  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1010

Cisco 851 Config help

I need help configuring a Cisco 851 router. I am trying to set it up to allow access to a web server on port 80 and block everything else. The public external IP is 208.33.154.71 and the IP address of the web server is 192.168.1.250. I am posting the running config. If anyone can decipher it and help me, I will be very grateful. I am able to ping the public IP address from an external source. I also just realized that I can telnet into it externally. Is that because of the "ip http server"? Is that my problem... will removing "ip http server"? Also what do I need to change to shut down everything else? I will eventually need to do email and maybe even HTTPS, but not yet.


Building configuration...

Current configuration : 3255 bytes
!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$jJe/$ovtFpR1hDWAMCAYDcIpB10
!
username xxxxxxxxx privilege 15 password 0 cisco123
username xxxxxxxx privilege 15 secret 5 $1$LhYt$curu1muQj/JnmfQwW/hzc0
aaa new-model
!
!
aaa authentication login default local
aaa authentication login local local
aaa session-id common
ip subnet-zero
ip dhcp excluded-address 192.168.1.2
!
ip dhcp pool sdm-pool1
   import all
   network 192.168.1.0 255.255.255.0
   dns-server 204.117.214.10 199.2.252.10
   default-router 192.168.1.2
!
!
ip cef
ip inspect name newrule tcp timeout 3600
ip inspect name newrule http timeout 3600
ip inspect name sdm_ins_in_100 tcp timeout 3600
ip rcmd rcp-enable
no ftp-server write-enable
!
!
!
!
!
!
!
interface FastEthernet0
 no ip address
!
interface FastEthernet1
 no ip address
!
interface FastEthernet2
 no ip address
!
interface FastEthernet3
 no ip address
!
interface FastEthernet4
 description $ETH-WAN$$FW_OUTSIDE$
 ip address 208.33.154.71 255.255.255.192
 ip access-group 101 in
 ip verify unicast reverse-path
 ip inspect sdm_ins_in_100 in
 ip inspect newrule out
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
 ip address 192.168.1.2 255.255.255.0
 ip access-group 100 in
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1452
!
ip classless
ip route 0.0.0.0 0.0.0.0 208.33.154.65
!
ip http server
ip http authentication local
ip http secure-server
ip nat inside source list 1 interface FastEthernet4 overload
ip nat inside source static tcp 192.168.1.250 80 interface FastEthernet4 80
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny   ip 208.33.154.64 0.0.0.63 any
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 101 permit tcp any eq www host 192.168.1.250 eq www
access-list 101 permit icmp any host 208.33.154.71 echo-reply
access-list 101 permit icmp any host 208.33.154.71 time-exceeded
access-list 101 permit icmp any host 208.33.154.71 unreachable
access-list 101 permit ip 10.0.0.0 0.255.255.255 any
access-list 101 permit ip 172.16.0.0 0.15.255.255 any
access-list 101 permit ip 192.168.0.0 0.0.255.255 any
access-list 101 permit ip 127.0.0.0 0.255.255.255 any
access-list 101 permit ip host 255.255.255.255 any
access-list 101 permit ip host 0.0.0.0 any
access-list 101 permit ip any any log
!
control-plane
!
!
line con 0
 no modem enable
 transport preferred all
 transport output all
line aux 0
 transport preferred all
 transport output all
line vty 0 4
 privilege level 15
 password cisco
 login authentication local
 transport preferred all
 transport input all
 transport output all
!
scheduler max-task-time 5000
end
0
Asked by: comtekso
2 Solutions
 
calvinetterCommented:
>...realized that I can telnet into it externally. Is that because of the "ip http server"?
   No - "http" is web access, not telnet.  Your ACL 101 was allowing *all* IP traffic inbound from the Internet, which includes allowing inbound telnet.
    When unfamiliar with Cisco configs & especially when modifying ACLs (access lists), you should make your changes when you're physically at the router, with console access to it.
    Getting console access to the router (instructions for an 1800 series, but basic steps apply):
http://www.cisco.com/univercd/cc/td/doc/product/access/acs_mod/1800/hw/18cable.htm#wp36501
    Or just telnet from the inside to your router.

Run these commands *in this order*:
------------------------------------------
ip inspect name OUTBOUND tcp
ip inspect name OUTBOUND ftp
ip inspect name OUTBOUND udp

  (line below assumes you want to block incoming traffic from 208.33.154.64 subnet):
access-list 199 deny ip 208.33.154.64 0.0.0.63 any
access-list 199 permit icmp any any echo-reply
access-list 199 permit icmp any any time-exceeded
access-list 199 permit icmp any any unreachable
access-list 199 permit tcp any host 208.33.154.71 eq 80
  (add line below if you want HTTPS access to router from outside - SDM access?):
access-list 199 permit tcp any host 208.33.154.71 eq 443
  (add line below IF you want to allow telnet from outside - NOT recommended):
access-list 199 permit tcp any host 208.33.154.71 eq 23

interface FastEthernet4
 no ip access-group 101 in
 no ip inspect sdm_ins_in_100 in
 no ip inspect newrule out
 ip access-group 199 in
 ip inspect OUTBOUND out
exit

no ip inspect name newrule
no ip inspect name sdm_ins_in_100

interface Vlan1
 no ip access-group 100 in  <- don't need an ACL on inside interface
exit

no access-list 100
no access-list 101

  (clear the NAT table, to ensure your static NAT entry for the web server has taken effect;
   NOTE: this will interrupt all connections in/out through your router):
clear ip nat trans *

Notes on what the above does for you:
- allows external access to web server via public IP of outside interface
- allows outbound traffic for internal hosts
- enables firewalling on outside interface to protect inside hosts
- outbound pings will work
- router will not respond to pings to outside interface

Always run "clear ip nat trans * "  _before_ adding/modifying any NAT/static NAT entries.
Once you're satisfied that things work as you like, then do "copy run start" to save config changes.

cheers
0
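The ACL behaviour described in the answer above (ACL 101 letting in everything, the suggested ACL 199 letting in only what is listed) can be checked offline. The block below is an added example, not code from this thread or from Cisco: a small Python evaluator that parses numbered extended ACL lines the way IOS matches them (top to bottom, first match wins, implicit `deny ip any any` at the end) and runs sample packets through an abridged copy of the posted ACL 101 and the suggested ACL 199 without its optional 443/23 lines. The `Packet` and `Rule` types, the `eq`-only port parsing and the sample packets are constructed for this example. The IOS fact it relies on is that the inbound ACL on the outside interface is checked before outside-to-inside NAT, so the destination the ACL sees is 208.33.154.71, never 192.168.1.250, which is why the `host 192.168.1.250` line in ACL 101 can never match.

```python
"""First-match evaluation of Cisco IOS numbered extended ACLs (added example).

IOS walks an ACL top to bottom, the first matching line decides, and a packet
matching nothing hits the implicit 'deny ip any any'. The inbound ACL on the
outside interface runs before outside-to-inside NAT, so it sees the public IP.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional

PORT_NAMES = {"www": 80, "telnet": 23, "ftp": 21, "smtp": 25, "domain": 53}


@dataclass
class Packet:                  # constructed for this example
    proto: str                 # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    icmp_type: str = ""        # "echo", "echo-reply", "unreachable", ...


@dataclass
class Rule:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    sport: Optional[int]
    dport: Optional[int]
    icmp_type: Optional[str]
    text: str


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """IOS wildcard masks are inverted netmasks: 0 bits must match, 1 bits are ignored."""
    netmask = int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF
    prefixlen = bin(netmask).count("1")
    if netmask != (0xFFFFFFFF << (32 - prefixlen)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous wildcard mask {wildcard}")
    return ipaddress.IPv4Network(f"{addr}/{prefixlen}", strict=False)


def _parse_addr(tok: list[str], i: int) -> tuple[ipaddress.IPv4Network, int]:
    if tok[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.IPv4Network(tok[i + 1] + "/32"), i + 2
    return wildcard_to_network(tok[i], tok[i + 1]), i + 2


def _parse_port(tok: list[str], i: int) -> tuple[Optional[int], int]:
    """Only 'eq' is handled; it is the only port operator the ACLs in this thread use."""
    if i < len(tok) and tok[i] == "eq":
        name = tok[i + 1]
        return (PORT_NAMES[name] if name in PORT_NAMES else int(name)), i + 2
    return None, i


def parse_acl(config: str, number: str) -> list[Rule]:
    """Collect the entries of one numbered ACL from running-config text."""
    rules = []
    for line in config.splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[:2] != ["access-list", number] or tok[2] == "remark":
            continue
        action, proto, i = tok[2], tok[3], 4
        src, i = _parse_addr(tok, i)
        sport, i = _parse_port(tok, i)
        dst, i = _parse_addr(tok, i)
        dport, i = _parse_port(tok, i)
        icmp_type = tok[i] if proto == "icmp" and i < len(tok) and tok[i] != "log" else None
        rules.append(Rule(action, proto, src, dst, sport, dport, icmp_type, line.strip()))
    return rules


def evaluate(rules: list[Rule], pkt: Packet) -> tuple[str, str]:
    """Return (action, text of the deciding line); implicit deny if nothing matches."""
    src, dst = ipaddress.IPv4Address(pkt.src), ipaddress.IPv4Address(pkt.dst)
    for r in rules:
        if r.proto != "ip" and r.proto != pkt.proto:
            continue
        if src not in r.src or dst not in r.dst:
            continue
        if r.sport is not None and r.sport != pkt.sport:
            continue
        if r.dport is not None and r.dport != pkt.dport:
            continue
        if r.icmp_type is not None and r.icmp_type != pkt.icmp_type:
            continue
        return r.action, r.text
    return "deny", "implicit deny ip any any"


# Abridged copy of the ACL 101 posted in the question, and the suggested ACL 199
# without the optional 443/23 lines.
ACL_101 = """
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 101 permit tcp any eq www host 192.168.1.250 eq www
access-list 101 permit icmp any host 208.33.154.71 echo-reply
access-list 101 permit ip 10.0.0.0 0.255.255.255 any
access-list 101 permit ip any any log
"""
ACL_199 = """
access-list 199 deny ip 208.33.154.64 0.0.0.63 any
access-list 199 permit icmp any any echo-reply
access-list 199 permit icmp any any time-exceeded
access-list 199 permit icmp any any unreachable
access-list 199 permit tcp any host 208.33.154.71 eq 80
"""

# Constructed sample packets arriving on FastEthernet4 from the Internet.
SAMPLE_PACKETS = {
    "telnet to router": Packet("tcp", "63.168.91.70", "208.33.154.71", 4000, 23),
    "http to web server": Packet("tcp", "63.168.91.70", "208.33.154.71", 4001, 80),
    "ping router": Packet("icmp", "63.168.91.70", "208.33.154.71", icmp_type="echo"),
    "spoofed 10/8 source": Packet("tcp", "10.1.2.3", "208.33.154.71", 4002, 445),
}


def compare() -> dict[str, tuple[str, str]]:
    """Decision of the old ACL 101 versus the new ACL 199 for each sample packet."""
    old, new = parse_acl(ACL_101, "101"), parse_acl(ACL_199, "199")
    return {n: (evaluate(old, p)[0], evaluate(new, p)[0]) for n, p in SAMPLE_PACKETS.items()}
```

`compare()` shows the point of the answer: the telnet packet is permitted by the final `permit ip any any log` of ACL 101 and dropped by the implicit deny of ACL 199 (until the optional `eq 23` line is added), inbound HTTP passes both, and an echo request or a packet with a spoofed 10/8 source passes ACL 101 but not ACL 199.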
 
comteksoAuthor Commented:
Great, I'll give it a try. I do want to allow telnet from outside temporarily. What is the proper command to turn it off when I no longer need it? Thanks
0
 
comteksoAuthor Commented:
clear ip nat trans *

Is not recognized - I get an "invalid input detected" at the E in clear.

Here is the config now:

Using 3255 out of 131072 bytes
!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$jJe/$ovtFpR1hDWAMCAYDcIpB10
!
username ciscotac privilege 15 password 0 cisco123
username fede privilege 15 secret 5 $1$LhYt$curu1muQj/JnmfQwW/hzc0
aaa new-model
!
!
aaa authentication login default local
aaa authentication login local local
aaa session-id common
ip subnet-zero
ip dhcp excluded-address 192.168.1.2
!
ip dhcp pool sdm-pool1
   import all
   network 192.168.1.0 255.255.255.0
   dns-server 204.117.214.10 199.2.252.10
   default-router 192.168.1.2
!
!
ip cef
ip inspect name newrule tcp timeout 3600
ip inspect name newrule http timeout 3600
ip inspect name sdm_ins_in_100 tcp timeout 3600
ip rcmd rcp-enable
no ftp-server write-enable
!
!
!
!
!
!
!
interface FastEthernet0
 no ip address
!
interface FastEthernet1
 no ip address
!
interface FastEthernet2
 no ip address
!
interface FastEthernet3
 no ip address
!
interface FastEthernet4
 description $ETH-WAN$$FW_OUTSIDE$
 ip address 208.33.154.71 255.255.255.192
 ip access-group 101 in
 ip verify unicast reverse-path
 ip inspect sdm_ins_in_100 in
 ip inspect newrule out
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
 ip address 192.168.1.2 255.255.255.0
 ip access-group 100 in
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1452
!
ip classless
ip route 0.0.0.0 0.0.0.0 208.33.154.65
!
ip http server
ip http authentication local
ip http secure-server
ip nat inside source list 1 interface FastEthernet4 overload
ip nat inside source static tcp 192.168.1.250 80 interface FastEthernet4 80
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny   ip 208.33.154.64 0.0.0.63 any
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 101 permit tcp any eq www host 192.168.1.250 eq www
access-list 101 permit icmp any host 208.33.154.71 echo-reply
access-list 101 permit icmp any host 208.33.154.71 time-exceeded
access-list 101 permit icmp any host 208.33.154.71 unreachable
access-list 101 permit ip 10.0.0.0 0.255.255.255 any
access-list 101 permit ip 172.16.0.0 0.15.255.255 any
access-list 101 permit ip 192.168.0.0 0.0.255.255 any
access-list 101 permit ip 127.0.0.0 0.255.255.255 any
access-list 101 permit ip host 255.255.255.255 any
access-list 101 permit ip host 0.0.0.0 any
access-list 101 permit ip any any log
!
control-plane
!
!
line con 0
 no modem enable
 transport preferred all
 transport output all
line aux 0
 transport preferred all
 transport output all
line vty 0 4
 privilege level 15
 password cisco
 login authentication local
 transport preferred all
 transport input all
 transport output all
!
scheduler max-task-time 5000
end
0
 
comteksoAuthor Commented:
Sorry, wrong config posted above. Here is the correct one:

Using 2408 out of 131072 bytes
!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$jJe/$ovtFpR1hDWAMCAYDcIpB10
!
username xxxxxxxx privilege 15 password 0 cisco123
username xxxxxxx privilege 15 secret 5 $1$LhYt$curu1muQj/JnmfQwW/hzc0
aaa new-model
!
!
aaa authentication login default local
aaa authentication login local local
aaa session-id common
ip subnet-zero
ip dhcp excluded-address 192.168.1.2
!
ip dhcp pool sdm-pool1
   import all
   network 192.168.1.0 255.255.255.0
   dns-server 204.117.214.10 199.2.252.10
   default-router 192.168.1.2
!
!
ip cef
ip inspect name OUTBOUND tcp
ip inspect name OUTBOUND ftp
ip inspect name OUTBOUND udp
ip rcmd rcp-enable
no ftp-server write-enable
!
!
!
!
!
!
!
interface FastEthernet0
 no ip address
!
interface FastEthernet1
 no ip address
!
interface FastEthernet2
 no ip address
!
interface FastEthernet3
 no ip address
!
interface FastEthernet4
 description $ETH-WAN$$FW_OUTSIDE$
 ip address 208.33.154.71 255.255.255.192
 ip access-group 199 in
 ip verify unicast reverse-path
 ip inspect OUTBOUND out
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
 ip address 192.168.1.2 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1452
!
ip classless
ip route 0.0.0.0 0.0.0.0 208.33.154.65
!
ip http server
ip http authentication local
ip http secure-server
ip nat inside source list 1 interface FastEthernet4 overload
ip nat inside source static tcp 192.168.1.250 80 interface FastEthernet4 80
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 199 deny   ip 208.33.154.64 0.0.0.63 any
access-list 199 permit icmp any any echo-reply
access-list 199 permit icmp any any time-exceeded
access-list 199 permit icmp any any unreachable
access-list 199 permit tcp any host 208.33.154.71 eq www
access-list 199 permit tcp any host 208.33.154.71 eq telnet
!
control-plane
!
!
line con 0
 no modem enable
 transport preferred all
 transport output all
line aux 0
 transport preferred all
 transport output all
line vty 0 4
 privilege level 15
 password cisco
 login authentication local
 transport preferred all
 transport input all
 transport output all
!
scheduler max-task-time 5000
end
0
 
mikebernhardtCommented:
I think that you were correct, "ip http server" should be changed to "no ip http server" because the router is responding directly to those requests. You might even need to turn off http secure server, at least to test.
0
 
calvinetterCommented:
Exactly right mike - router needs to *not* respond to port 80 requests, since the static nat is using the router's interface IP.
0
 
comteksoAuthor Commented:
OK I removed the "ip http server" and saved the config. Still nothing when I type 208.33.154.71 into my browser... it times out.

I am able to type the IP into a browser locally and get the web site.

I haven't been able to get the command "clear ip nat trans *" to work. That wouldn't affect anything, would it?

0
 
mikebernhardtCommented:
I believe that trying to get to the web server via the router's outside address and NAT will never work- this question has come up before many times. You need to try it from a remote site- have a friend try it from their desk at another company or try it from home tonight.

Try "clear ip nat trans ?" to see what the options are in your IOS. Even if you don't need it for this, you need to be able to do it.
0
 
calvinetterCommented:
>Still nothing when I type 208.33.154.71 into my browser...
  This won't work if you're trying from a PC behind the same router, on the same LAN as the internal server. As mike said, you'll need to test from a PC at an external location outside your router for this to be a valid test.

The command: clear ip nat trans *  (note the asterisk) won't work if you're in config mode.  You must be in plain old "privileged mode", ie:
  router# clear ip nat trans *
  router(config)#  <-- won't work in config mode

BTW, the asterisk tells the router to clear all NAT entries, all protocols, etc.
cheers
0
 
comteksoAuthor Commented:
When typing the IP address from an external pc, it times out.
0
 
mikebernhardtCommented:
OK. First, remove "ip inspect OUTBOUND out" from FastEthernet4. There's no need to control outbound traffic unless you have specific services you want to deny your users.

Also, though it shouldn't affect this problem, these lines in your access list are highly questionable:

access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 101 permit tcp any eq www host 192.168.1.250 eq www

access-list 101 permit ip 10.0.0.0 0.255.255.255 any
access-list 101 permit ip 172.16.0.0 0.15.255.255 any
access-list 101 permit ip 192.168.0.0 0.0.255.255 any
access-list 101 permit ip 127.0.0.0 0.255.255.255 any
access-list 101 permit ip host 255.255.255.255 any
access-list 101 permit ip host 0.0.0.0 any

The only reason anything works is because of the last line. The first 2 are useless because you are allowing traffic to a private address from the outside, but NAT changes it. The rest are all networks that should be DENIED, not allowed.

Once this is working you should read up on ip inspect and configure your inbound inspect list so that it will permit the required traffic.
0
 
calvinetterCommented:
>OK. First, remove "ip inspect OUTBOUND out" from FastEthernet4. There's no need to control outbound traffic...
  hi Mike... Ah, actually he'll want ip inspection for outbound traffic on the WAN interface, since he's trying to use CBAC.  Else he'd have to use "ip inspect OUTBOUND in" on the LAN interface.

comtekso, you still haven't disabled the http server on the router, as Mike pointed out before.  Run this before testing access to the web server again:
  no ip http server

cheers all
0
 
comteksoAuthor Commented:
" no ip http server " is in there in the vlan section:

interface FastEthernet4
 description $ETH-WAN$$FW_OUTSIDE$
 ip address 208.33.154.71 255.255.255.192
 ip access-group 199 in
 ip verify unicast reverse-path
 ip inspect OUTBOUND out
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
 ip address 192.168.1.2 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1452
!
ip classless
ip route 0.0.0.0 0.0.0.0 208.33.154.65
!
no ip http server
ip http authentication local
ip http secure-server
ip nat inside source list 1 interface FastEthernet4 overload
ip nat inside source static tcp 192.168.1.250 80 interface FastEthernet4 80
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 199 deny   ip 208.33.154.64 0.0.0.63 any
access-list 199 permit icmp any any echo-reply
access-list 199 permit icmp any any time-exceeded
access-list 199 permit icmp any any unreachable
access-list 199 permit tcp any host 208.33.154.71 eq www
access-list 199 permit tcp any host 208.33.154.71 eq telnet
!
control-plane
0
 
mikebernhardtCommented:
Oh, yeh :-)

comtekso, please temporarily remove your access lists and have someone try it from outside. If it doesn't work, turn on NAT debugging

term mon (not needed if you're on the router console)
debug ip nat

That should give us a lot of info to see why it isn't working. and if it is, then we know the problem is your access control.
0
 
comteksoAuthor Commented:
I am working on it from an external site. It is still timing out after removing the access-list. I turned on the debug ip nat; how do I get the info?

Also, before I started making changes I was able to type in the external IP into a browser when I was on the LAN and get the web site, but now I can't.

Thanks for the help so far.

Here is what I have now:

interface FastEthernet4
 description $ETH-WAN$$FW_OUTSIDE$
 ip address 208.33.154.71 255.255.255.192
 ip access-group 199 in
 ip verify unicast reverse-path
 ip inspect OUTBOUND out
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
 ip address 192.168.1.2 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1452
!
ip classless
ip route 0.0.0.0 0.0.0.0 208.33.154.65
!
no ip http server
ip http authentication local
ip http secure-server
ip nat inside source list 1 interface FastEthernet4 overload
ip nat inside source static tcp 192.168.1.250 80 interface FastEthernet4 80
!
!
control-plane
0
 
calvinetterCommented:
 Wait a minute...  Run this:
int FastEthernet4
no ip access-group 199 in

no access-list 199
access-list 199 permit icmp any any echo-reply
access-list 199 permit icmp any any time-exceeded
access-list 199 permit icmp any any unreachable
access-list 199 permit tcp any host 208.33.154.71 eq 80
access-list 199 permit tcp any host 208.33.154.71 eq 23

int FastEthernet4
ip access-group 199 in
0
 
comteksoAuthor Commented:
OK, I have entered the above commands. I am still not able to access the web server externally. I can access the router via telnet. How can I tell what the router is doing with the requests? I double checked the local IP address of the web server; I can enter it locally and access the web server. Would it help to set up a Remote Desktop Connection to another computer on the LAN to see if I can gain access to it? Here is the current running config:

Using 2401 out of 131072 bytes
!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$jJe/$ovtFpR1hDWAMCAYDcIpB10
!
username xxxxxxx privilege 15 password 0 cisco123
username xxxxxxxx privilege 15 secret 5 $1$LhYt$curu1muQj/JnmfQwW/hzc0
aaa new-model
!
!
aaa authentication login default local
aaa authentication login local local
aaa session-id common
ip subnet-zero
ip dhcp excluded-address 192.168.1.2
!
ip dhcp pool sdm-pool1
   import all
   network 192.168.1.0 255.255.255.0
   dns-server 204.117.214.10 199.2.252.10
   default-router 192.168.1.2
!
!
ip cef
ip inspect name OUTBOUND tcp
ip inspect name OUTBOUND ftp
ip inspect name OUTBOUND udp
ip rcmd rcp-enable
no ftp-server write-enable
!
!
!
!
!
!
!
interface FastEthernet0
 no ip address
!
interface FastEthernet1
 no ip address
!
interface FastEthernet2
 no ip address
!
interface FastEthernet3
 no ip address
!
interface FastEthernet4
 description $ETH-WAN$$FW_OUTSIDE$
 ip address 208.33.154.71 255.255.255.192
 ip access-group 199 in
 ip verify unicast reverse-path
 ip inspect OUTBOUND out
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
 ip address 192.168.1.2 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1452
!
ip classless
ip route 0.0.0.0 0.0.0.0 208.33.154.65
!
no ip http server
ip http authentication local
no ip http secure-server
ip nat inside source list 1 interface FastEthernet4 overload
ip nat inside source static tcp 192.168.1.250 80 interface FastEthernet4 80
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 101 permit ip host 0.0.0.0 any
access-list 199 permit icmp any any echo-reply
access-list 199 permit icmp any any time-exceeded
access-list 199 permit icmp any any unreachable
access-list 199 permit tcp any host 208.33.154.71 eq www
access-list 199 permit tcp any host 208.33.154.71 eq telnet
!
control-plane
!
!
line con 0
 no modem enable
 transport preferred all
 transport output all
line aux 0
 transport preferred all
 transport output all
line vty 0 4
 privilege level 15
 password xxxxxxxxx
 login authentication local
 transport preferred all
 transport input all
 transport output all
!
scheduler max-task-time 5000
end
0
 
mikebernhardtCommented:
That's where you'll want to debug nat. You can limit the output by doing this:

config t
access-list 30 permit host 192.168.1.250
end

debug ip nat 30
term mon

Do the above while telnetted to the router, then try to access your web server. You should see some output. Post it here.
0
 
comteksoAuthor Commented:
Here is what I get after two attempts:

*May 26 01:34:13.051: NAT*: s=63.168.91.70, d=208.33.154.71->192.168.1.250 [47053]
*May 26 01:34:15.907: NAT*: s=63.168.91.70, d=208.33.154.71->192.168.1.250 [47055]
*May 26 01:34:21.943: NAT*: s=63.168.91.70, d=208.33.154.71->192.168.1.250 [47057]
*May 26 01:34:33.931: NAT*: s=63.168.91.70, d=208.33.154.71->192.168.1.250 [47070]
*May 26 01:35:21.927: NAT: expiring 208.33.154.71 (192.168.1.250) tcp 80 (80)
*May 26 01:35:34.215: NAT: expiring 208.33.154.71 (192.168.1.250) tcp 80 (80)
*May 26 01:37:12.991: NAT*: s=63.168.91.70, d=208.33.154.71->192.168.1.250 [47168]
*May 26 01:37:16.003: NAT*: s=63.168.91.70, d=208.33.154.71->192.168.1.250 [47170]
*May 26 01:37:22.043: NAT*: s=63.168.91.70, d=208.33.154.71->192.168.1.250 [47172]
*May 26 01:38:22.187: NAT: expiring 208.33.154.71 (192.168.1.250) tcp 80 (80)
0
 
mikebernhardtCommented:
OK, run this then:
debug ip nat 30 detail

That will give us a lot more info. But what it looks like is that it is being translated, but replies aren't making it back into NAT. That's why I suggested removing all the access list, inspects, etc. so we can isolate the problem.
0
 
comteksoAuthor Commented:
OK here is what I have now:


Router#term mon
Router#
*May 26 01:54:16.627: %LINK-3-UPDOWN: Interface FastEthernet2, changed state to up
*May 26 01:54:17.271: NAT*: o: tcp (63.168.91.70, 4172) -> (208.33.154.71, 80) [48240]
*May 26 01:54:17.271: NAT*: o: tcp (63.168.91.70, 4172) -> (208.33.154.71, 80) [48240]
*May 26 01:54:17.271: NAT*: s=63.168.91.70, d=208.33.154.71->192.168.1.250 [48240]
*May 26 01:54:18.915: %LINK-3-UPDOWN: Interface FastEthernet2, changed state to up
*May 26 01:54:19.915: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet2, changed state to up
*May 26 01:54:20.247: NAT*: o: tcp (63.168.91.70, 4172) -> (208.33.154.71, 80) [48243]
*May 26 01:54:20.247: NAT*: s=63.168.91.70, d=208.33.154.71->192.168.1.250 [48243]
*May 26 01:54:23.407: NAT: Allocated Port for 192.168.1.3 -> 208.33.154.71: wanted 1595 got 1595
*May 26 01:54:26.283: NAT*: o: tcp (63.168.91.70, 4172) -> (208.33.154.71, 80) [48249]
*May 26 01:54:26.283: NAT*: s=63.168.91.70, d=208.33.154.71->192.168.1.250 [48249]
*May 26 01:54:43.283: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet2, changed state to down
*May 26 01:54:44.287: %LINK-3-UPDOWN: Interface FastEthernet2, changed state to up
*May 26 01:54:45.287: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet2, changed state to up
*May 26 01:54:53.407: NAT: Allocated Port for 192.168.1.3 -> 208.33.154.71: wanted 137 got 25
*May 26 01:54:57.947: NAT: Allocated Port for 192.168.1.3 -> 208.33.154.71: wanted 1597 got 1597
*May 26 01:55:26.699: NAT: expiring 208.33.154.71 (192.168.1.250) tcp 80 (80)
*May 26 01:55:27.947: NAT: Allocated Port for 192.168.1.3 -> 208.33.154.71: wanted 137 got 26
*May 26 01:55:29.331: NAT: Allocated Port for 192.168.1.6 -> 208.33.154.71: wanted 1031 got 1031
*May 26 01:55:32.487: NAT: Allocated Port for 192.168.1.3 -> 208.33.154.71: wanted 1599 got 1599
*May 26 01:55:33.911: NAT: Allocated Port for 192.168.1.6 -> 208.33.154.71: wanted 1033 got 1033
*May 26 01:55:34.399: NAT: Allocated Port for 192.168.1.6 -> 208.33.154.71: wanted 1034 got 1034
*May 26 01:55:35.775: NAT: Allocated Port for 192.168.1.6 -> 208.33.154.71: wanted 1036 got 1036
*May 26 01:56:02.487: NAT: Allocated Port for 192.168.1.3 -> 208.33.154.71: wanted 137 got 27
*May 26 01:56:07.051: NAT: Allocated Port for 192.168.1.3 -> 208.33.154.71: wanted 1601 got 1601
*May 26 01:56:17.895: NAT: Allocated Port for 192.168.1.6 -> 208.33.154.71: wanted 1045 got 1045
*May 26 01:56:18.451: NAT: Allocated Port for 192.168.1.6 -> 208.33.154.71: wanted 1049 got 1049
*May 26 01:56:21.267: NAT: Allocated Port for 192.168.1.6 -> 208.33.154.71: wanted 1055 got 1055
*May 26 01:56:22.323: NAT: Allocated Port for 192.168.1.6 -> 208.33.154.71: wanted 512 got 512
*May 26 01:56:22.379: NAT: Allocated Port for 192.168.1.6 -> 208.33.154.71: wanted 1056 got 1056
*May 26 01:56:23.227: NAT: Allocated Port for 192.168.1.6 -> 208.33.154.71: wanted 1057 got 1057
*May 26 01:56:23.315: NAT: Allocated Port for 192.168.1.6 -> 208.33.154.71: wanted 1058 got 1058
*May 26 01:56:30.619: NAT: Allocated Port for 192.168.1.6 -> 208.33.154.71: wanted 1067 got 1067
*May 26 01:56:41.571: NAT: Allocated Port for 192.168.1.3 -> 208.33.154.71: wanted 1602 got 1602
*May 26 01:56:42.355: NAT: Allocated Port for 192.168.1.6 -> 208.33.154.71: wanted 1069 got 1069
*May 26 01:56:42.479: NAT: Allocated Port for 192.168.1.6 -> 208.33.154.71: wanted 1070 got 1070
*May 26 01:56:42.511: NAT: Allocated Port for 192.168.1.6 -> 208.33.154.71: wanted 1071 got 1071
0
 
mikebernhardtCommented:
Just to make sure we're not missing something, do this:
u all [turns off debugging]
debug ip nat detail

and try again. But then try at the very least adding this line to the config temporarily:
access-list 199 permit tcp any any eq www
0
 
mikebernhardtCommented:
It looks to me like your inbound session is NATting fine, but no traffic is coming back and it never gets Natted back out.
0
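To make the reading of the debug output above reproducible, here is an added example, not code from the thread or from Cisco: a Python parser that attributes `debug ip nat detail` lines to inside hosts and flags any host that was translated inbound but never sent a packet back out. The two regular expressions are assumptions fitted to the line shapes posted above (`o:` for a packet arriving on the outside interface, `i:` for one arriving on the inside, and the `d=<public>-><inside>` record that follows an outside-to-inside translation); the sample lines are copied from that posted output, so the result should match the diagnosis: 192.168.1.6 shows both directions of its SMTP session, 192.168.1.250 shows only inbound packets.

```python
"""Attribute 'debug ip nat detail' output to inside hosts and flag one-way translations.

Added example; the regexes are fitted to the line shapes posted in this thread.
"""
from __future__ import annotations

import re
from collections import defaultdict

# 'o:' = packet arriving on the outside interface, 'i:' = packet arriving on the inside.
PKT_RE = re.compile(
    r"NAT\*?: (?P<dir>[io]): (?P<proto>\w+) \((?P<src>[\d.]+), (?P<sport>\d+)\)"
    r" -> \((?P<dst>[\d.]+), (?P<dport>\d+)\)\s*\[(?P<id>\d+)\]"
)
# Translation record printed after an outside->inside packet: public dst rewritten to inside host.
XLATE_IN_RE = re.compile(
    r"NAT\*?: s=(?P<src>[\d.]+), d=(?P<public>[\d.]+)->(?P<inside>[\d.]+) \[(?P<id>\d+)\]"
)

# Lines copied from the debug output posted in this thread (not a live capture).
SAMPLE_DEBUG = """\
*May 26 02:49:22.875: NAT*: o: tcp (63.168.91.70, 4358) -> (208.33.154.71, 80) [53202]
*May 26 02:49:22.875: NAT*: o: tcp (63.168.91.70, 4358) -> (208.33.154.71, 80) [53202]
*May 26 02:49:22.875: NAT*: s=63.168.91.70, d=208.33.154.71->192.168.1.250 [53202]
*May 26 02:49:24.419: NAT*: i: tcp (192.168.1.6, 1057) -> (216.155.193.169, 25)[8310]
*May 26 02:49:24.419: NAT*: s=192.168.1.6->208.33.154.71, d=216.155.193.169 [8310]
*May 26 02:49:24.699: NAT*: o: tcp (216.155.193.169, 25) -> (208.33.154.71, 1057) [11971]
*May 26 02:49:24.699: NAT*: s=216.155.193.169, d=208.33.154.71->192.168.1.6 [11971]
*May 26 02:49:25.891: NAT*: o: tcp (63.168.91.70, 4358) -> (208.33.154.71, 80) [53206]
*May 26 02:49:25.891: NAT*: s=63.168.91.70, d=208.33.154.71->192.168.1.250 [53206]
*May 26 02:49:31.827: NAT*: o: tcp (63.168.91.70, 4358) -> (208.33.154.71, 80) [53228]
*May 26 02:49:31.827: NAT*: s=63.168.91.70, d=208.33.154.71->192.168.1.250 [53228]
*May 26 02:55:26.699: NAT: expiring 208.33.154.71 (192.168.1.250) tcp 80 (80)
"""


def summarize(debug_text: str) -> dict[str, dict[str, set]]:
    """Return {inside_host: {"in": ip ids, "out": ip ids, "services": (proto, port)}}.

    'in'  = packets that arrived on the outside interface and were translated to this host
    'out' = packets this host sent that were translated on the way out
    IP ids are the keys so the duplicated 'o:' lines the debug prints count once.
    """
    flows = defaultdict(lambda: {"in": set(), "out": set(), "services": set()})
    pending = {}  # ip id -> (proto, public dport) of an 'o:' packet awaiting its translation line
    for line in debug_text.splitlines():
        m = PKT_RE.search(line)
        if m:
            if m["dir"] == "i":
                flows[m["src"]]["out"].add(int(m["id"]))
            else:
                pending[int(m["id"])] = (m["proto"], int(m["dport"]))
            continue
        m = XLATE_IN_RE.search(line)
        if m and int(m["id"]) in pending:
            flows[m["inside"]]["in"].add(int(m["id"]))
            flows[m["inside"]]["services"].add(pending.pop(int(m["id"])))
    return dict(flows)


def one_way_hosts(flows: dict[str, dict[str, set]]) -> list[str]:
    """Inside hosts that received translated packets but never sent anything back."""
    return sorted(h for h, f in flows.items() if f["in"] and not f["out"])


if __name__ == "__main__":
    flows = summarize(SAMPLE_DEBUG)
    for host, f in sorted(flows.items()):
        print(f"{host:15s} in={len(f['in'])} out={len(f['out'])} services={sorted(f['services'])}")
    print("translated in, no reply:", one_way_hosts(flows))
```

A host that appears in `one_way_hosts()` is receiving the translated SYNs, so NAT and the inbound ACL are not the problem; the next things to check are on the host side (is it listening on that port, does its default gateway point at 192.168.1.2, is a host firewall dropping the traffic).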
 
comteksoAuthor Commented:
Here is the NAT detail without the access-list addition and then, following that, with the access-list addition.

Router#term mon
Router#
*May 26 02:49:22.027: NAT: i: tcp (192.168.1.3, 1731) -> (10.81.10.10, 139) [7190]
*May 26 02:49:22.027: NAT: s=192.168.1.3->208.33.154.71, d=10.81.10.10 [7190]
*May 26 02:49:22.131: NAT: expiring 208.33.154.71 (192.168.1.3) tcp 1727 (1727)
*May 26 02:49:22.875: NAT*: o: tcp (63.168.91.70, 4358) -> (208.33.154.71, 80) [53202]
*May 26 02:49:22.875: NAT*: o: tcp (63.168.91.70, 4358) -> (208.33.154.71, 80) [53202]
*May 26 02:49:22.875: NAT*: s=63.168.91.70, d=208.33.154.71->192.168.1.250 [53202]
*May 26 02:49:24.107: NAT*: i: tcp (192.168.1.3, 1732) -> (10.1.10.80, 82) [7446]
*May 26 02:49:24.107: NAT*: s=192.168.1.3->208.33.154.71, d=10.1.10.80 [7446]
*May 26 02:49:24.419: NAT*: i: tcp (192.168.1.6, 1057) -> (216.155.193.169, 25)[8310]
*May 26 02:49:24.419: NAT*: s=192.168.1.6->208.33.154.71, d=216.155.193.169 [8310]
*May 26 02:49:24.699: NAT*: o: tcp (216.155.193.169, 25) -> (208.33.154.71, 1057) [11971]
*May 26 02:49:24.699: NAT*: s=216.155.193.169, d=208.33.154.71->192.168.1.6 [11971]
*May 26 02:49:25.891: NAT*: o: tcp (63.168.91.70, 4358) -> (208.33.154.71, 80) [53206]
*May 26 02:49:25.891: NAT*: s=63.168.91.70, d=208.33.154.71->192.168.1.250 [53206]
*May 26 02:49:28.923: NAT: Allocated Port for 192.168.1.3 -> 208.33.154.71: wanted 137 got 18
*May 26 02:49:28.923: NAT: i: tcp (192.168.1.3, 1731) -> (10.81.10.10, 139) [56087]
*May 26 02:49:28.923: NAT: s=192.168.1.3->208.33.154.71, d=10.81.10.10 [56087]
*May 26 02:49:28.923: NAT: i: udp (192.168.1.3, 137) -> (10.81.10.10, 137) [7702]
*May 26 02:49:28.923: NAT: UDP s=137->18, d=137
*May 26 02:49:28.923: NAT: s=192.168.1.3->208.33.154.71, d=10.81.10.10 [7702]
*May 26 02:49:30.419: NAT: i: udp (192.168.1.3, 137) -> (10.81.10.10, 137) [7958]
*May 26 02:49:30.419: NAT: UDP s=137->18, d=137
*May 26 02:49:30.419: NAT: s=192.168.1.3->208.33.154.71, d=10.81.10.10 [7958]
*May 26 02:49:31.827: NAT*: o: tcp (63.168.91.70, 4358) -> (208.33.154.71, 80) [53228]
*May 26 02:49:31.827: NAT*: s=63.168.91.70, d=208.33.154.71->192.168.1.250 [53228]
*May 26 02:49:31.919: NAT: i: udp (192.168.1.3, 137) -> (10.81.10.10, 137) [8214]
*May 26 02:49:31.919: NAT: UDP s=137->18, d=137
*May 26 02:49:31.919: NAT: s=192.168.1.3->208.33.154.71, d=10.81.10.10 [8214]
*May 26 02:49:33.463: NAT: Allocated Port for 192.168.1.3 -> 208.33.154.71: wanted 1734 got 1734
*May 26 02:49:33.463: NAT: i: tcp (192.168.1.3, 1734) -> (10.61.10.10, 139) [8470]
*May 26 02:49:33.463: NAT: s=192.168.1.3->208.33.154.71, d=10.61.10.10 [8470]
*May 26 02:49:36.687: NAT: i: tcp (192.168.1.3, 1734) -> (10.61.10.10, 139) [8726]
*May 26 02:49:36.687: NAT: s=192.168.1.3->208.33.154.71, d=10.61.10.10 [8726]
*May 26 02:49:37.235: NAT*: i: tcp (192.168.1.3, 1732) -> (10.1.10.80, 82) [8982]
*May 26 02:49:37.235: NAT*: s=192.168.1.3->208.33.154.71, d=10.1.10.80 [8982]
*May 26 02:49:40.051: NAT: expiring 208.33.154.71 (192.168.1.3) tcp 1729 (1729)
*May 26 02:49:41.075: NAT: expiring 208.33.154.71 (192.168.1.3) udp 12 (137)
*May 26 02:49:43.251: NAT: i: tcp (192.168.1.3, 1734) -> (10.61.10.10, 139) [9238]
*May 26 02:49:43.251: NAT: s=192.168.1.3->208.33.154.71, d=10.61.10.10 [9238]
*May 26 02:49:44.263: NAT: i: tcp (192.168.1.3, 1732) -> (10.1.10.80, 82) [56096]
*May 26 02:49:44.263: NAT: s=192.168.1.3->208.33.154.71, d=10.1.10.80 [56096]
*May 26 02:49:54.899: NAT: expiring 208.33.154.71 (192.168.1.3) tcp 1730 (1730)
*May 26 02:49:56.379: NAT: i: tcp (192.168.1.3, 1734) -> (10.61.10.10, 139) [9750]
*May 26 02:49:56.379: NAT: s=192.168.1.3->208.33.154.71, d=10.61.10.10 [9750]
*May 26 02:50:03.463: NAT: Allocated Port for 192.168.1.3 -> 208.33.154.71: wanted 137 got 19
*May 26 02:50:03.463: NAT: i: tcp (192.168.1.3, 1734) -> (10.61.10.10, 139) [56102]
*May 26 02:50:03.463: NAT: s=192.168.1.3->208.33.154.71, d=10.61.10.10 [56102]
*May 26 02:50:03.463: NAT: i: udp (192.168.1.3, 137) -> (10.61.10.10, 137) [10006]
*May 26 02:50:03.463: NAT: UDP s=137->19, d=137
*May 26 02:50:03.463: NAT: s=192.168.1.3->208.33.154.71, d=10.61.10.10 [10006]
*May 26 02:50:03.491: NAT: Allocated Port for 192.168.1.3 -> 208.33.154.71: wanted 1736 got 1736
*May 26 02:50:03.491: NAT*: i: tcp (192.168.1.3, 1736) -> (10.1.10.80, 82) [10262]
*May 26 02:50:03.491: NAT*: i: tcp (192.168.1.3, 1736) -> (10.1.10.80, 82) [10262]
*May 26 02:50:03.491: NAT*: s=192.168.1.3->208.33.154.71, d=10.1.10.80 [10262]
*May 26 02:50:04.959: NAT: i: udp (192.168.1.3, 137) -> (10.61.10.10, 137) [10518]
*May 26 02:50:04.959: NAT: UDP s=137->19, d=137
*May 26 02:50:04.959: NAT: s=192.168.1.3->208.33.154.71, d=10.61.10.10 [10518]
*May 26 02:50:06.459: NAT: i: udp (192.168.1.3, 137) -> (10.61.10.10, 137) [10774]
*May 26 02:50:06.459: NAT: UDP s=137->19, d=137
*May 26 02:50:06.459: NAT: s=192.168.1.3->208.33.154.71, d=10.61.10.10 [10774]
*May 26 02:50:06.771: NAT*: i: tcp (192.168.1.3, 1736) -> (10.1.10.80, 82) [11030]
*May 26 02:50:06.771: NAT*: s=192.168.1.3->208.33.154.71, d=10.1.10.80 [11030]
Router#exit

===================================================================
===================================================================
===================================================================
Wow that started spitting out all kinds of data!
With the access-list addition:

07]
*May 26 02:56:18.383: NAT*: s=192.168.1.6->208.33.154.71, d=66.94.230.134 [907]
*May 26 02:56:18.383: NAT*: i: tcp (192.168.1.6, 1110) -> (66.94.230.134, 80) [908]
*May 26 02:56:18.383: NAT*: s=192.168.1.6->208.33.154.71, d=66.94.230.134 [908]
*May 26 02:56:18.383: NAT*: i: tcp (192.168.1.6, 1111) -> (209.62.180.90, 80) [910]
*May 26 02:56:18.383: NAT*: s=192.168.1.6->208.33.154.71, d=209.62.180.90 [910]
*May 26 02:56:18.387: NAT*: i: tcp (192.168.1.6, 1087) -> (205.188.97.54, 80) [912]
*May 26 02:56:18.387: NAT*: s=192.168.1.6->208.33.154.71, d=205.188.97.54 [912]
*May 26 02:56:18.387: NAT*: i: tcp (192.168.1.6, 1094) -> (64.236.41.79, 80) [914]
*May 26 02:56:18.387: NAT*: s=192.168.1.6->208.33.154.71, d=64.236.41.79 [914]
*May 26 02:56:18.791: NAT*: o: tcp (209.62.180.90, 80) -> (208.33.154.71, 1111)[3684]
*May 26 02:56:18.791: NAT*: s=209.62.180.90, d=208.33.154.71->192.168.1.6 [3684]
*May 26 02:56:18.791: NAT*: o: tcp (66.94.230.134, 80) -> (208.33.154.71, 1110)[56681]
*May 26 02:56:18.795: NAT*: s=66.94.230.134, d=208.33.154.71->192.168.1.6 [56681]
*May 26 02:56:18.795: NAT*: o: tcp (66.94.230.134, 80) -> (208.33.154.71, 1110)[56682]
*May 26 02:56:18.795: NAT*: s=66.94.230.134, d=208.33.154.71->192.168.1.6 [56682]
*May 26 02:56:18.795: NAT*: o: tcp (205.188.97.54, 80) -> (208.33.154.71, 1087)[56626]
*May 26 02:56:18.795: NAT*: s=205.188.97.54, d=208.33.154.71->192.168.1.6 [56626]
*May 26 02:56:18.795: NAT*: i: tcp (192.168.1.6, 1111) -> (209.62.180.90, 80) [917]
*May 26 02:56:18.795: NAT*: s=192.168.1.6->208.33.154.71, d=209.62.180.90 [917]
*May 26 02:56:18.795: NAT*: i: tcp (192.168.1.6, 1110) -> (66.94.230.134, 80) [918]
*May 26 02:56:18.799: NAT*: s=192.168.1.6->208.33.154.71, d=66.94.230.134 [918]
*May 26 02:56:18.827: NAT*: i: tcp (192.168.1.6, 1111) -> (209.62.180.90, 80) [919]
*May 26 02:56:18.827: NAT*: s=192.168.1.6->208.33.154.71, d=209.62.180.90 [919]
*May 26 02:56:18.863: NAT*: i: tcp (192.168.1.6, 1110) -> (66.94.230.134, 80) [920]
*May 26 02:56:18.863: NAT*: s=192.168.1.6->208.33.154.71, d=66.94.230.134 [920]
*May 26 02:56:18.883: NAT*: o: tcp (209.62.180.90, 80) -> (208.33.154.71, 1111)[3935]
*May 26 02:56:18.883: NAT*: s=209.62.180.90, d=208.33.154.71->192.168.1.6 [3935]
*May 26 02:56:18.947: NAT*: i: tcp (192.168.1.6, 1087) -> (205.188.97.54, 80) [922]
*May 26 02:56:18.947: NAT*: s=192.168.1.6->208.33.154.71, d=205.188.97.54 [922]
*May 26 02:56:18.979: NAT*: o: tcp (66.94.230.134, 80) -> (208.33.154.71, 1110)[56763]
*May 26 02:56:18.979: NAT*: s=66.94.230.134, d=208.33.154.71->192.168.1.6 [56763]
*May 26 02:56:19.039: NAT*: o: tcp (205.188.97.54, 80) -> (208.33.154.71, 1087)[20754]
*May 26 02:56:19.043: NAT*: s=205.188.97.54, d=208.33.154.71->192.168.1.6 [20754]
*May 26 02:56:19.083: NAT*: o: tcp (205.188.97.54, 80) -> (208.33.154.71, 1087)[62822]
*May 26 02:56:19.083: NAT*: s=205.188.97.54, d=208.33.154.71->192.168.1.6 [62822]
*May 26 02:56:19.095: NAT*: o: tcp (205.188.97.54, 80) -> (208.33.154.71, 1087)[63078]
*May 26 02:56:19.095: NAT*: s=205.188.97.54, d=208.33.154.71->192.168.1.6 [63078]
*May 26 02:56:19.095: NAT*: i: tcp (192.168.1.6, 1087) -> (205.188.97.54, 80) [925]
*May 26 02:56:19.095: NAT*: s=192.168.1.6->208.33.154.71, d=205.188.97.54 [925]
*May 26 02:56:19.379: NAT*: i: tcp (192.168.1.6, 1093) -> (64.236.41.79, 80) [926]
*May 26 02:56:19.379: NAT*: s=192.168.1.6->208.33.154.71, d=64.236.41.79 [926]
*May 26 02:56:19.483: NAT*: i: tcp (192.168.1.6, 1099) -> (64.236.41.79, 80) [928]
*May 26 02:56:19.483: NAT*: s=192.168.1.6->208.33.154.71, d=64.236.41.79 [928]
*May 26 02:56:19.499: NAT*: o: tcp (64.236.41.79, 80) -> (208.33.154.71, 1093) [37352]
*May 26 02:56:19.499: NAT*: s=64.236.41.79, d=208.33.154.71->192.168.1.6 [37352]
*May 26 02:56:19.515: NAT*: i: tcp (192.168.1.6, 1098) -> (64.236.41.79, 80) [931]
*May 26 02:56:19.515: NAT*: s=192.168.1.6->208.33.154.71, d=64.236.41.79 [931]
*May 26 02:56:19.543: NAT*: i: tcp (192.168.1.6, 1094) -> (64.236.41.79, 80) [933]
*May 26 02:56:19.543: NAT*: s=192.168.1.6->208.33.154.71, d=64.236.41.79 [933]
*May 26 02:56:19.583: NAT: i: udp (192.168.1.6, 1031) -> (199.2.252.10, 53) [916]
*May 26 02:56:19.587: NAT: s=192.168.1.6->208.33.154.71, d=199.2.252.10 [916]
*May 26 02:56:19.599: NAT: i: udp (192.168.1.6, 1055) -> (199.2.252.10, 53) [921]
*May 26 02:56:19.599: NAT: s=192.168.1.6->208.33.154.71, d=199.2.252.10 [921]
*May 26 02:56:19.599: NAT: i: udp (192.168.1.6, 1085) -> (199.2.252.10, 53) [924]
*May 26 02:56:19.599: NAT: s=192.168.1.6->208.33.154.71, d=199.2.252.10 [924]
*May 26 02:56:19.599: NAT: i: udp (192.168.1.6, 1082) -> (199.2.252.10, 53) [930]
*May 26 02:56:19.599: NAT: s=192.168.1.6->208.33.154.71, d=199.2.252.10 [930]
*May 26 02:56:19.743: NAT*: o: tcp (64.236.41.79, 80) -> (208.33.154.71, 1099) [1701]
*May 26 02:56:19.743: NAT*: s=64.236.41.79, d=208.33.154.71->192.168.1.6 [1701]
*May 26 02:56:20.543: NAT: i: udp (192.168.1.6, 1031) -> (199.2.252.10, 53) [939]
*May 26 02:56:20.547: NAT: s=192.168.1.6->208.33.154.71, d=199.2.252.10 [939]
*May 26 02:56:20.547: NAT: i: udp (192.168.1.6, 1055) -> (199.2.252.10, 53) [942]
*May 26 02:56:20.547: NAT: s=192.168.1.6->208.33.154.71, d=199.2.252.10 [942]
*May 26 02:56:20.547: NAT: i: udp (192.168.1.6, 1085) -> (199.2.252.10, 53) [948]
*May 26 02:56:20.547: NAT: s=192.168.1.6->208.33.154.71, d=199.2.252.10 [948]
*May 26 02:56:20.547: NAT: i: udp (192.168.1.6, 1082) -> (199.2.252.10, 53) [951]
*May 26 02:56:20.547: NAT: s=192.168.1.6->208.33.154.71, d=199.2.252.10 [951]
*May 26 02:56:20.883: NAT*: o: tcp (64.236.41.79, 80) -> (208.33.154.71, 1093) [37353]
*May 26 02:56:20.883: NAT*: s=64.236.41.79, d=208.33.154.71->192.168.1.6 [37353]
*May 26 02:56:20.883: NAT*: o: tcp (205.188.165.121, 80) -> (208.33.154.71, 1103) [18922]
*May 26 02:56:20.887: NAT*: s=205.188.165.121, d=208.33.154.71->192.168.1.6 [18922]
*May 26 02:56:20.887: NAT*: o: udp (68.142.233.74, 3478) -> (208.33.154.71, 1101) [49139]
*May 26 02:56:20.887: NAT*: s=68.142.233.74, d=208.33.154.71->192.168.1.6 [49139]
*May 26 02:56:20.887: NAT*: o: udp (68.142.233.74, 3478) -> (208.33.154.71, 1101) [49238]
*May 26 02:56:20.887: NAT*: s=68.142.233.74, d=208.33.154.71->192.168.1.6 [49238]
*May 26 02:56:20.887: NAT*: o: udp (68.142.233.74, 3478) -> (208.33.154.71, 1101) [49495]
*May 26 02:56:20.887: NAT*: s=68.142.233.74, d=208.33.154.71->192.168.1.6 [49495]
*May 26 02:56:20.887: NAT*: o: udp (68.142.233.74, 3478) -> (208.33.154.71, 1101) [49575]
*May 26 02:56:20.887: NAT*: s=68.142.233.74, d=208.33.154.71->192.168.1.6 [49575]
*May 26 02:56:21.679: NAT*: i: udp (192.168.1.6, 1101) -> (68.142.233.74, 3478)[954]
*May 26 02:56:21.679: NAT*: s=192.168.1.6->208.33.154.71, d=68.142.233.74 [954]
*May 26 02:56:21.679: NAT*: i: tcp (192.168.1.6, 1093) -> (64.236.41.79, 80) [956]
*May 26 02:56:21.679: NAT*: s=192.168.1.6->208.33.154.71, d=64.236.41.79 [956]
*May 26 02:56:21.679: NAT*: i: udp (192.168.1.6, 1101) -> (68.142.233.74, 3478)[957]
*May 26 02:56:21.679: NAT*: s=192.168.1.6->208.33.154.71, d=68.142.233.74 [957]
*May 26 02:56:21.683: NAT*: i: tcp (192.168.1.6, 1103) -> (205.188.165.121, 80)[958]
*May 26 02:56:21.683: NAT*: s=192.168.1.6->208.33.154.71, d=205.188.165.121 [958]
*May 26 02:56:21.683: NAT*: i: udp (192.168.1.6, 1101) -> (68.142.233.74, 3478)[959]
*May 26 02:56:21.683: NAT*: s=192.168.1.6->208.33.154.71, d=68.142.233.74 [959]
*May 26 02:56:21.683: NAT*: i: udp (192.168.1.6, 1101) -> (68.142.233.74, 3478)[961]
*May 26 02:56:21.683: NAT*: s=192.168.1.6->208.33.154.71, d=68.142.233.74 [961]
*May 26 02:56:21.683: NAT: o: udp (199.2.252.10, 53) -> (208.33.154.71, 1055) [45249]
*May 26 02:56:21.687: NAT: s=199.2.252.10, d=208.33.154.71->192.168.1.6 [45249]
*May 26 02:56:21.687: NAT: i: udp (192.168.1.6, 1031) -> (204.117.214.10, 53) [952]
*May 26 02:56:21.687: NAT: s=192.168.1.6->208.33.154.71, d=204.117.214.10 [952]
*May 26 02:56:21.687: NAT: Allocated Port for 192.168.1.6 -> 208.33.154.71: wanted 1113 got 1113
*May 26 02:56:21.687: NAT*: i: tcp (192.168.1.6, 1113) -> (66.218.72.56, 80) [962]
*May 26 02:56:21.687: NAT*: i: tcp (192.168.1.6, 1113) -> (66.218.72.56, 80) [962]
*May 26 02:56:21.687: NAT*: s=192.168.1.6->208.33.154.71, d=66.218.72.56 [962]
0
 
mikebernhardtCommented:
So, I don't see 192.168.1.250 coming back here at all. You can see a couple of times where your inbound session was translated:
*May 26 02:49:25.891: NAT*: o: tcp (63.168.91.70, 4358) -> (208.33.154.71, 80) [53206]
*May 26 02:49:25.891: NAT*: s=63.168.91.70, d=208.33.154.71->192.168.1.250 [53206]

This says that an outside host at the outside NAT interface, 63.168.91.70, sent TCP to port 80 on 208.33.154.71. Then it displays the actual translation, which is what it should be. But I never see any traffic come back FROM 192.168.1.250. It would look something like:
*May 26 02:49:25.898: NAT*: i: tcp (192.168.1.250, 80) -> (63.168.91.70, 4358) [2345]
*May 26 02:49:25.898: NAT*: s=192.168.1.250->208.33.154.71, d=63.168.91.70 [2345]

So it looks like the web server is not sending responses back to the router, or the router is dropping them before they're even getting to the NAT process. I would still temporarily remove all of your access control on the interfaces (access groups and inspect), and see if it works. Then put it back. You have to isolate the problem before you can fix it.

I suspect that your ip inspect isn't working correctly and is blocking the http replies for some reason. But I don't know.
0
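The check mikebernhardt is doing by eye above (find the outside-to-inside translation, then look for the matching packet from the inside host) can be automated. The following Python script is an added example and is not part of this thread or any Cisco tool: it parses the per-packet and translation lines of `debug ip nat` output, pairs each inbound translation with the inside reply it should produce, and reports translations that never got one. The sample log reuses lines posted above and adds a constructed, answered session from 198.51.100.7 (a documentation address, not from the thread) so the contrast is visible.

```python
import re

# Per-packet lines of Cisco "debug ip nat" output. "o:" means the packet
# arrived on the NAT outside interface, "i:" on the inside one, e.g.
#   NAT*: o: tcp (63.168.91.70, 4358) -> (208.33.154.71, 80) [53228]
PKT_RE = re.compile(
    r"NAT\*?: (?P<dir>[io]): (?P<proto>tcp|udp) "
    r"\((?P<sip>[\d.]+), (?P<sport>\d+)\) -> \((?P<dip>[\d.]+), (?P<dport>\d+)\)"
)
# Translation line that follows an "o:" packet: the public destination is
# rewritten to the inside host, e.g.
#   NAT*: s=63.168.91.70, d=208.33.154.71->192.168.1.250 [53228]
# Inside-to-outside translations ("s=a->b, d=c") deliberately do not match.
DST_XLATE_RE = re.compile(r"NAT\*?: s=(?P<src>[\d.]+), d=(?P<pub>[\d.]+)->(?P<priv>[\d.]+)")

# Constructed sample: the first two lines and the 192.168.1.3 lines are from the
# thread; the 198.51.100.7 session is invented to show an answered translation.
SAMPLE_LOG = """\
*May 26 02:49:31.827: NAT*: o: tcp (63.168.91.70, 4358) -> (208.33.154.71, 80) [53228]
*May 26 02:49:31.827: NAT*: s=63.168.91.70, d=208.33.154.71->192.168.1.250 [53228]
*May 26 02:49:33.463: NAT: Allocated Port for 192.168.1.3 -> 208.33.154.71: wanted 1734 got 1734
*May 26 02:49:33.463: NAT: i: tcp (192.168.1.3, 1734) -> (10.61.10.10, 139) [8470]
*May 26 02:49:33.463: NAT: s=192.168.1.3->208.33.154.71, d=10.61.10.10 [8470]
*May 26 02:49:40.051: NAT: expiring 208.33.154.71 (192.168.1.3) tcp 1729 (1729)
*May 26 02:50:10.100: NAT*: o: tcp (198.51.100.7, 5000) -> (208.33.154.71, 80) [60001]
*May 26 02:50:10.100: NAT*: s=198.51.100.7, d=208.33.154.71->192.168.1.250 [60001]
*May 26 02:50:10.104: NAT*: i: tcp (192.168.1.250, 80) -> (198.51.100.7, 5000) [60002]
*May 26 02:50:10.104: NAT*: s=192.168.1.250->208.33.154.71, d=198.51.100.7 [60002]
""".splitlines()


def parse_nat_debug(lines):
    """Return (inbound, replies).

    inbound: {(proto, outside_ip, outside_port, public_port): inside_ip}, one
             entry per outside->inside translation seen in the log.
    replies: {(proto, src_ip, src_port, dst_ip, dst_port)} for every packet
             that entered on the inside interface.
    """
    inbound = {}
    replies = set()
    pending = None  # last "o:" packet, waiting for its translation line
    for line in lines:
        m = PKT_RE.search(line)
        if m:
            pkt = (m["proto"], m["sip"], int(m["sport"]), m["dip"], int(m["dport"]))
            if m["dir"] == "o":
                pending = pkt
            else:
                replies.add(pkt)
                pending = None
            continue
        x = DST_XLATE_RE.search(line)
        if x and pending and x["src"] == pending[1] and x["pub"] == pending[3]:
            proto, sip, sport, _pub, dport = pending
            inbound[(proto, sip, sport, dport)] = x["priv"]
            pending = None
    return inbound, replies


def find_unanswered(lines):
    """Inbound translations for which the inside host never sent a packet back.

    A session outside_ip:outside_port -> public_ip:public_port translated to
    inside_ip is answered only if the log also shows an inside packet
    inside_ip:public_port -> outside_ip:outside_port.
    """
    inbound, replies = parse_nat_debug(lines)
    unanswered = []
    for (proto, oip, oport, pport), iip in inbound.items():
        if (proto, iip, pport, oip, oport) not in replies:
            unanswered.append((proto, oip, oport, pport, iip))
    return unanswered


if __name__ == "__main__":
    for proto, oip, oport, pport, iip in find_unanswered(SAMPLE_LOG):
        print(f"no reply from {iip}:{pport} to {oip}:{oport} ({proto}) "
              f"- server not responding, or replies dropped before NAT")
```

Run against a real capture (`python3 nat_check.py < debug.log` after swapping `SAMPLE_LOG` for `sys.stdin`), an empty result means the inside host is answering and the problem lies after NAT on the return path; a non-empty result, as with the 63.168.91.70 session here, points at the server itself or at the inbound access-group/inspect configuration, which is exactly the split mikebernhardt is trying to isolate.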
 
comteksoAuthor Commented:
I turned off access-group 199... should I turn these others off as well?

access-list 1 permit 192.168.1.0 0.0.0.255
access-list 30 permit 192.168.1.250
access-list 101 permit ip host 0.0.0.0 any
0
 
comteksoAuthor Commented:
I went ahead and removed the access-lists 30 and 101

I removed access-list 1, but it cut off their internet and email access so I had to put it back.

Still timing out when trying to access the website externally via the external IP address.

I had them check the web server internally using 192.168.1.250 and it works.

Should I post my config, so you know where we are at? I am also willing to award points on this and open a fresh one. I really appreciate your effort to help me.
0
 
comteksoAuthor Commented:
I'm probably not supposed to ask this, but are you interested in a side job fixing this problem?
0
 
mikebernhardtCommented:
I don't see anything in the usage guidelines that would prevent you asking that. I'm not sure I can given my own employment and a lack of physical access (unless you're in the SF Bay Area) but it might work out. You can email me at mike-dot-bernhardt-at-comcast-dot-net and we can go from there.
0
 
mikebernhardtCommented:
Regarding your last access list questions:
1. Where is access-list 101 used anyway? It permits the host 0.0.0.0 to access anything?
2. access-list 30 was for NAT debugging so it has no effect on normal traffic.
3. Yes, please post the output of "show runn" so we can see exactly where you are.
0
 
mikebernhardtCommented:
Also, I suggested you remove the "ip inspect OUTBOUND out " from Fast4. Please try that along with removing access-group 199 in. Once ALL access control is gone we can see if the problem is NAT or the access control. Then if it's access control we can modify it so it will work.
0
 
mikebernhardtCommented:
Try changing "ip inspect OUTBOUND out" to "ip inspect OUTBOUND in" and see what happens with "access-group 199 in" still in place. I thought earlier that might be the problem but someone else said they thought it was right. I don't think so.
0
 
comteksoAuthor Commented:
OK I will work on this later today. Also, I tried to email you the other day, but it bounced back.
0
 
mikebernhardtCommented:
Not sure why it bounced back, what I gave you is fine if you just substitute and get rid of all the dashes.
0
 
comteksoAuthor Commented:
They are trying to work with Cisco on getting it configured so I am going to close this and award the points. If cisco is not able to help him I will post a new question. Thanks for the extreme amount of effort to help. It is greatly appreciated.
0
