I'm setting up a cisco 881 (this is my first ios device)
I got everything working the way i want except port forwarding
im trying forward all incoming port 80 traffic to 10.10.10.60 and I don't see that option anywhere in the cisco configuration professional. so i assume ill have to add it command line style
Please also feel free to point out any other issues you feel might cause issues for me. (password have been altered to protect the innocent)
Using 16191 out of 262136 bytes ! version 12.4 no service pad service timestamps debug datetime msec service timestamps log datetime msec no service password-encryption ! hostname MARKONHQ ! boot-start-marker boot-end-marker ! logging message-counter syslog logging buffered 51200 warnings enable secret 5 #password was here# ! aaa new-model ! ! aaa authentication login default local aaa authorization exec default local ! --More-- ! aaa session-id common clock timezone PCTime -5 clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00 ! crypto pki trustpoint TP-self-signed-3499699271 enrollment selfsigned subject-name cn=IOS-Self-Signed-Certificate-3499699271 revocation-check none rsakeypair TP-self-signed-3499699271 ! ! crypto pki certificate chain TP-self-signed-3499699271 certificate self-signed 01 nvram:IOS-Self-Sig#D.cer ip source-route ip dhcp excluded-address 10.10.10.1 10.10.10.74 ! ip dhcp pool ccp-pool import all network 10.10.10.0 255.255.255.0 default-router 10.10.10.1 dns-server #dns servers were here# lease infinite --More-- ! ! ip cef ip domain name markonsolutions.com ip name-server ip name-server ip port-map user-protocol--2 port udp 53322 ip port-map user-protocol--3 port udp 80 ip port-map user-protocol--1 port tcp 53322 ! ! parameter-map type regex ccp-regex-nonascii pattern [^\x00-\x80] parameter-map type protocol-info msn-servers server name messenger.hotmail.com server name gateway.messenger.hotmail.com server name webmessenger.msn.com parameter-map type protocol-info aol-servers server name login.oscar.aol.com server name toc.oscar.aol.com server name oam-d09a.blue.aol.com --More-- parameter-map type protocol-info yahoo-servers server name scs.msg.yahoo.com server name scsa.msg.yahoo.com server name scsb.msg.yahoo.com server name scsc.msg.yahoo.com server name scsd.msg.yahoo.com server name cs16.msg.dcn.yahoo.com server name cs19.msg.dcn.yahoo.com server name cs42.msg.dcn.yahoo.com server name cs53.msg.dcn.yahoo.com server name cs54.msg.dcn.yahoo.com server name ads1.vip.scd.yahoo.com server name radio1.launch.vip.dal.yahoo.com server name in1.msg.vip.re2.yahoo.com server name data1.my.vip.sc5.yahoo.com server name address1.pim.vip.mud.yahoo.com server name edit.messenger.yahoo.com server name messenger.yahoo.com server name http.pager.yahoo.com server name privacy.yahoo.com server name csa.yahoo.com server name csb.yahoo.com --More-- server name csc.yahoo.com ! ! username admin privilege 15 secret 5 #password was here# username xxxx privilege 15 secret 5 #password was here# ! ! ! archive log config hidekeys ! ! ! class-map type inspect match-all sdm-nat-http-4 match access-group 112 match protocol http class-map type inspect match-all sdm-nat-user-protocol--2-4 match access-group 114 match protocol user-protocol--2 class-map type inspect match-all sdm-nat-user-protocol--2-5 match access-group 116 --More-- match protocol user-protocol--2 class-map type inspect match-all sdm-nat-http-5 match access-group 117 match protocol http class-map type inspect match-all sdm-nat-user-protocol--1-5 match access-group 115 match protocol user-protocol--1 class-map type inspect match-all sdm-nat-user-protocol--1-4 match access-group 113 match protocol user-protocol--1 class-map type inspect match-all sdm-nat-user-protocol--3-1 match access-group 107 match protocol user-protocol--3 class-map type inspect match-all sdm-nat-user-protocol--1-3 match access-group 108 match protocol user-protocol--1 class-map type inspect imap match-any ccp-app-imap match invalid-command class-map type inspect match-all sdm-nat-user-protocol--2-1 match access-group 103 match protocol user-protocol--2 class-map type inspect match-all sdm-nat-http-1 match access-group 102 --More-- match protocol http class-map type inspect match-all sdm-nat-user-protocol--1-2 match access-group 104 match protocol user-protocol--1 class-map type inspect match-all sdm-nat-user-protocol--1-1 match access-group 101 match protocol user-protocol--1 class-map type inspect match-all sdm-nat-user-protocol--2-2 match access-group 106 match protocol user-protocol--2 class-map type inspect match-all sdm-nat-http-2 match access-group 105 match protocol http class-map type inspect match-all sdm-nat-user-protocol--3-2 match access-group 111 match protocol user-protocol--3 class-map type inspect match-all sdm-nat-user-protocol--2-3 match access-group 110 match protocol user-protocol--2 class-map type inspect match-all sdm-nat-http-3 match access-group 109 match protocol http class-map type inspect match-any CCP-Voice-permit --More-- match protocol h323 match protocol skinny match protocol sip class-map type inspect match-any ccp-cls-insp-traffic match protocol cuseeme match protocol dns match protocol ftp match protocol h323 match protocol https match protocol icmp match protocol imap match protocol pop3 match protocol netshow match protocol shell match protocol realmedia match protocol rtsp match protocol smtp extended match protocol sql-net match protocol streamworks match protocol tftp match protocol vdolive match protocol tcp match protocol udp --More-- class-map type inspect match-all ccp-insp-traffic match class-map ccp-cls-insp-traffic class-map type inspect ymsgr match-any ccp-app-yahoo-otherservices match service any class-map type inspect msnmsgr match-any ccp-app-msn-otherservices match service any class-map type inspect match-any ccp-cls-icmp-access match protocol icmp match protocol tcp match protocol udp class-map type inspect match-any ccp-cls-protocol-im match protocol ymsgr yahoo-servers match protocol msnmsgr msn-servers match protocol aol aol-servers class-map type inspect aol match-any ccp-app-aol-otherservices match service any class-map type inspect match-all ccp-protocol-pop3 match protocol pop3 class-map type inspect pop3 match-any ccp-app-pop3 match invalid-command class-map type inspect msnmsgr match-any ccp-app-msn match service text-chat class-map type inspect ymsgr match-any ccp-app-yahoo --More-- match service text-chat class-map type inspect match-all ccp-protocol-im match class-map ccp-cls-protocol-im class-map type inspect match-all ccp-icmp-access match class-map ccp-cls-icmp-access class-map type inspect match-all ccp-invalid-src match access-group 100 class-map type inspect http match-any ccp-app-httpmethods match request method bcopy match request method bdelete match request method bmove match request method bpropfind match request method bproppatch match request method connect match request method copy match request method delete match request method edit match request method getattribute match request method getattributenames match request method getproperties match request method index match request method lock match request method mkcol --More-- match request method mkdir match request method move match request method notify match request method options match request method poll match request method propfind match request method proppatch match request method put match request method revadd match request method revlabel match request method revlog match request method revnum match request method save match request method search match request method setattribute match request method startrev match request method stoprev match request method subscribe match request method trace match request method unedit match request method unlock match request method unsubscribe class-map type inspect http match-any ccp-http-blockparam --More-- match request port-misuse im match request port-misuse p2p match request port-misuse tunneling match req-resp protocol-violation class-map type inspect match-all ccp-protocol-imap match protocol imap class-map type inspect aol match-any ccp-app-aol match service text-chat class-map type inspect match-all ccp-protocol-http match protocol http class-map type inspect http match-any ccp-http-allowparam match request port-misuse tunneling ! ! policy-map type inspect ccp-permit-icmpreply class type inspect ccp-icmp-access class class-default pass policy-map type inspect sdm-pol-NATOutsideToInside-1 class type inspect sdm-nat-user-protocol--1-1 inspect class type inspect sdm-nat-http-1 inspect --More-- class type inspect sdm-nat-user-protocol--2-1 inspect class type inspect sdm-nat-user-protocol--1-2 inspect class type inspect sdm-nat-http-2 inspect class type inspect sdm-nat-user-protocol--2-2 inspect class type inspect sdm-nat-user-protocol--3-1 inspect class type inspect sdm-nat-user-protocol--1-3 inspect class type inspect sdm-nat-http-3 inspect class type inspect sdm-nat-user-protocol--2-3 inspect class type inspect sdm-nat-user-protocol--3-2 inspect class type inspect sdm-nat-http-4 inspect class type inspect sdm-nat-user-protocol--1-4 inspect class type inspect sdm-nat-user-protocol--2-4 --More-- inspect class type inspect sdm-nat-user-protocol--1-5 inspect class type inspect sdm-nat-user-protocol--2-5 inspect class type inspect sdm-nat-http-5 inspect class class-default drop policy-map type inspect im ccp-action-app-im class type inspect aol ccp-app-aol log allow class type inspect msnmsgr ccp-app-msn log allow class type inspect ymsgr ccp-app-yahoo log allow class type inspect aol ccp-app-aol-otherservices log reset class type inspect msnmsgr ccp-app-msn-otherservices --More-- log reset class type inspect ymsgr ccp-app-yahoo-otherservices log reset policy-map type inspect http ccp-action-app-http class type inspect http ccp-http-blockparam log reset class type inspect http ccp-app-httpmethods log reset class type inspect http ccp-http-allowparam log allow policy-map type inspect imap ccp-action-imap class type inspect imap ccp-app-imap log policy-map type inspect pop3 ccp-action-pop3 class type inspect pop3 ccp-app-pop3 log policy-map type inspect ccp-inspect class type inspect ccp-invalid-src --More-- drop log class type inspect ccp-protocol-http inspect service-policy http ccp-action-app-http class type inspect ccp-protocol-imap inspect service-policy imap ccp-action-imap class type inspect ccp-protocol-pop3 inspect service-policy pop3 ccp-action-pop3 class type inspect ccp-protocol-im inspect service-policy im ccp-action-app-im class type inspect ccp-insp-traffic inspect class type inspect CCP-Voice-permit inspect class class-default pass policy-map type inspect ccp-permit class class-default drop ! --More-- zone security out-zone zone security in-zone zone-pair security ccp-zp-self-out source self destination out-zone service-policy type inspect ccp-permit-icmpreply zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone service-policy type inspect sdm-pol-NATOutsideToInside-1 zone-pair security ccp-zp-in-out source in-zone destination out-zone service-policy type inspect ccp-inspect zone-pair security ccp-zp-out-self source out-zone destination self service-policy type inspect ccp-permit ! ! ! interface FastEthernet0 ! interface FastEthernet1 ! interface FastEthernet2 ! interface FastEthernet3 ! interface FastEthernet4 --More-- description $ETH-WAN$$ES_WAN$$FW_OUTSIDE$ ip address #external IP was here# 255.255.255.224 ip nat outside ip virtual-reassembly zone-member security out-zone duplex auto speed auto ! interface wlan-ap0 description Service module interface to manage the embedded AP ip unnumbered Vlan1 arp timeout 0 ! interface Wlan-GigabitEthernet0 description Internal switch interface connecting to the embedded AP ! interface Vlan1 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$ ip address 10.10.10.1 255.255.255.0 ip nat inside ip virtual-reassembly zone-member security in-zone ip tcp adjust-mss 1452 --More-- ! ip forward-protocol nd ip route 0.0.0.0 0.0.0.0 FastEthernet4 ip http server ip http access-class 23 ip http authentication local ip http secure-server ip http timeout-policy idle 60 life 86400 requests 10000 ! ! ip nat pool websrv 10.10.10.60 10.10.10.60 netmask 255.255.255.0 ip nat inside source list 1 interface FastEthernet4 overload ip nat inside source static tcp 10.10.10.40 53322 interface FastEthernet4 53322 ip nat inside source static udp 10.10.10.40 53322 interface FastEthernet4 53322 ip nat inside source static tcp 10.10.10.60 80 interface FastEthernet4 80 ip nat inside source static tcp #external IP was here# 80 10.10.10.60 80 extendable ! ip access-list extended web remark webservr remark CCP_ACL Category=2 permit ip any host 10.10.10.60 ! access-list 1 remark INSIDE_IF=Vlan1 --More-- access-list 1 remark CCP_ACL Category=2 access-list 1 permit 10.10.10.0 0.0.0.255 access-list 23 permit 10.10.10.0 0.0.0.7 access-list 100 remark CCP_ACL Category=128 access-list 100 permit ip host 255.255.255.255 any access-list 100 permit ip 127.0.0.0 0.255.255.255 any access-list 100 permit ip 0.0.0.31 any access-list 101 remark CCP_ACL Category=0 access-list 101 permit ip any host 10.10.10.40 access-list 102 remark CCP_ACL Category=0 access-list 102 permit ip any host 10.10.10.60 access-list 103 remark CCP_ACL Category=0 access-list 103 permit ip any host 10.10.10.40 access-list 104 remark CCP_ACL Category=0 access-list 104 permit ip any host 10.10.10.40 access-list 105 remark CCP_ACL Category=0 access-list 105 permit ip any host 10.10.10.60 access-list 106 remark CCP_ACL Category=0 access-list 106 permit ip any host 10.10.10.40 access-list 107 remark CCP_ACL Category=0 access-list 107 permit ip any host 10.10.10.60 access-list 108 remark CCP_ACL Category=0 access-list 108 permit ip any host 10.10.10.40 --More-- access-list 109 remark CCP_ACL Category=0 access-list 109 permit ip any host 10.10.10.60 access-list 110 remark CCP_ACL Category=0 access-list 110 permit ip any host 10.10.10.40 access-list 111 remark CCP_ACL Category=0 access-list 111 permit ip any host 10.10.10.60 access-list 112 remark CCP_ACL Category=0 access-list 112 permit ip any host 10.10.10.60 access-list 113 remark CCP_ACL Category=0 access-list 113 permit ip any host 10.10.10.40 access-list 114 remark CCP_ACL Category=0 access-list 114 permit ip any host 10.10.10.40 access-list 115 remark CCP_ACL Category=0 access-list 115 permit ip any host 10.10.10.40 access-list 116 remark CCP_ACL Category=0 access-list 116 permit ip any host 10.10.10.40 access-list 117 remark CCP_ACL Category=0 access-list 117 permit ip any host 10.10.10.60 no cdp run ! ! ! --More-- ! control-plane ! banner exec ^C % Password expiration warning. ----------------------------------------------------------------------- Cisco Configuration Professional (Cisco CP) is installed on this device and it provides the default username "cisco" for one-time use. If you have already used the username "cisco" to login to the router and your IOS image supports the "one-time" user option, then this username has already expired. You will not be able to login to the router with this username after you exit this session. It is strongly suggested that you create a new username with a privilege level of 15 using the following command. username privilege 15 secret 0 Replace and with the username and password you want to use. ----------------------------------------------------------------------- --More-- ^C banner login ^C Any use of the MARKONHQ consents to monitorring and logging by MARKON IT Administrators. YOU MUST USE CISCO CP or the CISCO IOS CLI TO CHANGE THESE PUBLICLY-KNOWN CREDENTIALS IF YOU DO NOT CHANGE THE PUBLICLY-KNOWN CREDENTIALS, YOU WILL NOT BE ABLE TO LOG INTO THE DEVICE AGAIN AFTER YOU HAVE LOGGED OFF. For more information about Cisco CP please follow the instructions in the QUICK START GUIDE for your router or go to http://www.cisco.com/go/ciscocp ----------------------------------------------------------------------- ^C ! line con 0 no modem enable line aux 0 line 2 --More-- no activation-character no exec transport preferred none transport input all line vty 0 4 access-class 23 in transport input telnet ssh ! scheduler max-task-time 5000 end
First thing, it looks like you don't know how to tftp the config. I would suggest backing up your config with the Solar Windws tftp server (it's free, as in beer).
Second, it looks like you left a lot of info in your config file. I removed the passwords, the external IPs, and a few other bits.
Execute the following command on your router:
copy running-config tftp
Now stop the tftp server on your pc.
More info on tftp and ios configs.
Also since you are just getting started. Make sure to take a look at the NSA Router Configuration Guides. These are free (as in taxes) as well, and will help you configure your router in a secure manner.
I am not quite sure what you want, but if you just want to map port 80 of an external to ip to an internal ip port 80. I think you pretty much have it, but I think you might just need to change:
to
But besides this, if this is production, once you have it working the way you think you want. You might want to pay a consultant to come in and check your work, it doesn't get much more important than the router.
You already have the correct statement for forwarding tcp port 80, which is:
You're probably getting blocked by firewall rules. I'm not familiar with the zone security stuff (I use access-lists), but you might want to try using the external IP address instead of the internal IP address on the ACLs associated with inbound http.