The firewall admin at my hosting provider says port 80 is being forwarded to my server's private IP (10.0.0.2), but I can't get through on that port.

Inside the firewall (in a virtual session hosted by Windows Terminal Services) I can confirm with a netstat -an command that the server is listening on port 80. And the browser connects successfully to the default web site via any of the following URLs:

http://10.0.0.2
http://10.0.0.2:80
http://127.0.0.1
http://127.0.0.1:80

Further, from the inside session, if I use the commands:
TELNET 10.0.0.2 80
or
TELNET 127.0.0.1 80

I get a connection, and issuing a subsequent GET retrieves what I think is an appropriate error message from the HTTP server:

HTTP/1.1 400 Bad Request
Server: Microsoft-IIS/5.0
Date: Sat, 04 Oct 2003 20:26:41 GMT
Content-Type: text/html
Content-Length: 87

<html><head><title>Error</title></head><body>The parameter is incorrect. </body>
</html>

Connection to host lost.


But from outside the firewall, I cannot connect to port 80 by any means.

For example:

C:>telnet nnn.nnn.nnn.nnn 80
Connecting To nnn.nnn.nnn.nnn...Could not open a connection to host on port 80 : Connect failed

And a;browsing to http:///nnn.nnn.nnn.nnn gets a "The page cannot be displayed .... Cannot find server" error.

What am I missing?

TIA

Talk to your ISP Administrators again. It's probable that they didn't set it up correctly. (the firewalls that is)

(I can't access either)

Why is your hosting provider doing NAT (and PAT)?

Surely they can just give you an external IP?

I am sure the ISP have their reasons and as one of the many, you just live with it, or move if you can.

Originally posted by security
Why is your hosting provider doing NAT (and PAT)?

Surely they can just give you an external IP?

I have an external, static IP at the firewall level. But the firewall, which the hosting provider manages on our behalf, does the NAT to private IPs in the 10.0.0.0 - 10.0.0.255 range. As far as I know, that is normal and acceptable practice.

The problem right now is that this is not working as it is supposed to. Either the firewall admin has made a mistake, or I have. My basic reason for posting is to seek advice on anything I might be overlooking on the server config, which is my responsibility; I already have asked the firewall admin to recheck his own work.

You do know that you can setup firewall rules for an IP without using NAT...

I'd really like to know who your host is.

Originally posted by security
You do know that you can setup firewall rules for an IP without using NAT...

I'd really like to know who your host is.
The host is ThePlanet, and this is not meant as a complaint against them (although this may turn out to be a config mistake on their end, and it is frustrating that they only do firewall administration M-F 9-6).

This is an entry-level, unmanaged server, bundled with firewall admin services on the relatively low-end firewall appliance. (Sorry, the firewall brand name slips my aging mind at the moment, and I'm trying to work from home without my usual references. I do know that it's not one of the big names such as Cisco or Checkpoint; that would be too expensive for this entry-level setup.)

The firewall is set up to do NAT to static, private IPs (not DHCP). I have no problem at all with that architecture, so long as it works.

Just to put closure on this for the record, the firewall admin looked at the problem today, said there was no problem, and did not indicate that he had changed anything.

Now it works. Go figure.