07-10-2012 09:23 PM - edited 03-04-2019 04:56 PM
I have an 1841 border router. It's a simple setup. I can talk to it using SDM from internal interfaces, but I also want external HTTPS requests to be forwarded to an internal machine. Is there a trick to this?
I think my access rules block https from the outside so how to do it?
07-10-2012 10:20 PM
hi kim,
if i understand you correctly, you want SDM to be accessible from outside?
could you post your running-config (remove sensitive data)?
07-10-2012 10:51 PM
No, I don't want SDM to be accessible from outside. I want SDM accessible from inside but when an HTTPS request comes from outside I want it to be routed to an internal server, a completely separate machine. Is that possible?
Do I have to turn SDM off to get this to work?
07-10-2012 11:33 PM
hi kim,
there's no need to turn off SDM in this case.
you can configure static NAT/port forwarding on your 1841 via the CLI using the command below. see useful URL:
ip nat inside source static
alternatively, you can also configure this via SDM by clicking Configure > NAT > Advanced NAT.
07-11-2012 06:19 PM
I added two static NAT/PAT rules but they aren't working. The first three rules work OK and do what I expect, but the last two don't appear to work.
ip nat inside source static tcp 10.10.1.3 25 12.13.14.15 25 extendable
ip nat inside source static tcp 10.10.1.3 80 12.13.14.15 80 extendable
ip nat inside source static tcp 10.10.1.3 1723 12.13.14.15 1723 extendable
ip nat inside source static tcp 10.10.1.2 443 12.13.14.15 443 extendable
ip nat inside source static tcp 10.10.1.2 443 12.13.14.15 444 extendable
SDM. I just wanted it to get a quick template but it doesn't work in two major ways. When I used the firewall wizard it failed at one command a short way in. I eventually copied the rules it suggested and pasted them one by one into the CLI. Two of the suggested rules failed. After doing that SDM recognised the config but the other major problem is I can't edit rules with SDM. I never get the edit rules window.
07-11-2012 10:26 PM
Here's my config. I've disabled SDM for now as it doesn't work and removed most of the SDM stuff.
1841#show run
Building configuration...

Current configuration : 6742 bytes
!
version 15.1
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service compress-config
service sequence-numbers
!
hostname 1841
!
boot-start-marker
boot system flash c1841-advsecurityk9-mz.151-4.M4.bin
boot-end-marker
!
!
logging buffered 51200 warnings
enable secret 5 xxxxxx
!
aaa new-model
!
!
aaa authentication login local_auth local
aaa authorization exec default local
!
!
aaa session-id common
!
dot11 syslog
ip source-route
!
!
ip cef
ip domain name removed.com
ip name-server 13.14.15.16
!
multilink bundle-name authenticated
!
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-removed
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-removed
 revocation-check none
 rsakeypair TP-self-signed-removed
!
crypto pki trustpoint test_trustpoint_config_created_for_sdm
 subject-name e=sdmtest@sdmtest.com
 revocation-check crl
!
!
crypto pki certificate chain TP-self-signed-removed
 certificate self-signed 01
  removed
  quit
crypto pki certificate chain test_trustpoint_config_created_for_sdm
!
!
license udi pid CISCO1841 sn removed
!
shutdown vlan 10
username removed privilege 15 secret n removed
!
redundancy
!
!
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 2
!
!
interface FastEthernet0/0
 description ADSL WAN connection
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 duplex auto
 speed auto
 pppoe enable group global
 pppoe-client dial-pool-number 1
 no cdp enable
!
interface FastEthernet0/1
 description new network$ES_LAN$
 ip address 10.10.1.1 255.255.255.248
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
 no cdp enable
!
interface FastEthernet0/0/0
 switchport trunk native vlan 1
 switchport mode trunk
 no ip address
!
interface Vlan1
 ip address 10.255.255.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface Dialer1
 description ADSL WAN Dialer$FW_OUTSIDE$
 ip address negotiated
 no ip unreachables
 ip mtu 1492
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 1
 dialer-group 1
 ppp chap hostname removed@removed.net
 ppp chap password n removed
 ppp pap sent-username removed@removed.net password n removed
 ppp ipcp route default
 no cdp enable
!
no ip forward-protocol nd
no ip http server
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat inside source list 10 interface Dialer1 overload
ip nat inside source static tcp 10.10.1.3 25 12.13.14.15 25 extendable
ip nat inside source static tcp 10.10.1.3 80 12.13.14.15 80 extendable
ip nat inside source static tcp 10.10.1.2 443 12.13.14.15 443 extendable
ip nat inside source static tcp 10.10.1.3 1723 12.13.14.15 1723 extendable
!
logging trap debugging
logging facility local6
access-list 10 remark SDM_ACL Category=18
access-list 10 permit 10.255.255.3
access-list 10 permit 10.10.0.0 0.0.255.255
access-list 23 permit 10.10.0.0 0.0.255.255
access-list 23 remark SDM_ACL Category=17
dialer-list 1 protocol ip permit
no cdp run
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
 access-class 23 in
 privilege level 15
 login authentication local_auth
 transport input ssh
line vty 5 15
 access-class 23 in
 login authentication local_auth
 transport input ssh
!
scheduler allocate 20000 1000
end
1841#
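The replies above describe the port-forwarding mechanism (a static `ip nat inside source static tcp` entry mapping an outside address and port onto an inside host) and the original poster's config shows the pieces that have to line up for it: the inside host must sit behind an interface marked `ip nat inside`, some interface must be `ip nat outside`, and no two static entries may claim the same inside or outside socket. The script below is an added example, not anything from the thread or from Cisco; it parses a constructed running-config modelled on the one posted (with the thread's placeholder addresses plus two deliberately faulty lines) and reports exactly those consistency problems, so the NAT side can be ruled in or out before looking at the host itself, which is where this thread's problem turned out to be. The claim that a second mapping of the same inside socket is a duplicate worth flagging is the script's own rule, not a statement about how a given IOS release treats it.

```python
import ipaddress
import re

# Constructed sample modelled on the running-config posted in the thread.
# Addresses are the thread's placeholder values, not real hosts; the last two
# static entries are deliberately faulty so the audit has something to report.
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 ip address 10.10.1.1 255.255.255.248
 ip nat inside
!
interface Vlan1
 ip address 10.255.255.1 255.255.255.0
 ip nat inside
!
interface Dialer1
 ip address negotiated
 ip nat outside
!
ip nat inside source list 10 interface Dialer1 overload
ip nat inside source static tcp 10.10.1.3 25 12.13.14.15 25 extendable
ip nat inside source static tcp 10.10.1.3 80 12.13.14.15 80 extendable
ip nat inside source static tcp 10.10.1.3 1723 12.13.14.15 1723 extendable
ip nat inside source static tcp 10.10.1.2 443 12.13.14.15 443 extendable
ip nat inside source static tcp 10.10.1.2 443 12.13.14.15 444 extendable
ip nat inside source static tcp 192.168.50.9 22 12.13.14.15 2222 extendable
"""

STATIC_RE = re.compile(
    r"^ip nat inside source static (tcp|udp) (\S+) (\d+) (\S+) (\d+)")


def parse_interfaces(config):
    """Map interface name -> {'subnet': IPv4Network or None, 'nat': 'inside'/'outside'/None}."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = {"subnet": None, "nat": None}
        elif current and line.startswith(" "):
            words = line.split()
            if words[:2] == ["ip", "address"] and len(words) == 4:
                # "ip address A.B.C.D MASK"; "ip address negotiated" has no subnet yet
                interfaces[current]["subnet"] = ipaddress.IPv4Network(
                    f"{words[2]}/{words[3]}", strict=False)
            elif words[:2] == ["ip", "nat"] and len(words) == 3:
                interfaces[current]["nat"] = words[2]
        else:
            current = None  # '!' or a global command ends the interface block
    return interfaces


def parse_static_nat(config):
    """Return the static port-forward entries as dicts with proto, inside and outside sockets."""
    entries = []
    for line in config.splitlines():
        m = STATIC_RE.match(line)
        if m:
            proto, in_ip, in_port, out_ip, out_port = m.groups()
            entries.append({"proto": proto,
                            "inside": (in_ip, int(in_port)),
                            "outside": (out_ip, int(out_port))})
    return entries


def audit_port_forwards(config):
    """Return a list of human-readable findings; an empty list means the NAT side looks consistent."""
    interfaces = parse_interfaces(config)
    inside_nets = [i["subnet"] for i in interfaces.values()
                   if i["nat"] == "inside" and i["subnet"] is not None]
    findings = []
    if not any(i["nat"] == "outside" for i in interfaces.values()):
        findings.append("no interface is marked 'ip nat outside'; static entries never translate")
    seen_inside, seen_outside = {}, {}
    for e in parse_static_nat(config):
        in_ip, in_port = e["inside"]
        out_ip, out_port = e["outside"]
        in_key = (e["proto"], in_ip, in_port)
        out_key = (e["proto"], out_ip, out_port)
        # The inside host must be reachable via an 'ip nat inside' interface.
        if not any(ipaddress.IPv4Address(in_ip) in net for net in inside_nets):
            findings.append(f"{in_ip}:{in_port} is not on any 'ip nat inside' subnet")
        # Two inside hosts behind one outside socket cannot both be reached.
        if out_key in seen_outside:
            findings.append(f"outside {out_ip}:{out_port} is mapped to both "
                            f"{seen_outside[out_key]} and {in_ip}:{in_port}")
        # One inside socket mapped to two outside ports (the 443/444 pair from the
        # thread) is flagged as a duplicate; treating it as an error is this script's rule.
        if in_key in seen_inside:
            findings.append(f"inside {in_ip}:{in_port} already mapped to "
                            f"{seen_inside[in_key]}; second mapping to {out_ip}:{out_port} is a duplicate")
        seen_outside.setdefault(out_key, f"{in_ip}:{in_port}")
        seen_inside.setdefault(in_key, f"{out_ip}:{out_port}")
    return findings


if __name__ == "__main__":
    for finding in audit_port_forwards(SAMPLE_CONFIG) or ["no NAT inconsistencies found"]:
        print(finding)
```

Run it against a saved `show run` (read the file into `audit_port_forwards`) and, if it reports nothing, the static translations are at least internally consistent; the remaining suspects are then an access list on the outside interface or, as in this thread, the inside host's own addressing and default gateway.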
07-11-2012 11:12 PM
Hi Kim,
There's a discrepancy between the static NAT from your previous post and the show run given. Which NAT line isn't working? You've mentioned 3 NAT lines are working (for 10.10.1.3). Is port 443 opened (for 10.10.1.2) in your firewall?
Sent from Cisco Technical Support iPhone App
07-11-2012 11:43 PM
I took out the 444 line for now:
ip nat inside source static tcp 10.10.1.2 443 12.13.14.15 444 extendable
The line:
ip nat inside source static tcp 10.10.1.2 443 12.13.14.15 443 extendable
Doesn't work. The others to 10.10.1.3 do.
You said:
Is port 443 opened (for 10.10.1.2) in your firewall?
The config you see there is it. I'm not sure ports 80, 25 and 1723 are opened. I don't see anything special for them, and yet they work and 443 doesn't. Sorry, I must be overlooking something obvious here.
07-11-2012 11:52 PM
Could you telnet to 10.10.1.2 using port 443 from the 1841?
Make sure the host 10.10.1.2 has the correct IP settings and is able to ping DG 10.10.1.1.
Sent from Cisco Technical Support iPhone App
07-12-2012 12:31 AM
I can, but it's not conclusive. The 1841 reports:
1841# telnet 10.10.1.2 443
Trying 10.10.1.2, 443 ... Open
then nothing, which is what happens when I telnet from another host at 10.10.1.4 (on the same subnet, or from inside my network, which comes through 10.10.1.3). Other hosts can browse to https://10.10.1.2, and on Linux or BSD machines the command:
openssl s_client -connect 10.10.1.2:443
gets suitable results.
But from outside, going through the Cisco, nothing. The Cisco can ping 10.10.1.2. I'm not sure I can get it to ping back; I don't know how.
I *can* run a packet capture on 10.10.1.2 and it shows ping and telnet from the cisco. It shows an https session from inside the network. When I try a session from outside I see no packets.
I just tried an nmap scan of the 1841 from outside, and it shows ports 25, 80 and 1723 open but 443 filtered. So I guess the 1841 is blocking 443. I'm not sure why, or how to open it.
07-12-2012 12:53 AM
On careful examination of the packet capture I find it does show packets coming through the 1841. The box at 10.10.1.2 is not responding. It appears not to be routing. Sorry. Thanks for your help.