Hi all,
I'm hoping someone can point me in the right direction.
This concerns a [working] Cisco 871W router.
My goal is to make a web server accessible from internet, and
configure an external Dynamic DNS (DynDNS.com) account.
Two problems:
This router has a built-in web-like management interface. So, if I
issue "no ip http server" and/or "no ip http secure-server" (at CLI)
then all 80/443 traffic is blocked (obviously) -- or could this have
something to do with "ip http authentication local" ? (don't use any
authentication server) Otherwise, attempting to reach the TomCat
server using the WAN IP address gets me the login box for the
management interface... or nothing all (timeout).
Before you ask: yes, NAT readily maps port 80 (or 443, I can't map
both) to the internal 10.x.x.x port 8443 address on the LAN side.
So how do I disable or let HTTP traffic pass-through the management
interface, and what's the syntax to configure a Dynamic DNS server
account? I couldn't find a clear example in the IOS docs.
Here is a list of the ACLs (should that be the problem) :
PS: Public IPs edited for security reasons -- WAN IP ends with 228.15;
DNS' end with 231.246 and 231.247.
access-list 1 remark INSIDE_IF=BVI1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.10.10.0 0.0.0.255
access-list 100 remark auto generated by Cisco SDM Express firewall
configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny ip <network.prefix>.228.0 0.0.3.255 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by Cisco SDM Express firewall
configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit udp host <network.prefix>.231.247 eq domain
host <network.prefix>.228.15
access-list 101 permit udp host <network.prefix>.231.246 eq domain
host <network.prefix>.228.15
access-list 101 deny ip 10.10.10.0 0.0.0.255 any
access-list 101 permit icmp any host <network.prefix>.228.15 echo-
reply
access-list 101 permit icmp any host <network.prefix>.228.15 time-
exceeded
access-list 101 permit icmp any host <network.prefix>.228.15
unreachable
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any
I think what might be missing is ...
access-list 101 permit tcp any eq 80 host <network.prefix>.228.15
access-list 101 permit tcp any eq 443 host <network.prefix>.228.15
.... just before the first 'deny' line in ACL 101.
Any help would ge greatly appreciated!
Thanks!
M.T.
PS: Email is a decoy -- please reply within thread.
|
Similar Threads
Linear Mode
