will help with troubleshooting the ACL and to log any unauthorised attempts to access your network.

    I would recreate the access list and have the line "permit tcp any any established" right at the top of the list.

    If you want to host your own FTP server, you need to configure the router to forward inbound FTP traffic that hits your outside interface to a private address (of your FTP server) in your 192.168.137.0 range.
    ip nat inside source static tcp 192.168.137.xx 21 interface ethernet 0/0 21
    ip nat inside source static tcp 192.168.137.xx 20 interface ethernet 0/0 20

    For SMTP mail server and web server
    ip nat inside source static tcp 192.168.137.xx 25 interface ethernet 0/0 25
    ip nat inside source static tcp 192.168.137.xx 80 interface ethernet 0/0 80

    Hope this helps.

  4. #4
    Join Date
    Jan 2006
    Posts
    4,221

    Re: Cisco router 2611 Help with Webserver

    To resolve this problem, add the ScreenBadTlds registry entry and restart DNS client service. Adding this registry entry prevents the DNS client service from performing the test to determine whether the top level domain is supported.

    To add this registry entry and restart DNS client service, follow these steps.

    1. Click Start, and then click Run, type regedit in Open box, and then press ENTER.

    2. Locate and then click the following registry subkey:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters

    3. On the Edit menu, point to New, and then click DWORD Value.

    4. Type ScreenBadTlds, and then press ENTER.

    5. Right-click ScreenBadTlds, and then click Modify.

    6. In the Value data box, type 0, and then click OK.

    7. Exit Registry Editor.

    8. Stop and then start the DNS client service. To do so:

    a. Click Start, and then click Run.

    b. In the Open box, type cmd, and then click OK.

    c. At the command prompt, type the following lines. Press ENTER after each line.

    net stop DNScache
    net start DNScache

    d. Type exit to quit Command Prompt.

  5. #5
    Join Date
    Mar 2008
    Posts
    151

    Re: Cisco router 2611 Help with Webserver

    Hello nzemke,

    Have you at any time taken your site online? If yes, have you checked the bandwidth port provided to you? Is it able to manage the traffic?

    Have you talked about this problem with your web hoster?

    And the message "could not find host" which you have received may have some different issues. Please ask your hoster first and let me know; till then I will find some more solutions for you.

    Regards

  6. #6
    Join Date
    Apr 2009
    Posts
    2

    Re: Cisco router 2611 Help with Webserver

    Quote Originally Posted by Sanith View Post
    Hello nzemke,

    Have you at any time taken your site online? If yes, have you checked the bandwidth port provided to you? Is it able to manage the traffic?

    Have you talked about this problem with your web hoster?

    And the message "could not find host" which you have received may have some different issues. Please ask your hoster first and let me know; till then I will find some more solutions for you.

    Regards
    We are on Fiber here and have not had any problems with the network connection and hosting multiple sites off of the nix box. Up until a week ago I had a cheap wireless router in the 2611's place and just forwarded port 80 to the Nix box.
