HTTP forwarding

skater2010 (Level 1)

Hi;

Regrets up front for such a basic question but I'm new to the Cisco community. I recently purchased an 861 router and I need to forward inbound HTTP requests from my public IP address to an address (web server) inside. I configured a Fortigate 50B (which the 861 is replacing) by simply creating a route and then adding a firewall policy to allow port forwarding. I've attempted to do the same here without any luck. If you could, please direct me to this information.

7 Replies

John Blakley (VIP Alumni)

If you're natting the traffic, you'll need to do that here as well:

ip nat inside source static
int fa0/0
 ip access-group WebTraffic in
 ip nat outside
int fa0/1
 ip nat inside

You'll want an acl to block unwanted traffic:

ip access-list ext WebTraffic
 permit tcp any host eq 80
 permit tcp any any established

You could go with zone-based firewall or CBAC for better protection instead of just the ACL.

HTH,
John

HTH, John *** Please rate all useful posts ***

Hi John:

First, thank you for your reply. Here is what I got when merging your NAT commands:

The Cisco IOS returned the following messages when attempting to merge your changes to the configuration.

Destination filename ?
% similar static entry (172.20.1.10 -> 24.106.44.210) already exists
int fa0/0
^
% Invalid input detected at '^' marker.
ip access-group WebTraffic in
^
% Invalid input detected at '^' marker.
ip nat outside
% Incomplete command.
int fa0/1
^
% Invalid input detected at '^' marker.
ip nat inside
% Incomplete command.
142 bytes copied in 18.080 secs (8 bytes/sec)

Below is the text from the ACL modification:

Destination filename ?
permit tcp any host eq 80
^
% Invalid input detected at '^' marker.

Here is what Cisco tech support suggested (didn't work):

interface FastEthernet 0
 ip address 172.20.1.10 255.255.255.0
 ip nat inside
interface serial 0
 ip address 24.106.44.210 255.255.255.252
 ip nat outside
ip nat inside source static tcp 172.20.1.10 80 172.20.1.103 80

The only connection that was completed has been to the integrated webserver in the router. I have about 20 hours into this now and I'm of the opinion that for whatever reason, what I'm trying to do is not possible.

Thanks again:

Scott

Please post your complete config and take out the public addresses....it's possible to do what you want.

HTH, John *** Please rate all useful posts ***

Hi John:

Below is the config. I have to tell you that, honestly, I'm strongly considering just going back to my Fortinet for this. Port forwarding can be done reliably in less than 5 minutes.

If you want to have a go at it, I'll do it.

Thanks for your diligence!

S

version 15.0
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname cisco861
!
boot-start-marker
boot-end-marker
!
logging buffered 51200
logging console critical
enable secret 5 $1$vwb3$TySirxZ.lm.YbMJNhhMQg1
!
no aaa new-model
memory-size iomem 10
clock timezone PCTime -6
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
!
crypto pki trustpoint TP-self-signed-3394879082
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3394879082
 revocation-check none
 rsakeypair TP-self-signed-3394879082
!
!
crypto pki certificate chain TP-self-signed-3394879082
 certificate self-signed 01


  quit
no ip source-route
!
!
ip dhcp excluded-address 172.20.1.1 172.20.1.239
!
ip dhcp pool ccp-pool1
 import all
 network 172.20.1.0 255.255.255.0
 dns-server 65.24.0.168 4.2.2.2
 default-router 172.20.1.10
!
!
ip cef
no ip bootp server
ip name-server 65.24.0.168
ip name-server 4.2.2.2
!
!
license udi pid CISCO861-K9 sn FTX160784JB
!
!
username admin privilege 15 secret 5 $1$0TUG$bh270ROcyZGOINj0Ixisw/
!
!
ip tcp synwait-time 10
!
class-map type inspect match-all sdm-nat-http-1
 match access-group 101
 match protocol http
class-map type inspect match-any ccp-cls-insp-traffic
 match protocol cuseeme
 match protocol dns
 match protocol ftp
 match protocol h323
 match protocol https
 match protocol icmp
 match protocol imap
 match protocol pop3
 match protocol shell
 match protocol realmedia
 match protocol rtsp
 match protocol smtp
 match protocol sql-net
 match protocol streamworks
 match protocol tftp
 match protocol vdolive
 match protocol tcp
 match protocol udp
class-map type inspect match-all ccp-insp-traffic
 match class-map ccp-cls-insp-traffic
class-map type inspect match-any ccp-cls-icmp-access
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-all ccp-invalid-src
 match access-group 100
class-map type inspect match-all ccp-icmp-access
 match class-map ccp-cls-icmp-access
class-map type inspect match-all ccp-protocol-http
 match protocol http
!
!
policy-map type inspect ccp-permit-icmpreply
 class type inspect ccp-icmp-access
  inspect
 class class-default
  pass
policy-map type inspect sdm-pol-NATOutsideToInside-1
 class type inspect sdm-nat-http-1
  inspect
 class class-default
  drop
policy-map type inspect ccp-inspect
 class type inspect ccp-invalid-src
  drop log
 class type inspect ccp-protocol-http
  inspect
 class type inspect ccp-insp-traffic
  inspect
 class class-default
  drop
policy-map type inspect ccp-permit
 class class-default
  drop
!
zone security out-zone
zone security in-zone
zone-pair security ccp-zp-self-out source self destination out-zone
 service-policy type inspect ccp-permit-icmpreply
zone-pair security ccp-zp-in-out source in-zone destination out-zone
 service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-self source out-zone destination self
 service-policy type inspect ccp-permit
zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
 service-policy type inspect sdm-pol-NATOutsideToInside-1
!
!
!
!
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 description $FW_OUTSIDE$$ES_WAN$
 ip address 0.0.0.3 any
access-list 101 remark CCP_ACL Category=0
access-list 101 permit ip any host 172.20.1.103
no cdp run
!
control-plane
!
banner exec ^C
% Password expiration warning.

John:

I'm seeing that firmware may well be an issue...any thoughts?

Connected by DROID on Verizon Wireless

Scott,

The config that you posted still isn't complete. Without that, I don't know what I'm really helping you with. Are you natting from this device? If so, you're missing the nat config above. I can't say it's a firmware issue because I haven't seen a complete config yet to tell you if it's a problem with the config or if it's something else. Maybe it's the way that it was pasted in, and if that's the case it may be better for you to paste it into a text file and then attach the file to the forum.

John

HTH, John *** Please rate all useful posts ***
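John's two replies come down to whether the posted config actually contains the pieces a port forward needs: the static NAT entry for the web server, an interface marked `ip nat inside` and one marked `ip nat outside`, and, because this config uses zone-based firewall, zone membership on every interface carrying traffic. The Python script below is an added example, not code from this thread or from Cisco: it parses a running-config into interface stanzas and reports which of those pieces are missing or point at the wrong host. The sample config, the interface names and the RFC 5737 addresses in it are constructed for the example.

```python
import re

# Constructed sample, not the poster's config: ZBF is on, the NAT entry names
# the router's own LAN address instead of the web server, and FastEthernet0
# has neither 'ip nat inside' nor a zone-member line. Addresses are RFC 5737.
SAMPLE_CONFIG = """\
ip nat inside source static tcp 192.0.2.1 80 198.51.100.2 80
zone security in-zone
zone security out-zone
interface FastEthernet0
 ip address 192.0.2.1 255.255.255.0
interface FastEthernet4
 ip address 198.51.100.2 255.255.255.252
 ip nat outside
 zone-member security out-zone
"""

def parse_interfaces(config):
    """Map each 'interface X' stanza to its indented sub-commands."""
    stanzas, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            stanzas[current] = []
        elif line.startswith(" ") and current is not None:
            stanzas[current].append(line.strip())
        else:
            current = None  # any global line ends the stanza
    return stanzas

def check_port_forward(config, web_server, port):
    """List the reasons inbound TCP to web_server:port would not be forwarded."""
    findings, ifaces = [], parse_interfaces(config)
    own_ips = {c.split()[2] for cmds in ifaces.values()
               for c in cmds if c.startswith("ip address ")}
    # IOS syntax: ip nat inside source static tcp <local-ip> <local-port> <global-ip> <global-port>
    m = re.search(r"^ip nat inside source static tcp (\S+) (\d+) \S+ (\d+)$", config, re.M)
    if not m:
        findings.append("no 'ip nat inside source static tcp' entry")
    elif m.group(1) != web_server or int(m.group(2)) != port:
        why = " (the router's own address)" if m.group(1) in own_ips else ""
        findings.append(f"static NAT maps {m.group(1)}:{m.group(2)}, not {web_server}:{port}{why}")
    for side in ("inside", "outside"):  # NAT only acts between an inside and an outside interface
        if not any(f"ip nat {side}" in cmds for cmds in ifaces.values()):
            findings.append(f"no interface is marked 'ip nat {side}'")
    if re.search(r"^zone security ", config, re.M):  # zone-based firewall in use
        for name, cmds in ifaces.items():
            if any(c.startswith("ip address ") for c in cmds) and not any(c.startswith("zone-member ") for c in cmds):
                findings.append(f"{name} has no zone-member; ZBF drops traffic between zoned and unzoned interfaces")
    return findings
```

Run it against `show running-config` output saved to a file; an empty list means the NAT and zone prerequisites are present, and each finding names the line to add or correct.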

John:

This was copied "select all" from the CLI. If it's incomplete as well, perhaps that's a hint of what's wrong in possibly a defective unit. I did have problems getting the next hop address to "stick" after configuration: it was fine until I powered the router down, at which time the address disappeared. Resetting the unit to default seemed to clear the problem.

Scott
