IOS, 881w, port forwarding/redirecting www

tomws1787
Level 1

I'm in over my head with this Cisco router we have (881w). If anyone has a recommendation for some dummy-level reading, I'd appreciate a link or title. Cisco documentation presumes a level of knowledge which I don't have.

My specific problem right now is that I'm trying to port forward/redirect external web access using a specific port to an internal device using the standard www port 80. Details:

External IP: 1.2.3.4
External hostname: alpha.example.com
External port: 8888

Internal IP: 192.168.1.2
Internal port: 80

So, I'm trying to hit http://alpha.example.com:8888 from the web and pull the site from 192.168.1.2. (Incidentally, the direct IP access works internally on the LAN with no problems.)

I've added the following lines to the config. They are just copies of sections that work for opening up remote desktop for some users, the only difference being that I'm using the same port numbers externally and internally for that (e.g. alpha.example.com:5555 => 192.168.1.200:5555).

ip port-map user-protocol--6 port tcp 8888 description Lacie-web-access
!...
class-map type inspect match-any Lacie-nat-web-access
match protocol user-protocol--6
class-map type inspect match-all sdm-cls-sdm-pol-NATOutsideToInside-1-6
match class-map Lacie-nat-web-access
match access-group name Lacie-web-access
!...
ip access-list extended Lacie-web-access
remark CCP_ACL Category=128
permit ip any host 192.168.1.2
!...
ip nat inside source static tcp 192.168.1.2 80 1.2.3.4 8888 extendable

Again, this works for remote desktop with matching port numbers, so I'm guessing there may be some other http/www traffic restriction that I don't recognize. FWIW, I can't reconfigure the internal device's web port, so I can't test whether the port number mismatch is an issue.

13 Replies

tomws1787
Level 1

As a test, I've set up Apache on another internal box and changed the listening port to match the incoming port (so, 8888 => 8888).  After changing the IP in the config to that box (192.168.1.4), I still have the same problem.  Am I correct in assuming this means it's an http traffic rule that's keeping me out?

I also noticed this in the translations list (still using the "new" IP and port for testing) while attempting to access the test box:

ant#sh ip nat tr
Pro Inside global         Inside local          Outside local         Outside global
tcp 1.2.3.4:8888   192.168.1.4:8888     192.168.1.102:1366    192.168.1.102:1366
tcp 1.2.3.4:8888   192.168.1.4:8888     ---                   ---

I don't think I specifically mentioned it before, but the browser errors are "connection timed out".

Hi,

Does your external interface access list allow traffic to 1.2.3.4 port 8888?

Thanks

John

**Please rate posts you find helpful**

Thanks for the response.

No, it wasn't specifically listed, so I did this:

permit tcp any host 192.168.1.4 eq 8888

That worked. Just for kicks, I tried again with the previous ip permission:

permit ip any host 192.168.1.4

That worked this time. The difference was that I tested it from outside the network unlike my previous post's issue where I was testing from inside. Ugh.

I also did a little more testing while I had that much working. It seems that any port number works as long as the internal and external ports match. For example, 8888 works, 8765 works, 8880 works, etc. That wouldn't be a problem except, as stated in the original post, the actual device I'm trying to get this working for doesn't allow the http port to be modified. So, I need to be able to redirect a non-standard port to port 80. Is my problem with how I've handled this line?

ip nat inside source static tcp 192.168.1.4 80 1.2.3.4 8888 extendable

Hi,

That command should work. Please post a scrubbed config of the router.

Thanks

John

**Please rate posts you find helpful**

I've removed the crypto sections and munged a few other fields. Apologies if this is still too much.

version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname ant
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging message-counter syslog
logging buffered 51200
logging console critical
enable secret 5 *hash*
!
aaa new-model
!
!
aaa authentication login local_authen local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization exec local_author local
aaa authorization network ciscocp_vpn_group_ml_1 local
!
!
aaa session-id common
clock timezone Chicago -6
clock summer-time Chicago date Apr 6 2003 2:00 Oct 26 2003 2:00
service-module wlan-ap 0 bootimage autonomous
!
!
no ip source-route
!
!
ip dhcp excluded-address 192.168.1.1
ip dhcp excluded-address 10.0.0.1 10.0.0.99
ip dhcp excluded-address 10.0.0.121 10.0.0.254
!
ip dhcp pool sdm-pool1
   import all
   network 192.168.1.0 255.255.255.0
   dns-server 1.2.3.10 1.2.3.11
   default-router 192.168.1.1
!
!
ip cef
no ip bootp server
ip domain name eapdd.com
ip name-server 1.2.3.10
ip name-server 1.2.3.11
ip port-map user-protocol--2 port tcp 8833 description RDP-2
ip port-map user-protocol--3 port tcp 8829 description RDP-3
ip port-map user-protocol--1 port tcp 8832 description RDP-1
ip port-map user-protocol--6 port tcp 8888 description Lacie-web-access
ip port-map user-protocol--4 port tcp 8830 description RDP-4
ip port-map user-protocol--5 port tcp 8828 description SSH-Fileserver
!
no ipv6 cef
!
multilink bundle-name authenticated

!
!
username myadmin privilege 15 secret 5 *hash*
!
!

!
!
archive
log config
  hidekeys
!
!
ip tcp synwait-time 10
ip ftp username cisco881w
ip ftp password 7 *hash*
ip ssh time-out 60
ip ssh authentication-retries 2
!
class-map type inspect match-any Lacie-nat-web-access
match protocol user-protocol--6
class-map type inspect match-all sdm-cls-sdm-pol-NATOutsideToInside-1-6
match class-map Lacie-nat-web-access
match access-group name Lacie-web-access
class-map type inspect match-any SDM_HTTPS
match access-group name SDM_HTTPS
class-map type inspect match-any SDM_SSH
match access-group name SDM_SSH
class-map type inspect match-any SDM_SHELL
match access-group name SDM_SHELL
class-map type inspect match-any sdm-cls-access
match class-map SDM_HTTPS
match class-map SDM_SSH
match class-map SDM_SHELL
class-map type inspect match-any SSH-nat-Fileserver
match protocol user-protocol--5
class-map type inspect match-all sdm-cls-sdm-pol-NATOutsideToInside-1-4
match class-map SSH-nat-Fileserver
match access-group name SSH-Fileserver
class-map type inspect imap match-any ccp-app-imap
match  invalid-command
class-map type inspect match-any RDP-nat-4
match protocol user-protocol--4
class-map type inspect match-all sdm-cls-sdm-pol-NATOutsideToInside-1-3
match class-map RDP-nat-4
match access-group name RDP-4
class-map type inspect match-any ccp-cls-protocol-p2p
match protocol edonkey signature
match protocol gnutella signature
match protocol kazaa2 signature
match protocol fasttrack signature
match protocol bittorrent signature
class-map type inspect match-any RDP-nat-3
match protocol user-protocol--3
class-map type inspect match-all sdm-cls-sdm-pol-NATOutsideToInside-1-2
match class-map RDP-nat-3
match access-group name RDP-3
class-map type inspect match-all sdm-nat-user-protocol--1-1
match access-group 102
match protocol user-protocol--1
class-map type inspect match-any RDP-nat-2
match protocol user-protocol--2
class-map type inspect match-all sdm-cls-sdm-pol-NATOutsideToInside-1-1
match class-map RDP-nat-2
match access-group name RDP-2
class-map type inspect match-any SDM_AH
match access-group name SDM_AH
class-map type inspect match-any MySymantec
match access-group name MySymantec
class-map type inspect match-any CCP-Voice-permit
match protocol h323
match protocol skinny
match protocol sip
class-map type inspect match-any ccp-cls-insp-traffic
match protocol cuseeme
match protocol dns
match protocol ftp
match protocol h323
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp extended
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map type inspect match-any SDM_IP
match access-group name SDM_IP
class-map type inspect gnutella match-any ccp-app-gnutella
match  file-transfer
class-map type inspect match-any SDM_ESP
match access-group name SDM_ESP
class-map type inspect match-any SDM_EASY_VPN_SERVER_TRAFFIC
match protocol isakmp
match protocol ipsec-msft
match class-map SDM_AH
match class-map SDM_ESP
class-map type inspect match-all SDM_EASY_VPN_SERVER_PT
match class-map SDM_EASY_VPN_SERVER_TRAFFIC
class-map type inspect msnmsgr match-any ccp-app-msn-otherservices
match  service any
class-map type inspect ymsgr match-any ccp-app-yahoo-otherservices
match  service any
class-map type inspect match-any MY-TFTP
match protocol tftp
class-map type inspect match-all sdm-cls-ccp-inspect-1
match class-map MY-TFTP
match access-group name internal-tftp
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-any ccp-cls-protocol-im
match protocol ymsgr yahoo-servers
match protocol msnmsgr msn-servers
match protocol aol aol-servers
class-map type inspect aol match-any ccp-app-aol-otherservices
match  service any
class-map type inspect match-all ccp-protocol-pop3
match protocol pop3
class-map type inspect pop3 match-any ccp-app-pop3
match  invalid-command
class-map type inspect match-all sdm-access
match class-map sdm-cls-access
match access-group 101
class-map type inspect kazaa2 match-any ccp-app-kazaa2
match  file-transfer
class-map type inspect match-all ccp-protocol-p2p
match class-map ccp-cls-protocol-p2p
class-map type inspect msnmsgr match-any ccp-app-msn
match  service text-chat
class-map type inspect ymsgr match-any ccp-app-yahoo
match  service text-chat
class-map type inspect match-all ccp-protocol-im
match class-map ccp-cls-protocol-im
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
class-map type inspect match-all ccp-invalid-src
match access-group 100
class-map type inspect http match-any ccp-app-httpmethods
match  request method bcopy
match  request method bdelete
match  request method bmove
match  request method bpropfind
match  request method bproppatch
match  request method connect
match  request method copy
match  request method delete
match  request method edit
match  request method getattribute
match  request method getattributenames
match  request method getproperties
match  request method index
match  request method lock
match  request method mkcol
match  request method mkdir
match  request method move
match  request method notify
match  request method options
match  request method poll
match  request method propfind
match  request method proppatch
match  request method put
match  request method revadd
match  request method revlabel
match  request method revlog
match  request method revnum
match  request method save
match  request method search
match  request method setattribute
match  request method startrev
match  request method stoprev
match  request method subscribe
match  request method trace
match  request method unedit
match  request method unlock
match  request method unsubscribe
class-map type inspect edonkey match-any ccp-app-edonkey
match  file-transfer
match  text-chat
match  search-file-name
class-map type inspect http match-any ccp-http-blockparam
match  request port-misuse im
match  request port-misuse p2p
match  req-resp protocol-violation
class-map type inspect edonkey match-any ccp-app-edonkeydownload
match  file-transfer
class-map type inspect match-all ccp-protocol-imap
match protocol imap
class-map type inspect aol match-any ccp-app-aol
match  service text-chat
class-map type inspect edonkey match-any ccp-app-edonkeychat
match  search-file-name
match  text-chat
class-map type inspect http match-any ccp-http-allowparam
match  request port-misuse tunneling
class-map type inspect match-all ccp-protocol-http
match protocol http
class-map type inspect fasttrack match-any ccp-app-fasttrack
match  file-transfer
!
!
policy-map type inspect ccp-permit-icmpreply
class type inspect ccp-icmp-access
  inspect
class class-default
  pass
policy-map type inspect p2p ccp-action-app-p2p
class type inspect edonkey ccp-app-edonkeychat
  log
  allow
class type inspect edonkey ccp-app-edonkeydownload
  log
  allow
class type inspect fasttrack ccp-app-fasttrack
  log
  allow
class type inspect gnutella ccp-app-gnutella
  log
  allow
class type inspect kazaa2 ccp-app-kazaa2
  log
  allow
policy-map type inspect sdm-pol-NATOutsideToInside-1
class type inspect sdm-cls-sdm-pol-NATOutsideToInside-1-1
  inspect
class type inspect sdm-nat-user-protocol--1-1
  inspect
class type inspect sdm-cls-sdm-pol-NATOutsideToInside-1-3
  inspect
class type inspect sdm-cls-sdm-pol-NATOutsideToInside-1-2
  inspect
class type inspect sdm-cls-sdm-pol-NATOutsideToInside-1-4
  inspect
class type inspect sdm-cls-sdm-pol-NATOutsideToInside-1-6
  inspect
class class-default
  drop
policy-map type inspect im ccp-action-app-im
class type inspect aol ccp-app-aol
  log
  allow
class type inspect msnmsgr ccp-app-msn
  log
  allow
class type inspect ymsgr ccp-app-yahoo
  log
  allow
class type inspect aol ccp-app-aol-otherservices
  log
  reset
class type inspect msnmsgr ccp-app-msn-otherservices
  log
  reset
class type inspect ymsgr ccp-app-yahoo-otherservices
  log
  reset
policy-map type inspect imap ccp-action-imap
class type inspect imap ccp-app-imap
  log
policy-map type inspect pop3 ccp-action-pop3
class type inspect pop3 ccp-app-pop3
  log
policy-map type inspect ccp-inspect
class type inspect sdm-cls-ccp-inspect-1
  inspect
class type inspect ccp-invalid-src
  drop log
class type inspect ccp-protocol-http
  inspect
class type inspect ccp-protocol-imap
  inspect
  service-policy imap ccp-action-imap
class type inspect ccp-protocol-pop3
  inspect
  service-policy pop3 ccp-action-pop3
class type inspect ccp-protocol-p2p
  inspect
  service-policy p2p ccp-action-app-p2p
class type inspect ccp-protocol-im
  inspect
  service-policy im ccp-action-app-im
class type inspect ccp-insp-traffic
  inspect
class type inspect CCP-Voice-permit
  inspect
class class-default
  pass
policy-map type inspect http ccp-action-app-http
class type inspect http ccp-http-blockparam
  log
  reset
class type inspect http ccp-app-httpmethods
  log
  reset
class type inspect http ccp-http-allowparam
  log
  allow
policy-map type inspect ccp-permit
class type inspect SDM_EASY_VPN_SERVER_PT
  pass
class class-default
  drop
policy-map type inspect sdm-permit-ip
class type inspect SDM_IP
  pass
class class-default
  drop log
!
zone security out-zone
zone security in-zone
zone security ezvpn-zone
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect ccp-permit-icmpreply
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
service-policy type inspect sdm-pol-NATOutsideToInside-1
zone-pair security sdm-zp-in-ezvpn1 source in-zone destination ezvpn-zone
service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-out-ezpn1 source out-zone destination ezvpn-zone
service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-ezvpn-out1 source ezvpn-zone destination out-zone
service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-ezvpn-in1 source ezvpn-zone destination in-zone
service-policy type inspect sdm-permit-ip
!
!
!
interface Loopback0
ip address 192.168.8.1 255.255.255.0
!
interface Null0
no ip unreachables
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
description $ES_WAN$$FW_OUTSIDE$
ip address 1.2.3.4 255.255.255.0
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat outside
ip virtual-reassembly
zone-member security out-zone
duplex auto
speed auto
snmp trap ip verify drop-rate
!
interface Virtual-Template1 type tunnel
ip unnumbered Loopback0
zone-member security ezvpn-zone
tunnel mode ipsec ipv4
tunnel protection ipsec profile CiscoCP_Profile1
!
interface wlan-ap0
description Service module interface to manage the embedded AP
ip unnumbered Vlan1
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
arp timeout 0
!
interface Wlan-GigabitEthernet0
description Internal switch interface connecting to the embedded AP
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
ip address 192.168.1.1 255.255.255.0
ip access-group Port25Blocker out
no ip redirects
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
ip flow ingress
ip nat inside
ip virtual-reassembly
zone-member security in-zone
ip tcp adjust-mss 1452
!
interface Vlan2
no ip address
ip nat inside
ip virtual-reassembly
zone-member security in-zone
!
ip local pool SDM_POOL_1 192.168.1.81 192.168.1.89
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 64.233.136.113
ip http server
ip http access-class 2
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip flow-top-talkers
top 20
sort-by bytes
!
ip nat inside source list 1 interface FastEthernet4 overload
ip nat inside source static tcp 192.168.1.111 8828 1.2.3.4 8828 extendable
ip nat inside source static tcp 192.168.1.101 8829 1.2.3.4 8829 extendable
ip nat inside source static tcp 192.168.1.102 8830 1.2.3.4 8830 extendable
ip nat inside source static tcp 192.168.1.105 8832 1.2.3.4 8832 extendable
ip nat inside source static tcp 192.168.1.106 8833 1.2.3.4 8833 extendable
ip nat inside source static tcp 192.168.1.4 80 1.2.3.4 8888 extendable
!
ip access-list extended Lacie-web-access
remark Allow web access to Lacie device
remark CCP_ACL Category=128
permit ip any host 192.168.1.4
permit tcp any host 192.168.1.4 eq 8888
ip access-list extended MySymantec
remark 20090902 Opening for SymantecAV. Manually cloned from SDM_SSH.
permit tcp 192.168.1.0 0.0.0.255 192.168.1.0 0.0.0.255 eq 8014
permit tcp 192.168.1.0 0.0.0.255 192.168.1.0 0.0.0.255 eq 8443
permit tcp 192.168.1.0 0.0.0.255 192.168.1.0 0.0.0.255 eq 9090
ip access-list extended Port25Blocker
remark Block smtp to prevent virus spamming.
remark CCP_ACL Category=1
deny   tcp any any eq smtp log
permit ip any any
ip access-list extended RDP-2
remark CCP_ACL Category=128
permit ip any host 192.168.1.106
ip access-list extended RDP-3
remark CCP_ACL Category=128
permit ip any host 192.168.1.101
ip access-list extended RDP-4
remark CCP_ACL Category=128
permit ip any host 192.168.1.102
ip access-list extended SDM_AH
remark CCP_ACL Category=1
permit ahp any any
ip access-list extended SDM_ESP
remark CCP_ACL Category=1
permit esp any any
ip access-list extended SDM_HTTPS
remark CCP_ACL Category=1
permit tcp any any eq 443
ip access-list extended SDM_IP
remark CCP_ACL Category=1
permit ip any any
ip access-list extended SDM_SHELL
remark CCP_ACL Category=1
permit tcp any any eq cmd
ip access-list extended SDM_SSH
remark CCP_ACL Category=1
permit tcp any any eq 22
ip access-list extended SSH-Fileserver
remark CCP_ACL Category=128
permit ip any host 192.168.1.111
ip access-list extended internal-tftp
remark CCP_ACL Category=128
permit ip host 192.168.1.1 host 192.168.1.102
permit ip host 192.168.5.1 host 192.168.1.102
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 2 remark HTTP Access-class list
access-list 2 remark CCP_ACL Category=1
access-list 2 permit 192.168.1.0 0.0.0.255
access-list 2 deny   any
access-list 100 permit ip 1.2.3.0 0.0.0.255 any
access-list 101 remark CCP_ACL Category=128
access-list 101 permit ip any any
access-list 102 remark CCP_ACL Category=0
access-list 102 permit ip any host 192.168.1.105
no cdp run

!
!
!
!
!
control-plane
!
!
line con 0
no modem enable
transport output telnet
line aux 0
transport output telnet
line 2
no activation-character
no exec
transport preferred none
transport input all
line vty * *
authorization exec local_author
login authentication local_authen
transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end

Hi,

Have you tried changing "ip nat inside source static tcp 192.168.1.4 80 1.2.3.4 8888 extendable" to "ip nat inside source static tcp 192.168.1.4 80 FastEthernet4 8888"

**Please rate posts you find helpful**

I just tried that, and I've also previously tried

ip nat inside source static tcp 192.168.1.4 80 64.233.136.114 8888

ip nat inside source static tcp 192.168.1.4 80 interface FastEthernet4 8888 extendable

ip nat inside source static tcp 192.168.1.4 80 interface FastEthernet4 8888

and now

ip nat inside source static tcp 192.168.1.4 80 FastEthernet4 8888

ip nat inside source static tcp 192.168.1.4 80 FastEthernet4 8888 extendable

But for all of them, the conf replace tftp always dies and rolls back, failing to load that single line. I saw that format used on some of the places I've been reading, but mine doesn't like it for some reason. I've even tried removing just the "extendable", but it still fails to load (again, through the conf replace tftp process).

Hi,

You should be able to delete from the command line.

no ip nat inside source static tcp 192.168.1.4 80 64.233.136.114 8888

**Please rate posts you find helpful**

Ok, doing it from the CLI does allow me to remove and add the lines. So now it has:

ip nat inside source static tcp 192.168.1.4 80 interface FastEthernet4 8888

However, it still doesn't work for the redirection 8888 => 80. But it does still work when the same port number is used on both sides 8888 => 8888.

tomws1787
Level 1

I'm still getting the same behavior. Does anyone have any suggestions for resolving this?

If no one has suggestions for fixing this, are there any recommendations for forums (or anywhere else) that may be able to help?  Maybe I've misunderstood the purpose of this forum.

"However, it still doesn't work for the redirection 8888 => 80. But it does still work when the same port number is used on both sides 8888 => 8888."

If someone is coming from the outside hitting port 8888 and that is sent to your internal server on the same port and it works then port forwarding works.

If it still breaks when you use port 80 to translate 8888 then I could guess that the internal server does not work or listen on port 80. I would assume that portforwarding does not selectively forward port 8888 to 8888 correctly and 8888 to 80 incorrectly.

This forum like any other forum is best effort, I would suggest opening a case with TAC if there are issues the forum cannot address.

PK

Thanks for your response.

I can confirm that the test web server does indeed work when configured for port 80 - from inside the network when using the internal IP directly. Same for any port I've used for testing. A little more testing seems to show that any "cross-port" forward/redirect does not work, though. For example, 8888 => 8765 fails the same as 8888 => 80.

I've found a link for opening a case, so I'll try that route.  Will update here with whatever information I receive.
