No access to internal web server from behind Cisco 877 with firewall enabled

Hi,
I have a Cisco 877-K9 router that I have configured with the SDM low-security firewall (IP address 192.168.1.1). I have enabled remote access via RDP and checked that it works OK, which it did. However, I also have an internal web server at IP address 192.168.1.105 that cannot be reached from the Internet: putting in the web address brings up the Cisco user/pass dialogue box. I have put in enable any any http and https for outbound connections, and put in http, https and FTP to go to the internal web server at 192.168.1.105. However, I cannot get access to the website from outside.
I have included a printout of the running-config. Any help on this matter would be greatly appreciated.
Regards,
Andrew

Building configuration...

Current configuration : 8745 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname XXXXXXXXXXXX
!
boot-start-marker
boot-end-marker
!
logging buffered 51200
logging console critical
enable secret 5 $1$FG5d$iAww26kjtx3FikTp5I.cK0
!
no aaa new-model
clock timezone PCTime 10
clock summer-time PCTime date Mar 30 2003 3:00 Oct 26 2003 2:00
!
crypto pki trustpoint TP-self-signed-995738514
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-995738514
 revocation-check none
 rsakeypair TP-self-signed-995738514
!
!
crypto pki certificate chain TP-self-signed-995738514
 certificate self-signed 02
  3082025A 308201C3 A0030201 02020102 300D0609 2A864886 F70D0101 04050030
  30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 39393537 33383531 34301E17 0D303831 31303530 37343333
  325A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F
  532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3939 35373338
  35313430 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100
  BA133185 7463688C 14CEC34C 446DC9FA EAA33B69 03585088 8773D8D4 8A492701
  5D100A07 31EFBC70 AFB91364 45F12A3F FCC01600 90A403C6 7430FEB0 93A9BB7F
  0D934AF0 5699476E DDB3E5F9 EEC38C32 3954857D 44BF72EC DBBA25C0 E36EDA72
  CF5E7181 0D3B0B9C FC536003 41F43B9E 0AB40625 EF418B49 9E371322 534CC063
  02030100 01A38183 30818030 0F060355 1D130101 FF040530 030101FF 302D0603
  551D1104 26302482 224F5343 4F4C4C45 4354494F 4E532E6F 73636F6C 6C656374
  696F6E73 2E636F6D 2E617530 1F060355 1D230418 30168014 F4BA2CB7 3576EED1
  3236F1F9 709B322D 3BBE3C80 301D0603 551D0E04 160414F4 BA2CB735 76EED132
  36F1F970 9B322D3B BE3C8030 0D06092A 864886F7 0D010104 05000381 81007995
  4C469A88 325CC5DA 61CE4176 0F909AF3 7BECDB21 4050BF6F C8F7C996 36AB8B11
  D00819E4 D7D02C1A 1B3FD69E 4F35606F C3928E85 65221752 463FC7B3 F9D74C60
  70353942 EE8660AF 92E3BA12 D0A1AFBB 5FFBBD01 F3C672AB 4815FC1C 56302D81
  20AE4DA3 7BA29CF8 AD1A22B9 480D669E 4467DE5E A1D79E15 06EDF22A 7FCA
        quit
dot11 syslog
no ip source-route
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1 192.168.1.199
ip dhcp excluded-address 192.168.1.231 192.168.1.254
!
ip dhcp pool sdm-pool1
   import all
   network 192.168.1.0 255.255.255.0
   dns-server 203.12.160.35 203.12.160.36
   default-router 192.168.1.1
!
!
ip port-map user-protocol--1 port tcp 3389
no ip bootp server
ip domain name oscollections.com.au
ip name-server 203.12.160.35
ip name-server 203.12.160.36
!
!
!
username admin privilege 15 secret 5 $1$wAv1$Fq.DG2VQovRTwF3fJeEtt.
!
!
archive
 log config
  hidekeys
!
!
!
class-map type inspect match-all sdm-nat-http-1
 match access-group 101
class-map type inspect match-all sdm-nat-user-protocol--1-1
 match access-group 102
 match protocol user-protocol--1
class-map type inspect match-any sdm-cls-insp-traffic
 match protocol cuseeme
 match protocol dns
 match protocol ftp
 match protocol h323
 match protocol https
 match protocol icmp
 match protocol imap
 match protocol pop3
 match protocol netshow
 match protocol shell
 match protocol realmedia
 match protocol rtsp
 match protocol smtp extended
 match protocol sql-net
 match protocol streamworks
 match protocol tftp
 match protocol vdolive
 match protocol tcp
 match protocol udp
class-map type inspect match-all sdm-insp-traffic
 match class-map sdm-cls-insp-traffic
class-map type inspect match-any SDM-Voice-permit
 match protocol h323
 match protocol skinny
 match protocol sip
class-map type inspect match-any sdm-service-sdm-pol-NATOutsideToInside-1
 match protocol http
 match protocol https
 match protocol ftp
class-map type inspect match-any sdm-cls-icmp-access
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-any sdm-service-sdm-inspect-1
 match protocol http
 match protocol https
class-map type inspect match-all sdm-icmp-access
 match class-map sdm-cls-icmp-access
class-map type inspect match-all sdm-invalid-src
 match access-group 100
class-map type inspect match-all sdm-protocol-http
 match class-map sdm-service-sdm-inspect-1
!
!
policy-map type inspect sdm-permit-icmpreply
 class type inspect sdm-icmp-access
  inspect
 class class-default
  pass
policy-map type inspect sdm-pol-NATOutsideToInside-1
 class type inspect sdm-nat-http-1
  inspect
 class type inspect sdm-nat-user-protocol--1-1
  inspect
 class class-default
policy-map type inspect sdm-inspect
 class type inspect sdm-invalid-src
  drop log
 class type inspect sdm-insp-traffic
  inspect
 class type inspect sdm-protocol-http
  inspect
 class type inspect SDM-Voice-permit
  inspect
 class class-default
  pass
policy-map type inspect sdm-permit
 class class-default
!
zone security out-zone
zone security in-zone
zone-pair security sdm-zp-self-out source self destination out-zone
 service-policy type inspect sdm-permit-icmpreply
zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
 service-policy type inspect sdm-pol-NATOutsideToInside-1
zone-pair security sdm-zp-out-self source out-zone destination self
 service-policy type inspect sdm-permit
zone-pair security sdm-zp-in-out source in-zone destination out-zone
 service-policy type inspect sdm-inspect
!
!
!
interface ATM0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.1 point-to-point
 description $ES_WAN$$FW_OUTSIDE$
 pvc 8/35
  pppoe-client dial-pool-number 1
 !
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
 ip address 192.168.1.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 zone-member security in-zone
 ip route-cache flow
!
interface Dialer0
 description $FW_OUTSIDE$
 ip address negotiated
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1452
 ip nat outside
 ip virtual-reassembly
 zone-member security out-zone
 encapsulation ppp
 ip route-cache flow
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap pap callin
 ppp chap hostname XXXXXXXXXX
 ppp chap password 7 101A584028161B05
 ppp pap sent-username XXXXXXXXXXX password 7 1443435221052325
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source static tcp 192.168.1.105 80 interface Dialer0 80
ip nat inside source static tcp 192.168.1.100 3389 interface Dialer0 3389
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static tcp 192.168.1.105 443 interface Dialer0 443
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 100 remark SDM_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 101 remark SDM_ACL Category=0
access-list 101 permit ip any host 192.168.1.105
access-list 102 remark SDM_ACL Category=0
access-list 102 permit ip any host 192.168.1.100
dialer-list 1 protocol ip permit
no cdp run
!
!
!
control-plane
!
banner exec ^C
% Password expiration warning.
-----------------------------------------------------------------------
 
Cisco Router and Security Device Manager (SDM) is installed on this device and
it provides the default username "cisco" for  one-time use. If you have already
used the username "cisco" to login to the router and your IOS image supports the
"one-time" user option, then this username has already expired. You will not be
able to login to the router with this username after you exit this session.
 
It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.
 
username <myuser> privilege 15 secret 0 <mypassword>
 
Replace <myuser> and <mypassword> with the username and password you want to
use.
 
-----------------------------------------------------------------------
^C
banner login ^CAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 login local
 no modem enable
 transport output telnet
line aux 0
 login local
 transport output telnet
line vty 0 4
 login local
 transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end
andrewlewis4554Asked:
lrmooreCommented:
I would think you might need something like this: create an ACL to define the traffic allowed, create a class map, apply the class map to a policy, then apply the policy to the out-in zone pair. Ah, the joys of the new zone security model...

access-list 105 permit tcp any interface Dialer0 eq 80
access-list 105 permit tcp any interface Dialer0 eq 3389
 (not sure it will work using the interface designation or if you have to use the actual host IP address)

! The out-zone -> in-zone policy is evaluated after static NAT has rewritten the
! destination, so the ACL has to name the inside hosts (as access-lists 101 and
! 102 in the posted config already do), not the Dialer0 address.
class-map type inspect match-all out-in
 match access-group 105
!
!
policy-map type inspect sdm-out-in
 class type inspect out-in
  inspect
 class class-default
! no action on class-default means drop; "pass" here would let every unsolicited
! flow from the Internet through without inspection

! IOS allows one zone-pair per source/destination combination, and the posted
! config already has sdm-zp-NATOutsideToInside-1 for out-zone -> in-zone, so the
! service-policy has to be attached to that existing pair (replacing its current policy)
zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
 service-policy type inspect sdm-out-in

0
andrewlewis4554Author Commented:
Thank you for your reply. I will input those commands via CLI today, and let you know if it resolves the problem.
Regards,
Andrew
0
andrewlewis4554Author Commented:
Upon further investigation, I realised I may have confused you with the previous problem. In actual fact, the website loads up externally when you go to the website from outside the internal network, but when we load up the website from the internal network, we are presented with the Cisco user/pass pop-up box. I am sure I am just missing some command that resolves the website to the internal IP address of the web server hosting the website, or something similar. I have put the website inside local intranet sites in IE, but the same problem still exists.
Regards,
Andrew
0
lrmooreCommented:
You can't get to the public ip from inside. This is a design "feature" of Cisco and not a configuration problem.
0
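The behaviour described in the question and in lrmoore's last comment can be checked against the posted config with the following Python script. It is an added example written for this page, not code from the thread or from Cisco: it parses a trimmed copy of the posted static NAT entries, ACLs, class-maps, policy-maps and zone-pairs and traces a flow through them using a simplified model of IOS zone-based firewall semantics (static destination NAT is applied only to packets entering the `ip nat outside` interface; traffic to or from the self zone is permitted when no zone-pair covers it; intra-zone traffic is not policed; a class with no action line drops). The public address 203.0.113.10 is a placeholder, since Dialer0 gets its address by PPP negotiation and the thread does not show it, and the ACL parser only understands the `permit ip any host X` form SDM generated here.

```python
from ipaddress import ip_address, ip_network

# Excerpt of the running-config posted in the thread, trimmed to what the trace needs.
CONFIG = """\
ip port-map user-protocol--1 port tcp 3389
ip nat inside source static tcp 192.168.1.105 80 interface Dialer0 80
ip nat inside source static tcp 192.168.1.100 3389 interface Dialer0 3389
access-list 101 permit ip any host 192.168.1.105
access-list 102 permit ip any host 192.168.1.100
class-map type inspect match-all sdm-nat-http-1
 match access-group 101
class-map type inspect match-all sdm-nat-user-protocol--1-1
 match access-group 102
 match protocol user-protocol--1
policy-map type inspect sdm-pol-NATOutsideToInside-1
 class type inspect sdm-nat-http-1
  inspect
 class type inspect sdm-nat-user-protocol--1-1
  inspect
 class class-default
policy-map type inspect sdm-permit
 class class-default
zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
 service-policy type inspect sdm-pol-NATOutsideToInside-1
zone-pair security sdm-zp-out-self source out-zone destination self
 service-policy type inspect sdm-permit
"""
PUBLIC_IP = "203.0.113.10"   # assumption: Dialer0's negotiated address is not shown in the thread
ROUTER_LAN_IP = "192.168.1.1"
LAN = ip_network("192.168.1.0/24")


def parse(text):
    """Collect NAT entries, ACLs, class-maps, policy-maps and zone-pairs from IOS config text."""
    cfg = {"nat": {}, "acl": {}, "ports": {}, "cmap": {}, "pmap": {}, "zpair": {}}
    ctx = None
    for line in text.splitlines():
        w = line.split()
        if line.startswith("ip nat inside source static"):      # (proto, outside port) -> inside
            cfg["nat"][(w[5], int(w[-1]))] = (w[6], int(w[7]))
        elif line.startswith("ip port-map"):
            cfg["ports"][w[2]] = (w[4], int(w[5]))
        elif line.startswith("access-list") and w[2] == "permit":
            cfg["acl"].setdefault(w[1], []).append(w[-1])      # SDM's "permit ip any host X" only
        elif line.startswith("class-map"):
            ctx, cfg["cmap"][w[-1]] = ("cmap", w[-1]), {"mode": w[3], "rules": []}
        elif line.startswith("policy-map"):
            ctx, cfg["pmap"][w[-1]] = ("pmap", w[-1]), []
        elif line.startswith("zone-pair"):
            ctx, cfg["zpair"][(w[4], w[6])] = ("zpair", (w[4], w[6])), None
        elif line.startswith(" ") and ctx:
            kind, key = ctx
            if kind == "cmap" and w[0] == "match":
                cfg["cmap"][key]["rules"].append((w[1], w[2]))
            elif kind == "pmap" and w[0] == "class":
                cfg["pmap"][key].append([w[-1], "drop"])        # a class with no action line drops
            elif kind == "pmap" and w[0] in ("inspect", "pass", "drop"):
                cfg["pmap"][key][-1][1] = w[0]
            elif kind == "zpair" and w[0] == "service-policy":
                cfg["zpair"][key] = w[-1]
        else:
            ctx = None
    return cfg


def class_matches(cfg, name, dst_ip, dst_port, proto):
    # match-all needs every rule to hit, match-any needs one
    cm = cfg["cmap"][name]
    hits = [dst_ip in cfg["acl"].get(arg, []) if kind == "access-group"
            else cfg["ports"].get(arg) == (proto, dst_port) for kind, arg in cm["rules"]]
    return all(hits) if cm["mode"] == "match-all" else any(hits)


def trace(cfg, src_zone, dst_ip, dst_port, proto="tcp"):
    """Return the post-NAT destination, its zone, and the class and action the firewall applies."""
    # Static destination NAT only rewrites packets entering the 'ip nat outside' interface;
    # a LAN host aiming at the public address keeps it, so the router itself is the target.
    if src_zone == "out-zone" and dst_ip == PUBLIC_IP and (proto, dst_port) in cfg["nat"]:
        dst_ip, dst_port = cfg["nat"][(proto, dst_port)]
    if dst_ip in (PUBLIC_IP, ROUTER_LAN_IP):
        dst_zone = "self"
    elif ip_address(dst_ip) in LAN:
        dst_zone = "in-zone"
    else:
        dst_zone = "out-zone"
    res = {"dst": f"{dst_ip}:{dst_port}", "dst_zone": dst_zone, "policy": None, "class": None}
    if src_zone == dst_zone:
        res["action"] = "pass"                                  # intra-zone traffic is not policed
    elif (src_zone, dst_zone) not in cfg["zpair"]:
        # no zone-pair: IOS permits flows to or from the self zone and drops everything else
        res["action"] = "pass" if "self" in (src_zone, dst_zone) else "drop"
    else:
        res["policy"] = cfg["zpair"][(src_zone, dst_zone)]
        for cls, action in cfg["pmap"][res["policy"]]:
            if cls == "class-default" or class_matches(cfg, cls, dst_ip, dst_port, proto):
                res["class"], res["action"] = cls, action
                break
    return res


if __name__ == "__main__":
    cfg = parse(CONFIG)
    for src, ip, port in [("out-zone", PUBLIC_IP, 80), ("out-zone", PUBLIC_IP, 3389),
                          ("out-zone", PUBLIC_IP, 22), ("in-zone", PUBLIC_IP, 80),
                          ("in-zone", "192.168.1.105", 80)]:
        print(src, "->", f"{ip}:{port}", trace(cfg, src, ip, port))
```

Running it shows why the two symptoms in the thread differ. From out-zone, port 80 on the public address is translated to 192.168.1.105 before the out-zone to in-zone policy sees it, and class sdm-nat-http-1 inspects it, which is why the site works from the Internet. From in-zone the same public address is never translated, lands in the self zone with no in-zone to self zone-pair to stop it, and is answered by the router's own `ip http server`, which with `ip http authentication local` produces the Cisco login prompt Andrew sees. Port 22 from outside also ends up in self, where sdm-permit drops it, so the management plane is not reachable that way. The practical workaround for LAN users is to have the site's name resolve to 192.168.1.105 inside the network (a hosts entry or split DNS) rather than to the public address.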