[CISCO 870] pb pour config srv WEB vu l'exter

Bonjour,

J'ai un CISCO 871, et j'ai besoin d'installer un serveur WEB derierre mon CISCO (sur vlan2).
Actuellement, disont que j'ai (je change les adresses IP question de sécurité):
* Adresse externe: 1.1.1.73 (du FAI)
* Adresse externe du CISCO: 1.1.1.74/29
* Adresse du serveur WEB: 1.1.1.75/29
(si je branche mon serveur WEB avant avec un switch, ça marche)


MAIS, quand je le mets deriere le CISCO sur VLAN2, et avec la config suivante, ça marche plus
(nota: je change evidemment mon SrvWEB en 192.168.2.75/24 et passerelle sur vlan2 du cisco)

j'ai lu les doc sur le DMZ et le NAT mais rien...

SVP,EST CE QUE QUELQU'UN PEUX ME DIRE MON ERREUR?



cisco#sh conf
Using 7254 out of 131072 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname cisco
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
resource policy
!
ip subnet-zero
no ip source-route
ip cef
!
!
!
!
ip tcp synwait-time 10
no ip bootp server
ip domain name yourdomain.com
ip name-server ServerDNS
ip ssh time-out 60
ip ssh authentication-retries 2
ip inspect name DEFAULT100 appfw DEFAULT100
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 esmtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
ip inspect name DEFAULT100 https
ip inspect name DEFAULT100 dns
!
appfw policy-name DEFAULT100
application im aol
service default action reset
service text-chat action reset
server deny name login.oscar.aol.com
server deny name toc.oscar.aol.com
server deny name oam-d09a.blue.aol.com
audit-trail off
application im msn
service default action reset
service text-chat action reset
server deny name messenger.hotmail.com
server deny name gateway.messenger.hotmail.com
server deny name webmessenger.msn.com
audit-trail off
application http
port-misuse im action reset alarm
port-misuse p2p action reset alarm
application im yahoo
service default action reset
service text-chat action reset
server deny name scs.msg.yahoo.com
server deny name scsa.msg.yahoo.com
server deny name scsb.msg.yahoo.com
server deny name scsc.msg.yahoo.com
server deny name scsd.msg.yahoo.com
server deny name messenger.yahoo.com
server deny name cs16.msg.dcn.yahoo.com
server deny name cs19.msg.dcn.yahoo.com
server deny name cs42.msg.dcn.yahoo.com
server deny name cs53.msg.dcn.yahoo.com
server deny name cs54.msg.dcn.yahoo.com
server deny name ads1.vip.scd.yahoo.com
server deny name radio1.launch.vip.dal.yahoo.com
server deny name in1.msg.vip.re2.yahoo.com
server deny name data1.my.vip.sc5.yahoo.com
server deny name address1.pim.vip.mud.yahoo.com
server deny name edit.messenger.yahoo.com
server deny name http.pager.yahoo.com
server deny name privacy.yahoo.com
server deny name csa.yahoo.com
server deny name csb.yahoo.com
server deny name csc.yahoo.com
audit-trail off
!
!
crypto pki trustpoint TP-self-signed-2373701719
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2373701719
revocation-check none
rsakeypair TP-self-signed-2373701719
!
!
crypto pki certificate chain TP-self-signed-2373701719
certificate self-signed 01 nvram:IOS-Self-Sig#3907.cer
!
!
class-map match-any sdm_p2p_kazaa
match protocol fasttrack
match protocol kazaa2
class-map match-any sdm_p2p_edonkey
match protocol edonkey
class-map match-any sdm_p2p_gnutella
match protocol gnutella
class-map match-any sdm_p2p_bittorrent
match protocol bittorrent
!
!
policy-map sdmappfwp2p_DEFAULT100
class sdm_p2p_gnutella
drop
class sdm_p2p_bittorrent
drop
class sdm_p2p_edonkey
drop
class sdm_p2p_kazaa
drop
!
!
!
!
!
!
interface FastEthernet0
!
interface FastEthernet1
switchport access vlan 2
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
description $ES_WAN$$FW_OUTSIDE$
ip address 1.1.1.74 255.255.255.248
ip access-group 101 in
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip inspect DEFAULT100 out
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
service-policy input sdmappfwp2p_DEFAULT100
service-policy output sdmappfwp2p_DEFAULT100
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
ip address 192.168.1.254 255.255.255.0
ip access-group 100 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache flow
ip tcp adjust-mss 1452
!
interface Vlan2
ip address 192.168.2.254 255.255.255.0
ip nat outside
ip virtual-reassembly
!
ip classless
ip route 0.0.0.0 0.0.0.0 1.1.1.73
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface FastEthernet4 overload
ip nat inside source static tcp 192.168.1.254 80 interface FastEthernet4 80
ip nat outside source static tcp 192.168.1.75 80 1.1.1.75 80 extendable
!
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 100 remark auto generated by Cisco SDM Express firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny ip 1.1.1.72 0.0.0.7 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by Cisco SDM Express firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit tcp any host 1.1.1.75 eq www
access-list 101 permit tcp any host 1.1.1.74 eq www
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 101 permit icmp any host 1.1.1.74 echo-reply
access-list 101 permit icmp any host 1.1.1.74 time-exceeded
access-list 101 permit icmp any host 1.1.1.74 unreachable
access-list 101 deny ip 192.168.2.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 permit ip any any
no cdp run
!
!
control-plane
!
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
login local
no modem enable
transport output telnet
line aux 0
login local
transport output telnet
line vty 0 4
privilege level 15
login local
transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end