04-04-2020 05:37 PM - edited 04-05-2020 03:09 AM
Yes, I know the CLI command format:
ip nat inside source static <protocol> <inside IP address> <inside port #> <Inside Global IP or Interface> <External Port>
And I can forward any port other than 80 and 443 on my router.
I mean I can forward ports like 22 for SSH and 3389 for Remote Desktop.
But I just cannot forward port 80 and port 443.
The Cisco 1941 has a "Cisco Configuration Professional Express" web page embedded.
So I wiped that page with delete /force /recursive flash0:/ccpexp
and I configured these lines:
no ip http server
no ip http secure-server
But I still cannot forward ports 80 and 443.
Any suggestions?
04-04-2020 08:29 PM
Hi,
Are you able to execute the command? I just tested on my 1111 router; there is no restriction on using 443 and 80 as long as you disable "ip http server and ip http secure-server".
I use this command: "ip nat inside source static tcp 192.168.2.10 443 interface GigabitEthernet0/0/0 443"
I would be interested to see your complete config; can you share it?
04-04-2020 09:14 PM
Sure! Here's my config:
version 15.6
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname hello
!
boot-start-marker
boot system flash0:/c1900-universalk9-mz.SPA.156-3.M1.bin
boot-end-marker
!
!
ip dhcp excluded-address 10.1.1.1 10.1.1.100
ip dhcp excluded-address 172.16.1.1 172.16.1.10
ip dhcp excluded-address 192.168.1.1 192.168.1.96
!
ip dhcp pool wifi-192subnet-pool
network 192.168.1.0 255.255.255.0
dns-server 8.8.8.8
default-router 192.168.1.1
!
ip dhcp pool 172subnet-pool
network 172.16.1.0 255.255.255.0
dns-server 8.8.8.8
default-router 172.16.1.1
!
ip dhcp pool 10subnet-pool
network 10.1.1.0 255.255.255.0
dns-server 8.8.8.8
default-router 10.1.1.1
!
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
cts logging verbose
!
!
redundancy
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
ip address dhcp
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
no cdp enable
!
interface GigabitEthernet0/1
no ip address
duplex auto
speed auto
!
interface GigabitEthernet0/1/0
switchport access vlan 10
no ip address
!
interface GigabitEthernet0/1/1
switchport access vlan 30
no ip address
spanning-tree portfast
!
interface GigabitEthernet0/1/2
switchport access vlan 30
no ip address
spanning-tree portfast
!
interface GigabitEthernet0/1/3
switchport access vlan 30
no ip address
spanning-tree portfast
!
interface GigabitEthernet0/1/4
switchport access vlan 30
no ip address
spanning-tree portfast
!
interface GigabitEthernet0/1/5
switchport access vlan 30
no ip address
spanning-tree portfast
!
interface GigabitEthernet0/1/6
switchport access vlan 30
no ip address
spanning-tree portfast
!
interface GigabitEthernet0/1/7
switchport access vlan 20
no ip address
spanning-tree portfast
!
interface Vlan1
no ip address
!
interface Vlan10
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface Vlan20
ip address 172.16.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface Vlan30
ip address 10.1.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
ip forward-protocol nd
!
no ip http server
ip http port 8080
ip http authentication local
no ip http secure-server
ip http secure-port 4443
!
ip nat inside source list 10 interface GigabitEthernet0/0 overload
ip nat inside source static tcp 10.1.1.111 443 interface GigabitEthernet0/0 443
ip ssh maxstartups 3
ip ssh authentication-retries 2
ip ssh logging events
ip ssh version 2
ip ssh server algorithm encryption aes128-ctr aes192-ctr aes256-ctr
!
access-list 10 permit 192.168.1.0 0.0.0.255
access-list 10 permit 10.1.1.0 0.0.0.255
access-list 10 permit 172.16.1.0 0.0.0.255
access-list 100 deny ip 222.186.0.0 0.0.255.255 any log
access-list 100 deny ip host 65.49.20.67 any log
access-list 100 deny ip host 51.91.78.152 any log
access-list 100 deny ip 218.92.0.0 0.0.0.255 any log
access-list 100 permit ip any any
!
control-plane host
!
control-plane
!
line con 0
logging synchronous
speed 115200
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0
transport input ssh
line vty 1 4
transport input none
!
end
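
The checks the replies in this thread apply by eye to a static port forward, written out as an added example (not part of the original thread): the outside interface must be marked `ip nat outside`, the inside host must sit behind an `ip nat inside` interface, and the router's own HTTP(S) server must not be enabled on the forwarded port. `SAMPLE` is constructed from the NAT-relevant lines of the config posted above; `parse` and `audit` are hypothetical names, and an absent `ip http server` line is assumed to mean the server is off.

```python
import ipaddress
import re

# Constructed sample: NAT-relevant lines taken from the config posted above.
SAMPLE = """\
interface GigabitEthernet0/0
 ip nat outside
interface Vlan30
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
no ip http server
no ip http secure-server
ip nat inside source static tcp 10.1.1.111 443 interface GigabitEthernet0/0 443
"""

STATIC = re.compile(r"ip nat inside source static (tcp|udp) (\S+) (\d+) interface (\S+) (\d+)")

def parse(config):
    ifaces, cur, forwards = {}, None, []
    http = {"server": [False, 80], "secure-server": [False, 443]}  # absent = off (assumption)
    for line in map(str.strip, config.splitlines()):
        if line.startswith("interface "):
            cur = ifaces.setdefault(line.split()[1], {"nat": None, "net": None})
        elif cur is not None and (m := re.fullmatch(r"ip nat (inside|outside)", line)):
            cur["nat"] = m[1]
        elif cur is not None and (m := re.fullmatch(r"ip address ([\d.]+) ([\d.]+)", line)):
            cur["net"] = ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False)
        elif m := re.fullmatch(r"(no )?ip http (server|secure-server)", line):
            http[m[2]][0] = m[1] is None          # "no ..." disables the server
        elif m := re.fullmatch(r"ip http (secure-)?port (\d+)", line):
            http["secure-server" if m[1] else "server"][1] = int(m[2])
        elif m := STATIC.fullmatch(line):
            forwards.append((m[1], m[2], int(m[3]), m[4], int(m[5])))
    return ifaces, http, forwards

def audit(config):
    ifaces, http, forwards = parse(config)
    inside = [i["net"] for i in ifaces.values() if i["nat"] == "inside" and i["net"]]
    local = {port for on, port in http.values() if on}  # TCP ports the router itself serves
    findings = []
    for proto, host, _lport, ifname, gport in forwards:
        rule = f"{proto}/{gport} -> {host}"
        if ifaces.get(ifname, {}).get("nat") != "outside":
            findings.append(f"{rule}: {ifname} is not marked 'ip nat outside'")
        if not any(ipaddress.ip_address(host) in net for net in inside):
            findings.append(f"{rule}: host is not behind an 'ip nat inside' interface")
        if proto == "tcp" and gport in local:
            findings.append(f"{rule}: router's own HTTP(S) server is enabled on this port")
    return findings
```

`audit(SAMPLE)` returns an empty list for the lines taken from the posted config.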
04-04-2020 10:17 PM - edited 04-04-2020 10:17 PM
Your connection looks fine. Can you confirm whether 443 is running at 10.1.1.111 and reachable by executing the below command from your router?
telnet 10.1.1.111 443
You should see the connection "Open" once you execute the above command.
04-05-2020 01:53 AM - edited 04-05-2020 03:08 AM
Thank you. I know you want to make sure that my service is actually running at local IP address 10.1.1.111 and listening on port 443.
Yes, I can see connection "Open" because there is a Raspberry Pi set up as a VPN server.
I can remote SSH to that server from outside with "ip nat inside source static tcp 10.1.1.111 22 interface GigabitEthernet0/0 22" configured on my router. And I have opened ports 22, 80, 443, 992, 5555 on my server. All the ports can be forwarded at my router except ports 80 and 443.
To find a solution, I have used GNS3 to simulate this configuration. And I CAN forward ports 443 and 80 in the GNS3 simulation. BUT the configuration doesn't work on my physical router, a Cisco 1941. I tried so many times before I posted this question. cry... :(
04-05-2020 05:15 AM
Hi,
Have you tried upgrading the router?
Regards,
Cristian Matei.