Port Forward 80 problem

GEORGE POLYZOS
Level 1

Hello

My problem is that I can't port forward port 80.

I used the following commands

cisco123(config)#ip nat inside source static tcp 10.10.10.25 80 interface Dialer0 80
cisco123(config)#ip nat inside source static tcp 10.10.10.25 443 interface Dialer0 443

ip access-list extended 199
permit tcp any host 10.10.10.25 eq www

I want outside Internet users to access the web server at address 10.10.10.25. How is it possible?

Thank you very much

Please have a look at the running configuration.

Building configuration...

Current configuration : 6714 bytes
!
! Last configuration change at 22:38:31 Athens Wed Apr 22 2015
version 15.1
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname cisco123
!
boot-start-marker
boot-end-marker
!
!
no logging buffered
enable secret 5 $1$5qyB$qWoRHktpS/D3aoImKdyU21
enable password
!
no aaa new-model
memory-size iomem 10
clock timezone Athens 2 0
clock summer-time Athens date Mar 30 2003 3:00 Oct 26 2003 4:00
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-1627569428
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-
 revocation-check none
 rsakeypair TP-self-signed-
!
!

        quit
ip source-route
!
!
!
!
!
ip cef
ip name-server 193.92.150.3
ip name-server 194.219.227.2
ip port-map user-protocol--1 port tcp 26433
no ipv6 cef
!
!
license udi pid CISCO887VA-K9 sn FCZ1715948E
!
!
!
!
!
!
controller VDSL 0
!
!
class-map type inspect match-all sdm-nat-user-protocol--1-1
 match access-group 101
 match protocol user-protocol--1
class-map type inspect match-any ccp-skinny-inspect
 match protocol skinny
class-map type inspect match-any ccp-cls-insp-traffic
 match protocol dns
 match protocol ftp
 match protocol https
 match protocol icmp
 match protocol imap
 match protocol pop3
 match protocol netshow
 match protocol shell
 match protocol realmedia
 match protocol rtsp
 match protocol smtp
 match protocol sql-net
 match protocol streamworks
 match protocol tftp
 match protocol vdolive
 match protocol tcp
 match protocol udp
class-map type inspect match-all ccp-insp-traffic
 match class-map ccp-cls-insp-traffic
class-map type inspect match-any ccp-h323nxg-inspect
 match protocol h323-nxg
class-map type inspect match-any ccp-cls-icmp-access
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-any ccp-h225ras-inspect
 match protocol h225ras
class-map type inspect match-any ccp-h323annexe-inspect
 match protocol h323-annexe
class-map type inspect match-any ccp-h323-inspect
 match protocol h323
class-map type inspect match-all ccp-invalid-src
 match access-group 100
class-map type inspect match-all ccp-icmp-access
 match class-map ccp-cls-icmp-access
class-map type inspect match-any ccp-sip-inspect
 match protocol sip
class-map type inspect match-all ccp-protocol-http
 match protocol http
!
!
policy-map type inspect ccp-permit-icmpreply
 class type inspect ccp-icmp-access
  inspect
 class class-default
  pass
policy-map type inspect sdm-pol-NATOutsideToInside-1
 class type inspect sdm-nat-user-protocol--1-1
  inspect
 class class-default
  drop
policy-map type inspect ccp-inspect
 class type inspect ccp-invalid-src
  drop log
 class type inspect ccp-protocol-http
  inspect
 class type inspect ccp-insp-traffic
  inspect
 class type inspect ccp-sip-inspect
  inspect
 class type inspect ccp-h323-inspect
  inspect
 class type inspect ccp-h323annexe-inspect
  inspect
 class type inspect ccp-h225ras-inspect
  inspect
 class type inspect ccp-h323nxg-inspect
  inspect
 class type inspect ccp-skinny-inspect
  inspect
 class class-default
  drop
policy-map type inspect ccp-permit
 class class-default
  drop
!
zone security in-zone
zone security out-zone
zone-pair security ccp-zp-self-out source self destination out-zone
 service-policy type inspect ccp-permit-icmpreply
zone-pair security ccp-zp-in-out source in-zone destination out-zone
 service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-self source out-zone destination self
 service-policy type inspect ccp-permit
zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
 service-policy type inspect sdm-pol-NATOutsideToInside-1
!
!
!
!
!
!
!
interface Ethernet0
 no ip address
 shutdown
 no fair-queue
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
 description FORTHNET
 pvc 8/35
  pppoe-client dial-pool-number 1
 !
!
interface FastEthernet0
 no ip address
!
interface FastEthernet1
 no ip address
!
interface FastEthernet2
 no ip address
!
interface FastEthernet3
 no ip address
!
interface Vlan1
 description $FW_INSIDE$
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 zone-member security in-zone
 ip tcp adjust-mss 1412
!
interface Dialer0
 description $FW_OUTSIDE$
 ip address negotiated
 ip mtu 1452
 ip nat outside
 ip virtual-reassembly in
 zone-member security out-zone
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication pap callin
 ppp pap sent-username
 ppp ipcp dns request
!
ip forward-protocol nd
ip http server
ip http secure-server
!
ip nat inside source list 199 interface Dialer0 overload
ip nat inside source static tcp 10.10.10.25 80 interface Dialer0 80
ip nat inside source static tcp 10.10.10.25 443 interface Dialer0 443
ip route 0.0.0.0 0.0.0.0 Dialer0
!
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 199 permit ip any any
access-list 199 permit tcp any host 10.10.10.25 eq www
dialer-list 1 protocol ip permit
!
!
!
!
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 password
 login
 transport input all
!
end

4 Replies

Hello

Cisco recommends not using a NAT ACL that's defined as any any.

Try:

no IP access 199

ip access-list 199 permit IP 10.10.10.0 0.0.0.255 any

Also, your ZBF class map for NAT is looking for ACL 101, and I don't see that in your config:

sdm-nat-user-protocol--1-1
 match access-group 101

res

paul

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

I followed your advice, although the problem remains. I don't have access-list 101.

Thank you for your help

My current running-config

Building configuration...

Current configuration : 6812 bytes
!
! Last configuration change at 21:04:37 Athens Sun Apr 26 2015
version 15.1
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname cisco123
!
boot-start-marker
boot-end-marker
!
!
no logging buffered
enable secret 5
enable password
!
no aaa new-model
memory-size iomem 10
clock timezone Athens 2 0
clock summer-time Athens date Mar 30 2003 3:00 Oct 26 2003 4:00
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-1627569428
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-
 revocation-check none
 rsakeypair TP-self-signed-
!
!

ip source-route
!
!
!
!
!
ip cef
ip name-server 193.92.150.3
ip name-server 194.219.227.2
ip port-map user-protocol--1 port tcp 26433
no ipv6 cef
!
!
license udi pid CISCO887VA-K9 sn FCZ1715948E
!
!
!
!
!
!
controller VDSL 0
!
!
class-map type inspect match-all sdm-nat-user-protocol--1-1
 match access-group 101
 match protocol user-protocol--1
class-map type inspect match-any ccp-skinny-inspect
 match protocol skinny
class-map type inspect match-any ccp-cls-insp-traffic
 match protocol dns
 match protocol ftp
 match protocol https
 match protocol icmp
 match protocol imap
 match protocol pop3
 match protocol netshow
 match protocol shell
 match protocol realmedia
 match protocol rtsp
 match protocol smtp
 match protocol sql-net
 match protocol streamworks
 match protocol tftp
 match protocol vdolive
 match protocol tcp
 match protocol udp
class-map type inspect match-all ccp-insp-traffic
 match class-map ccp-cls-insp-traffic
class-map type inspect match-any ccp-h323nxg-inspect
 match protocol h323-nxg
class-map type inspect match-any ccp-cls-icmp-access
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-any ccp-h225ras-inspect
 match protocol h225ras
class-map type inspect match-any ccp-h323annexe-inspect
 match protocol h323-annexe
class-map type inspect match-all c1
 match access-group 199
 match protocol http
class-map type inspect match-any ccp-h323-inspect
 match protocol h323
class-map type inspect match-all ccp-invalid-src
 match access-group 100
class-map type inspect match-all ccp-icmp-access
 match class-map ccp-cls-icmp-access
class-map type inspect match-any ccp-sip-inspect
 match protocol sip
class-map type inspect match-all ccp-protocol-http
 match protocol http
!
!
policy-map type inspect ccp-permit-icmpreply
 class type inspect ccp-icmp-access
  inspect
 class class-default
  pass
policy-map type inspect sdm-pol-NATOutsideToInside-1
 class type inspect sdm-nat-user-protocol--1-1
  inspect
 class class-default
  drop
policy-map type inspect ccp-inspect
 class type inspect ccp-invalid-src
  drop log
 class type inspect ccp-protocol-http
  inspect
 class type inspect ccp-insp-traffic
  inspect
 class type inspect ccp-sip-inspect
  inspect
 class type inspect ccp-h323-inspect
  inspect
 class type inspect ccp-h323annexe-inspect
  inspect
 class type inspect ccp-h225ras-inspect
  inspect
 class type inspect ccp-h323nxg-inspect
  inspect
 class type inspect ccp-skinny-inspect
  inspect
 class class-default
  drop
policy-map type inspect ccp-permit
 class class-default
  drop
!
zone security in-zone
zone security out-zone
zone-pair security ccp-zp-self-out source self destination out-zone
 service-policy type inspect ccp-permit-icmpreply
zone-pair security ccp-zp-in-out source in-zone destination out-zone
 service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-self source out-zone destination self
 service-policy type inspect ccp-permit
zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zon
 service-policy type inspect sdm-pol-NATOutsideToInside-1
!
!
!
!
!
!
!
interface Ethernet0
 no ip address
 shutdown
 no fair-queue
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
 description FORTHNET
 pvc 8/35
  pppoe-client dial-pool-number 1
 !
!
interface FastEthernet0
 no ip address
!
interface FastEthernet1
 no ip address
!
interface FastEthernet2
 no ip address
!
interface FastEthernet3
 no ip address
!
interface Vlan1
 description $FW_INSIDE$
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 zone-member security in-zone
 ip tcp adjust-mss 1412
!
interface Dialer0
 description $FW_OUTSIDE$
 ip address negotiated
 ip mtu 1452
 ip nat outside
 ip virtual-reassembly in
 zone-member security out-zone
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication pap callin
 ppp pap sent-username ibmagd@otenet.gr password 0 exelon6*
 ppp ipcp dns request
!
ip forward-protocol nd
ip http server
ip http secure-server
!
ip nat inside source list 199 interface Dialer0 overload
ip nat inside source static tcp 10.10.10.25 80 interface Dialer0 80
ip nat inside source static tcp 10.10.10.25 443 interface Dialer0 443
ip route 0.0.0.0 0.0.0.0 Dialer0
!
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 199 permit ip 10.10.10.0 0.0.0.255 any
access-list 199 permit tcp any host 10.10.10.25 eq www
dialer-list 1 protocol ip permit
!
!
!
!
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 password
 login
 transport input all
!
end

Hello

You're still showing some remnants of the 199 ACL, OP.

please do the following:

no IP access 199
ip access-list 199 permit IP 10.10.10.0 0.0.0.255 any

ip nat inside source static tcp 10.10.10.25 80 x.x.x.x 80 extendable
ip nat inside source static tcp 10.10.10.25 443 x.x.x.x 443 extendable

And also, your ZBF class map is still set to match on ACL 101, which you don't seem to have.

res

Paul



Kind Regards
Paul
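Both of Paul's replies point at the same two things: the NAT ACL 199 should cover only the inside subnet, and the out-zone to in-zone policy `sdm-pol-NATOutsideToInside-1` only inspects class `sdm-nat-user-protocol--1-1`, which matches ACL 101 (not present in the config) and the custom port-map tcp/26433, while its `class-default` drops everything else. The static NAT entries for 80 and 443 are therefore correct, but the zone-based firewall drops the translated HTTP/HTTPS connections before they reach 10.10.10.25. The fragment below is an added example written for this thread, not configuration from either poster or a Cisco template; it ties the NAT and ZBF pieces together for the web server. The ACL number 101 (chosen to match what the existing class-map already references), the class-map and policy-map names `WEB-PROTOCOLS`, `WEB-SERVER-IN` and `OUTSIDE-TO-INSIDE` are assumptions; the zone names, interface and inside address are the ones from the thread.

```cisco
! --- NAT: translate only the inside subnet, never "any any" ---
no access-list 199
access-list 199 permit ip 10.10.10.0 0.0.0.255 any
ip nat inside source list 199 interface Dialer0 overload
!
! --- Static port forwards for the web server (same as the thread) ---
ip nat inside source static tcp 10.10.10.25 80 interface Dialer0 80
ip nat inside source static tcp 10.10.10.25 443 interface Dialer0 443
!
! --- ZBF: ACL 101 (assumed number) names the inside, post-translation
!     address, as the CCP-generated NAT rule does, and only the two
!     published ports ---
ip access-list extended 101
 permit tcp any host 10.10.10.25 eq 80
 permit tcp any host 10.10.10.25 eq 443
!
! match-any class for the two protocols (a match-all class cannot list both)
class-map type inspect match-any WEB-PROTOCOLS
 match protocol http
 match protocol https
!
! match-all: destination AND protocol must both match, so anything
! else aimed at the server on other ports is still dropped below
class-map type inspect match-all WEB-SERVER-IN
 match access-group 101
 match class-map WEB-PROTOCOLS
!
! Stateful inspection for the web server, explicit logged drop for the rest
policy-map type inspect OUTSIDE-TO-INSIDE
 class type inspect WEB-SERVER-IN
  inspect
 class class-default
  drop log
!
! Replace the CCP policy on the existing out-zone -> in-zone pair
zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
 service-policy type inspect OUTSIDE-TO-INSIDE
```

After applying it, `show ip nat translations` should list the two static tcp entries, and `show policy-map type inspect zone-pair sdm-zp-NATOutsideToInside-1 sessions` should show sessions building under class `WEB-SERVER-IN` when an outside client connects; a rising drop counter in `class-default` instead means the ACL or protocol match is wrong. Note that the router's own `ip http server` and `ip http secure-server` listen on the same two ports; once the port forwards are in place, `no ip http server` (if CCP access from the LAN is no longer needed) avoids any ambiguity about which service answers on Dialer0.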

I did the following

(config)#ip access-list extended 199

(config-ext-nacl)#no ip access-list extended 199

(config-ext-nacl)#permit ip 10.10.10.0 0.0.0.255 any

(config) ip nat inside source static tcp 10.10.10.25 80  x.x.x.x  80 extendable
(config) ip nat inside source static tcp 10.10.10.25 443  x.x.x.x   443 extendable

Is this right?

Thank you
