Port 80 on Cisco 2801 not forwarding

LostForWords (IS-IT--Management), Jun 30, 2011
I am working on setting up a Cisco 2801 for a company. The router is doing everything the customer wants it to do but one thing: forwarding port 80 to a web server on an internal IP. All other port forwarding is working at this point. Whenever the customer goes to their web site it brings up the SDM login prompt. I removed the sdm.tar and sdmconfi-2801.cfg from the flash but SDM Express still appears rather than the web page. When I turn off the HTTP server the web browser states that there was a problem loading the page. I am posting the lower half of the config file below; please note that the X.X.X.X is my public IP, just censored. If anyone feels that the whole config is needed to help me then I will post it.


!
interface FastEthernet0/0
 description $ETH-WAN$
 ip address X.X.X.X 255.255.255.248
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 ip virtual-reassembly
 no ip split-horizon
 speed auto
 full-duplex
 no mop enabled
!
interface FastEthernet0/1.1
 encapsulation dot1Q 1 native
 ip address 10.5.5.1 255.255.255.0 secondary
 ip address 10.5.2.2 255.255.255.0 secondary
 ip address 10.5.3.1 255.255.255.0 secondary
 ip address 10.5.4.1 255.255.255.0 secondary
 ip address 10.10.10.1 255.255.0.0 secondary
 ip address 10.5.10.2 255.255.255.0 secondary
 ip address 10.5.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 no snmp trap link-status
!
!
interface FastEthernet0/1.920
 encapsulation dot1Q 920
 ip address 192.168.1.1 255.255.255.248
 ip nat inside
 ip virtual-reassembly
 no snmp trap link-status
!
!
interface Vlan1
 no ip address
!
!
interface Vlan920
 no ip address
!
router rip
 version 2
 passive-interface FastEthernet0/0
 network X.X.X.X
 network X.X.X.X
 network X.X.X.X
 no auto-summary
!
ip route 0.0.0.0 0.0.0.0 X.X.X.X
!
!
ip http server
ip http secure-server
ip nat inside source route-map SDM_RMAP_2 interface FastEthernet0/0 overload
ip nat inside source static tcp 10.5.0.23 25 X.X.X.X 25 extendable
ip nat inside source static tcp 10.5.0.33 53 X.X.X.X 53 extendable
ip nat inside source static udp 10.5.0.33 53 X.X.X.X 53 extendable
ip nat inside source static tcp 10.5.0.23 80 X.X.X.X 80 extendable
ip nat inside source static tcp 10.5.0.23 82 X.X.X.X 82 extendable
ip nat inside source static tcp 10.5.0.23 110 X.X.X.X 110 extendable
ip nat inside source static tcp 10.5.0.23 3389 X.X.X.X 3389 extendable
ip nat inside source static tcp 10.5.0.106 3390 X.X.X.X 3390 extendable
ip nat inside source static tcp 10.5.0.26 3391 X.X.X.X 3391 extendable
!
access-list 101 permit ip 10.5.0.0 0.0.0.255 10.5.2.0 0.0.0.255
access-list 102 remark SDM_ACL Category=20
access-list 102 permit ip 10.5.0.0 0.0.0.255 10.5.1.0 0.0.0.255
access-list 102 permit ip 10.5.3.0 0.0.0.255 10.5.1.0 0.0.0.255
access-list 103 permit ip 10.5.0.0 0.0.0.255 10.5.10.0 0.0.0.255
access-list 104 remark SDM_ACL Category=2
access-list 104 deny ip 10.5.3.0 0.0.0.255 10.5.1.0 0.0.0.255
access-list 104 deny ip 10.5.0.0 0.0.0.255 10.5.10.0 0.0.0.255
access-list 104 deny ip 10.5.0.0 0.0.0.255 10.5.1.0 0.0.0.255
access-list 104 deny ip 10.5.0.0 0.0.0.255 10.5.2.0 0.0.0.255
access-list 104 permit ip 10.5.3.0 0.0.0.255 any
access-list 104 permit ip 10.5.4.0 0.0.0.255 any
access-list 104 permit ip 10.5.5.0 0.0.0.255 any
access-list 104 permit ip 10.10.0.0 0.0.255.255 any
access-list 104 permit ip 10.5.0.0 0.0.0.255 any
access-list 104 permit ip 10.5.10.0 0.0.0.255 any
access-list 104 permit ip 10.5.2.0 0.0.0.255 any
access-list 104 permit tcp any any eq www
!
!
route-map SDM_RMAP_1 permit 1
 match ip address 100
!
route-map SDM_RMAP_2 permit 1
 match ip address 104
!
!
!
 
Same issue as OP, and in my case even with ip http server/secure server off it doesn't work.
 
I did turn off both the ip http server and the ip http secure-server.

To turn them off I just used the "no" command.
 
Weird, I have a 2801 in my home lab ... I will give it a try this evening. What version of code are you running?
 
I tried it in my home lab and it works just fine either way I configured NAT. I am running 12.4.13 advanced security on my 2801. The outside connects to a layer 3 switch and the inside connects directly to a PC with the IP 192.0.2.2 and is running HFS, which is a small HTTP server I use for testing.

Personally, when using the router's IP address I like to use the physical interface "interface f0/0" in my NAT versus the IP. It's the way it has to work on the PIX and thus I stuck with it on the routers.

See examples below.

Example 1:


!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
resource policy
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
ip cef
!
!
no ip dhcp use vrf connected
!
ip dhcp pool data
 network 192.0.2.0 255.255.255.0
 default-router 192.0.2.1
 domain-name example.loc
!
!
!
interface FastEthernet0/0
 description outside
 ip address 10.255.255.20 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 192.0.2.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface Serial0/3/0
 no ip address
 shutdown
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.255.255.1
!
!
no ip http server
no ip http secure-server
ip nat inside source static tcp 192.0.2.2 80 interface FastEthernet0/0 80
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0/0 overload
!
access-list 100 permit ip 192.0.2.0 0.0.0.255 any
route-map SDM_RMAP_1 permit 1
 match ip address 100
!

line con 0
line aux 0
line vty 0 4
 login
!
end


Example 2:

Router#show run
Building configuration...

Current configuration : 1238 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
resource policy
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
ip cef

no ip dhcp use vrf connected
!
ip dhcp pool data
 network 192.0.2.0 255.255.255.0
 default-router 192.0.2.1
 domain-name example.loc

interface FastEthernet0/0
 description outside
 ip address 10.255.255.20 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 192.0.2.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface Serial0/3/0
 no ip address
 shutdown
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.255.255.1
!
!
no ip http server
no ip http secure-server
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0/0 overload
ip nat inside source static tcp 192.0.2.2 80 10.255.255.20 80 extendable
!
access-list 100 permit ip 192.0.2.0 0.0.0.255 any
route-map SDM_RMAP_1 permit 1
 match ip address 100
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
 login
!
end
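
An added example, not part of any post in this thread: a small Python audit that parses both static NAT forms shown in Examples 1 and 2 (explicit global IP and "interface FastEthernet0/0") and flags any forwarded TCP port that the router's own "ip http server" or "ip http secure-server" also uses, which is the combination this thread is about. The sample config is constructed, the function names are hypothetical, and the check assumes the web servers are on their default ports 80 and 443.

```python
import re

# Constructed sample, modelled on the configurations posted in this thread.
SAMPLE_CONFIG = """\
ip http server
no ip http secure-server
ip nat inside source static tcp 192.0.2.2 80 interface FastEthernet0/0 80
ip nat inside source static tcp 192.0.2.2 3389 10.255.255.20 3389 extendable
ip nat inside source static udp 192.0.2.3 53 10.255.255.20 53 extendable
"""

# Both forms from the thread: explicit global IP, or "interface <name>".
STATIC_NAT = re.compile(
    r"^ip nat inside source static (?P<proto>tcp|udp) "
    r"(?P<local_ip>\S+) (?P<local_port>\d+) "
    r"(?:interface (?P<iface>\S+)|(?P<global_ip>\S+)) (?P<global_port>\d+)"
)
# Assumption: the router's web servers listen on their default ports.
MGMT_SERVERS = {"ip http server": 80, "ip http secure-server": 443}


def parse_config(text):
    """Return (static port forwards, ports the router's own web servers use)."""
    forwards, mgmt_ports = [], set()
    for raw in text.splitlines():
        line = raw.strip()
        if line in MGMT_SERVERS:  # a "no ..." line is never an exact match
            mgmt_ports.add(MGMT_SERVERS[line])
        m = STATIC_NAT.match(line)
        if m:
            fwd = m.groupdict()
            fwd["local_port"] = int(fwd["local_port"])
            fwd["global_port"] = int(fwd["global_port"])
            forwards.append(fwd)
    return forwards, mgmt_ports


def audit(text):
    """List forwards whose outside TCP port the router itself also serves."""
    forwards, mgmt_ports = parse_config(text)
    return [
        f"tcp/{f['global_port']} -> {f['local_ip']}:{f['local_port']} "
        "overlaps the router's own HTTP(S) server"
        for f in forwards
        if f["proto"] == "tcp" and f["global_port"] in mgmt_ports
    ]


if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONFIG)))
```

The same parse output also gives a quick inventory of every inside service published to the outside interface, such as the 3389 forward in the sample.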


 
I am running C2801-ADVSECURITYK9-M Version 12.4(6)T as my IOS.

Also, here is a copy of what is in my flash; I may not have removed all of the files I needed to.

-#- --length-- -----date/time------ path
1 1038 May 17 2011 15:20:06 +00:00 home.shtml
2 112640 May 17 2011 15:20:08 +00:00 home.tar
3 1505280 May 17 2011 15:20:10 +00:00 common.tar
4 931840 May 17 2011 15:20:28 +00:00 es.tar
5 21201044 May 17 2011 16:35:56 +00:00 c2801-advsecurityk9-mz.124-6.T.bin
6 8792 Jun 27 2011 20:13:22 +00:00 start

 