I'm in need of a little IOS help on a problem that has me stumped on my home network.

I have a Cisco 887 ADSL modem / router / firewall. I have the modem working fine and can get on the net. I have several servers on the inside of my network which I need to get traffic to from the net: 4 different web servers which will each run on different ports, plus some cameras and home automation gear on some oddball ports. All in all, nothing special.

Now here is the strange part: I can port forward to some of the internal IP addresses but not others.

My internal network is 192.168.0.0/24. My 887 is on 192.168.0.3. I have webservers on 192.168.0.1, 192.168.0.2 and 192.168.0.40 on port 80. Then 192.168.0.41 has two https sites listening on ports 7443 and 8443.

Now, I can set up a NAT port forward absolutely fine that goes from my dynamic internet IP address on to 192.168.0.1 port 80. I can also change the internet listening port to 81, 8080, 7443 and 8443 and these all work fine. This tells me the firewall is fine and there are no issues with the port ACLs. I can also set up a forward to the web admin of the 887 (192.168.0.3) listening on port 80, or 81 etc. and that works fine also. So that's two internal addresses working fine.

However, when I change the rule to point to any one of the other servers, i.e. 192.168.0.40 or 192.168.0.2 or 192.168.0.41, it does not get through to the server. The port appears closed from the internet. As soon as I put it back to 192.168.0.1 or 3, it works again.

I can ping both servers from the CLI on the router. All the webservers are running inside the same virtual host on the same piece of cat5. It's running through a Cisco switch with nothing special in the config. I have tried adding pretty loose NAT ACLs. I have pretty much disabled the firewall.

My full router config is here: http://pastebin.com/SzCNQMN1

The lines of interest are here:

router rip
 version 2
 network 192.168.0.0
 no auto-summary
!
no ip classless
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static tcp 192.168.0.2 80 interface Dialer0 7443
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip access-list extended DNS
 remark CCP_ACL Category=128
 permit ip any any
ip access-list extended DNS1
 remark CCP_ACL Category=128
 permit ip any any
ip access-list extended SDM_GRE
 remark CCP_ACL Category=1
 permit gre any any
ip access-list extended filter_incoming
 remark CCP_ACL Category=17
 permit tcp any any eq 81
 permit tcp any any eq www
 permit udp host 202.27.156.72 eq domain any
 permit udp host 202.27.158.40 eq domain any
 remark Auto generated by CCP for NTP (123) 130.123.2.98
 permit udp host 130.123.2.98 eq ntp any eq ntp
 remark Auto generated by CCP for NTP (123) 192.168.0.1
 permit udp host 192.168.0.1 eq ntp any eq ntp
 remark 7443
 permit tcp any eq 7443 any eq 7443
 permit ip any any
ip access-list extended terminal_access
 remark CCP_ACL Category=17
 permit tcp 120.136.4.96 0.0.0.15 any eq 22
 permit tcp any any eq 22
 deny tcp any any
!
logging esm config
logging trap debugging
access-list 1 remark CCP_ACL Category=18
access-list 1 permit 192.168.0.1
access-list 1 permit 192.168.0.2
access-list 1 permit any
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list CCP_ACL Category=0
access-list 101 permit ip any host 192.168.0.1
access-list 102 remark CCP_ACL Category=0
access-list 102 permit ip any host 192.168.0.2
no cdp run

Any suggestions on what to try next? It's had me going round and round in circles for several weeks now, and I'm sure when I figure out what it is, I'll be able to get all the other bits working.

Thanks in advance.
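As an added illustration (not code from the post or from Cisco), here is a small Python checker that reads the static NAT line and the `filter_incoming` ACL from the post and evaluates the ACL top-down the way IOS does, so you can confirm whether a given inbound connection is admitted and by which entry. It only understands the entry forms that appear in the post (`any`, `host A`, `A WILDCARD`, optional `eq PORT`); the config fragment is trimmed and the client and WAN addresses in the test are constructed documentation addresses. Note that `permit tcp any eq 7443 any eq 7443` only matches when the client's source port is also 7443, so for a normal browser connection it is the trailing `permit ip any any` that admits the traffic.

```python
import ipaddress
import re
# Constructed fragment: the static NAT line and the inbound ACL from the post, trimmed.
CONFIG = """\
ip nat inside source static tcp 192.168.0.2 80 interface Dialer0 7443
ip access-list extended filter_incoming
 permit tcp any any eq 81
 permit tcp any any eq www
 remark 7443
 permit tcp any eq 7443 any eq 7443
 permit ip any any
"""
NAMED_PORTS = {"www": "80", "domain": "53", "ntp": "123"}  # keyword ports used in the post

def static_nat_map(config):
    """Map outside TCP port -> (inside host, inside port) from the static NAT lines."""
    pat = re.compile(r"ip nat inside source static tcp (\S+) (\d+) interface \S+ (\d+)")
    return {int(m[3]): (m[1], int(m[2])) for m in pat.finditer(config)}

def _addr(toks, i):  # 'any' | 'host A' | 'A WILDCARD' (contiguous wildcard assumed)
    if toks[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if toks[i] == "host":
        return ipaddress.ip_network(toks[i + 1]), i + 2
    bits = 32 - int(ipaddress.ip_address(toks[i + 1])).bit_length()
    return ipaddress.ip_network((toks[i], bits), strict=False), i + 2

def _port(toks, i):  # optional 'eq PORT' qualifier; None means any port
    if i < len(toks) and toks[i] == "eq":
        return int(NAMED_PORTS.get(toks[i + 1], toks[i + 1])), i + 2
    return None, i

def parse_acl(config, name):
    """Return the ACEs of one named extended ACL as (action, proto, src, sport, dst, dport)."""
    aces, inside = [], False
    for line in config.splitlines():
        if line.startswith("ip access-list extended "):
            inside = line.split()[-1] == name      # remarks and other ACLs are skipped
        elif inside and line.strip().startswith(("permit", "deny")):
            toks = line.split()
            src, i = _addr(toks, 2)
            sport, i = _port(toks, i)
            dst, i = _addr(toks, i)
            dport, _ = _port(toks, i)
            aces.append((toks[0], toks[1], src, sport, dst, dport))
    return aces

def first_match(aces, proto, src_ip, sport, dst_ip, dport):
    """Evaluate top-down as IOS does; return (index, action), or None for the implicit deny."""
    for idx, (action, p, src, sp, dst, dp) in enumerate(aces):
        if p in ("ip", proto) and sp in (None, sport) and dp in (None, dport) \
                and ipaddress.ip_address(src_ip) in src and ipaddress.ip_address(dst_ip) in dst:
            return idx, action
    return None
```

With the trailing `permit ip any any` removed from the sample, the same client connection falls through to the implicit deny, which is the kind of check worth running before ruling the ACL out.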