Thank you for your assistance.

My configuration is below:

Current configuration : 7778 bytes
!
! Last configuration change at 14:48:30 UTC Wed Dec 27 2017 by Administrator
!
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname OML-Router
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$9qHo$POp9QrbtGwtqB5WD3CO8c.
enable password !2014CnG!
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login vpn_xauth_ml_1 local
aaa authentication login sslvpn local
aaa authorization network vpn_group_ml_1 local
!
!
!
!
!
aaa session-id common
!
!
!
!
no ipv6 cef
ip source-route
ip cef
!
!
ip dhcp bootp ignore
no ip dhcp conflict logging
ip dhcp excluded-address 192.168.10.1 192.168.10.50
!
ip dhcp pool CNG
   network 192.168.10.0 255.255.255.0
   domain-name MyDomain.com
   dns-server 68.9.16.30 68.13.16.30
   netbios-name-server 192.168.10.4
   netbios-node-type h-node
   default-router 192.168.10.1
!
!
no ip bootp server
no ip domain lookup
ip domain name MyDomain.com
!
multilink bundle-name authenticated
!
!
!
crypto pki trustpoint localtrust
 enrollment selfsigned
 fqdn sslvpn.MyDomain.com
 subject-name CN=sslvpn.MyDomain.com
 revocation-check crl
 rsakeypair sslvpnkey
!
!

vtp domain MyDomain
vtp mode transparent
username administrator secret 5 $1$..wy$ccrCI4JXctO3miXBun4TK.
!
redundancy
!
!
ip ssh version 2
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 2
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key firewall.cx address 0.0.0.0 0.0.0.0
!
crypto isakmp client configuration group MyDomain vpn
 key sslvpnkey
 dns 68.9.16.30 68.13.16.30
 pool SSLClientPool
 save-password
 include-local-lan
 netmask 255.255.255.0
!
crypto isakmp client configuration group CCLIENT-VPN
 key firewall.cx
 dns 68.9.16.30
 pool SSLClientPool
 acl 150
 max-users 10
crypto isakmp profile vpn-ike-profile-1
   match identity group CCLIENT-VPN
   client authentication list vpn_xauth_ml_1
   isakmp authorization list vpn_group_ml_1
   client configuration address respond
   virtual-template 2
!
!
crypto ipsec transform-set encrypt-method-1 esp-3des esp-sha-hmac
!
crypto ipsec profile VPN-Profile-1
 set transform-set encrypt-method-1
!
!
crypto ipsec client ezvpn omlvpn
 connect auto
 group OMLvpn key sslvpnkey
 mode client
 xauth userid mode interactive
!
!
!
!
!
!
interface GigabitEthernet0/0
 description WAN
 ip address 98.174.86.2 255.255.255.224
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 !
!
interface GigabitEthernet0/1
 description LAN
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 media-type sfp
 !
!
interface GigabitEthernet0/2
 no ip address
 shutdown
 duplex auto
 speed auto
 !
!
interface Virtual-Template2 type tunnel
 ip unnumbered GigabitEthernet0/0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VPN-Profile-1
 !
!
ip local pool 192.168.10.201 192.168.10.211 group SSLClientPool
ip local pool SSLClientPool 192.168.10.201 192.168.10.211
ip default-gateway 98.174.86.1
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat pool CNG 192.168.10.2 192.168.10.254 netmask 255.255.255.0
ip nat inside source list 1 interface GigabitEthernet0/0 overload
ip nat inside source static tcp 192.168.10.4 80 98.174.86.2 80 extendable
ip nat inside source static tcp 192.168.10.4 443 98.174.86.2 443 extendable
ip nat inside source static tcp 192.168.10.10 25 98.174.86.3 25 extendable
ip nat inside source static tcp 192.168.10.10 80 98.174.86.3 80 extendable
ip nat inside source static tcp 192.168.10.10 110 98.174.86.3 110 extendable
ip nat inside source static tcp 192.168.10.10 587 98.174.86.3 587 extendable
ip nat inside source static tcp 192.168.10.10 1000 98.174.86.3 1000 extendable
ip nat inside source static tcp 192.168.10.25 80 98.174.86.4 80 extendable
ip nat inside source static tcp 192.168.10.25 443 98.174.86.4 443 extendable
ip nat inside source static tcp 192.168.10.25 8443 98.174.86.4 8443 extendable
ip nat inside source static tcp 192.168.10.25 8447 98.174.86.4 8447 extendable
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0
ip route 0.0.0.0 0.0.0.0 98.174.86.1
!
ip access-list extended ACL-FRAGMENT
 deny   tcp any any fragments
 deny   udp any any fragments
 deny   icmp any any fragments
 deny   ip any any fragments
!
access-list 1 permit 192.168.10.0 0.0.0.255
access-list 150 permit ip 192.168.10.0 0.0.0.255 any
!
no cdp run

!
!
!
!
!
control-plane
 !
!
!
line con 0
line aux 0
line vty 0 4
 password
 transport input ssh
!
scheduler allocate 20000 1000
!
webvpn gateway outside
 ip address 98.174.86.4 port 443
 ssl trustpoint localtrust
 inservice
 !
webvpn gateway OMLwebvpn
 ssl trustpoint localtrust
 no inservice
 !
webvpn install svc flash0:/webvpn/anyconnect-win-3.1.03103-k9.pkg sequence 1
 !
webvpn context outside
 ssl authenticate verify all
 !
 !
 policy group default
 !
 policy group OMLwebvpn
   functions svc-enabled
   svc address-pool "SSLClientPool"
   svc keep-client-installed
   svc split include 192.168.10.0 255.255.255.0
 default-group-policy default
 gateway outside
 ca trustpoint localtrust
 inservice
!
!
webvpn context anyconnect
 ssl authenticate verify all
 !
 no inservice
!
end

R/

Prescott ...

Hello,

thanks for the configuration. I need to lab this first, I'll get back with you...

Please be aware that some parts of the configuration are useless.  Some years ago I was putzing around with VPN packages and getting VPN to work.  Once it worked, I saved changes without removing what didn't work.  Now I cannot remember which is what and so I just left it in there.

R/

Prescott ....

Hello,

it took me a while to figure this one out, Below is what I have come up with. In this configuration, the internal address of the server is 192.168.10.4, and the external address is 98.174.86.3. I don't know if that corresponds with your real web server address, since you have several static NAT translations configured, so you might need to change the addresses accordingly:

interface Loopback0
ip address 1.1.1.1 255.255.255.252
ip nat outside
ip policy route-map LOOP_OUT_RM
!
interface Loopback1
ip address 2.2.2.2 255.255.255.255
ip nat outside
!
interface GigabitEthernet0/0
description WAN
ip address 98.174.86.2 255.255.255.224
ip policy route-map OUT_IN_RM
ip virtual-reassembly
duplex auto
speed auto
!
!
interface GigabitEthernet0/1
description LAN
ip address 192.168.10.1 255.255.255.0
ip nat inside
ip policy route-map IN_OUT_RM
ip virtual-reassembly
media-type sfp
!
ip nat pool LAN_HOSTS_NAT_POOL 98.174.86.3 98.174.86.3 prefix-length 27
ip nat inside source list LAN_HOSTS_ACL pool LAN_HOSTS_NAT_POOL overload
ip nat inside source static 192.168.10.4 98.174.86.3 extendable
!
ip access-list extended LAN_HOSTS_ACL
permit ip host 192.168.10.4 any
ip access-list extended LAN_HOSTS_NAT_SRC
permit ip host 98.174.86.3 any
ip access-list extended LAN__HOSTS_NAT_DST
permit ip any host 98.174.86.3
!
route-map LOOP_OUT_RM permit 10
match ip address LAN_HOSTS_NAT_SRC
set interface GigabitEthernet0/0
!
route-map IN_OUT_RM permit 10
match ip address LAN_HOSTS_ACL
set interface Loopback0
!
route-map OUT_IN_RM permit 10
match ip address LAN_HOSTS_NAT_DST
set interface Loopback1

I have no idea how to implement your suggested configuration, "loopback" and "PBR" are Greek to me.  Is there a performance advantage to using your configuration over Paul's "NVI nat" configuration?

Paul,

Given my ignorance of Cisco routers and routers in general, I greatly appreciate the step by step commands and I will attempt to implement your domain-less nat {NVI nat) solution.  I'll update this thread with the results. 

Many thanks to both of you for your assistance.  To be honest, whatever implementation I can make work is the one I'll be going with.

R/

Prescott ...

Hello
On a side note as you are unfamiliar with Cisco I would suggest before you make any changes save your existing config, Then apply the configuration I posted - if you make a mistake and you don’t know how to remove it then just reload the rtr without saving the recently applied config and you will be back to where you started.

So BEFORE any change are made

1) log on rtr
2) write
3) copy running-configuration flash:myrouterconfig.txt
4) apply the NVI nat config I posted previously 

Res
Paul

Paul,

Yes, I've already done that but thanks for the advice.

One question; is there any way I can logon to the router, create a file with the commands in it and then run the file like a script?  I use putty to access the router over the internal network, when I first set up the router I used a cable adapter that converted the 25 pin serial port on my laptop to the phone port on the switch connected to the router and used ssh to connect and configure the router.  I can't use putty because as soon as I delete the public facing interface, I'll lose the connection.  I cannot find the adapter I used and I would need to order a new one (2 weeks), they just don't keep these on the shelf anymore, go figure.  In any event, after searching all day for the adapter it occurred to me that perhaps a script file would work.

R/

Prescott ....

Hello,

in addition to Paul's comments, and I assume you are dealing with a router on a live network, I would test the entire configuration first in a simulator such as GNS3. If everything works in there, I would schedule some downtime (or use after business hours) with ample time for trial and error...

I have physical access to the router so a physical reboot is the way I would go just in case there's a issue.  What I usually do with configuration changes when I implement them is to make changes to the running config and if I screw it up, reboot the router and the original configuration loads.  Once I have everything working, the I execute a "write memory" to save the changes.

R/

Prescott ...

Paul,

Entered the configuration, see command entries below:

Enter configuration commands, one per line.  End with CNTL/Z.
OML-Router(config)#$ool CNG 192.168.10.2 192.168.10.254 netmask 255.255.255.0
OML-Router(config)#no ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0
OML-Router(config)#no ip route 0.0.0.0 0.0.0.0 98.174.86.1
OML-Router(config)#$nside source list 1 interface GigabitEthernet0/0 overload

Dynamic mapping in use, do you want to delete all entries? [no]: y
OML-Router(config)#$ce static tcp 192.168.10.4 80 98.174.86.2 80 extendable
OML-Router(config)#$ce static tcp 192.168.10.4 443 98.174.86.2 443 extendable
OML-Router(config)#$ce static tcp 192.168.10.10 25 98.174.86.3 25 extendable

Static entry in use, do you want to delete child entries? [no]: y
OML-Router(config)#$ce static tcp 192.168.10.10 80 98.174.86.3 80 extendable
OML-Router(config)#$tcp 192.168.10.10 110 98.174.86.3 110 extendable
OML-Router(config)#$tcp 192.168.10.10 587 98.174.86.3 587 extendable
OML-Router(config)#$tcp 192.168.10.10 1000 98.174.86.3 1000 extendable
OML-Router(config)#$ce static tcp 192.168.10.25 80 98.174.86.4 80 extendable

Static entry in use, do you want to delete child entries? [no]: y
OML-Router(config)#$tcp 192.168.10.25 443 98.174.86.4 443 extendable
OML-Router(config)#$tcp 192.168.10.25 8443 98.174.86.4 8443 extendable
OML-Router(config)#$tcp 192.168.10.25 8447 98.174.86.4 8447 extendable
OML-Router(config)#ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 98.174.86.1
OML-Router(config)#ip nat source list 1 interface GigabitEthernet0/0 overload

OML-Router(config)#$ce static tcp 192.168.10.4 80 98.174.86.2 80 extendable

OML-Router(config)#$ce static tcp 192.168.10.4 443 98.174.86.2 443 extendable

OML-Router(config)#$ce static tcp 192.168.10.10 25 98.174.86.3 25 extendable

OML-Router(config)#$ce static tcp 192.168.10.10 80 98.174.86.3 80 extendable

OML-Router(config)#$e static tcp 192.168.10.10 110 98.174.86.3 110 extendable
 

OML-Router(config)#$tcp 192.168.10.10 110 98.174.86.3 110 extendable

OML-Router(config)#$tcp 192.168.10.10 587 98.174.86.3 587 extendable

OML-Router(config)#$tcp 192.168.10.10 1000 98.174.86.3 1000 extendable

OML-Router(config)#$ce static tcp 192.168.10.25 80 98.174.86.4 80 extendable

OML-Router(config)#$tcp 192.168.10.25 443 98.174.86.4 443 extendable

OML-Router(config)#interface GigabitEthernet0/0
OML-Router(config-if)#no ip nat outside
OML-Router(config-if)#ip nat enable
OML-Router(config-if)#interface GigabitEthernet0/1
OML-Router(config-if)#no ip nat inside
OML-Router(config-if)#ip nat enable

Still unable to access my web servers from internal network.  Running config is below:

OML-Router#show running-config
Building configuration...

Current configuration : 7458 bytes
!
! Last configuration change at 21:04:52 UTC Fri Dec 29 2017 by Administrator
!
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname OML-Router
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$9qHo$POp9QrbtGwtqB5WD3CO8c.
enable password !2014CnG!
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login vpn_xauth_ml_1 local
aaa authentication login sslvpn local
aaa authorization network vpn_group_ml_1 local
!
!
!
!
!
aaa session-id common
!
!
!
!
no ipv6 cef
ip source-route
ip cef
!
!
ip dhcp bootp ignore
no ip dhcp conflict logging
ip dhcp excluded-address 192.168.10.1 192.168.10.50
!
ip dhcp pool CNG
   network 192.168.10.0 255.255.255.0
   domain-name MyDomain.com
   dns-server 68.9.16.30 68.13.16.30
   netbios-name-server 192.168.10.4
   netbios-node-type h-node
   default-router 192.168.10.1
!
!
no ip bootp server
no ip domain lookup
ip domain name MyDomain.com
!
multilink bundle-name authenticated
!
!
!
crypto pki trustpoint localtrust
 enrollment selfsigned
 fqdn sslvpn.organizemyleague.com
 subject-name CN=sslvpn.organizemyleague.com
 revocation-check crl
 rsakeypair sslvpnkey
!
!
!
vtp domain OML
vtp mode transparent
username administrator secret 5 $1$..wy$ccrCI4JXctO3miXBun4TK.
!
redundancy
!
!
ip ssh version 2
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 2
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key firewall.cx address 0.0.0.0 0.0.0.0
!
crypto isakmp client configuration group OMLvpn
 key sslvpnkey
 dns 68.9.16.30 68.13.16.30
 pool SSLClientPool
 save-password
 include-local-lan
 netmask 255.255.255.0
!
crypto isakmp client configuration group CCLIENT-VPN
 key firewall.cx
 dns 68.9.16.30
 pool SSLClientPool
 acl 150
 max-users 10
crypto isakmp profile vpn-ike-profile-1
   match identity group CCLIENT-VPN
   client authentication list vpn_xauth_ml_1
   isakmp authorization list vpn_group_ml_1
   client configuration address respond
   virtual-template 2
!
!
crypto ipsec transform-set encrypt-method-1 esp-3des esp-sha-hmac
!
crypto ipsec profile VPN-Profile-1
 set transform-set encrypt-method-1
!
!
crypto ipsec client ezvpn omlvpn
 connect auto
 group OMLvpn key sslvpnkey
 mode client
 xauth userid mode interactive
!
!
!
!
!
!
interface GigabitEthernet0/0
 description WAN
 ip address 98.174.86.2 255.255.255.224
 ip nat enable
 ip virtual-reassembly
 duplex auto
 speed auto
 !
!
interface GigabitEthernet0/1
 description LAN
 ip address 192.168.10.1 255.255.255.0
 ip nat enable
 ip virtual-reassembly
 media-type sfp
 !
!
interface GigabitEthernet0/2
 no ip address
 shutdown
 duplex auto
 speed auto
 !
!
interface Virtual-Template2 type tunnel
 ip unnumbered GigabitEthernet0/0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VPN-Profile-1
 !
!
ip local pool 192.168.10.201 192.168.10.211 group SSLClientPool
ip local pool SSLClientPool 192.168.10.201 192.168.10.211
ip default-gateway 98.174.86.1
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat source list 1 interface GigabitEthernet0/0 overload
ip nat source static tcp 192.168.10.4 80 98.174.86.2 80 extendable
ip nat source static tcp 192.168.10.4 443 98.174.86.2 443 extendable
ip nat source static tcp 192.168.10.10 25 98.174.86.3 25 extendable
ip nat source static tcp 192.168.10.10 80 98.174.86.3 80 extendable
ip nat source static tcp 192.168.10.10 110 98.174.86.3 110 extendable
ip nat source static tcp 192.168.10.10 587 98.174.86.3 587 extendable
ip nat source static tcp 192.168.10.10 1000 98.174.86.3 1000 extendable
ip nat source static tcp 192.168.10.25 80 98.174.86.4 80 extendable
ip nat source static tcp 192.168.10.25 443 98.174.86.4 443 extendable
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 98.174.86.1
!
ip access-list extended ACL-FRAGMENT
 deny   tcp any any fragments
 deny   udp any any fragments
 deny   icmp any any fragments
 deny   ip any any fragments
!
access-list 1 permit 192.168.10.0 0.0.0.255
access-list 150 permit ip 192.168.10.0 0.0.0.255 any
!
no cdp run

!
!
!
!
!
control-plane
 !
!
!
line con 0
line aux 0
line vty 0 4
 password $@1@3456
 transport input ssh
!
scheduler allocate 20000 1000
!
webvpn gateway outside
 ip address 98.174.86.4 port 443
 ssl trustpoint localtrust
 inservice
 !
webvpn gateway OMLwebvpn
 ssl trustpoint localtrust
 no inservice
 !
webvpn install svc flash0:/webvpn/anyconnect-win-3.1.03103-k9.pkg sequence 1
 !
webvpn context outside
 ssl authenticate verify all
 !
 !
 policy group default
 !
 policy group OMLwebvpn
   functions svc-enabled
   svc address-pool "SSLClientPool"
   svc keep-client-installed
   svc split include 192.168.10.0 255.255.255.0
 default-group-policy default
 gateway outside
 ca trustpoint localtrust
 inservice
!
!
webvpn context anyconnect
 ssl authenticate verify all
 !
 no inservice
!
end

Any ideas?

R/

Prescott ....

Paul,

Entered the commands exactly as written and upon ctrl Z I immediately lost the internet.  I could still access local servers using the internal IP address, but nothing external, including this forum.  I had posted a message earlier detailing what I had done (and apparently that message dissapeared when I edited it), but upon entering the commands on the first try, I neglected to "activate" the changes with the ctrl Z.  I still could not access the internal servers on the public IP address.

Any ideas?

R/

Prescott ...