port forwarding on Cisco 1941 8080 not working

Feb 13th, 2017

Dears, I am trying to publish an internal portal for external access. The portal runs on port 80 internally and I wanted to configure this on port 8080 for external access. All port forwarding is configured on the firewall and router. But for some reason port 8080 is not working. But when I change the port to 8085 or 443 it works. Not sure why only port 8080 is not working. Please find the configuration below for your reference. I have contacted the ISP and they insist that port 8080 is not blocked at their end. Any help would be greatly appreciated.



*********************************************************

interface Loopback100
ip address 2.2.2.1 255.255.255.0
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
ip address 10.40.50.5 255.255.255.0
ip nat inside
ip virtual-reassembly in
standby 10 ip 10.40.50.4
standby 10 priority 120
standby 10 preempt
standby 10 track 1 decrement 60
ip policy route-map xxxx
duplex auto
speed auto
!
interface GigabitEthernet0/1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 5
no mop enabled
!
interface ATM0/0/0
no ip address
shutdown
no atm ilmi-keepalive
!
interface Dialer0
ip ddns update hostname xxxxxxxx.redirectme.net
ip ddns update DDNSUPDATE host xxxxxxxx.redirectme.net
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1452
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer pool 5
dialer remote-name xxxxx
dialer idle-timeout 10
dialer-group 10
ppp pap sent-username xxxxx password 7 xxxxxx

router ospf 1
router-id 1.1.1.1
redistribute static subnets route-map VPN-OSPF-NETWORK
passive-interface GigabitEthernet0/1
network 10.40.50.5 0.0.0.0 area 0
!
ip forward-protocol nd
!
no ip http server
ip http access-class 23
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat translation tcp-timeout 120
ip nat pool xxxxx 1.1.1.1 1.1.1.254 netmask 255.255.255.0
ip nat inside source list 120 interface Dialer0 overload
ip nat inside source static udp 10.40.50.1 500 interface Dialer0 500
ip nat inside source static udp 10.40.50.1 4500 interface Dialer0 4500
ip nat inside source static tcp 10.40.50.50 80 interface Dialer0 8080
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip access-list extended NAT
permit ip 2.2.2.0 0.0.0.255 3.3.3.0 0.0.0.255
!
access-list 10 permit 192.168.250.8 0.0.0.3
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 110 permit ip 192.168.20.0 0.0.0.255 any
access-list 110 permit ip 192.168.26.0 0.0.0.255 any
access-list 110 permit ip 192.168.36.0 0.0.1.255 any
access-list 110 permit ip 192.168.30.0 0.0.0.255 any
access-list 120 deny ip host 10.40.50.3 192.168.250.8 0.0.0.3
access-list 120 deny ip host 10.40.50.1 192.168.250.8 0.0.0.3
access-list 120 deny ip host 10.40.50.10 192.168.250.8 0.0.0.3
access-list 120 deny ip host 10.40.50.5 192.168.250.8 0.0.0.3
access-list 120 deny ip host 10.40.50.5 192.168.250.12 0.0.0.3
access-list 120 deny ip host 10.40.50.9 192.168.250.8 0.0.0.3
access-list 120 deny ip 10.40.50.0 0.0.0.255 192.168.254.0 0.0.0.255
access-list 120 deny ip 10.40.28.0 0.0.0.255 192.168.254.0 0.0.0.255
access-list 120 deny ip 10.40.1.0 0.0.0.255 192.168.254.0 0.0.0.255
access-list 120 deny ip host 10.40.50.20 192.168.250.8 0.0.0.3
access-list 120 permit ip 192.168.26.0 0.0.0.255 any
access-list 120 permit ip 192.168.20.0 0.0.0.255 any
access-list 120 permit ip 192.168.22.0 0.0.0.255 any
access-list 120 permit ip 10.40.50.0 0.0.0.255 any
access-list 120 permit ip 192.168.100.0 0.0.0.255 any
access-list 120 permit ip 192.168.32.0 0.0.0.255 any
access-list 120 permit ip 192.168.36.0 0.0.3.255 any
access-list 120 permit ip 192.168.30.0 0.0.0.255 any
dialer-list 10 protocol ip permit
!
route-map xxxx permit 10
match ip address 110
set ip next-hop 10.40.50.3
!
route-map VPN-OSPF-NETWORK permit 10
match ip address 10
!
route-map NAT permit 10
match ip address NAT




Thanks.

Georg Pauwen Mon, 02/13/2017 - 23:47

Hello,

What is the output of 'show ip nat translations'? Can you post that?

mrehman02 Mon, 02/13/2017 - 23:56

tcp X.X.X.X:443 10.40.50.50:80 --- ---
tcp X.X.X.X:8080 10.40.50.50:8080 --- ---
tcp X.X.X.X:53799 10.40.50.50:53799 77.234.44.24:80 77.234.44.24:80
tcp X.X.X.X:56677 10.40.50.50:56677 159.122.90.116:5938 159.122.90.116:5938


The page works fine on port 443 forwarded to 80. But 8080 forwarded to 80 or 8080 is not working.
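Added example, not part of the original posts: a Python sketch that parses the `show ip nat translations` lines posted above, separates static port forwards (outside columns `---`) from dynamic sessions, and compares the installed forward with the intended one. The function names are hypothetical, and the column order assumed is Pro, Inside global, Inside local, Outside local, Outside global.

```python
import re

# `show ip nat translations` lines as posted above; the public address is
# masked as X.X.X.X by the poster. Columns: Pro, Inside global, Inside local,
# Outside local, Outside global.
SAMPLE = """\
tcp X.X.X.X:443 10.40.50.50:80 --- ---
tcp X.X.X.X:8080 10.40.50.50:8080 --- ---
tcp X.X.X.X:53799 10.40.50.50:53799 77.234.44.24:80 77.234.44.24:80
tcp X.X.X.X:56677 10.40.50.50:56677 159.122.90.116:5938 159.122.90.116:5938
"""

ROW = re.compile(r"^(tcp|udp)\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s+(\S+)$")

def parse_translations(text):
    """Return one dict per tcp/udp row; header, blank and portless rows are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        proto, g_ip, g_port, l_ip, l_port, out_local, out_global = m.groups()
        rows.append({
            "proto": proto,
            "global": (g_ip, int(g_port)),
            "local": (l_ip, int(l_port)),
            # Static entries have no outside peer: both outside columns are '---'.
            "static": out_local == "---" and out_global == "---",
            "peer": None if out_global == "---" else out_global,
        })
    return rows

def static_forwards(rows):
    """Map (proto, public port) -> (inside host, inside port) for static entries."""
    return {(r["proto"], r["global"][1]): r["local"] for r in rows if r["static"]}

def check_forward(rows, proto, public_port, host, port):
    """Compare the installed static entry with the forward that was intended."""
    actual = static_forwards(rows).get((proto, public_port))
    if actual is None:
        return "missing"
    if actual == (host, port):
        return "ok"
    return "mismatch: forwards to %s:%d" % actual

def outbound_peers(rows, host):
    """Outside peers of dynamic sessions opened by an inside host."""
    return sorted({r["peer"] for r in rows if not r["static"] and r["local"][0] == host})
```

The same static-entry listing doubles as an inventory of which inside services are published on the outside interface.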

Georg Pauwen Tue, 02/14/2017 - 00:16

Hello,

you have entries for two public IP addresses in your NAT translation table:

77.234.44.24

and

159.122.90.116

Clear the translation table by first removing the static NAT entry:

no ip nat inside source static tcp 10.40.50.50 80 interface Dialer0 8080

and then issue the exec command:

clear ip nat translations *

If that doesn't work, try to change the NAT entry to:

ip nat inside source static tcp 10.40.50.50 80 x.x.x.x 8080 extendable

where x.x.x.x is the public IP address assigned to your router.

mrehman02 Tue, 02/14/2017 - 01:05

Thanks, but unfortunately it didn't work. I doubt the ISP is blocking the port 8080. Because other ports work fine.

Georg Pauwen Tue, 02/14/2017 - 01:15

Stupid question maybe, but what are you trying to accomplish? With your current config, external users connect on port 8080 and get redirected to 80.

What happens if you reverse the ports:

ip nat inside source static tcp 10.40.50.50 8080 interface Dialer0 80

mrehman02 Tue, 02/14/2017 - 01:27

I have an intranet page on DMZ which is 10.40.50.50:80. I wanted people to access this from outside the network so that when they type x.x.x.x:8080 it should reach 10.40.50.50:80.

When I configure x.x.x.x:443 to 10.40.50.50:80 it works.

But when I configure x.x.x.x:8080 to 10.40.50.50:80 it doesn't.

Georg Pauwen Tue, 02/14/2017 - 01:30

Hello,

Can you access the webpage on port 8080 from an internal host? I am just asking to make sure the web server itself is not blocking (or not forwarding) 8080...

Georg Pauwen Tue, 02/14/2017 - 01:53

Hello,

When I type:

http://77.234.44.24:80

I get this website:

Avast! Streaming updates server

For history of virus database updates visit Avast! support page.

Is that the website you want to have access to from the outside?

Also, does:

ip nat inside source static tcp 10.40.50.50 8080 interface Dialer0 8080

work?

mrehman02 Tue, 02/14/2017 - 02:14

http://77.234.44.24/ that is not my IP address. I googled it and found it's Avast's IP.

Mine should be an IIS start page upon typing the IP.


ip nat inside source static tcp 10.40.50.50 8080 interface Dialer0 8080

also not working. It has to be the ISP then, what do you think?

Georg Pauwen Tue, 02/14/2017 - 03:59

Hello,

My guess is that Avast Antivirus is running somewhere on your network, and it is blocking port 8080. Can you find out which machine it is running on, and temporarily turn it off?

mrehman02 Tue, 02/14/2017 - 04:16

We have Avast running in our network. Let me see how it is blocking 8080. Not sure where to look though. Thanks.

Georg Pauwen Tue, 02/14/2017 - 04:27

Hello, 

I am not sure which version of Avast you are running, but look for the following:

"Settings" -> "Troubleshooting" -> "Redirect Settings" -> "Web".

Remove 8080 from the "HTTP Port(s)" list
