troubleshooting Question

Cisco 1811 NAT'ing SSL connection

Avatar of BooSTid
BooSTid asked on
RoutersWeb ServersNetworking Hardware-Other
10 Comments1 Solution399 ViewsLast Modified:
I'm trying to set up a Cisco 1811 for a client with an extremely simplistic network topology and a very straightforward config. However for some reason I'm failing miserably.

They originally had an IP cop doing all of their routing and firewall services, with port forwarding enabled for 443 to their web server.

I'm trying to emulate that on an 1811.

I've used what I believe to be the correct nat statement:

ip nat inside source static tcp 10.10.0.1 443 interface FastEthernet0 443

This was not working. Originally, even with that statement in place, it would process https: requests like I was trying to access cisco sdm over https. I then removed the https server and http secure-server statements, and now it doesn't seem to do anything with the request.

I've used portforward.com's web tool to try and verify port forwarding and connectivity; it would work when I had it nat'd to my computer, and then would fail when I removed or changed the nat statement, indicating that it is indeed NAT'ing correctly.

The web server is on a Server 2000 machine, so there is no windows firewall or really any other devices in the way other than a switch. All connectivity is verified, and i am able to hit the site internally. I've posted the config; don't mind the ACL's too much, i was monkeying with them in an attempt to cause an effect. I've put their IP Cop back in place so that they're in production, but I need to wrap this up asap. please help!
Building configuration...
 
 
 
Current configuration : 4303 bytes
 
!
 
version 12.4
 
service timestamps debug datetime msec
 
service timestamps log datetime msec
 
no service password-encryption
 
!
 
hostname PIEI_1811
 
!
 
boot-start-marker
 
boot-end-marker
 
!
 
logging buffered 51200 warnings
 
!
 
no aaa new-model
 
!
 
resource policy
 
!
 
!
 
!
 
no ip cef
 
!
 
!
 
no ip domain lookup
 
ip domain name piei.local
 
ip name-server 208.77.63.162
 
ip name-server 208.77.63.163
 
!
 
!
 
crypto pki trustpoint TP-self-signed-535423446
 
 enrollment selfsigned
 
 subject-name cn=IOS-Self-Signed-Certificate-535423446
 
 revocation-check none
 
 rsakeypair TP-self-signed-535423446
 
!
 
!
 
crypto pki certificate chain TP-self-signed-535423446
 
 certificate self-signed 01
 
  3082024A 308201B3 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
 
  30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
 
  69666963 6174652D 35333534 32333434 36301E17 0D303931 30323130 31323131
 
  355A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F
 
  532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3533 35343233
 
  34343630 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100
 
  AD088505 273FE0E9 9070C8EE 921B9598 54D79ED2 6CAA939D B44AD2AF DBAE1AED
 
  8BDF023C EEAA1CB1 0F4869A6 6B8AC44A 99C20554 C0DDDC84 1AC88D78 3233F7FB
 
  AE3E98F5 C8EF2889 5EA8414D EB0AA1DE BF8DD621 FB054CA5 DA75337B F9F80C38
 
  A9009ADC A7E1D19B 351907F0 2E00B677 8DA263F9 76C3EAE0 C5147BA2 E4B4331B
 
  02030100 01A37430 72300F06 03551D13 0101FF04 05300301 01FF301F 0603551D
 
  11041830 16821450 4945495F 31383131 2E706965 692E6C6F 63616C30 1F060355
 
  1D230418 30168014 287DC414 FCAFFC2D 9776042D B98FB842 67B0878B 301D0603
 
  551D0E04 16041428 7DC414FC AFFC2D97 76042DB9 8FB84267 B0878B30 0D06092A
 
  864886F7 0D010104 05000381 81001DB2 44637B84 544A68FE DDC902E3 EEE5B783
 
  C50B92FC 92BABAEB 7931CB2F D4FD7367 D8CC2291 146D3C6E 0E306B80 0AEAE6EA
 
  078458FB D08D02F4 178D8F72 D4A296D1 DB9ABAB3 F30E8B1B A0E4B3B2 4C03AF71
 
  4A80B6A7 70DADC5F 6C446008 5030F2ED 3DB5B5F7 3D93E934 5DE9E6F0 D76942FD
 
  A8351FF6 251A2AA0 15490DF3 91CC
 
  quit
 
username **** privilege 15 secret 5 *********
 
!
 
!
 
!
 
!
 
!
 
!
 
interface FastEthernet0
 
 description $ETH-WAN$
 
 ip address 208.77.58.100 255.255.255.0
 
 ip nat outside
 
 ip virtual-reassembly
 
 speed 100
 
 half-duplex
 
!
 
interface FastEthernet1
 
 description $ETH-LAN$
 
 ip address 10.10.0.10 255.255.255.0
 
 ip access-group 10 in
 
 ip nat inside
 
 ip virtual-reassembly
 
 duplex auto
 
 speed auto
 
!
 
interface FastEthernet2
 
 description Main Network
 
 spanning-tree portfast
 
!
 
interface FastEthernet3
 
 description Main Network
 
!
 
interface FastEthernet4
 
 description Main Network
 
!
 
interface FastEthernet5
 
 description Main Network
 
!
 
interface FastEthernet6
 
 description Main Network
 
!
 
interface FastEthernet7
 
 description Main Network
 
!
 
interface FastEthernet8
 
 description Main Network
 
!
 
interface FastEthernet9
 
 description Main Network
 
!
 
interface Vlan1
 
 description $ETH-SW-LAUNCH$$INTF-INFO-FE 2$$ES_LAN$
 
 no ip address
 
 ip nat inside
 
 ip virtual-reassembly
 
!
 
interface Async1
 
 no ip address
 
 encapsulation slip
 
!
 
ip default-gateway 208.77.58.97
 
ip route 0.0.0.0 0.0.0.0 208.77.58.97
 
!
 
!
 
no ip http server
 
no ip http secure-server
 
ip nat inside source list 3 interface FastEthernet0 overload
 
ip nat inside source static tcp 10.10.0.1 8833 interface FastEthernet0 8833
 
ip nat inside source static tcp 10.10.0.1 80 interface FastEthernet0 80
 
ip nat inside source static tcp 10.10.0.1 443 interface FastEthernet0 443
 
!
 
access-list 2 remark SDM_ACL Category=2
 
access-list 2 permit 10.10.0.0 0.0.0.255
 
access-list 3 permit 10.10.0.0 0.0.0.255
 
access-list 10 permit any
 
access-list 101 permit ip any any
 
access-list 105 permit ip any any
 
access-list 105 permit ip host 10.10.0.1 host 208.77.58.100
 
access-list 105 permit tcp host 10.10.0.1 host 208.77.58.100 eq 443
 
access-list 105 permit tcp any host 10.10.0.1 eq 443
 
!
 
!
 
!
 
!
 
!
 
!
 
control-plane
 
!
 
banner exec ^CO U^C
 
banner login ^Co Unauthorized Access
 
^C
 
!
 
line con 0
 
 login local
 
line 1
 
 modem InOut
 
 stopbits 1
 
 speed 115200
 
 flowcontrol hardware
 
line aux 0
 
line vty 0 4
 
 privilege level 15
 
 password *****
 
 login
 
 transport input telnet
 
!
 
!
 
webvpn context Default_context
 
 ssl authenticate verify all
 
 !
 
 no inservice
 
!
 
!
 
 !
 
 no inservice
 
!
 
end
ASKER CERTIFIED SOLUTION
BooSTid

Our community of experts have been thoroughly vetted for their expertise and industry experience.

Join our community to see this answer!
Unlock 1 Answer and 10 Comments.
Start Free Trial
Learn from the best

Network and collaborate with thousands of CTOs, CISOs, and IT Pros rooting for you and your success.

Andrew Hancock - VMware vExpert
See if this solution works for you by signing up for a 7 day free trial.
Unlock 1 Answer and 10 Comments.
Try for 7 days

”The time we save is the biggest benefit of E-E to our team. What could take multiple guys 2 hours or more each to find is accessed in around 15 minutes on Experts Exchange.

-Mike Kapnisakis, Warner Bros