12-27-2017 07:21 AM - edited 03-05-2019 09:41 AM
Hi guys,
I'm relatively new to routers and how they work, and I've been struggling with this issue for months and cannot seem to solve it. I want to access my web server via the public IP address on my internal network. I know it can be done (apparently) by reading the discussion at this link:
But I cannot get it working on my router. Just so you know, I have no idea what I'm doing and I have figured things out by searching the internet for examples (I cannot even tell you what router I have and the version of the software on it, I just don't have any idea how to figure THAT out), but for this issue I'm going to need help. I've read and reread on how things work and they may as well be written in Greek for all that I can understand, so trying to get me to understand how it all works is (apparently) useless. In any event, if someone is willing to work with me in configuring my router I would be forever grateful.
My basic configuration is the Cisco router providing access to the internet, and all NAT translations are done on it. I have a wireless Linksys router connected to the Cisco router, over which I connect my laptop and other devices that need to access my servers internally over the public IP address. I cannot use the host table to solve this problem because the other devices do not have that capability and they would need to access the server via the public IP address. I currently use the host table on the laptop to access the servers from it, but need to change that. Can anyone walk me through this?
R/
Prescott ....
12-27-2017 01:54 PM
Hello,
for NAT hairpinning you could use either policy-based routing or NVI (the new way to do NAT). Can you post the configuration of your router so we can fill in the necessary bits and pieces?
In the meantime, have a look at the post linked below, which discusses this issue...
https://supportforums.cisco.com/t5/wan-routing-and-switching/nat-hairpinning/td-p/2475807
12-27-2017 02:41 PM
Thank you for your assistance.
My configuration is below:
Current configuration : 7778 bytes
!
! Last configuration change at 14:48:30 UTC Wed Dec 27 2017 by Administrator
!
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname OML-Router
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$9qHo$POp9QrbtGwtqB5WD3CO8c.
enable password !2014CnG!
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login vpn_xauth_ml_1 local
aaa authentication login sslvpn local
aaa authorization network vpn_group_ml_1 local
!
!
!
!
!
aaa session-id common
!
!
!
!
no ipv6 cef
ip source-route
ip cef
!
!
ip dhcp bootp ignore
no ip dhcp conflict logging
ip dhcp excluded-address 192.168.10.1 192.168.10.50
!
ip dhcp pool CNG
network 192.168.10.0 255.255.255.0
domain-name MyDomain.com
dns-server 68.9.16.30 68.13.16.30
netbios-name-server 192.168.10.4
netbios-node-type h-node
default-router 192.168.10.1
!
!
no ip bootp server
no ip domain lookup
ip domain name MyDomain.com
!
multilink bundle-name authenticated
!
!
!
crypto pki trustpoint localtrust
enrollment selfsigned
fqdn sslvpn.MyDomain.com
subject-name CN=sslvpn.MyDomain.com
revocation-check crl
rsakeypair sslvpnkey
!
!
vtp domain MyDomain
vtp mode transparent
username administrator secret 5 $1$..wy$ccrCI4JXctO3miXBun4TK.
!
redundancy
!
!
ip ssh version 2
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 2
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key firewall.cx address 0.0.0.0 0.0.0.0
!
crypto isakmp client configuration group MyDomain vpn
key sslvpnkey
dns 68.9.16.30 68.13.16.30
pool SSLClientPool
save-password
include-local-lan
netmask 255.255.255.0
!
crypto isakmp client configuration group CCLIENT-VPN
key firewall.cx
dns 68.9.16.30
pool SSLClientPool
acl 150
max-users 10
crypto isakmp profile vpn-ike-profile-1
match identity group CCLIENT-VPN
client authentication list vpn_xauth_ml_1
isakmp authorization list vpn_group_ml_1
client configuration address respond
virtual-template 2
!
!
crypto ipsec transform-set encrypt-method-1 esp-3des esp-sha-hmac
!
crypto ipsec profile VPN-Profile-1
set transform-set encrypt-method-1
!
!
crypto ipsec client ezvpn omlvpn
connect auto
group OMLvpn key sslvpnkey
mode client
xauth userid mode interactive
!
!
!
!
!
!
interface GigabitEthernet0/0
description WAN
ip address 98.174.86.2 255.255.255.224
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
!
interface GigabitEthernet0/1
description LAN
ip address 192.168.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly
media-type sfp
!
!
interface GigabitEthernet0/2
no ip address
shutdown
duplex auto
speed auto
!
!
interface Virtual-Template2 type tunnel
ip unnumbered GigabitEthernet0/0
tunnel mode ipsec ipv4
tunnel protection ipsec profile VPN-Profile-1
!
!
ip local pool 192.168.10.201 192.168.10.211 group SSLClientPool
ip local pool SSLClientPool 192.168.10.201 192.168.10.211
ip default-gateway 98.174.86.1
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat pool CNG 192.168.10.2 192.168.10.254 netmask 255.255.255.0
ip nat inside source list 1 interface GigabitEthernet0/0 overload
ip nat inside source static tcp 192.168.10.4 80 98.174.86.2 80 extendable
ip nat inside source static tcp 192.168.10.4 443 98.174.86.2 443 extendable
ip nat inside source static tcp 192.168.10.10 25 98.174.86.3 25 extendable
ip nat inside source static tcp 192.168.10.10 80 98.174.86.3 80 extendable
ip nat inside source static tcp 192.168.10.10 110 98.174.86.3 110 extendable
ip nat inside source static tcp 192.168.10.10 587 98.174.86.3 587 extendable
ip nat inside source static tcp 192.168.10.10 1000 98.174.86.3 1000 extendable
ip nat inside source static tcp 192.168.10.25 80 98.174.86.4 80 extendable
ip nat inside source static tcp 192.168.10.25 443 98.174.86.4 443 extendable
ip nat inside source static tcp 192.168.10.25 8443 98.174.86.4 8443 extendable
ip nat inside source static tcp 192.168.10.25 8447 98.174.86.4 8447 extendable
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0
ip route 0.0.0.0 0.0.0.0 98.174.86.1
!
ip access-list extended ACL-FRAGMENT
deny tcp any any fragments
deny udp any any fragments
deny icmp any any fragments
deny ip any any fragments
!
access-list 1 permit 192.168.10.0 0.0.0.255
access-list 150 permit ip 192.168.10.0 0.0.0.255 any
!
no cdp run
!
!
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line vty 0 4
password
transport input ssh
!
scheduler allocate 20000 1000
!
webvpn gateway outside
ip address 98.174.86.4 port 443
ssl trustpoint localtrust
inservice
!
webvpn gateway OMLwebvpn
ssl trustpoint localtrust
no inservice
!
webvpn install svc flash0:/webvpn/anyconnect-win-3.1.03103-k9.pkg sequence 1
!
webvpn context outside
ssl authenticate verify all
!
!
policy group default
!
policy group OMLwebvpn
functions svc-enabled
svc address-pool "SSLClientPool"
svc keep-client-installed
svc split include 192.168.10.0 255.255.255.0
default-group-policy default
gateway outside
ca trustpoint localtrust
inservice
!
!
webvpn context anyconnect
ssl authenticate verify all
!
no inservice
!
end
R/
Prescott ...
12-27-2017 03:12 PM
Hello,
thanks for the configuration. I need to lab this first; I'll get back to you...
12-27-2017 04:16 PM
Please be aware that some parts of the configuration are useless. Some years ago I was putzing around with VPN packages and getting VPN to work. Once it worked, I saved changes without removing what didn't work. Now I cannot remember which is what and so I just left it in there.
R/
Prescott ....
12-28-2017 01:18 PM
Hello,
it took me a while to figure this one out. Below is what I have come up with. In this configuration, the internal address of the server is 192.168.10.4 and the external address is 98.174.86.3. I don't know if that corresponds with your real web server address, since you have several static NAT translations configured, so you might need to change the addresses accordingly:
interface Loopback0
 ip address 1.1.1.1 255.255.255.252
 ip nat outside
 ip policy route-map LOOP_OUT_RM
!
interface Loopback1
 ip address 2.2.2.2 255.255.255.255
 ip nat outside
!
interface GigabitEthernet0/0
 description WAN
 ip address 98.174.86.2 255.255.255.224
 ip policy route-map OUT_IN_RM
 ip virtual-reassembly
 duplex auto
 speed auto
!
!
interface GigabitEthernet0/1
 description LAN
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
 ip policy route-map IN_OUT_RM
 ip virtual-reassembly
 media-type sfp
!
ip nat pool LAN_HOSTS_NAT_POOL 98.174.86.3 98.174.86.3 prefix-length 27
ip nat inside source list LAN_HOSTS_ACL pool LAN_HOSTS_NAT_POOL overload
ip nat inside source static 192.168.10.4 98.174.86.3 extendable
!
ip access-list extended LAN_HOSTS_ACL
 permit ip host 192.168.10.4 any
ip access-list extended LAN_HOSTS_NAT_SRC
 permit ip host 98.174.86.3 any
ip access-list extended LAN_HOSTS_NAT_DST
 permit ip any host 98.174.86.3
!
route-map LOOP_OUT_RM permit 10
 match ip address LAN_HOSTS_NAT_SRC
 set interface GigabitEthernet0/0
!
route-map IN_OUT_RM permit 10
 match ip address LAN_HOSTS_ACL
 set interface Loopback0
!
route-map OUT_IN_RM permit 10
 match ip address LAN_HOSTS_NAT_DST
 set interface Loopback1
12-28-2017 04:52 PM - edited 01-02-2018 05:03 AM
Hello
To save on configuring additional loopbacks and implementing PBR, I would personally enable domain-less NAT (NVI NAT):
conf t
no ip nat pool CNG 192.168.10.2 192.168.10.254 netmask 255.255.255.0
no ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0
no ip route 0.0.0.0 0.0.0.0 98.174.86.1
no ip nat inside source list 1 interface GigabitEthernet0/0 overload
no ip nat inside source static tcp 192.168.10.4 80 98.174.86.2 80 extendable
no ip nat inside source static tcp 192.168.10.4 443 98.174.86.2 443 extendable
no ip nat inside source static tcp 192.168.10.10 25 98.174.86.3 25 extendable
no ip nat inside source static tcp 192.168.10.10 80 98.174.86.3 80 extendable
no ip nat inside source static tcp 192.168.10.10 110 98.174.86.3 110 extendable
no ip nat inside source static tcp 192.168.10.10 587 98.174.86.3 587 extendable
no ip nat inside source static tcp 192.168.10.10 1000 98.174.86.3 1000 extendable
no ip nat inside source static tcp 192.168.10.25 80 98.174.86.4 80 extendable
no ip nat inside source static tcp 192.168.10.25 443 98.174.86.4 443 extendable
no ip nat inside source static tcp 192.168.10.25 8443 98.174.86.4 8443 extendable
no ip nat inside source static tcp 192.168.10.25 8447 98.174.86.4 8447 extendable
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 98.174.86.1
ip nat source list 1 interface GigabitEthernet0/0 overload
ip nat source static tcp 192.168.10.4 80 98.174.86.2 80 extendable
ip nat source static tcp 192.168.10.4 443 98.174.86.2 443 extendable
ip nat source static tcp 192.168.10.10 25 98.174.86.3 25 extendable
ip nat source static tcp 192.168.10.10 80 98.174.86.3 80 extendable
ip nat source static tcp 192.168.10.10 110 98.174.86.3 110 extendable
ip nat source static tcp 192.168.10.10 587 98.174.86.3 587 extendable
ip nat source static tcp 192.168.10.10 1000 98.174.86.3 1000 extendable
ip nat source static tcp 192.168.10.25 80 98.174.86.4 80 extendable
ip nat source static tcp 192.168.10.25 443 98.174.86.4 443 extendable
ip nat source static tcp 192.168.10.25 8443 98.174.86.4 8443 extendable
ip nat source static tcp 192.168.10.25 8447 98.174.86.4 8447 extendable
interface GigabitEthernet0/0
 no ip nat outside
 no ip redirects
 ip nat enable
interface GigabitEthernet0/1
 no ip nat inside
 no ip redirects
 ip nat enable
res
Paul
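As an added illustration (not part of either reply, and not Cisco code), here is a small Python model of why the hairpin fails under the thread's original inside/outside NAT and succeeds once both interfaces carry ip nat enable as in Paul's config. The addresses and the static entry are the thread's; the routing table, port allocation and matching rules are deliberate simplifications of IOS behaviour, and the loopback/PBR variant from the earlier reply is not modelled.

```python
from dataclasses import dataclass, replace

LAN_IF, WAN_IF, LOCAL = "Gi0/1", "Gi0/0", "local"
WAN_IP = "98.174.86.2"       # router WAN address: overload address and the server's public IP
LAN_PREFIX = "192.168.10."   # access-list 1 permit 192.168.10.0 0.0.0.255
SERVER_LAN = "192.168.10.4"
# ip nat [inside] source static tcp 192.168.10.4 80 98.174.86.2 80 extendable
STATIC = {(WAN_IP, 80): (SERVER_LAN, 80)}

@dataclass(frozen=True)
class Pkt:
    src: str; sport: int; dst: str; dport: int

def route(pkt):
    """Toy routing: own address -> local, LAN prefix -> Gi0/1, default route -> Gi0/0."""
    if pkt.dst == WAN_IP:
        return LOCAL
    return LAN_IF if pkt.dst.startswith(LAN_PREFIX) else WAN_IF

class Router:
    def __init__(self, nvi):
        self.nvi = nvi   # False: classic inside/outside NAT; True: "ip nat enable" on both interfaces
        self.dyn = {}    # overload table (simplified): public port -> (lan ip, lan port)

    def _dst_nat(self, pkt):
        """Public -> private rewrite from the static entry or the overload table."""
        hit = STATIC.get((pkt.dst, pkt.dport)) or (pkt.dst == WAN_IP and self.dyn.get(pkt.dport))
        return replace(pkt, dst=hit[0], dport=hit[1]) if hit else pkt

    def _src_nat(self, pkt):
        """Private -> public rewrite: static hosts keep their mapping, others overload."""
        if not pkt.src.startswith(LAN_PREFIX):
            return pkt
        for (pub_ip, pub_port), priv in STATIC.items():
            if priv == (pkt.src, pkt.sport):
                return replace(pkt, src=pub_ip, sport=pub_port)
        for pub_port, priv in self.dyn.items():
            if priv == (pkt.src, pkt.sport):
                return replace(pkt, src=WAN_IP, sport=pub_port)
        pub_port = 1024 + len(self.dyn)   # simplistic port allocation
        self.dyn[pub_port] = (pkt.src, pkt.sport)
        return replace(pkt, src=WAN_IP, sport=pub_port)

    def forward(self, pkt, ingress):
        """Return (packet as it leaves the router, egress)."""
        if self.nvi:
            # NVI: destination lookup on any NAT-enabled ingress, source rewrite on
            # any NAT-enabled egress, so a LAN -> LAN hairpin gets both rewrites.
            pkt = self._dst_nat(pkt)
            egress = route(pkt)
            return (self._src_nat(pkt) if egress != LOCAL else pkt), egress
        # Classic: destination rewrite only outside -> inside, source rewrite only
        # inside -> outside. A LAN client hitting the public address arrives on the
        # inside interface, so the static entry is never consulted and the packet is
        # delivered to the router itself (where "no ip http server" refuses it).
        if ingress == WAN_IF:
            pkt = self._dst_nat(pkt)
        egress = route(pkt)
        if ingress == LAN_IF and egress == WAN_IF:
            pkt = self._src_nat(pkt)
        return pkt, egress

def hairpin(nvi):
    """LAN client 192.168.10.50 opens TCP to the server's public address; if it reached
    the server, the reply re-enters on Gi0/1. Returns (request, egress, reply or None)."""
    r = Router(nvi)
    fwd, egress = r.forward(Pkt("192.168.10.50", 40000, WAN_IP, 80), LAN_IF)
    if fwd.dst != SERVER_LAN:
        return fwd, egress, None
    back, _ = r.forward(Pkt(fwd.dst, fwd.dport, fwd.src, fwd.sport), LAN_IF)
    return fwd, egress, back

if __name__ == "__main__":
    print("classic:", hairpin(False), "\nNVI:    ", hairpin(True))
```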
12-28-2017 06:00 PM
Georg,
I have no idea how to implement your suggested configuration, "loopback" and "PBR" are Greek to me. Is there a performance advantage to using your configuration over Paul's "NVI nat" configuration?
Paul,
Given my ignorance of Cisco routers and routers in general, I greatly appreciate the step by step commands and I will attempt to implement your domain-less NAT (NVI NAT) solution. I'll update this thread with the results.
Many thanks to both of you for your assistance. To be honest, whatever implementation I can make work is the one I'll be going with.
R/
Prescott ...
12-29-2017 02:29 AM - edited 12-29-2017 02:38 AM
Hello
On a side note, as you are unfamiliar with Cisco I would suggest that before you make any changes you save your existing config, then apply the configuration I posted. If you make a mistake and you don't know how to remove it, just reload the rtr without saving the recently applied config and you will be back to where you started.
So BEFORE any changes are made:
1) log on to the rtr
2) write
3) copy running-config flash:myrouterconfig.txt
4) apply the NVI NAT config I posted previously
Res
Paul
12-29-2017 07:26 AM
Paul,
Yes, I've already done that but thanks for the advice.
One question: is there any way I can log on to the router, create a file with the commands in it and then run the file like a script? I use PuTTY to access the router over the internal network. When I first set up the router I used a cable adapter that converted the 25-pin serial port on my laptop to the phone port on the switch connected to the router, and used ssh to connect and configure the router. I can't use PuTTY because as soon as I delete the public-facing interface I'll lose the connection. I cannot find the adapter I used and I would need to order a new one (2 weeks); they just don't keep these on the shelf anymore, go figure. In any event, after searching all day for the adapter it occurred to me that perhaps a script file would work.
R/
Prescott ....
12-29-2017 08:05 AM
Hello,
in addition to Paul's comments, and I assume you are dealing with a router on a live network, I would test the entire configuration first in a simulator such as GNS3. If everything works in there, I would schedule some downtime (or use after business hours) with ample time for trial and error...
12-29-2017 08:47 AM
12-29-2017 09:58 AM
I have physical access to the router, so a physical reboot is the way I would go just in case there's an issue. What I usually do with configuration changes when I implement them is to make changes to the running config and, if I screw it up, reboot the router so the original configuration loads. Once I have everything working, I execute a "write memory" to save the changes.
R/
Prescott ...
12-29-2017 01:04 PM - edited 12-29-2017 01:29 PM
Paul,
Entered the configuration, see command entries below:
Enter configuration commands, one per line. End with CNTL/Z.
OML-Router(config)#$ool CNG 192.168.10.2 192.168.10.254 netmask 255.255.255.0
OML-Router(config)#no ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0
OML-Router(config)#no ip route 0.0.0.0 0.0.0.0 98.174.86.1
OML-Router(config)#$nside source list 1 interface GigabitEthernet0/0 overload
Dynamic mapping in use, do you want to delete all entries? [no]: y
OML-Router(config)#$ce static tcp 192.168.10.4 80 98.174.86.2 80 extendable
OML-Router(config)#$ce static tcp 192.168.10.4 443 98.174.86.2 443 extendable
OML-Router(config)#$ce static tcp 192.168.10.10 25 98.174.86.3 25 extendable
Static entry in use, do you want to delete child entries? [no]: y
OML-Router(config)#$ce static tcp 192.168.10.10 80 98.174.86.3 80 extendable
OML-Router(config)#$tcp 192.168.10.10 110 98.174.86.3 110 extendable
OML-Router(config)#$tcp 192.168.10.10 587 98.174.86.3 587 extendable
OML-Router(config)#$tcp 192.168.10.10 1000 98.174.86.3 1000 extendable
OML-Router(config)#$ce static tcp 192.168.10.25 80 98.174.86.4 80 extendable
Static entry in use, do you want to delete child entries? [no]: y
OML-Router(config)#$tcp 192.168.10.25 443 98.174.86.4 443 extendable
OML-Router(config)#$tcp 192.168.10.25 8443 98.174.86.4 8443 extendable
OML-Router(config)#$tcp 192.168.10.25 8447 98.174.86.4 8447 extendable
OML-Router(config)#ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 98.174.86.1
OML-Router(config)#ip nat source list 1 interface GigabitEthernet0/0 overload
OML-Router(config)#$ce static tcp 192.168.10.4 80 98.174.86.2 80 extendable
OML-Router(config)#$ce static tcp 192.168.10.4 443 98.174.86.2 443 extendable
OML-Router(config)#$ce static tcp 192.168.10.10 25 98.174.86.3 25 extendable
OML-Router(config)#$ce static tcp 192.168.10.10 80 98.174.86.3 80 extendable
OML-Router(config)#$e static tcp 192.168.10.10 110 98.174.86.3 110 extendable
OML-Router(config)#$tcp 192.168.10.10 110 98.174.86.3 110 extendable
OML-Router(config)#$tcp 192.168.10.10 587 98.174.86.3 587 extendable
OML-Router(config)#$tcp 192.168.10.10 1000 98.174.86.3 1000 extendable
OML-Router(config)#$ce static tcp 192.168.10.25 80 98.174.86.4 80 extendable
OML-Router(config)#$tcp 192.168.10.25 443 98.174.86.4 443 extendable
OML-Router(config)#interface GigabitEthernet0/0
OML-Router(config-if)#no ip nat outside
OML-Router(config-if)#ip nat enable
OML-Router(config-if)#interface GigabitEthernet0/1
OML-Router(config-if)#no ip nat inside
OML-Router(config-if)#ip nat enable
Still unable to access my web servers from internal network. Running config is below:
OML-Router#show running-config
Building configuration...
Current configuration : 7458 bytes
!
! Last configuration change at 21:04:52 UTC Fri Dec 29 2017 by Administrator
!
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname OML-Router
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$9qHo$POp9QrbtGwtqB5WD3CO8c.
enable password !2014CnG!
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login vpn_xauth_ml_1 local
aaa authentication login sslvpn local
aaa authorization network vpn_group_ml_1 local
!
!
!
!
!
aaa session-id common
!
!
!
!
no ipv6 cef
ip source-route
ip cef
!
!
ip dhcp bootp ignore
no ip dhcp conflict logging
ip dhcp excluded-address 192.168.10.1 192.168.10.50
!
ip dhcp pool CNG
network 192.168.10.0 255.255.255.0
domain-name MyDomain.com
dns-server 68.9.16.30 68.13.16.30
netbios-name-server 192.168.10.4
netbios-node-type h-node
default-router 192.168.10.1
!
!
no ip bootp server
no ip domain lookup
ip domain name MyDomain.com
!
multilink bundle-name authenticated
!
!
!
crypto pki trustpoint localtrust
enrollment selfsigned
fqdn sslvpn.organizemyleague.com
subject-name CN=sslvpn.organizemyleague.com
revocation-check crl
rsakeypair sslvpnkey
!
!
!
vtp domain OML
vtp mode transparent
username administrator secret 5 $1$..wy$ccrCI4JXctO3miXBun4TK.
!
redundancy
!
!
ip ssh version 2
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 2
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key firewall.cx address 0.0.0.0 0.0.0.0
!
crypto isakmp client configuration group OMLvpn
key sslvpnkey
dns 68.9.16.30 68.13.16.30
pool SSLClientPool
save-password
include-local-lan
netmask 255.255.255.0
!
crypto isakmp client configuration group CCLIENT-VPN
key firewall.cx
dns 68.9.16.30
pool SSLClientPool
acl 150
max-users 10
crypto isakmp profile vpn-ike-profile-1
match identity group CCLIENT-VPN
client authentication list vpn_xauth_ml_1
isakmp authorization list vpn_group_ml_1
client configuration address respond
virtual-template 2
!
!
crypto ipsec transform-set encrypt-method-1 esp-3des esp-sha-hmac
!
crypto ipsec profile VPN-Profile-1
set transform-set encrypt-method-1
!
!
crypto ipsec client ezvpn omlvpn
connect auto
group OMLvpn key sslvpnkey
mode client
xauth userid mode interactive
!
!
!
!
!
!
interface GigabitEthernet0/0
description WAN
ip address 98.174.86.2 255.255.255.224
ip nat enable
ip virtual-reassembly
duplex auto
speed auto
!
!
interface GigabitEthernet0/1
description LAN
ip address 192.168.10.1 255.255.255.0
ip nat enable
ip virtual-reassembly
media-type sfp
!
!
interface GigabitEthernet0/2
no ip address
shutdown
duplex auto
speed auto
!
!
interface Virtual-Template2 type tunnel
ip unnumbered GigabitEthernet0/0
tunnel mode ipsec ipv4
tunnel protection ipsec profile VPN-Profile-1
!
!
ip local pool 192.168.10.201 192.168.10.211 group SSLClientPool
ip local pool SSLClientPool 192.168.10.201 192.168.10.211
ip default-gateway 98.174.86.1
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat source list 1 interface GigabitEthernet0/0 overload
ip nat source static tcp 192.168.10.4 80 98.174.86.2 80 extendable
ip nat source static tcp 192.168.10.4 443 98.174.86.2 443 extendable
ip nat source static tcp 192.168.10.10 25 98.174.86.3 25 extendable
ip nat source static tcp 192.168.10.10 80 98.174.86.3 80 extendable
ip nat source static tcp 192.168.10.10 110 98.174.86.3 110 extendable
ip nat source static tcp 192.168.10.10 587 98.174.86.3 587 extendable
ip nat source static tcp 192.168.10.10 1000 98.174.86.3 1000 extendable
ip nat source static tcp 192.168.10.25 80 98.174.86.4 80 extendable
ip nat source static tcp 192.168.10.25 443 98.174.86.4 443 extendable
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 98.174.86.1
!
ip access-list extended ACL-FRAGMENT
deny tcp any any fragments
deny udp any any fragments
deny icmp any any fragments
deny ip any any fragments
!
access-list 1 permit 192.168.10.0 0.0.0.255
access-list 150 permit ip 192.168.10.0 0.0.0.255 any
!
no cdp run
!
!
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line vty 0 4
password $@1@3456
transport input ssh
!
scheduler allocate 20000 1000
!
webvpn gateway outside
ip address 98.174.86.4 port 443
ssl trustpoint localtrust
inservice
!
webvpn gateway OMLwebvpn
ssl trustpoint localtrust
no inservice
!
webvpn install svc flash0:/webvpn/anyconnect-win-3.1.03103-k9.pkg sequence 1
!
webvpn context outside
ssl authenticate verify all
!
!
policy group default
!
policy group OMLwebvpn
functions svc-enabled
svc address-pool "SSLClientPool"
svc keep-client-installed
svc split include 192.168.10.0 255.255.255.0
default-group-policy default
gateway outside
ca trustpoint localtrust
inservice
!
!
webvpn context anyconnect
ssl authenticate verify all
!
no inservice
!
end
Any ideas?
R/
Prescott ....
12-29-2017 01:42 PM
Paul,
Entered the commands exactly as written and upon Ctrl-Z I immediately lost the internet. I could still access local servers using the internal IP address, but nothing external, including this forum. I had posted a message earlier detailing what I had done (and apparently that message disappeared when I edited it), but upon entering the commands on the first try, I neglected to "activate" the changes with the Ctrl-Z. I still could not access the internal servers on the public IP address.
Any ideas?
R/
Prescott ...