I'm hoping someone can point me in the right direction.
This concerns a [working] Cisco 871W router.
My goal is to make a web server accessible from the internet, and configure an external Dynamic DNS (DynDNS.com) account.
This router has a built-in web-like management interface. So, if I issue "no ip http server" and/or "no ip http secure-server" (at CLI) then all 80/443 traffic is blocked (obviously) -- or could this have something to do with "ip http authentication local"? (I don't use any authentication server.) Otherwise, attempting to reach the Tomcat server using the WAN IP address gets me the login box for the management interface... or nothing at all (timeout).
Before you ask: yes, NAT readily maps port 80 (or 443, I can't map both) to the internal 10.x.x.x port 8443 address on the LAN side.
So how do I disable the management interface or let HTTP traffic pass through it, and what's the syntax to configure a Dynamic DNS server account? I couldn't find a clear example in the IOS docs.
Here is a list of the ACLs (should that be the problem):
PS: Public IPs edited for security reasons -- WAN IP ends with 228.15; DNS' end with 231.246 and 231.247.
access-list 1 remark INSIDE_IF=BVI1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.10.10.0 0.0.0.255
access-list 100 remark auto generated by Cisco SDM Express firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny ip .228.0 0.0.3.255 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by Cisco SDM Express firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit udp host .231.247 eq domain host .228.15
access-list 101 permit udp host .231.246 eq domain host .228.15
access-list 101 deny ip 10.10.10.0 0.0.0.255 any
access-list 101 permit icmp any host .228.15 echo-reply
access-list 101 permit icmp any host .228.15 time-exceeded
access-list 101 permit icmp any host .228.15 unreachable
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any
I think what might be missing is ...
access-list 101 permit tcp any eq 80 host .228.15
access-list 101 permit tcp any eq 443 host .228.15
... just before the first 'deny' line in ACL 101.
Any help would be greatly appreciated! Thanks!
PS: Email is a decoy -- please reply within thread.
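
Added example, not part of the original post: a minimal first-match evaluator for the subset of extended ACL syntax used above, showing that in "permit tcp SOURCE [eq port] DESTINATION [eq port]" a port written after the source constrains the source port only. It assumes ACL 101 is applied inbound on the WAN interface; 203.0.113.15 and the 198.51.100.x addresses are constructed stand-ins for the redacted IPs, and the ACL is abridged.

```python
import ipaddress

WAN = "203.0.113.15"     # constructed stand-in for the redacted WAN IP (.228.15)
PORTS = {"domain": 53}   # named ports used in the ACL above

def _addr(tok, i):
    """Parse 'any' | 'host A' | 'A WILDCARD' starting at tok[i]."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    # ipaddress reads a mask with a leading zero octet as a wildcard (host) mask
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}"), i + 2

def _port(tok, i):
    """Parse an optional 'eq PORT' starting at tok[i]."""
    if i < len(tok) and tok[i] == "eq":
        return int(PORTS.get(tok[i + 1], tok[i + 1])), i + 2
    return None, i

def parse(line):
    tok = line.split()[2:]            # drop 'access-list 101'
    src, i = _addr(tok, 2)
    sport, i = _port(tok, i)          # a port here constrains the SOURCE port
    dst, i = _addr(tok, i)
    dport, i = _port(tok, i)          # a port here constrains the DESTINATION port
    return tok[0], tok[1], src, sport, dst, dport

def first_match(acl, proto, src, sport, dst, dport):
    """Return the action of the first entry that matches, as the router would."""
    for line in acl:
        action, p, s, sp, d, dp = parse(line)
        if (p in ("ip", proto) and ipaddress.ip_address(src) in s
                and ipaddress.ip_address(dst) in d
                and sp in (None, sport) and dp in (None, dport)):
            return action
    return "deny"                     # implicit deny at the end of every ACL

ACL_101 = [                           # abridged, addresses constructed
    f"access-list 101 permit udp host 198.51.100.247 eq domain host {WAN}",
    "access-list 101 deny ip 10.10.10.0 0.0.0.255 any",
    "access-list 101 deny ip 10.0.0.0 0.255.255.255 any",
    "access-list 101 deny ip any any",
]
AS_POSTED = f"access-list 101 permit tcp any eq 80 host {WAN}"
PORT_ON_DST = f"access-list 101 permit tcp any host {WAN} eq 80"

def verdict(extra, sport, dport):
    """Insert `extra` before the first deny; test a TCP packet to the WAN IP."""
    acl = ACL_101[:1] + [extra] + ACL_101[1:]
    return first_match(acl, "tcp", "198.51.100.7", sport, WAN, dport)
```

A browser connects from an ephemeral source port to destination port 80, so verdict(AS_POSTED, 51515, 80) returns "deny" while verdict(PORT_ON_DST, 51515, 80) returns "permit"; the entry as posted matches only packets whose source port is 80.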