Unable to forward port 443 using Static NAT

Unanswered Question
Nov 11th, 2013

Hi there,

Thanks in advance for your assistance.

I have configured Static NAT to forward port 443 to the internal IP address 192.168.0.3 as follows:

ip nat inside source static tcp 192.168.0.3 443 interface Dialer1 443

I am only getting "Page Not Found" when I try to access it over 443 (internally and externally). I have also checked with an online port forward tester, which reports that port 443 is closed. I don't have any issue accessing the server on 443 internally.

P.S. I am not a Cisco expert and this router was configured by the previous IT guys, so I might not know everything that is configured in this config.

Please see the following config:


INTGATEWAY#sh conf
Using 6037 out of 262136 bytes
!
! Last configuration change at 15:46:10 Sydney Tue Aug 6 2013 by admin.cisco
! NVRAM config last updated at 16:13:31 Sydney Tue Aug 6 2013 by admin.cisco
! NVRAM config last updated at 16:13:31 Sydney Tue Aug 6 2013 by admin.cisco
version 15.1
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
service sequence-numbers
!
hostname INTGATEWAY
!
boot-start-marker
boot-end-marker
!
!
no logging buffered
enable secret 5 Secret...Shhhh....
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication ppp V_USERS group radius
aaa authorization network V_USERS group radius
!
!
!
!
!
aaa session-id common
!
clock timezone Sydney 10 0
clock summer-time Sydney date Mar 30 2003 3:00 Oct 26 2003 2:00
!
no ipv6 cef
ip source-route
ip cef
!
!
!
!
!
no ip domain lookup
ip domain name domain.com.au
ip name-server 203.12.160.35
ip name-server 203.12.160.36
ip inspect max-incomplete high 800
ip inspect max-incomplete low 600
ip inspect name FIREWALL ftp
ip inspect name FIREWALL h323
ip inspect name FIREWALL netshow
ip inspect name FIREWALL rcmd
ip inspect name FIREWALL realaudio
ip inspect name FIREWALL rtsp
ip inspect name FIREWALL smtp
ip inspect name FIREWALL sqlnet
ip inspect name FIREWALL streamworks
ip inspect name FIREWALL tftp
ip inspect name FIREWALL tcp
ip inspect name FIREWALL udp
ip inspect name FIREWALL vdolive
ip inspect name FIREWALL icmp
ip inspect name FIREWALL isakmp
ip inspect name FIREWALL ipsec-msft
!
multilink bundle-name authenticated
!
vpdn enable
!
vpdn-group COMPANY_VPN
 ! Default L2TP VPDN group
 accept-dialin
  protocol l2tp
  virtual-template 1
 no l2tp tunnel authentication
!
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-4155725390
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-4155725390
 revocation-check none
 rsakeypair TP-self-signed-4155725390
!
!
crypto pki certificate chain TP-self-signed-4155725390
 certificate self-signed 01 nvram:IOS-Self-Sig#1.cer
license udi pid CISCO1921/K9 sn FGL153820V4
!
!
username administrator privilege 15 password 7 Administrator_Password
username admin.cisco privilege 15 password 7 Cisco_Admin_Password
!
redundancy
!
!
!
!
no ip ftp passive
ip ssh time-out 60
ip ssh port 2222 rotary 1
ip ssh version 2
!
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key PreSharedKey address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set VPN esp-3des esp-sha-hmac
 mode transport
!
crypto dynamic-map VPN-map 10
 set nat demux
 set transform-set VPN
 reverse-route
!
!
crypto map VPN 10 ipsec-isakmp dynamic VPN-map
!
!
!
!
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 description COMPANY LAN
 ip address 192.168.0.253 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 load-interval 30
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 description TPG INTERNET EFM SERVICE
 no ip address
 ip access-group OUTSIDE_IN in
 load-interval 30
 duplex auto
 speed auto
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface Virtual-Template1
 ip unnumbered GigabitEthernet0/0
 ip nat inside
 ip virtual-reassembly in
 peer default ip address dhcp
 ppp encrypt mppe auto
 ppp authentication ms-chap-v2 V_USERS
 ppp authorization V_USERS
!
interface Dialer1
 mtu 1492
 ip address negotiated
 ip nat outside
 ip inspect FIREWALL out
 ip virtual-reassembly in
 encapsulation ppp
 dialer pool 1
 dialer idle-timeout 0
 dialer persistent
 dialer-group 1
 ppp pap sent-username [email protected] password 7 iNTERNET_PASSWORD
 crypto map VPN
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat inside source list NAT interface Dialer1 overload
ip nat inside source static tcp 192.168.0.2 80 interface Dialer1 80
ip nat inside source static tcp 192.168.0.3 443 interface Dialer1 443
ip nat inside source static tcp 192.168.0.2 25 interface Dialer1 25
ip nat inside source static tcp 192.168.0.2 22 interface Dialer1 22
ip nat inside source static tcp 192.168.0.1 1723 interface Dialer1 1723
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 192.168.1.0 255.255.255.0 192.168.0.254
ip route 192.168.30.0 255.255.255.0 192.168.0.254
!
ip access-list extended DEBUG
 permit tcp any any eq 1723 log
ip access-list extended NAT
 permit ip 192.168.0.0 0.0.0.255 any
 permit ip 192.168.1.0 0.0.0.255 any
 permit ip 192.168.30.0 0.0.0.255 any
ip access-list extended OUTSIDE_IN
 remark CCP_ACL Category=17
 permit udp any any eq non500-isakmp
 permit esp any any
 permit gre any any
 permit udp any any eq isakmp log
 permit tcp any any eq 1723 log
 permit tcp any any eq www
 permit tcp any any eq 443
 permit tcp any any eq smtp
 permit icmp any any
 permit tcp any any eq 3389
 permit tcp any any eq 22
ip access-list extended SPLIT-TUNNEL
 permit ip 192.168.0.0 0.0.0.255 192.168.0.0 0.0.0.255
!
access-list 22 remark CCP_ACL Category=16
access-list 22 permit 192.168.0.0 0.0.0.255
access-list 101 permit ip 192.168.0.0 0.0.0.255 192.168.0.0 0.0.0.255
dialer-list 1 protocol ip permit
!
!
!
!
!
snmp-server community kpublic911 RO 22
!
radius server WINDOWS_VPNSERVER
 address ipv4 192.168.0.2 auth-port 1812 acct-port 1813
 key 7 SharedKey
!
!
!
control-plane
!
!
!
line con 0
 exec-timeout 30 0
 logging synchronous
 stopbits 1
line aux 0
 stopbits 1
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 logging synchronous
 rotary 1
 transport input telnet ssh
line vty 5 15
 logging synchronous
 transport input all
!
scheduler allocate 20000 1000
ntp update-calendar
ntp server 192.189.54.33
ntp server 150.101.221.106
ntp server 27.50.91.108
end

INTGATEWAY#

Islam Nadim Tue, 11/12/2013 - 23:08

Did you find any issues in the logs?

Is the IP Address Correct?

Is the Static NAT shown in the NAT Translation? (show ip nat translations)


Can you share the outputs for the above?
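As an added troubleshooting aid (this is not part of the original post or the reply, and not a Cisco tool), the following Python script parses a config in the shape of the one posted above and answers the questions the reply raises in a mechanical way: which interface is the NAT outside interface, whether an inbound ACL is bound to that interface and whether it permits each forwarded port, which other interfaces carry an inbound ACL and what that ACL does to the same port, and whether each static mapping appears in `show ip nat translations` output. The config excerpt and translation-table sample embedded in the script are constructed from the posted interface names, ACL name and 192.168.0.x hosts; 203.0.113.10 is a placeholder for the Dialer's negotiated public address.

```python
"""Cross-check static port forwards in an IOS config against the NAT outside
interface and any inbound ACL, then confirm each mapping is present in
`show ip nat translations`.  Added example for this thread, not Cisco tooling
and not the poster's code; CONFIG and TRANSLATIONS are constructed samples
in the shape of the posted config (203.0.113.10 stands in for the
negotiated Dialer address)."""
import re

CONFIG = """\
interface GigabitEthernet0/1
 no ip address
 ip access-group OUTSIDE_IN in
 pppoe-client dial-pool-number 1
!
interface Dialer1
 ip address negotiated
 ip nat outside
 ip inspect FIREWALL out
!
ip nat inside source static tcp 192.168.0.2 80 interface Dialer1 80
ip nat inside source static tcp 192.168.0.3 443 interface Dialer1 443
ip nat inside source static tcp 192.168.0.2 25 interface Dialer1 25
!
ip access-list extended OUTSIDE_IN
 permit tcp any any eq 1723 log
 permit tcp any any eq www
 permit tcp any any eq 443
 permit tcp any any eq smtp
"""
TRANSLATIONS = """\
Pro Inside global         Inside local          Outside local         Outside global
tcp 203.0.113.10:443      192.168.0.3:443       ---                   ---
tcp 203.0.113.10:80       192.168.0.2:80        ---                   ---
"""
PORT_NAMES = {"www": 80, "smtp": 25, "ssh": 22, "isakmp": 500}  # IOS keywords
STATIC_RE = re.compile(
    r"^ip nat inside source static (tcp|udp) (\S+) (\d+) interface (\S+) (\d+)$")
ACE_RE = re.compile(r"^(permit|deny) (\S+) any any(?: eq (\S+))?")


def parse_config(text):
    """Return (interfaces, acls, statics) parsed from an IOS config text."""
    interfaces, acls, statics = {}, {}, []
    cur_if = cur_acl = None
    for line in text.splitlines():
        if not line.startswith(" "):        # a top-level line ends any sub-mode
            cur_if = cur_acl = None
        if (m := re.match(r"^interface (\S+)$", line)):
            cur_if = m.group(1)
            interfaces[cur_if] = {"nat_outside": False, "acl_in": None}
        elif (m := re.match(r"^ip access-list extended (\S+)$", line)):
            cur_acl = m.group(1)
            acls[cur_acl] = []
        elif (m := STATIC_RE.match(line)):
            proto, ip, iport, oif, oport = m.groups()
            statics.append({"proto": proto, "inside": f"{ip}:{iport}",
                            "interface": oif, "port": int(oport)})
        elif cur_if:
            s = line.strip()
            if s == "ip nat outside":
                interfaces[cur_if]["nat_outside"] = True
            elif (m := re.match(r"^ip access-group (\S+) in$", s)):
                interfaces[cur_if]["acl_in"] = m.group(1)
        elif cur_acl and (m := ACE_RE.match(line.strip())):
            action, proto, port = m.groups()
            if port is not None:            # normalise IOS port keywords
                port = PORT_NAMES.get(port, int(port) if port.isdigit() else port)
            acls[cur_acl].append((action, proto, port))
    return interfaces, acls, statics


def acl_permits(entries, proto, port):
    """First-match evaluation of a parsed ACL; unmatched traffic is denied."""
    for action, eproto, eport in entries:
        if eproto in (proto, "ip") and (eport is None or eport == port):
            return action == "permit"
    return False                            # implicit deny at the end of every ACL


def check_forward(interfaces, acls, fwd):
    """Findings for one static mapping: outside flag and inbound ACL coverage."""
    findings = []
    iface = interfaces.get(fwd["interface"])
    if iface is None:
        return [f"interface {fwd['interface']} is not in the config"]
    if not iface["nat_outside"]:
        findings.append(f"{fwd['interface']} is not configured 'ip nat outside'")
    flow = f"{fwd['proto']}/{fwd['port']}"
    if iface["acl_in"] is None:
        findings.append(f"no inbound ACL on {fwd['interface']}")
    # Report every interface that carries an inbound ACL, so the reader can
    # see where filtering is actually bound and what it does to this flow.
    for name, props in interfaces.items():
        if props["acl_in"]:
            ok = acl_permits(acls.get(props["acl_in"], []), fwd["proto"], fwd["port"])
            findings.append(f"ACL {props['acl_in']} on {name} "
                            f"{'permits' if ok else 'blocks'} {flow}")
    return findings


def static_in_translations(text, proto, inside_local):
    """True if `show ip nat translations` output lists this static mapping."""
    for line in text.splitlines()[1:]:      # skip the column header
        cols = line.split()
        if len(cols) >= 3 and cols[0] == proto and cols[2] == inside_local:
            return True
    return False


if __name__ == "__main__":
    interfaces, acls, statics = parse_config(CONFIG)
    for fwd in statics:
        print(f"{fwd['proto']}/{fwd['port']} -> {fwd['inside']}")
        for finding in check_forward(interfaces, acls, fwd):
            print("   ", finding)
        print("    in translation table:",
              static_in_translations(TRANSLATIONS, fwd["proto"], fwd["inside"]))
```

To use it on a real device, replace the two sample strings with the full `show running-config` and `show ip nat translations` output. The check only reports ACL bindings as the config states them (for the posted config: no inbound ACL on Dialer1, OUTSIDE_IN bound on GigabitEthernet0/1 and permitting tcp/443); it does not model how the PPPoE physical interface and the Dialer interact, which is something to verify on the router itself.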
