topic Re: IOS, 881w, port forwarding/redirecting www in Network Security

IOS, 881w, port forwarding/redirecting www

tomws1787 — Mon, 11 Mar 2019 17:08:02 GMT

I'm in over my head with this Cisco router we have (881w). If anyone has a recommendation for some dummy-level reading, I'd appreciate a link or title. Cisco documentation presumes a level of knowledge which I don't have.

My specific problem right now is that I'm trying to port forward/redirect external web access using a specific port to an internal device using the standard www port 80. Details:

External IP: 1.2.3.4
External hostname: alpha.example.com
External port: 8888

Internal IP: 192.168.1.2
Internal port: 80

So, I'm trying to hit http://alpha.example.com:8888 from the web and pull the site from 192.168.1.2. (Incidentally, the direct IP access works internally on the LAN with no problems.)

I've added the following lines to the config. They are just copies of sections that work for opening up remote desktop for some users, the only difference being that I'm using the same port numbers externally and internally for that (e.g. alpha.example.com:5555 => 192.168.1.200:5555).

ip port-map user-protocol--6 port tcp 8888 description Lacie-web-access
!...
class-map type inspect match-any Lacie-nat-web-access
 match protocol user-protocol--6
class-map type inspect match-all sdm-cls-sdm-pol-NATOutsideToInside-1-6
 match class-map Lacie-nat-web-access
 match access-group name Lacie-web-access
!...
ip access-list extended Lacie-web-access
 remark CCP_ACL Category=128
 permit ip any host 192.168.1.2
!...
ip nat inside source static tcp 192.168.1.2 80 1.2.3.4 8888 extendable

Again, this works for remote desktop with matching port numbers, so I'm guessing there may be some other http/www traffic restriction that I don't recognize. FWIW, I can't reconfigure the internal device's web port, so I can't test whether the port number mismatch is an issue.

Re: IOS, 881w, port forwarding/redirecting www

tomws1787 — Thu, 11 Feb 2010 21:52:08 GMT

As a test, I've set up Apache on another internal box and changed the listening port to match the incoming port (so, 8888 => 8888). After changing the IP in the config to that box (192.168.1.4), I still have the same problem. Am I correct in assuming this means it's an http traffic rule that's keeping me out?

I also noticed this in the translations list (still using the "new" IP and port for testing) while attemptimg to access the test box:

ant#sh ip nat tr

Pro Inside global         Inside local          Outside local         Outside global

tcp 1.2.3.4:8888   192.168.1.4:8888     192.168.1.102:1366    192.168.1.102:1366

tcp 1.2.3.4:8888   192.168.1.4:8888     ---                   ---

I don't think I specifically mentioned it before, but the browser errors are "connection timed out".

Re: IOS, 881w, port forwarding/redirecting www

johnd2310 — Thu, 11 Feb 2010 23:45:44 GMT

Hi,

Does your external intereface access list allow traffic to 1.2.3.4 port 8888?

Thanks

John

Re: IOS, 881w, port forwarding/redirecting www

tomws1787 — Fri, 12 Feb 2010 02:16:43 GMT

Thanks for the response.

No, it wasn't specifically listed, so I did this:

permit tcp any host 192.168.1.4 eq 8888

That worked. Just for kicks, I tried again with the previous ip permission:

permit ip any host 192.168.1.4

That worked this time. The difference was that I tested it from outside the network unlike my previous post's issue where I was testing from inside. Ugh.

I also did a little more testing while I had that much working. It seems that any port number works as long as the the internal and external ports match. For example, 8888 works, 8765 works, 8880 works, etc. That wouldn't be a problem except, as stated in the original post, the actual device I'm trying to get this working for doesn't allow the http port to be modified. So, I need to be able to redirect a non-standard port to port 80. Is my problem with how I've handled this line?

ip nat inside source static tcp 192.168.1.4 80 1.2.3.4 8888 extendable

Re: IOS, 881w, port forwarding/redirecting www

johnd2310 — Fri, 12 Feb 2010 03:25:40 GMT

Hi,

That command should work. Please post a scrubbed config of the router.

Thanks

John

Re: IOS, 881w, port forwarding/redirecting www

tomws1787 — Fri, 12 Feb 2010 03:44:48 GMT

I've removed the crypto sections and munged a few other fields. Apologies if this is still too much.

version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname ant
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging message-counter syslog
logging buffered 51200
logging console critical
enable secret 5 *hash*
!
aaa new-model
!
!
aaa authentication login local_authen local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization exec local_author local
aaa authorization network ciscocp_vpn_group_ml_1 local
!
!
aaa session-id common
clock timezone Chicago -6
clock summer-time Chicago date Apr 6 2003 2:00 Oct 26 2003 2:00
service-module wlan-ap 0 bootimage autonomous
!
!
no ip source-route
!
!
ip dhcp excluded-address 192.168.1.1
ip dhcp excluded-address 10.0.0.1 10.0.0.99
ip dhcp excluded-address 10.0.0.121 10.0.0.254
!
ip dhcp pool sdm-pool1
   import all
   network 192.168.1.0 255.255.255.0
   dns-server 1.2.3.10 1.2.3.11
   default-router 192.168.1.1
!
!
ip cef
no ip bootp server
ip domain name eapdd.com
ip name-server 1.2.3.10
ip name-server 1.2.3.11
ip port-map user-protocol--2 port tcp 8833 description RDP-2
ip port-map user-protocol--3 port tcp 8829 description RDP-3
ip port-map user-protocol--1 port tcp 8832 description RDP-1
ip port-map user-protocol--6 port tcp 8888 description Lacie-web-access
ip port-map user-protocol--4 port tcp 8830 description RDP-4
ip port-map user-protocol--5 port tcp 8828 description SSH-Fileserver
!
no ipv6 cef
!
multilink bundle-name authenticated

!
!
username myadmin privilege 15 secret 5 *hash*
!
!

!
!
archive
log config
hidekeys
!
!
ip tcp synwait-time 10
ip ftp username cisco881w
ip ftp password 7 *hash*
ip ssh time-out 60
ip ssh authentication-retries 2
!
class-map type inspect match-any Lacie-nat-web-access
match protocol user-protocol--6
class-map type inspect match-all sdm-cls-sdm-pol-NATOutsideToInside-1-6
match class-map Lacie-nat-web-access
match access-group name Lacie-web-access
class-map type inspect match-any SDM_HTTPS
match access-group name SDM_HTTPS
class-map type inspect match-any SDM_SSH
match access-group name SDM_SSH
class-map type inspect match-any SDM_SHELL
match access-group name SDM_SHELL
class-map type inspect match-any sdm-cls-access
match class-map SDM_HTTPS
match class-map SDM_SSH
match class-map SDM_SHELL
class-map type inspect match-any SSH-nat-Fileserver
match protocol user-protocol--5
class-map type inspect match-all sdm-cls-sdm-pol-NATOutsideToInside-1-4
match class-map SSH-nat-Fileserver
match access-group name SSH-Fileserver
class-map type inspect imap match-any ccp-app-imap
match invalid-command
class-map type inspect match-any RDP-nat-4
match protocol user-protocol--4
class-map type inspect match-all sdm-cls-sdm-pol-NATOutsideToInside-1-3
match class-map RDP-nat-4
match access-group name RDP-4
class-map type inspect match-any ccp-cls-protocol-p2p
match protocol edonkey signature
match protocol gnutella signature
match protocol kazaa2 signature
match protocol fasttrack signature
match protocol bittorrent signature
class-map type inspect match-any RDP-nat-3
match protocol user-protocol--3
class-map type inspect match-all sdm-cls-sdm-pol-NATOutsideToInside-1-2
match class-map RDP-nat-3
match access-group name RDP-3
class-map type inspect match-all sdm-nat-user-protocol--1-1
match access-group 102
match protocol user-protocol--1
class-map type inspect match-any RDP-nat-2
match protocol user-protocol--2
class-map type inspect match-all sdm-cls-sdm-pol-NATOutsideToInside-1-1
match class-map RDP-nat-2
match access-group name RDP-2
class-map type inspect match-any SDM_AH
match access-group name SDM_AH
class-map type inspect match-any MySymantec
match access-group name MySymantec
class-map type inspect match-any CCP-Voice-permit
match protocol h323
match protocol skinny
match protocol sip
class-map type inspect match-any ccp-cls-insp-traffic
match protocol cuseeme
match protocol dns
match protocol ftp
match protocol h323
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp extended
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map type inspect match-any SDM_IP
match access-group name SDM_IP
class-map type inspect gnutella match-any ccp-app-gnutella
match file-transfer
class-map type inspect match-any SDM_ESP
match access-group name SDM_ESP
class-map type inspect match-any SDM_EASY_VPN_SERVER_TRAFFIC
match protocol isakmp
match protocol ipsec-msft
match class-map SDM_AH
match class-map SDM_ESP
class-map type inspect match-all SDM_EASY_VPN_SERVER_PT
match class-map SDM_EASY_VPN_SERVER_TRAFFIC
class-map type inspect msnmsgr match-any ccp-app-msn-otherservices
match service any
class-map type inspect ymsgr match-any ccp-app-yahoo-otherservices
match service any
class-map type inspect match-any MY-TFTP
match protocol tftp
class-map type inspect match-all sdm-cls-ccp-inspect-1
match class-map MY-TFTP
match access-group name internal-tftp
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-any ccp-cls-protocol-im
match protocol ymsgr yahoo-servers
match protocol msnmsgr msn-servers
match protocol aol aol-servers
class-map type inspect aol match-any ccp-app-aol-otherservices
match service any
class-map type inspect match-all ccp-protocol-pop3
match protocol pop3
class-map type inspect pop3 match-any ccp-app-pop3
match invalid-command
class-map type inspect match-all sdm-access
match class-map sdm-cls-access
match access-group 101
class-map type inspect kazaa2 match-any ccp-app-kazaa2
match file-transfer
class-map type inspect match-all ccp-protocol-p2p
match class-map ccp-cls-protocol-p2p
class-map type inspect msnmsgr match-any ccp-app-msn
match service text-chat
class-map type inspect ymsgr match-any ccp-app-yahoo
match service text-chat
class-map type inspect match-all ccp-protocol-im
match class-map ccp-cls-protocol-im
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
class-map type inspect match-all ccp-invalid-src
match access-group 100
class-map type inspect http match-any ccp-app-httpmethods
match request method bcopy
match request method bdelete
match request method bmove
match request method bpropfind
match request method bproppatch
match request method connect
match request method copy
match request method delete
match request method edit
match request method getattribute
match request method getattributenames
match request method getproperties
match request method index
match request method lock
match request method mkcol
match request method mkdir
match request method move
match request method notify
match request method options
match request method poll
match request method propfind
match request method proppatch
match request method put
match request method revadd
match request method revlabel
match request method revlog
match request method revnum
match request method save
match request method search
match request method setattribute
match request method startrev
match request method stoprev
match request method subscribe
match request method trace
match request method unedit
match request method unlock
match request method unsubscribe
class-map type inspect edonkey match-any ccp-app-edonkey
match file-transfer
match text-chat
match search-file-name
class-map type inspect http match-any ccp-http-blockparam
match request port-misuse im
match request port-misuse p2p
match req-resp protocol-violation
class-map type inspect edonkey match-any ccp-app-edonkeydownload
match file-transfer
class-map type inspect match-all ccp-protocol-imap
match protocol imap
class-map type inspect aol match-any ccp-app-aol
match service text-chat
class-map type inspect edonkey match-any ccp-app-edonkeychat
match search-file-name
match text-chat
class-map type inspect http match-any ccp-http-allowparam
match request port-misuse tunneling
class-map type inspect match-all ccp-protocol-http
match protocol http
class-map type inspect fasttrack match-any ccp-app-fasttrack
match file-transfer
!
!
policy-map type inspect ccp-permit-icmpreply
class type inspect ccp-icmp-access
inspect
class class-default
pass
policy-map type inspect p2p ccp-action-app-p2p
class type inspect edonkey ccp-app-edonkeychat
log
allow
class type inspect edonkey ccp-app-edonkeydownload
log
allow
class type inspect fasttrack ccp-app-fasttrack
log
allow
class type inspect gnutella ccp-app-gnutella
log
allow
class type inspect kazaa2 ccp-app-kazaa2
log
allow
policy-map type inspect sdm-pol-NATOutsideToInside-1
class type inspect sdm-cls-sdm-pol-NATOutsideToInside-1-1
inspect
class type inspect sdm-nat-user-protocol--1-1
inspect
class type inspect sdm-cls-sdm-pol-NATOutsideToInside-1-3
inspect
class type inspect sdm-cls-sdm-pol-NATOutsideToInside-1-2
inspect
class type inspect sdm-cls-sdm-pol-NATOutsideToInside-1-4
inspect
class type inspect sdm-cls-sdm-pol-NATOutsideToInside-1-6
inspect
class class-default
drop
policy-map type inspect im ccp-action-app-im
class type inspect aol ccp-app-aol
log
allow
class type inspect msnmsgr ccp-app-msn
log
allow
class type inspect ymsgr ccp-app-yahoo
log
allow
class type inspect aol ccp-app-aol-otherservices
log
reset
class type inspect msnmsgr ccp-app-msn-otherservices
log
reset
class type inspect ymsgr ccp-app-yahoo-otherservices
log
reset
policy-map type inspect imap ccp-action-imap
class type inspect imap ccp-app-imap
log
policy-map type inspect pop3 ccp-action-pop3
class type inspect pop3 ccp-app-pop3
log
policy-map type inspect ccp-inspect
class type inspect sdm-cls-ccp-inspect-1
inspect
class type inspect ccp-invalid-src
drop log
class type inspect ccp-protocol-http
inspect
class type inspect ccp-protocol-imap
inspect
service-policy imap ccp-action-imap
class type inspect ccp-protocol-pop3
inspect
service-policy pop3 ccp-action-pop3
class type inspect ccp-protocol-p2p
inspect
service-policy p2p ccp-action-app-p2p
class type inspect ccp-protocol-im
inspect
service-policy im ccp-action-app-im
class type inspect ccp-insp-traffic
inspect
class type inspect CCP-Voice-permit
inspect
class class-default
pass
policy-map type inspect http ccp-action-app-http
class type inspect http ccp-http-blockparam
log
reset
class type inspect http ccp-app-httpmethods
log
reset
class type inspect http ccp-http-allowparam
log
allow
policy-map type inspect ccp-permit
class type inspect SDM_EASY_VPN_SERVER_PT
pass
class class-default
drop
policy-map type inspect sdm-permit-ip
class type inspect SDM_IP
pass
class class-default
drop log
!
zone security out-zone
zone security in-zone
zone security ezvpn-zone
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect ccp-permit-icmpreply
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
service-policy type inspect sdm-pol-NATOutsideToInside-1
zone-pair security sdm-zp-in-ezvpn1 source in-zone destination ezvpn-zone
service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-out-ezpn1 source out-zone destination ezvpn-zone
service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-ezvpn-out1 source ezvpn-zone destination out-zone
service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-ezvpn-in1 source ezvpn-zone destination in-zone
service-policy type inspect sdm-permit-ip
!
!
!
interface Loopback0
ip address 192.168.8.1 255.255.255.0
!
interface Null0
no ip unreachables
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
description $ES_WAN$$FW_OUTSIDE$
ip address 1.2.3.4 255.255.255.0
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat outside
ip virtual-reassembly
zone-member security out-zone
duplex auto
speed auto
snmp trap ip verify drop-rate
!
interface Virtual-Template1 type tunnel
ip unnumbered Loopback0
zone-member security ezvpn-zone
tunnel mode ipsec ipv4
tunnel protection ipsec profile CiscoCP_Profile1
!
interface wlan-ap0
description Service module interface to manage the embedded AP
ip unnumbered Vlan1
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
arp timeout 0
!
interface Wlan-GigabitEthernet0
description Internal switch interface connecting to the embedded AP
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
ip address 192.168.1.1 255.255.255.0
ip access-group Port25Blocker out
no ip redirects
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
ip flow ingress
ip nat inside
ip virtual-reassembly
zone-member security in-zone
ip tcp adjust-mss 1452
!
interface Vlan2
no ip address
ip nat inside
ip virtual-reassembly
zone-member security in-zone
!
ip local pool SDM_POOL_1 192.168.1.81 192.168.1.89
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 64.233.136.113
ip http server
ip http access-class 2
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip flow-top-talkers
top 20
sort-by bytes
!
ip nat inside source list 1 interface FastEthernet4 overload
ip nat inside source static tcp 192.168.1.111 8828 1.2.3.4 8828 extendable
ip nat inside source static tcp 192.168.1.101 8829 1.2.3.4 8829 extendable
ip nat inside source static tcp 192.168.1.102 8830 1.2.3.4 8830 extendable
ip nat inside source static tcp 192.168.1.105 8832 1.2.3.4 8832 extendable
ip nat inside source static tcp 192.168.1.106 8833 1.2.3.4 8833 extendable
ip nat inside source static tcp 192.168.1.4 80 1.2.3.4 8888 extendable
!
ip access-list extended Lacie-web-access
remark Allow web access to Lacie device
remark CCP_ACL Category=128
permit ip any host 192.168.1.4
permit tcp any host 192.168.1.4 eq 8888
ip access-list extended MySymantec
remark 20090902 Opening for SymantecAV. Manually cloned from SDM_SSH.
permit tcp 192.168.1.0 0.0.0.255 192.168.1.0 0.0.0.255 eq 8014
permit tcp 192.168.1.0 0.0.0.255 192.168.1.0 0.0.0.255 eq 8443
permit tcp 192.168.1.0 0.0.0.255 192.168.1.0 0.0.0.255 eq 9090
ip access-list extended Port25Blocker
remark Block smtp to prevent virus spamming.
remark CCP_ACL Category=1
deny tcp any any eq smtp log
permit ip any any
ip access-list extended RDP-2
remark CCP_ACL Category=128
permit ip any host 192.168.1.106
ip access-list extended RDP-3
remark CCP_ACL Category=128
permit ip any host 192.168.1.101
ip access-list extended RDP-4
remark CCP_ACL Category=128
permit ip any host 192.168.1.102
ip access-list extended SDM_AH
remark CCP_ACL Category=1
permit ahp any any
ip access-list extended SDM_ESP
remark CCP_ACL Category=1
permit esp any any
ip access-list extended SDM_HTTPS
remark CCP_ACL Category=1
permit tcp any any eq 443
ip access-list extended SDM_IP
remark CCP_ACL Category=1
permit ip any any
ip access-list extended SDM_SHELL
remark CCP_ACL Category=1
permit tcp any any eq cmd
ip access-list extended SDM_SSH
remark CCP_ACL Category=1
permit tcp any any eq 22
ip access-list extended SSH-Fileserver
remark CCP_ACL Category=128
permit ip any host 192.168.1.111
ip access-list extended internal-tftp
remark CCP_ACL Category=128
permit ip host 192.168.1.1 host 192.168.1.102
permit ip host 192.168.5.1 host 192.168.1.102
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 2 remark HTTP Access-class list
access-list 2 remark CCP_ACL Category=1
access-list 2 permit 192.168.1.0 0.0.0.255
access-list 2 deny any
access-list 100 permit ip 1.2.3.0 0.0.0.255 any
access-list 101 remark CCP_ACL Category=128
access-list 101 permit ip any any
access-list 102 remark CCP_ACL Category=0
access-list 102 permit ip any host 192.168.1.105
no cdp run

!
!
!
!
!
control-plane
!
!
line con 0
no modem enable
transport output telnet
line aux 0
transport output telnet
line 2
no activation-character
no exec
transport preferred none
transport input all
line vty * *
authorization exec local_author
login authentication local_authen
transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end

Re: IOS, 881w, port forwarding/redirecting www

johnd2310 — Fri, 12 Feb 2010 04:05:18 GMT

Hi,

Have you tried changing "ip nat inside source static tcp 192.168.1.4 80 1.2.3.4 8888 extendable" to "ip nat inside source static tcp 192.168.1.4 80 FastEthernet4 8888"

Re: IOS, 881w, port forwarding/redirecting www

tomws1787 — Fri, 12 Feb 2010 04:22:35 GMT

I just tried that, and I've also previous tried

ip nat inside source static tcp 192.168.1.4 80 64.233.136.114 8888

ip nat inside source static tcp 192.168.1.4 80 interface FastEthernet4 8888 extendable

ip nat inside source static tcp 192.168.1.4 80 interface FastEthernet4 8888

and now

ip nat inside source static tcp 192.168.1.4 80 FastEthernet4 8888

ip nat inside source static tcp 192.168.1.4 80 FastEthernet4 8888 extendable

But for all of them, the conf replace tftp always dies and rolls back, failing to load that single line. I saw that format used on some of the places I've been reading, but mine doesn't like it for some reason. I've even tried removing just the "extendable", but it still fails to load (again, through the conf replace tftp process).

Re: IOS, 881w, port forwarding/redirecting www

johnd2310 — Fri, 12 Feb 2010 05:39:23 GMT

Hi,

You should be able to delete from the command line.

no ip nat inside source static tcp 192.168.1.4 80 64.233.136.114 8888

Re: IOS, 881w, port forwarding/redirecting www

tomws1787 — Fri, 12 Feb 2010 14:26:12 GMT

Ok, doing it from the CLI does allow me to remove and add the lines. So now it has:

ip nat inside source static tcp 192.168.1.4 80 interface FastEthernet4 8888

However, it still doesn't work for the redirection 8888 => 80. But it does still work when the same port number is used on both sides 8888 => 8888.

Re: IOS, 881w, port forwarding/redirecting www

tomws1787 — Sat, 13 Feb 2010 15:17:31 GMT

I'm still getting the same behavior. Does anyone have any suggestions for resolving this?

Re: IOS, 881w, port forwarding/redirecting www

tomws1787 — Mon, 15 Feb 2010 15:49:47 GMT

If no one has suggestions for fixing this, are there any recommendations for forums (or anywhere else) that may be able to help? Maybe I've misunderstood the purpose of this forum.

Re: IOS, 881w, port forwarding/redirecting www

Panos Kampanakis — Mon, 15 Feb 2010 18:10:20 GMT

"However, it still doesn't work for the redirection 8888 => 80. But it does still work when the same port number is used on both sides 8888 => 8888."

If someone is coming from the outside hitting port 8888 and that is sent to your internal server on the same port and it works then port forwarding works.

If it still breaks when you use port 80 to translate 8888 then I could guess that the internal sevrer does not work or listen on port 80. I would assume that portforwarding does not selectively forward port 8888 to 8888 correctly and 8888 to 80 incorrectly.

This forum like any other forum is best effort, I would suggest opening a case with TAC if there are issues the forum cannot address.

Re: IOS, 881w, port forwarding/redirecting www

tomws1787 — Mon, 15 Feb 2010 18:24:42 GMT

Thanks for your response.

I can confirm that the test web server does indeed work when configured for port 80 - from inside the network when using the internal IP directly. Same for any port I've used for testing. A little more testing seems to show that any "cross-port" forward/redirect does not work, though. For example, 8888 => 8765 fails the same as 8888 => 80.

I've found a link for opening a case, so I'll try that route. Will update here with whatever information I receive.