
Cannot forward ports 80, 443 on Cisco 1941

Yes, I know the CLI command format

ip nat inside source static <protocol> <inside IP address> <inside port #> <Inside Global IP or Interface> <External Port>

And I can forward any port other than 80 and 443 on my router.

I mean I can forward ports like 22 for SSH, 3389 for remote desktop.

But I just cannot forward port 80 and port 443.

The Cisco 1941 has a "Cisco Configuration Professional Express" webpage embedded.

So I wiped off that page with delete /force /recursive flash0:/ccpexp

and I configured these lines

no ip http server

no ip http secure-server

But I still cannot forward ports 80 and 443.

Any suggestions?


Muhammad Awais Khan
Cisco Employee

Hi,

 

Are you able to execute the command? I just tested on my 1111 router; there is no restriction on using 443 and 80 as long as you disable "ip http server" and "ip http secure-server".

I use this command: "ip nat inside source static tcp 192.168.2.10 443 interface GigabitEthernet0/0/0 443"

I would be interested to see your complete config. Can you share it?

Sure! Here's my config:

version 15.6
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname hello
!
boot-start-marker
boot system flash0:/c1900-universalk9-mz.SPA.156-3.M1.bin
boot-end-marker
!
!
ip dhcp excluded-address 10.1.1.1 10.1.1.100
ip dhcp excluded-address 172.16.1.1 172.16.1.10
ip dhcp excluded-address 192.168.1.1 192.168.1.96
!
ip dhcp pool wifi-192subnet-pool
network 192.168.1.0 255.255.255.0
dns-server 8.8.8.8
default-router 192.168.1.1
!
ip dhcp pool 172subnet-pool
network 172.16.1.0 255.255.255.0
dns-server 8.8.8.8
default-router 172.16.1.1
!
ip dhcp pool 10subnet-pool
network 10.1.1.0 255.255.255.0
dns-server 8.8.8.8
default-router 10.1.1.1
!
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
cts logging verbose
!
!
redundancy
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
ip address dhcp
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
no cdp enable
!
interface GigabitEthernet0/1
no ip address
duplex auto
speed auto
!
interface GigabitEthernet0/1/0
switchport access vlan 10
no ip address
!
interface GigabitEthernet0/1/1
switchport access vlan 30
no ip address
spanning-tree portfast
!
interface GigabitEthernet0/1/2
switchport access vlan 30
no ip address
spanning-tree portfast
!
interface GigabitEthernet0/1/3
switchport access vlan 30
no ip address
spanning-tree portfast
!
interface GigabitEthernet0/1/4
switchport access vlan 30
no ip address
spanning-tree portfast
!
interface GigabitEthernet0/1/5
switchport access vlan 30
no ip address
spanning-tree portfast
!
interface GigabitEthernet0/1/6
switchport access vlan 30
no ip address
spanning-tree portfast
!
interface GigabitEthernet0/1/7
switchport access vlan 20
no ip address
spanning-tree portfast
!
interface Vlan1
no ip address
!
interface Vlan10
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface Vlan20
ip address 172.16.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface Vlan30
ip address 10.1.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
ip forward-protocol nd
!
no ip http server
ip http port 8080
ip http authentication local
no ip http secure-server
ip http secure-port 4443
!
ip nat inside source list 10 interface GigabitEthernet0/0 overload
ip nat inside source static tcp 10.1.1.111 443 interface GigabitEthernet0/0 443
ip ssh maxstartups 3
ip ssh authentication-retries 2
ip ssh logging events
ip ssh version 2
ip ssh server algorithm encryption aes128-ctr aes192-ctr aes256-ctr
!
access-list 10 permit 192.168.1.0 0.0.0.255
access-list 10 permit 10.1.1.0 0.0.0.255
access-list 10 permit 172.16.1.0 0.0.0.255

 

access-list 100 deny ip 222.186.0.0 0.0.255.255 any log
access-list 100 deny ip host 65.49.20.67 any log
access-list 100 deny ip host 51.91.78.152 any log
access-list 100 deny ip 218.92.0.0 0.0.0.255 any log
access-list 100 permit ip any any
!
control-plane host
!
control-plane
!
line con 0
logging synchronous
speed 115200
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0
transport input ssh
line vty 1 4
transport input none
!
end
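
The checks discussed in this thread (the forward's outside and inside NAT roles, and whether the router's own web server holds the forwarded port) can be scripted. The following Python is an added example, not part of the original thread; it runs against an excerpt of the configuration posted above and goes beyond the thread by also listing access lists that no `ip access-group`, `access-class` or NAT `source list` references. The function name `audit` and the assumption of default listener ports (80/443) are the example's own.

```python
import ipaddress
import re

# Excerpt of the running-config posted above (only the lines the checks read).
CONFIG = """interface GigabitEthernet0/0
ip nat outside
!
interface Vlan30
ip address 10.1.1.1 255.255.255.0
ip nat inside
!
no ip http server
no ip http secure-server
ip nat inside source static tcp 10.1.1.111 443 interface GigabitEthernet0/0 443
access-list 100 deny ip 222.186.0.0 0.0.255.255 any log
"""
ADDR = re.compile(r"ip address (\S+) (\S+)")
STATIC = re.compile(r"ip nat inside source static (?:tcp|udp) (\S+) \d+ interface (\S+) (\d+)")

def audit(config):
    """Return a list of findings for static port forwards and unused ACLs."""
    lines = [l.strip() for l in config.splitlines()]
    ifaces, cur = {}, None                  # interface name -> its sub-commands
    for l in lines:
        if l.startswith("interface "):
            cur = ifaces.setdefault(l.split()[1], [])
        elif l in ("", "!"):
            cur = None                      # "!" closes the interface block
        elif cur is not None:
            cur.append(l)
    inside = [ipaddress.ip_interface("/".join(m.groups())).network
              for cmds in ifaces.values() if "ip nat inside" in cmds
              for m in map(ADDR.fullmatch, cmds) if m]
    # Assumption: default listener ports; "ip http port" overrides are not parsed.
    taken = {p for cmd, p in (("ip http server", 80), ("ip http secure-server", 443))
             if cmd in lines}
    out = []
    for m in filter(None, map(STATIC.fullmatch, lines)):
        ip, ifname, port = m.group(1), m.group(2), int(m.group(3))
        if "ip nat outside" not in ifaces.get(ifname, []):
            out.append(f"{ifname} is not 'ip nat outside'")
        if not any(ipaddress.ip_address(ip) in net for net in inside):
            out.append(f"{ip} is not behind an 'ip nat inside' interface")
        if port in taken:
            out.append(f"port {port} is held by the router's own web server")
    defined = {l.split()[1] for l in lines if l.startswith("access-list ")}
    used = set(re.findall(r"(?:access-group|access-class|source list) (\d+)", config))
    out += [f"access-list {n} is defined but never referenced" for n in sorted(defined - used)]
    return out
```

Run on the full configuration from the post, `audit` reports no problem with the port 443 forward itself; its only finding is that access-list 100 is not referenced anywhere, while list 10 is used by the `source list 10` overload rule.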

 

Your connection looks fine. Can you confirm whether 443 is running at 10.1.1.111 and reachable by executing the command below from your router?

telnet 10.1.1.111 443

You should see connection "Open" once you execute the above command.

Thank you. I know you want to make sure that my service is actually running at local IP address 10.1.1.111 and listening on port 443.

Yes, I can see connection "Open" because there is a Raspberry Pi set up as a VPN server.
I can remote SSH to that server from outside with "ip nat inside source static tcp 10.1.1.111 22 interface GigabitEthernet0/0 22" configured on my router. And I have opened ports 22, 80, 443, 992, 5555 on my server. All the ports can be forwarded at my router except ports 80 and 443.
To find a solution, I have used GNS3 to simulate this configuration. And I CAN forward ports 443 and 80 in the GNS3 simulation. BUT the configuration doesn't work on my physical router, a Cisco 1941. I tried so many times before I posted this question. cry... :(

Hi,

  

    Have you tried upgrading the router?

 

Regards,
Cristian Matei.

Thank you very much.
To figure out what's wrong with my router, I ran the GNS3 simulator again, and I chose the same version of IOS and even
installed the last version of "Cisco CP Express" on GNS3.
Everything is OK on that virtual router.
Finally, I found out that it is the fault of my ISP.
I never thought that they would block port 443.
It's also because I am a Cisco beginner and I don't have confidence.
I thought it was my configuration problem.
Thank you.

First of all, thanks for your help, Muhammad Awais Khan.
Finally, I found out why I cannot forward the port. Guess what?
Because my ISP blocks the port!
-------------------------------
Why do I spend $5/month to get a static IP address? Because I want to run my own server in my home!
So I spent a lot of time finding out how to do port forwarding on my router.
I tried so many times to find out how to configure my router; I even bought a router that supports port forwarding.
I never thought my ISP would block port 443, the most important port in cyberspace.
Finally, I found out it's you! Aussie Broadband! You block the port!
I need ports 80 and 443 to be opened!
That's why I spend $5 on the static IP address!
So please, open that port for me!
Thank you!