CISCO ISR 1111 forwarding internal website to UI page

ken.okorocha
Level 1

Hello,

I am experiencing an issue with a Cisco ISR 1111 8P.

I have a locally hosted site which is forwarded over ports 443 and 80. My issue is that when trying to access the site from outside my network I am redirected to the WebUI.

I have attempted changing the default HTTP port on the router through the WebUI, but this creates problems with both internal and external users accessing the website.

Is there any documentation which shows how to customize the ports for the WebUI, so that I can access the UI over port 4443 and external users can access the internally hosted website without being redirected to the WebUI page?

Any assistance is appreciated, as I have reached out to TAC several times and they have so far not been able to resolve this issue.

Cheers.

1 Accepted Solution: balaji.bandi's final reply below.

balaji.bandi
Hall of Fame

If the device has the GUI HTTP server running (and you would like to use the GUI for the router), that will conflict with the ports if you use the router IP.

If you are looking to change the router web GUI to a different port, you can use the commands below (for HTTP and HTTPS).

Use SSH to change the config:

no ip http server

no ip http secure-server

ip http port <0-65535>  (other than 80 and 443)


BB


ken.okorocha
Level 1

Hello, this helped with the redirection, but I allowed the HTTPS port, so:

ip http secure-server

ip http port <0-65535>

The WebUI is now only reachable from the assigned HTTPS port.

I'm still unable to reach my site from outside my network and I'm investigating my DNS settings.

Cheers.

That is a different issue; the original issue was fixed because both used the same ports.

Now you need to post the config.

Here is the high level that should work for you.

If, from outside, balajibandi.com (mapped to your external IP) is used, that will connect to your router's external IP and it will NAT to the local IP, which is 192.168.x.x.

First you need to check whether the local web server is working internally: http://192.168.x.x and https://192.168.x.x

Below is an example for NAT.

https://www.cisco.com/c/en/us/support/docs/long-reach-ethernet-lre-digital-subscriber-line-xdsl/asymmetric-digital-subscriber-line-adsl/12905-827spat.html

I'm investigating my DNS settings. <<- Not sure what DNS settings you are using; DDNS?

BB

ken.okorocha
Level 1

Hello,

Thanks for all the pointers, they are really helping. See below my present configuration. In the NAT section I was advised by Cisco TAC to use interface g0/0/0, as using the external IP was leading to the configuration being dropped after a restart.

sh run
Building configuration...

Current configuration : 9731 bytes
!
! Last configuration change at 22:23:11 UTC Fri Mar 3 2023
!
version 17.6
service timestamps debug datetime msec
service timestamps log datetime msec
service call-home
platform qfp utilization monitor load 80
platform punt-keepalive disable-kernel-core
platform hardware throughput crypto 50000
!
hostname CASS01
!
boot-start-marker
boot system flash bootflash:/mydir/packages.conf
boot-end-marker
!
!
enable secret 9 $9$QbeiaP7uT84GAk$pxttNYvOD78X3yt2Q7smpgXtUuokxQJbIiwa.r64Ecc
enable password C455C455!
!
no aaa new-model
!
!
!
!
!
!
!
ip name-server 192.168.10.12 192.168.10.11
ip dhcp excluded-address 192.168.1.1 192.168.1.5
ip dhcp excluded-address 192.168.10.0 192.168.10.49
ip dhcp excluded-address 192.168.10.237 192.168.10.255
!
ip dhcp pool CASS0
network 192.168.10.0 255.255.255.0
default-router 192.168.10.1
dns-server 192.168.10.11 192.168.10.12
lease infinite
!
!
!
login on-success log
!
!
!
!
!
!
!
subscriber templating
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
crypto pki trustpoint TP-self-signed-40497760
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-40497760
revocation-check none
rsakeypair TP-self-signed-40497760
!
crypto pki trustpoint SLA-TrustPoint
enrollment terminal
revocation-check crl
!
!
crypto pki certificate chain TP-self-signed-40497760
certificate self-signed 01
3082032C 30820214 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
2F312D30 2B060355
quit
crypto pki certificate chain SLA-TrustPoint
certificate ca 01
30820321 30820209 A0030201 02020101 300D0609 2A864886 F70D0101 0B050030
32310E30 0C060355 040A1305 43697363 6F312030 1E060355 04031317 43697363
6F204C69
quit
!
crypto pki certificate pool
cabundle nvram:ios_core.p7b
!
!
no license feature hseck9
license udi pid C1111-8P sn FGL2550L9PL
license boot level securityk9
license smart reservation
license smart transport off
memory free low-watermark processor 70177
!
!
!
!
!
diagnostic bootup level minimal
!
spanning-tree extend system-id
!
username privilege 15 password 0
username webui privilege 15 secret 9 $9$9gLYRhRTayB2pk$23jT5bDQE.LsGq6UmZ6G3vXLI4SXWqOJT5Vmi3HGwjM
username Admin privilege 15 secret 9 $9$zIiJFZ1IhVhHw.$0.Dw3zOfHhAE2NngtLtxRuoKvwq1fPiaJZPB5umrTLg
!
redundancy
mode none
!
!
!
!
!
vlan internal allocation policy ascending
!
track 1 ip sla 1 reachability
!
track 8 ip sla 1 reachability
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface Loopback0
ip address 172.0.0.1 255.255.255.0
!
interface GigabitEthernet0/0/0
description Shaw Internet connection
ip address 184.71.204.250 255.255.255.252
ip nat outside
negotiation auto
spanning-tree portfast disable
!
interface GigabitEthernet0/0/1
description Internal network
ip address dhcp
ip access-group LANACL in
ip access-group 2 out
negotiation auto
!
interface GigabitEthernet0/1/0
switchport access vlan 5
switchport mode access
!
interface GigabitEthernet0/1/1
switchport access vlan 5
switchport mode access
!
interface GigabitEthernet0/1/2
description internal network
switchport access vlan 5
switchport mode access
!
interface GigabitEthernet0/1/3
description internal network
switchport access vlan 5
switchport mode access
vlan-id dot1q 5
!
!
interface GigabitEthernet0/1/4
description internal network
switchport access vlan 5
switchport mode access
!
interface GigabitEthernet0/1/5
description internal network
switchport access vlan 5
switchport mode access
!
interface GigabitEthernet0/1/6
description interna
switchport access vlan 5
switchport mode access
!
interface GigabitEthernet0/1/7
switchport access vlan 10
!
interface Vlan1
no ip address
!
interface Vlan5
ip address 192.168.10.1 255.255.255.0
ip nat inside
!
no ip http server
ip http authentication local
ip http secure-server
ip http secure-port 4443
ip http secure-trustpoint TP-self-signed-40497760
ip forward-protocol nd
ip nat inside source static tcp 192.168.10.241 80 interface GigabitEthernet0/0/0 5000
ip nat inside source static udp 192.168.10.14 1195 interface GigabitEthernet0/0/0 1195
ip nat inside source static tcp 192.168.10.14 1194 interface GigabitEthernet0/0/0 1194
ip nat inside source static tcp 192.168.10.14 1192 interface GigabitEthernet0/0/0 1192
ip nat inside source static udp 192.168.10.14 47 interface GigabitEthernet0/0/0 47
ip nat inside source static tcp 192.168.10.14 443 interface GigabitEthernet0/0/0 47
ip nat inside source static tcp 192.168.10.104 433 interface GigabitEthernet0/0/0 433
ip nat inside source static tcp 192.168.10.104 80 interface GigabitEthernet0/0/0 80
ip nat inside source list LANACL interface GigabitEthernet0/0/0 overload
ip route 0.0.0.0 0.0.0.0 184.71.204.249 track 8
ip route 0.0.0.0 0.0.0.0 184.71.204.249
ip route 0.0.0.0 0.0.0.0 206.75.163.41 10
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/0 110
ip route 172.16.1.0 255.255.255.0 172.16.1.1
!
!
ip access-list extended FILTER
10 permit ip any any
ip access-list extended LANACL
10 permit ip 192.168.10.0 0.0.0.255 any
20 permit ip 192.168.50.0 0.0.0.255 any
30 permit ip 192.168.30.0 0.0.0.255 any
40 permit ip 172.16.1.0 0.0.0.255 any
ip access-list extended TAC
10 permit ip host 192.168.10.64 any
20 permit ip any host 192.168.10.64
!
ip sla 1
icmp-echo 184.71.204.249 source-ip 184.71.204.250
ip sla schedule 1 life forever start-time now
ip access-list standard 2
10 permit 192.168.10.1
ip access-list extended 101
10 permit ip 192.168.10.0 0.0.0.255 any
20 permit ip any 192.168.10.0 0.0.0.255
!
route-map track-primary-if permit 1
match ip address 197
set interface GigabitEthernet0/0/0
!
snmp-server community public RO
!
!
control-plane
!
!
line con 0
transport input none
stopbits 1
line vty 0 4
password
login
length 0
transport input ssh
line vty 5 14
login
transport input ssh
!
call-home
! If contact email address in call-home is configured as sch-smart-licensing@cisco.com
! the email address configured in Cisco Smart License Portal will be used as contact email address to send SCH notifications.
contact-email-addr sch-smart-licensing@cisco.com
profile "CiscoTAC-1"
active
destination transport-method http
!
!
!
!
!
!
end

Let me know if anything seems off. Again, thank you for all the help.

Best Regards.

Please clarify what the IP address of the internal web server that is not working is.

I only see port 80 and 443 below?

ip nat inside source static tcp 192.168.10.14 443 interface GigabitEthernet0/0/0 47  (change this to 443)
ip nat inside source static tcp 192.168.10.104 80 interface GigabitEthernet0/0/0 80

Other Notes :

ip dhcp excluded-address 192.168.1.1 192.168.1.5  (I do not see any IP address range 192.168.1.X, so change this to 192.168.10.X)

Do you have any other links (like more than one ISP link?), since I see many static routes? (If that is not the case, clean up and leave only those required.)

ip route 0.0.0.0 0.0.0.0 184.71.204.249 track 8
ip route 0.0.0.0 0.0.0.0 184.71.204.249
ip route 0.0.0.0 0.0.0.0 206.75.163.41 10
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/0 110
ip route 172.16.1.0 255.255.255.0 172.16.1.1


BB

ken.okorocha
Level 1

The IP address for the internal web server is 192.168.10.104. I thought the NAT entries:

ip nat inside source static tcp 192.168.10.104 433 interface GigabitEthernet0/0/0 433
ip nat inside source static tcp 192.168.10.104 80 interface GigabitEthernet0/0/0 80

would let users access this over the HTTPS and HTTP ports, but I am no longer hitting the WebUI with the corrections you suggested.

I am, however, now being redirected to 192.168.10.14 with the error

"Forbidden: you don't have permission to access / on this server. HTTP server at 192.168.10.14" when I try to access my 192.168.10.104 web server from outside the local network.

I will be looking into my Apache2 DNS settings and confirm whether that's the issue (unlikely, as HTTPS access to the site is possible from within the network).

I believe the IP routes are for my partially configured secondary/ failover ISP network and the presently active main ISP.

192.168.10.14 is my VPN server and is listening on all the forwarded ports.

Thanks.


Thank you for the feedback.

You should not duplicate the ports coming from outside to inside (that is mandatory here).

As long as the packet is moved by the router, it's time for the web server (whatever is listening on 443 and 80 should respond back); that should have routing and permission.

If you are hosting a virtual host, check that. Also, Linux has some firewalls and iptables.

Keep us posted on the outcome; once you are comfortable and no more assistance is required, kindly share the solution and also mark it as resolved to help other community members.

BB

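Added example, not code from the thread or from Cisco: a small checker that re-reads the posted NAT and HTTP server lines and flags the three problems the replies point at (one outside port forwarded to two inside hosts, a forward colliding with the router's own WebUI port, and the web host's tcp/80 and tcp/443 landing on different inside boxes). The excerpt it checks is constructed from the config above, with the 192.168.10.14 tcp/443 entry already moved to outside port 443 as suggested.

```python
"""Lint IOS-XE static NAT and HTTP server lines for port conflicts."""
import re
from collections import defaultdict

NAT_RE = re.compile(
    r"ip nat inside source static (tcp|udp) (\S+) (\d+) interface \S+ (\d+)$")
HTTP_RE = re.compile(r"ip http (port|secure-port) (\d+)$")

# Constructed excerpt of the config posted in this thread, with the
# 192.168.10.14 tcp/443 entry already moved to outside port 443 as suggested.
SAMPLE_CONFIG = """\
no ip http server
ip http secure-server
ip http secure-port 4443
ip nat inside source static tcp 192.168.10.14 443 interface GigabitEthernet0/0/0 443
ip nat inside source static tcp 192.168.10.104 433 interface GigabitEthernet0/0/0 433
ip nat inside source static tcp 192.168.10.104 80 interface GigabitEthernet0/0/0 80
"""


def hosts_on(forwards, oport):
    """Inside hosts that receive outside tcp/<oport>."""
    return {ip for (p, op), ts in forwards.items() if (p, op) == ("tcp", oport) for ip, _ in ts}


def lint(config):
    """Return a sorted list of (kind, detail) findings for one config text."""
    forwards = defaultdict(list)          # (proto, outside port) -> [(inside ip, inside port)]
    enabled = {"http": False, "secure": False}
    ports = {"http": 80, "secure": 443}   # IOS defaults unless overridden
    for raw in config.splitlines():
        line = raw.strip()
        if line == "ip http server":
            enabled["http"] = True
        elif line == "ip http secure-server":
            enabled["secure"] = True
        elif m := HTTP_RE.match(line):
            ports["secure" if m.group(1) == "secure-port" else "http"] = int(m.group(2))
        elif m := NAT_RE.match(line):
            proto, ip, iport, oport = m.groups()
            forwards[(proto, int(oport))].append((ip, int(iport)))
    webui = {ports[k] for k, on in enabled.items() if on}
    findings = []
    for (proto, oport), targets in forwards.items():
        if len(set(targets)) > 1:   # only one of the overlapping entries can take effect
            findings.append(("duplicate_outside_port", f"{proto}/{oport} -> {sorted(targets)}"))
        if proto == "tcp" and oport in webui:
            findings.append(("webui_collision", f"tcp/{oport} is also the router's own HTTP(S) port"))
    # A host reached on outside tcp/80 should also own outside tcp/443, or HTTPS
    # visitors land on a different box (the thread's "Forbidden" from .14).
    for ip in sorted(hosts_on(forwards, 80) - hosts_on(forwards, 443)):
        findings.append(("split_web_host", f"tcp/80 -> {ip} but tcp/443 -> {sorted(hosts_on(forwards, 443)) or 'nothing'}"))
    return sorted(findings)
```

Run `lint(SAMPLE_CONFIG)` after the suggested change and the only remaining finding is the split web host, which is exactly the redirect to 192.168.10.14 reported above; feeding it the earlier state (secure-server on its default port plus two tcp/443 forwards) also reports the duplicate and the WebUI collision.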