Dear fellow tweakers,
I have the following problem, for which I have been looking for a solution for some time now.
I have a cPanel server running with a number of websites on it. It has been running for quite a few years.
Recently I have been running into problems with the curl command. It has to return a response for a number of websites.
All I get back is the answer "permission denied".
I had opened a ticket with cPanel about this:
Hello,
Thank you for contacting cPanel Technical Support. My name is Alex.
I see you're experiencing issues curl'ing a website hosted on your own server. In this case, this is evidence of a NAT misconfiguration:
Loopback NAT on this IP address appears to be defective
The website appears to be loading fine from my workstation, though:
I am confident the knowledge shared in the above article will guide you towards solving the issue you have outlined in this request. Would you please review the article and let me know if you have any outstanding questions or concerns?
It’s been a pleasure working with you on this issue, and I hope you are satisfied with the experience!
Thank you,
Alex Jankowiak
Right, OK. So I went looking for a way to solve this on the network side.
There is a Cisco 3845 ISR router in place (because of the many interfaces in use and the price of a new device, it has to do for a while longer; a Fortigate firewall is coming at the end of this year).
Below is the current configuration:
code:
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname Cisco3845
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 10 log
security passwords min-length 6
logging buffered 4096 debugging
logging console critical
!
aaa new-model
!
aaa authentication login default local
aaa authentication login local_auth local
aaa authentication ppp default local
aaa authentication ppp VPDN_AUTH local
aaa authorization exec default local
!
aaa session-id common
no network-clock-participate slot 1
no network-clock-participate slot 2
no ip source-route
no ip gratuitous-arps
ip cef
!
ip dhcp excluded-address 10.10.10.1
!
no ip bootp server
ip domain name
ip name-server 8.8.8.8
ip name-server 8.8.4.4
ip inspect audit-trail
ip inspect max-incomplete high 1100
ip inspect max-incomplete low 700
ip inspect one-minute low 500
ip inspect one-minute high 1100
ip inspect udp idle-time 200
ip inspect dns-timeout 7
ip inspect tcp idle-time 14400
ip inspect tcp synwait-time 20
ip inspect tcp max-incomplete host 200 block-time 30
ip inspect name firewall icmp
ip inspect name firewall tcp
ip inspect name firewall udp
ip inspect name autosec_inspect cuseeme timeout 3600
ip inspect name autosec_inspect rcmd timeout 3600
ip inspect name autosec_inspect realaudio timeout 3600
ip inspect name autosec_inspect tftp timeout 30
ip inspect name autosec_inspect udp timeout 15
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
login block-for 10 attempts 3 within 10
vpdn enable
vpdn source-ip 195.130.x.x
!
vpdn-group 1
! Default L2TP VPDN group
 accept-dialin
  protocol l2tp
  virtual-template 1
 no l2tp tunnel authentication
!
appfw policy-name http-inspect
 application http
  content-type-verification match-req-rsp action allow alarm
  max-header-length request 1 response 1 action allow alarm
  max-uri-length 60 action reset alarm
  port-misuse default action reset alarm
  request-method rfc get action allow alarm
  audit-trail on
!
voice-card 0
 no dspfarm
!
crypto pki trustpoint TP-self-signed-4270858707
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-4270858707
 revocation-check none
 rsakeypair TP-self-signed-4270858707
!
archive
 log config
  logging enable
!
ip ssh time-out 60
ip ssh authentication-retries 2
!
class-map match-any SDM-Transactional-1
 match dscp af21
 match dscp af22
 match dscp af23
class-map match-any SDM-Signaling-1
 match dscp cs3
 match dscp af31
class-map match-any Voice-Traffic
 match ip dscp ef
class-map match-any SDM-Routing-1
 match dscp cs6
class-map match-any SDM-Voice-1
 match dscp ef
class-map match-any Voice-Signal
 match ip dscp cs3
 match ip dscp af31
class-map match-any Video
 match ip dscp af41
class-map match-any SDM-Management-1
 match dscp cs2
!
policy-map Voip
 class Voice-Traffic
  priority 20
 class Voice-Signal
  bandwidth percent 40
 class Video
 class class-default
  shape average 100000000
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 5
 encr aes
 authentication pre-share
 group 2
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key address no-xauth
crypto isakmp key address 0.0.0.0 0.0.0.0 no-xauth
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 10 periodic
crypto isakmp nat keepalive 3600
!
crypto ipsec transform-set ESP-AES128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set l2tppjk esp-3des esp-sha-hmac
 mode transport
!
crypto ipsec profile VPN_S
 set transform-set ESP-AES128-SHA
!
crypto dynamic-map l2tppjk-map 10
 set nat demux
 set transform-set l2tppjk
!
crypto map cisco 10 ipsec-isakmp dynamic l2tppjk-map
!
interface Tunnel0
 description "VPN S"
 ip unnumbered GigabitEthernet0/0
 tunnel source 195.130.x.x
 tunnel destination x
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VPN_S
!
interface GigabitEthernet0/0
 description De buitenwereld WAN
 ip address 195.130.x.x 255.255.255.248
 ip access-group 120 in
 ip verify unicast source reachable-via rx allow-default 102
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip inspect autosec_inspect out
 ip virtual-reassembly
 no ip mroute-cache
 duplex auto
 speed auto
 media-type rj45
 no cdp enable
 no mop enabled
 crypto map cisco
!
interface GigabitEthernet0/1
 description "Lokaal LAN"
 ip address 10.10.10.1 255.255.255.0
 ip access-group 100 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip inspect firewall in
 ip virtual-reassembly
 ip route-cache same-interface
 ip route-cache flow
 ip tcp adjust-mss 1452
 duplex auto
 speed auto
 media-type rj45
 no mop enabled
!
interface FastEthernet0/0/0
!
interface FastEthernet0/0/1
!
interface FastEthernet0/0/2
!
interface FastEthernet0/0/3
!
interface GigabitEthernet0/1/0
 description "reserve"
 no ip address
 ip access-group 120 in
 ip verify unicast source reachable-via rx allow-default 102
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip inspect autosec_inspect out
 ip virtual-reassembly
 no ip mroute-cache
 shutdown
 negotiation auto
 no cdp enable
 no mop enabled
 crypto map cisco
!
interface FastEthernet1/0
 description "Guest network LAN interface"
 ip address 10.10.20.1 255.255.255.0
 ip access-group 110 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip inspect firewall in
 ip virtual-reassembly
 ip route-cache same-interface
 ip route-cache flow
 ip tcp adjust-mss 1452
 duplex auto
 speed auto
 no mop enabled
!
interface FastEthernet1/1
 description "Voice VLAN interface"
 ip address 10.10.30.1 255.255.255.0
 ip access-group 115 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip inspect firewall in
 ip virtual-reassembly
 ip route-cache same-interface
 ip route-cache flow
 ip tcp adjust-mss 1452
 duplex auto
 speed auto
 no mop enabled
 service-policy output Voip
!
interface FastEthernet2/0
 description "Customer LAN "
 ip address 10.10.40.1 255.255.255.0
 ip access-group 117 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip inspect firewall in
 ip virtual-reassembly
 ip route-cache same-interface
 ip route-cache flow
 ip tcp adjust-mss 1452
 duplex auto
 speed auto
 no mop enabled
!
interface FastEthernet2/1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 shutdown
 duplex auto
 speed auto
 no mop enabled
!
interface Virtual-Template1
 description "VPN Verbinding met Iphones"
 ip unnumbered GigabitEthernet0/0
 ip access-group 130 in
 ip nat inside
 ip virtual-reassembly
 load-interval 30
 peer default ip address pool PPTP-Pool
 no keepalive
 ppp encrypt mppe 128
 ppp authentication chap ms-chap ms-chap-v2 VPDN_AUTH
 ppp ipcp dns 10.10.10.80 10.10.10.81
!
interface Vlan1
 no ip address
!
ip local pool PPTP-Pool 10.10.50.30 10.10.50.40
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 195.130.x.x
ip route 10.10.100.0 255.255.255.0 Tunnel0
ip route 192.168.2.0 255.255.255.0 Tunnel0
ip route 192.168.3.0 255.255.255.0 Tunnel0
ip route 192.168.4.0 255.255.255.0 Tunnel0
ip route 192.168.6.0 255.255.255.0 Tunnel0
ip route 192.168.7.0 255.255.255.0 Tunnel0
ip route 192.168.8.0 255.255.255.0 Tunnel0
ip route 192.168.9.0 255.255.255.0 Tunnel0
ip route 192.168.11.0 255.255.255.0 Tunnel0
ip route 192.168.12.0 255.255.255.0 Tunnel0
ip route 192.168.13.0 255.255.255.0 Tunnel0
ip route 192.168.14.0 255.255.255.0 Tunnel0
ip route 192.168.15.0 255.255.255.0 Tunnel0
ip route 192.168.254.0 255.255.255.0 Tunnel0
ip route 193.100.100.0 255.255.255.0 Tunnel0
!
no ip http server
no ip http secure-server
ip nat pool NAT-POOL 10.10.10.0 10.10.10.255 netmask 255.255.255.0
ip nat pool NAT-POOL-GUEST 10.10.20.0 10.10.20.255 netmask 255.255.255.0
ip nat pool NAT-POOL-VOICE 10.10.30.0 10.10.30.255 netmask 255.255.255.0
ip nat pool NAT-POOL-CUST 10.10.40.0 10.10.40.255 netmask 255.255.255.0
ip nat pool VPNPHONE-POOL 10.10.50.0 10.10.50.255 netmask 255.255.255.0
ip nat inside source list 100 interface GigabitEthernet0/0 overload
ip nat inside source list 110 interface GigabitEthernet0/0 overload
ip nat inside source list 115 interface GigabitEthernet0/0 overload
ip nat inside source list 117 interface GigabitEthernet0/0 overload
ip nat inside source list 130 interface GigabitEthernet0/0 overload
ip nat inside source static udp 10.10.30.51 5060 interface GigabitEthernet0/0 5060
ip nat inside source static tcp 10.10.10.55 1 195.130.x.x 1 extendable
ip nat inside source static tcp 10.10.10.55 20 195.130.x.x 20 extendable
ip nat inside source static tcp 10.10.10.55 21 195.130.x.x 21 extendable
ip nat inside source static tcp 10.10.10.55 22 195.130.x.x 22 extendable
ip nat inside source static tcp 10.10.10.55 25 195.130.x.x 25 extendable
ip nat inside source static tcp 10.10.10.55 26 195.130.x.x 26 extendable
ip nat inside source static tcp 10.10.10.55 37 195.130.x.x 37 extendable
ip nat inside source static tcp 10.10.10.55 53 195.130.x.x 53 extendable
ip nat inside source static udp 10.10.10.55 53 195.130.x.x 53 extendable
ip nat inside source static tcp 10.10.10.55 80 195.130.x.x 80 extendable
ip nat inside source static tcp 10.10.10.55 110 195.130.x.x 110 extendable
ip nat inside source static tcp 10.10.10.55 143 195.130.x.x 143 extendable
ip nat inside source static tcp 10.10.10.55 443 195.130.x.x 443 extendable
ip nat inside source static tcp 10.10.10.55 465 195.130.x.x 465 extendable
ip nat inside source static tcp 10.10.10.55 587 195.130.x.x 587 extendable
ip nat inside source static tcp 10.10.10.55 993 195.130.x.x 993 extendable
ip nat inside source static tcp 10.10.10.55 995 195.130.x.x 995 extendable
ip nat inside source static tcp 10.10.10.55 2077 195.130.x.x 2077 extendable
ip nat inside source static tcp 10.10.10.55 2078 195.130.x.x 2078 extendable
ip nat inside source static tcp 10.10.10.55 2079 195.130.x.x 2079 extendable
ip nat inside source static tcp 10.10.10.55 2080 195.130.x.x 2080 extendable
ip nat inside source static tcp 10.10.10.55 2082 195.130.x.x 2082 extendable
ip nat inside source static tcp 10.10.10.55 2083 195.130.x.x 2083 extendable
ip nat inside source static tcp 10.10.10.55 2086 195.130.x.x 2086 extendable
ip nat inside source static tcp 10.10.10.55 2087 195.130.x.x 2087 extendable
ip nat inside source static tcp 10.10.10.55 2095 195.130.x.x 2095 extendable
ip nat inside source static tcp 10.10.10.55 2096 195.130.x.x 2096 extendable
ip nat inside source static tcp 10.10.10.55 3306 195.130.x.x 3306 extendable
ip nat inside source static tcp 10.10.10.50 80 195.130.x.x 80 extendable
ip nat inside source static tcp 10.10.10.50 443 195.130.x.x 443 extendable
ip nat inside source static tcp 10.10.10.80 25 195.130.x.x 25 extendable
ip nat inside source static tcp 10.10.10.80 80 195.130.x.x 80 extendable
ip nat inside source static tcp 10.10.10.80 110 195.130.x.x 110 extendable
ip nat inside source static tcp 10.10.10.80 443 195.130.x.x 443 extendable
ip nat inside source static tcp 10.10.10.30 3128 195.130.x.x 3128 extendable
!
ip access-list extended autosec_firewall_acl
 permit udp any any eq bootpc
 deny ip any any
!
logging trap debugging
logging facility local2
access-list 1 permit any
access-list 100 permit tcp 10.10.10.0 0.0.0.255 any
access-list 100 permit udp any any range bootps bootpc
access-list 100 permit udp 10.10.10.0 0.0.0.255 any
access-list 100 permit icmp 10.10.10.0 0.0.0.255 any
access-list 100 permit esp 10.10.10.0 0.0.0.255 any
access-list 100 permit pim 10.10.10.0 0.0.0.255 any
access-list 100 deny ip 192.168.168.0 0.0.0.255 any
access-list 100 deny ip any any
access-list 101 permit ip 192.168.168.0 0.0.0.255 any
access-list 102 permit udp any any eq bootpc
access-list 110 deny ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255
access-list 110 permit udp any any range bootps bootpc
access-list 110 deny ip 10.10.20.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 110 permit icmp 10.10.20.0 0.0.0.255 any
access-list 110 permit tcp 10.10.20.0 0.0.0.255 any
access-list 110 permit udp 10.10.20.0 0.0.0.255 any
access-list 110 permit esp 10.10.20.0 0.0.0.255 any
access-list 110 deny ip any any
access-list 115 permit tcp 10.10.30.0 0.0.0.255 any
access-list 115 permit udp any any range bootps bootpc
access-list 115 permit udp 10.10.30.0 0.0.0.255 any
access-list 115 permit esp 10.10.30.0 0.0.0.255 any
access-list 115 permit icmp 10.10.30.0 0.0.0.255 any
access-list 115 deny ip any any
access-list 117 deny ip 10.10.10.0 0.0.0.255 10.10.40.0 0.0.0.255
access-list 117 deny ip 10.10.40.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 117 permit udp any any range bootps bootpc
access-list 117 permit tcp 10.10.40.0 0.0.0.255 any
access-list 117 permit udp 10.10.40.0 0.0.0.255 any
access-list 117 permit esp 10.10.40.0 0.0.0.255 any
access-list 117 permit icmp 10.10.40.0 0.0.0.255 any
access-list 117 deny ip any any
access-list 120 permit tcp 84.197.75.0 0.0.0.255 host 195.130.157.148 eq pop3
access-list 120 permit tcp any host 195.130.x.x eq www
access-list 120 permit tcp any host 195.130.x.x eq 1
access-list 120 permit tcp any host 195.130.x.x eq ftp-data
...
access-list 130 permit tcp 10.10.50.0 0.0.0.255 any
access-list 130 permit udp 10.10.50.0 0.0.0.255 any
access-list 130 permit icmp 10.10.50.0 0.0.0.255 any
access-list 130 permit esp 10.10.50.0 0.0.0.255 any
access-list 130 permit gre 10.10.50.0 0.0.0.255 any
access-list 130 deny ip any any
no cdp run
!
control-plane
!
bridge 1 protocol ieee
!
mgcp behavior g729-variants static-pt
!
Authorized access only!
banner motd
======================================================
Alleen voor bevoegd personeel! Niet bevoegd? Oprotten!
======================================================
!
line con 0
 exec-timeout 5 0
 login authentication local_auth
 transport output telnet
line aux 0
 exec-timeout 15 0
 login authentication local_auth
 transport output telnet
line vty 0 4
 privilege level 15
 password 7 02050D4808090E25414707
 login authentication local_auth
 transport input telnet ssh
line vty 5 15
 login authentication local_auth
 transport input telnet ssh
!
scheduler allocate 20000 1000
!
end
One solution is the NAT Virtual Interface. With that I can do NAT loopback and everything works. The only thing is that, as can be read everywhere, it puts a heavy load on the router's CPU and is disastrous for throughput (I would keep only 1/3 of the current speed).
code:
ip nat source list 100 interface GigabitEthernet0/0 overload
ip nat source list 110 interface GigabitEthernet0/0 overload
ip nat source list 115 interface GigabitEthernet0/0 overload
ip nat source list 117 interface GigabitEthernet0/0 overload
ip nat source list 130 interface GigabitEthernet0/0 overload
ip nat source static udp 10.10.30.51 5060 interface GigabitEthernet0/0 5060
ip nat source static tcp 10.10.10.55 1 195.130.x.x 1 extendable
ip nat source static tcp 10.10.10.55 20 195.130.x.x 20 extendable
ip nat source static tcp 10.10.10.55 21 195.130.x.x 21 extendable
ip nat source static tcp 10.10.10.55 22 195.130.x.x 22 extendable
ip nat source static tcp 10.10.10.55 25 195.130.x.x 25 extendable
ip nat source static tcp 10.10.10.55 26 195.130.x.x 26 extendable
ip nat source static tcp 10.10.10.55 37 195.130.x.x 37 extendable
ip nat source static tcp 10.10.10.55 53 195.130.x.x 53 extendable
ip nat source static udp 10.10.10.55 53 195.130.x.x 53 extendable
ip nat source static tcp 10.10.10.55 80 195.130.x.x 80 extendable
...
interface GigabitEthernet0/0
 ip nat enable
 no ip redirects
interface GigabitEthernet0/1
 ip nat enable
 no ip redirects
interface FastEthernet1/0
 ip nat enable
 no ip redirects
interface FastEthernet1/1
 ip nat enable
 no ip redirects
interface FastEthernet2/0
 ip nat enable
 no ip redirects
interface Virtual-Template1
 ip nat enable
 no ip redirects
Other solutions are possible via a loopback interface (so I have read). I just don't quite understand how that is set up. Do you then have to work with policy maps for every NAT statement, or how exactly does it work?
Could one of you help me get to a solution for NAT loopback / hairpinning / NAT reflection / ... that puts less load on the router?
Extra explanation is welcome... I like to learn.
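An added example, not part of the original post and not tested on this particular router, of the loopback-based hairpin the post asks about. It is the construction Cisco documents as "NAT on a stick": a Loopback interface becomes a second NAT outside interface, and policy routing on the LAN interface sends only the traffic that must be hairpinned into that loopback. On the way in the packet crosses inside to outside (source is PAT'd by the existing overload rule for list 100), comes back in on the loopback as outside to inside (destination is rewritten by the existing static entries) and is then routed to the server. The server's reply is addressed to the PAT'd client, i.e. the GigabitEthernet0/0 address, so it has to take the same detour, which is why the ACL has a return-path entry per published port. So no, there is no policy map per NAT statement: one ACL with one line per port (plus one for the return path), one route-map, and one `ip policy` per inside interface. Assumptions in the fragment: 172.31.255.0/30 is an otherwise unused range, 195.130.x.x is both the public address of the static entries and the GigabitEthernet0/0 address, 10.10.10.55 is the cPanel server, and only four of the forwarded ports are written out; the existing `ip nat inside source ...` statements stay untouched.

```cisco
! Added example (not from the original post). Assumptions: 172.31.255.0/30 is free,
! 195.130.x.x is the public address used in the static NAT entries and on Gi0/0,
! 10.10.10.55 is the cPanel server. Existing "ip nat inside source" lines stay as-is.
!
! 1. A loopback that acts as an extra NAT outside interface. Nothing reaches it
!    except what the route-map below sends there.
interface Loopback0
 description NAT hairpin (LAN -> own public IP)
 ip address 172.31.255.1 255.255.255.252
 ip nat outside
!
! 2. One ACL for everything that must be hairpinned. "deny" here means "route
!    normally", not "drop", so all other LAN traffic keeps the fast path.
ip access-list extended NAT-HAIRPIN
 remark forward path: LAN client -> public IP, one line per published port
 permit tcp 10.10.10.0 0.0.0.255 host 195.130.x.x eq 80
 permit tcp 10.10.10.0 0.0.0.255 host 195.130.x.x eq 443
 permit tcp 10.10.10.0 0.0.0.255 host 195.130.x.x eq 25
 permit tcp 10.10.10.0 0.0.0.255 host 195.130.x.x eq 2083
 remark return path: the server answers the PAT'd client address, which is the
 remark GigabitEthernet0/0 address; without these lines NAT never sees the reply
 permit tcp host 10.10.10.55 eq 80 host 195.130.x.x
 permit tcp host 10.10.10.55 eq 443 host 195.130.x.x
 permit tcp host 10.10.10.55 eq 25 host 195.130.x.x
 permit tcp host 10.10.10.55 eq 2083 host 195.130.x.x
 deny ip any any
!
! 3. One route-map, reusable on every inside interface that needs hairpinning.
route-map NAT-HAIRPIN permit 10
 match ip address NAT-HAIRPIN
 set interface Loopback0
!
! 4. Apply it only where wanted. Gi0/1 holds the cPanel server and its LAN clients.
interface GigabitEthernet0/1
 ip policy route-map NAT-HAIRPIN
```

To check it: `show route-map NAT-HAIRPIN` shows the policy-routing match counter climbing when a LAN host runs `curl -v http://<site>/`, and `show ip nat translations | include 10.10.10.55` shows both the static entry and a dynamic entry for the client next to each other. Listing the ports rather than using `permit ip ... host 195.130.x.x` is deliberate: a blanket entry would also push ICMP and management traffic aimed at the router's own WAN address through NAT. Two things to weigh before copying this to FastEthernet1/0 or FastEthernet2/0: hairpinned packets arrive at the server with the public address as source, so the `deny ip 10.10.20.0 ... 10.10.10.0` and `deny ip 10.10.40.0 ... 10.10.10.0` lines in access-lists 110 and 117 no longer cover that path, and the guest and customer networks would reach every port you list here. If the only thing that has to work is the cPanel box reaching its own sites, an /etc/hosts or split-horizon DNS entry on that server pointing its domains at 10.10.10.55 avoids the router detour altogether.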