04-22-2015 02:23 PM - edited 03-05-2019 01:18 AM
Hello
My problem is that I can't port forward port 80.
I used the following commands:
cisco123(config)#ip nat inside source static tcp 10.10.10.25 80 interface Dialer0 80
cisco123(config)#ip nat inside source static tcp 10.10.10.25 443 interface Dialer0 443
ip access-list extended 199
permit tcp any host 10.10.10.25 eq www
I want outside Internet users to access the web server with address 10.10.10.25. How is it possible?
Thank you very much.
Please have a look at the running configuration.
Building configuration...
Current configuration : 6714 bytes
!
! Last configuration change at 22:38:31 Athens Wed Apr 22 2015
version 15.1
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname cisco123
!
boot-start-marker
boot-end-marker
!
!
no logging buffered
enable secret 5 $1$5qyB$qWoRHktpS/D3aoImKdyU21
enable password
!
no aaa new-model
memory-size iomem 10
clock timezone Athens 2 0
clock summer-time Athens date Mar 30 2003 3:00 Oct 26 2003 4:00
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-1627569428
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-
revocation-check none
rsakeypair TP-self-signed-
!
!
quit
ip source-route
!
!
!
!
!
ip cef
ip name-server 193.92.150.3
ip name-server 194.219.227.2
ip port-map user-protocol--1 port tcp 26433
no ipv6 cef
!
!
license udi pid CISCO887VA-K9 sn FCZ1715948E
!
!
!
!
!
!
controller VDSL 0
!
!
class-map type inspect match-all sdm-nat-user-protocol--1-1
match access-group 101
match protocol user-protocol--1
class-map type inspect match-any ccp-skinny-inspect
match protocol skinny
class-map type inspect match-any ccp-cls-insp-traffic
match protocol dns
match protocol ftp
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map type inspect match-any ccp-h323nxg-inspect
match protocol h323-nxg
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-any ccp-h225ras-inspect
match protocol h225ras
class-map type inspect match-any ccp-h323annexe-inspect
match protocol h323-annexe
class-map type inspect match-any ccp-h323-inspect
match protocol h323
class-map type inspect match-all ccp-invalid-src
match access-group 100
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
class-map type inspect match-any ccp-sip-inspect
match protocol sip
class-map type inspect match-all ccp-protocol-http
match protocol http
!
!
policy-map type inspect ccp-permit-icmpreply
class type inspect ccp-icmp-access
inspect
class class-default
pass
policy-map type inspect sdm-pol-NATOutsideToInside-1
class type inspect sdm-nat-user-protocol--1-1
inspect
class class-default
drop
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
drop log
class type inspect ccp-protocol-http
inspect
class type inspect ccp-insp-traffic
inspect
class type inspect ccp-sip-inspect
inspect
class type inspect ccp-h323-inspect
inspect
class type inspect ccp-h323annexe-inspect
inspect
class type inspect ccp-h225ras-inspect
inspect
class type inspect ccp-h323nxg-inspect
inspect
class type inspect ccp-skinny-inspect
inspect
class class-default
drop
policy-map type inspect ccp-permit
class class-default
drop
!
zone security in-zone
zone security out-zone
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect ccp-permit-icmpreply
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
service-policy type inspect sdm-pol-NATOutsideToInside-1
!
!
!
!
!
!
!
interface Ethernet0
no ip address
shutdown
no fair-queue
!
interface ATM0
no ip address
no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
description FORTHNET
pvc 8/35
pppoe-client dial-pool-number 1
!
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface Vlan1
description $FW_INSIDE$
ip address 10.10.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
zone-member security in-zone
ip tcp adjust-mss 1412
!
interface Dialer0
description $FW_OUTSIDE$
ip address negotiated
ip mtu 1452
ip nat outside
ip virtual-reassembly in
zone-member security out-zone
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication pap callin
ppp pap sent-username
ppp ipcp dns request
!
ip forward-protocol nd
ip http server
ip http secure-server
!
ip nat inside source list 199 interface Dialer0 overload
ip nat inside source static tcp 10.10.10.25 80 interface Dialer0 80
ip nat inside source static tcp 10.10.10.25 443 interface Dialer0 443
ip route 0.0.0.0 0.0.0.0 Dialer0
!
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 199 permit ip any any
access-list 199 permit tcp any host 10.10.10.25 eq www
dialer-list 1 protocol ip permit
!
!
!
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
password
login
transport input all
!
end
04-26-2015 02:31 AM
Hello
Cisco recommends not to use a NAT ACL that's defined as any any.
Try:
no IP access 199
ip access-list 199 permit IP 10.10.10.0 0.0.0.255 any
Also, your ZBF class map for NAT is looking for an ACL 101, and I don't see that in your config:
sdm-nat-user-protocol--1-1
match access-group 101
res
paul
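As an added example (not part of the thread or Cisco's own tooling), a small Python check that reproduces the two findings above against a constructed excerpt of the posted config: a class-map that matches on an access-group with no ACL defined, and a NAT source list whose ACL contains permit ip any any.

```python
import re

# Constructed excerpt modelled on the thread's running-config, not the full config.
SAMPLE_CONFIG = """
class-map type inspect match-all sdm-nat-user-protocol--1-1
 match access-group 101
 match protocol user-protocol--1
class-map type inspect match-all ccp-invalid-src
 match access-group 100
ip nat inside source list 199 interface Dialer0 overload
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 199 permit ip any any
access-list 199 permit tcp any host 10.10.10.25 eq www
"""

def defined_acls(text):
    """ACL numbers/names that actually have entries in the config."""
    acls = set(re.findall(r"^access-list (\S+) ", text, re.M))
    acls |= set(re.findall(r"^ip access-list (?:standard|extended) (\S+)", text, re.M))
    return acls

def referenced_by_class_maps(text):
    """Map each inspect class-map to the access-groups it matches on."""
    refs, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"class-map type inspect \S+ (\S+)", line)
        if m:
            current = m.group(1)
        m = re.match(r"match access-group (\S+)", line)
        if m and current:
            refs.setdefault(current, []).append(m.group(1))
    return refs

def nat_acls_with_any_any(text):
    """NAT source lists whose ACL has a 'permit ip any any' entry."""
    nat_lists = set(re.findall(r"^ip nat inside source list (\S+) ", text, re.M))
    return {acl for acl in nat_lists
            if re.search(rf"^access-list {re.escape(acl)} permit ip any any", text, re.M)}

def audit(text):
    """Findings: class-maps pointing at undefined ACLs, and NAT ACLs that are any/any."""
    defined = defined_acls(text)
    refs = referenced_by_class_maps(text)
    missing = {cm: [a for a in acls if a not in defined]
               for cm, acls in refs.items() if any(a not in defined for a in acls)}
    return {"missing_acls": missing, "nat_any_any": nat_acls_with_any_any(text)}

if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG))
```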
04-26-2015 01:10 PM
I followed your advice, although the problem remains. I don't have access-list 101.
Thank you for your help.
My current running-config:
Building configuration...
Current configuration : 6812 bytes
!
! Last configuration change at 21:04:37 Athens Sun Apr 26 2015
version 15.1
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname cisco123
!
boot-start-marker
boot-end-marker
!
!
no logging buffered
enable secret 5
enable password
!
no aaa new-model
memory-size iomem 10
clock timezone Athens 2 0
clock summer-time Athens date Mar 30 2003 3:00 Oct 26 2003 4:00
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-1627569428
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-
revocation-check none
rsakeypair TP-self-signed-
!
!
ip source-route
!
!
!
!
!
ip cef
ip name-server 193.92.150.3
ip name-server 194.219.227.2
ip port-map user-protocol--1 port tcp 26433
no ipv6 cef
!
!
license udi pid CISCO887VA-K9 sn FCZ1715948E
!
!
!
!
!
!
controller VDSL 0
!
!
class-map type inspect match-all sdm-nat-user-protocol--1-1
match access-group 101
match protocol user-protocol--1
class-map type inspect match-any ccp-skinny-inspect
match protocol skinny
class-map type inspect match-any ccp-cls-insp-traffic
match protocol dns
match protocol ftp
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map type inspect match-any ccp-h323nxg-inspect
match protocol h323-nxg
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-any ccp-h225ras-inspect
match protocol h225ras
class-map type inspect match-any ccp-h323annexe-inspect
match protocol h323-annexe
class-map type inspect match-all c1
match access-group 199
match protocol http
class-map type inspect match-any ccp-h323-inspect
match protocol h323
class-map type inspect match-all ccp-invalid-src
match access-group 100
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
class-map type inspect match-any ccp-sip-inspect
match protocol sip
class-map type inspect match-all ccp-protocol-http
match protocol http
!
!
policy-map type inspect ccp-permit-icmpreply
class type inspect ccp-icmp-access
inspect
class class-default
pass
policy-map type inspect sdm-pol-NATOutsideToInside-1
class type inspect sdm-nat-user-protocol--1-1
inspect
class class-default
drop
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
drop log
class type inspect ccp-protocol-http
inspect
class type inspect ccp-insp-traffic
inspect
class type inspect ccp-sip-inspect
inspect
class type inspect ccp-h323-inspect
inspect
class type inspect ccp-h323annexe-inspect
inspect
class type inspect ccp-h225ras-inspect
inspect
class type inspect ccp-h323nxg-inspect
inspect
class type inspect ccp-skinny-inspect
inspect
class class-default
drop
policy-map type inspect ccp-permit
class class-default
drop
!
zone security in-zone
zone security out-zone
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect ccp-permit-icmpreply
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zon
service-policy type inspect sdm-pol-NATOutsideToInside-1
!
!
!
!
!
!
!
interface Ethernet0
no ip address
shutdown
no fair-queue
!
interface ATM0
no ip address
no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
description FORTHNET
pvc 8/35
pppoe-client dial-pool-number 1
!
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface Vlan1
description $FW_INSIDE$
ip address 10.10.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
zone-member security in-zone
ip tcp adjust-mss 1412
!
interface Dialer0
description $FW_OUTSIDE$
ip address negotiated
ip mtu 1452
ip nat outside
ip virtual-reassembly in
zone-member security out-zone
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication pap callin
ppp pap sent-username ibmagd@otenet.gr password 0 exelon6*
ppp ipcp dns request
!
ip forward-protocol nd
ip http server
ip http secure-server
!
ip nat inside source list 199 interface Dialer0 overload
ip nat inside source static tcp 10.10.10.25 80 interface Dialer0 80
ip nat inside source static tcp 10.10.10.25 443 interface Dialer0 443
ip route 0.0.0.0 0.0.0.0 Dialer0
!
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 199 permit ip 10.10.10.0 0.0.0.255 any
access-list 199 permit tcp any host 10.10.10.25 eq www
dialer-list 1 protocol ip permit
!
!
!
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
password
login
transport input all
!
end
04-27-2015 01:42 AM
Hello
You're still showing some remnants of the 199 ACL, OP.
Please do the following:
no IP access 199
ip access-list 199 permit IP 10.10.10.0 0.0.0.255 any
ip nat inside source static tcp 10.10.10.25 80 x.x.x.x 80 extendable
ip nat inside source static tcp 10.10.10.25 443 x.x.x.x 443 extendable
And also, your ZBF class map is still set to match on ACL 101, which you don't seem to have.
res
Paul
04-27-2015 08:15 AM
I did the following:
(config)#ip access-list extended 199
(config-ext-nacl)#no ip access-list extended 199
(config-ext-nacl)#permit ip 10.10.10.0 0.0.0.255 any
(config)#ip nat inside source static tcp 10.10.10.25 80 x.x.x.x 80 extendable
(config)#ip nat inside source static tcp 10.10.10.25 443 x.x.x.x 443 extendable
Is this right?
Thank you