01-21-2017 01:01 PM
Hello,
I am having issues with static NAT. I have a public subnet that gives me 5 usable addresses. I used one for my public interface on the Cisco router. I set up dynamic NAT with port overload and it's working very well.
However, I have an internal server which I want Internet users to access. I have configured static NAT using this command:
ip nat inside source static 10.1.1.1 3.3.3.3 extendable
but I can't ping 10.1.1.1 from the Internet. Can someone help?
01-22-2017 11:38 AM
Hello,
does it work when you set up your translations for a specific service, e.g.:
ip nat inside source static tcp 10.108.13.11 80 2.2.2.2 80 extendable
01-22-2017 11:53 AM
OK. I will try that option tomorrow.
01-22-2017 12:04 PM
The static nat should work without issues. And if you run a wireshark capture or a debug ip packet or a debug ip nat and you try from internet to access your PUBLIC IP related to your static nat, you'll see something.
Now you're saying that VPN is working but depends on browser used. Some browsers are blocking non trusted certificates and it seems you have a self-signed certificate (non signed and then not trusted).
To test that your nat is working, try accessing your server through RDP or other management protocol. If you don't have any acls, it should work.
Also what is strange is that you said you're accessing ISP and then internet using IP 165.90.243.9, however on your config the IP 165.90.243.10 is configured on your interface.
Is it possible to send the config of the WAN interface and NAT with real IPs, because it's a bit confusing now?
Thanks
01-22-2017 12:37 PM
My gateway to the Internet is 165.90.243.9 while the IP configured on my router interface is 165.90.243.10. I do not have control over the 165.90.243.9.
I can ping 165.90.243.10 from the Internet but I can't ping 10.108.13.11. I will run the debug ip nat as well as Wireshark tomorrow.
As for the VPN, I am using a self-signed certificate. I have Microsoft Active Directory Certificate Services. How can I trust the certificate and install it on the router? This might also be the reason why the AnyConnect VPN client on my Android phone fails to connect.
I have tried to access the server through the web but it fails. Can the Windows firewall block it?
01-22-2017 01:26 PM
As you're using the .10 IP on your wan interface take another one for your static one to one nat. From internet ping this new IP and it will forward all traffic to your server.
For trusted certificate you need to pay a service like GoDaddy but before you need to be sure that the issue is the certificate.
Let's solve the nat issue first
01-23-2017 09:24 AM
I have observed something. I can ping the IP 165.90.243.13 from the internal host 10.108.13.11. I can't ping the Internet from this internal host because I removed it in the NAT ACL. The public IP 165.90.243.13 is statically mapped to 10.108.13.11. I have attached the Wireshark capture, which showed no response from 10.108.13.11 as I was trying to ping from the Internet.
01-23-2017 09:28 AM
Hello Support LAN,
I have been able to prevent the host 10.108.13.11 from pinging the Internet. I recreated the access list. I have recreated a static NAT with the public IP 165.90.243.13. I can ping this public IP from the Internet but can't reach 10.108.13.11. I have enabled debug ip nat but could not see the public IP 165.90.243.13. I am only seeing the public IP 165.90.243.10.
However, I used Wireshark to capture the packets and I was able to see 'no response' from 10.108.13.11. See attached. In addition, this internal host runs on a virtual machine.
01-23-2017 02:44 PM
Sorry I was at work today.
Could you send back the modified config please?
Where did you take the trace? What is the output of your NAT translation?
If you do a traceroute to the public IP you're using for NAT, does the traffic arrive at your router?
01-24-2017 07:21 AM
01-24-2017 03:45 PM
Hi,
I took a look on your config and everything is ok. Your host 10.108.13.11 is natted on a public IP for port 80. But ICMP and other protocols are not allowed.
If you want to do tests, you need to have a static nat without specifying any ports.
Anyway, I don't know if you dropped your full config or not but I've tried from internet to ping your WAN interface and I can't. Maybe you have an acl.
Just to confirm, there isn't any firewall (transparent) between you and your ISP?
If you have ACLs, have you ensured that nothing is being blocked by them?
What is your router model?
For your nat translation output I've a concern. It isn't complete but anyhow there's something strange as we don't see the 1st line statement that should show up the static nat like below:
Pro Inside global Inside local Outside local Outside global
tcp 165.90.243.13:80 10.108.13.11:80 --- ---
Can you also give us the exact version you're running?
In your config, it doesn't impact but you can remove extendable keyword on your NAT.
If you want me to help more, we can have a troubleshooting session through a webex or other.
The portion of the config you sent us is OK (for NAT; I didn't check other things that have no impact) and your NAT should work.
Thanks
PS: Please don't forget to rate and mark as correct answer if this answered your question
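An added example (not part of the original thread or of anyone's router configuration): a small Python model of the static NAT lookup described in the post above. It shows why a `tcp ... 80` entry carries HTTP to 10.108.13.11 but not ping or RDP, while a one-to-one entry forwards every protocol and port, so filtering then has to come from an ACL or the host firewall. The `StaticNat` class and the function names are hypothetical; the addresses are the ones used in the thread.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass(frozen=True)
class StaticNat:
    """One 'ip nat inside source static' entry (simplified model)."""
    inside_local: str
    inside_global: str
    proto: Optional[str] = None        # None = one-to-one entry, any protocol
    local_port: Optional[int] = None
    global_port: Optional[int] = None

def translate_inbound(table, proto: str, dst_ip: str,
                      dst_port: Optional[int] = None) -> Optional[Tuple[str, Optional[int]]]:
    """Return (inside_ip, inside_port) for a packet arriving from outside,
    or None when no static entry forwards it to an inside host."""
    for entry in table:
        if entry.inside_global != dst_ip:
            continue
        if entry.proto is None:
            # One-to-one entry: every protocol and port reaches the server.
            return (entry.inside_local, dst_port)
        if entry.proto == proto and entry.global_port == dst_port:
            # Port-specific entry: only this protocol/port pair is forwarded.
            return (entry.inside_local, entry.local_port)
    return None

# ip nat inside source static tcp 10.108.13.11 80 165.90.243.13 80
PORT_ONLY = [StaticNat("10.108.13.11", "165.90.243.13", "tcp", 80, 80)]
# ip nat inside source static 10.108.13.11 165.90.243.13
ONE_TO_ONE = [StaticNat("10.108.13.11", "165.90.243.13")]

# Constructed probes: ping, HTTP, and RDP (TCP 3389) toward the public address.
PROBES = [("icmp", None), ("tcp", 80), ("tcp", 3389)]

def exposure(table, public_ip: str = "165.90.243.13"):
    """Map each probe to where it lands inside, or None if not forwarded."""
    return {(p, port): translate_inbound(table, p, public_ip, port)
            for p, port in PROBES}

if __name__ == "__main__":
    for name, table in (("port-only", PORT_ONLY), ("one-to-one", ONE_TO_ONE)):
        print(name)
        for probe, result in exposure(table).items():
            print("  ", probe, "->", result)
```
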
01-24-2017 11:39 PM
Hello Francis,
You were not able to ping it because the Internet was shut down at the close of work. I tried troubleshooting yesterday. I was able to view the output of the NAT that you quoted.
I have noticed something: if I remove the keywords tcp and extendable, the host 10.108.13.11 will ping the Internet. There is no other ACL except the NAT ACL.
I accept that we troubleshoot together. My email is collinks79@gmail.com. I can grant you VPN access, or we can use Skype, TeamViewer or Cisco Spark.
The router model is 2911 while the IOS version is 15.*
I have changed the NATted public IP to be 165.90.243.14. See attached the output, which looks like a static entry. I have removed the tcp keyword and the host is pinging the Internet.
01-25-2017 12:35 AM
Hello,
when I try to open a session to any of your external IP addresses, the only response I get is from 165.90.243.10. Can you try and map the static NAT to this address?
ip nat inside source static tcp 10.108.13.11 80 165.90.243.10 80 extendable
01-25-2017 01:06 AM
Hello,
I get the IIS Welcome page now on 165.90.243.14...
01-25-2017 01:16 AM
OK. I have changed the IP from 165.90.243.14 to 165.90.243.10 (static).
01-25-2017 01:19 AM
Hello,
I get the IIS login page now with IP address 165.90.243.10...