Need help on NAT.

Hello folks,
     I am still messing about with my GNS3 lab here. My topology is like this: (cloud)-----(router)-----(ASA FW)----(SW)------LAN.
I can ping out from the router and from the ASA firewall, but I can't figure out how to make my LAN ping outside. I searched too.
I'd greatly appreciate it!!!
Here are my basic configs on the FW and Router:
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface GigabitEthernet0
nameif outside
security-level 0
ip address 10.10.10.1 255.255.255.0
interface GigabitEthernet1
nameif inside
security-level 100
ip address 172.168.1.1 255.255.255.0
interface GigabitEthernet2
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet3
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet4
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet5
shutdown
no nameif
no security-level
no ip address
ftp mode passive
object network inside_mapped
subnet 172.168.1.0 255.255.255.0
object network internal_lan
subnet 172.168.1.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
route outside 0.0.0.0 0.0.0.0 10.10.10.2 1
route outside 0.0.0.0 0.0.0.0 192.168.137.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
  inspect icmp
  inspect icmp error
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email [email protected]
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
crashinfo save disable
Cryptochecksum:d751984bd942d8b192f58d6b2e8afe8a
Router1:
Current configuration : 1108 bytes
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname R1
boot-start-marker
boot-end-marker
no aaa new-model
memory-size iomem 5
ip cef
no ip domain lookup
ip domain name lab.local
multilink bundle-name authenticated
interface FastEthernet0/0
description To Internet
ip address dhcp
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
interface FastEthernet0/1
description inside edge router
ip address 10.10.10.2 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
ip route 0.0.0.0 0.0.0.0 192.168.137.1
no ip http server
no ip http secure-server
ip nat inside source list 1 interface FastEthernet0/0 overload
access-list 1 permit 172.168.0.0 0.0.255.255
access-list 1 permit 10.10.10.0 0.0.0.255
access-list 1 permit 172.168.1.0 0.0.0.255
control-plane
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
login

Hi,
Your router doesn't have a route for your LAN network behind the ASA. Since the ASA is not doing Dynamic PAT or similar at the moment, the LAN will show with its original IP address to the Router, so it needs a route pointing back towards the ASA to be able to return the ICMP Echo Reply messages back to LAN users.
Try adding
ip route 172.168.1.0 255.255.255.0 10.10.10.1
On the router
Also the ASA seems to have some route that is not needed
no route outside 0.0.0.0 0.0.0.0 192.168.137.1 1
Hope this helps
Remember to mark the reply as the correct answer if it answered your question.
Ask more if needed
- Jouni
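The return-path reasoning in the reply above, as an added example that is not part of the original thread: a small Python model of R1's forwarding decision for the ICMP echo reply. It takes the routes visible in the posted R1 config (the connected 10.10.10.0/24 on Fa0/1 and the default route to 192.168.137.1), does a longest-prefix lookup, and shows that without a route for 172.168.1.0/24 the reply is handed to the ISP next hop instead of the ASA, and that either the suggested static route or dynamic PAT on the ASA puts the reply back on the path to the LAN. The LAN host address 172.168.1.10 is a constructed sample; the route table is a simplification of what the router actually holds (DHCP-learned connected routes on Fa0/0 are omitted).

```python
import ipaddress

# Addresses from the posted configs: ASA GigabitEthernet0 ("outside") and
# R1 FastEthernet0/1 share 10.10.10.0/24; R1's default route points at 192.168.137.1.
ASA_OUTSIDE = "10.10.10.1"
ISP_NEXT_HOP = "192.168.137.1"

# Routing table as (prefix, next_hop). next_hop None = directly connected,
# i.e. the router delivers straight to the destination address.
ROUTER_AS_POSTED = [
    ("10.10.10.0/24", None),          # connected via Fa0/1
    ("0.0.0.0/0", ISP_NEXT_HOP),      # ip route 0.0.0.0 0.0.0.0 192.168.137.1
]
# The suggested fix: ip route 172.168.1.0 255.255.255.0 10.10.10.1
ROUTER_FIXED = ROUTER_AS_POSTED + [("172.168.1.0/24", ASA_OUTSIDE)]


def lookup(routes, dst):
    """Longest-prefix match. Returns the address the router hands the packet
    to (the destination itself for a connected prefix, otherwise the next hop),
    or None when nothing matches."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    if best is None:
        return None
    return dst if best[1] is None else best[1]


def reply_delivered_to(routes, lan_host, asa_does_pat):
    """Where R1 forwards the echo reply after undoing its own overload NAT.

    Without PAT on the ASA the inner destination is the LAN host's real
    address, so R1 needs a route for that network. With dynamic PAT on the
    ASA the reply is addressed to the ASA's outside interface, which sits on
    the connected 10.10.10.0/24 and needs no extra route."""
    return lookup(routes, ASA_OUTSIDE if asa_does_pat else lan_host)


def reply_reaches_asa(routes, lan_host="172.168.1.10", asa_does_pat=False):
    """True when the reply is handed to the ASA rather than sent toward the ISP."""
    return reply_delivered_to(routes, lan_host, asa_does_pat) == ASA_OUTSIDE


if __name__ == "__main__":
    lan_host = "172.168.1.10"  # constructed sample host behind the ASA
    for label, routes in (("as posted", ROUTER_AS_POSTED), ("with static route", ROUTER_FIXED)):
        print(f"{label:>18}: reply goes to {reply_delivered_to(routes, lan_host, False)}")
    print(f"{'ASA doing PAT':>18}: reply goes to {reply_delivered_to(ROUTER_AS_POSTED, lan_host, True)}")
```

The model makes the two alternatives explicit: add the static route on R1 (reply addressed to 172.168.1.10 now matches the /24 via 10.10.10.1), or translate on the ASA so the router only ever sees 10.10.10.1, which it already knows as connected.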

Similar Messages

  • Need help opening NAT type to OPEN on a model WRT54GS router for xbox 360

    I have tried other people's advice and when I test Xbox Live I always get a Moderate NAT type. I am becoming frustrated with how it is not working and I am hoping someone can help me. Please leave advice/suggestions and thank you for your time.

    Open the setup page of the router using 192.168.1.1, putting the password as admin with the username blank, & click the Administration tab; on the same page you will see UPnP. You need to set it to disable in order to help open the NAT type to OPEN.

  • Need Help Opening Nat for Xbox 360

    I've searched these threads and found some solutions but it looks like my router's homepage has been updated and I cannot find some of the options needed. Anyone have an updated solution for opening an Xbox NAT to open?
    Thanks!

    What is the brand and model of this router?
    If you are the original poster (OP) and your issue is solved, please remember to click the "Solution?" button so that others can more easily find it. If anyone has been helpful to you, please show your appreciation by clicking the "Kudos" button.

  • Need help opening nat

    It seems that every time I call, the techs don't know what I'm talking about. So I'm gonna ask you guys: how do I open the NAT on my Westell 7500 modem/router?

    #1 For what?
    A game console (for example an Xbox), a web server, an FTP server?
    #2 If a game console, for only one of them OR at least two?
    If you are the original poster (OP) and your issue is solved, please remember to click the "Solution?" button so that others can more easily find it. If anyone has been helpful to you, please show your appreciation by clicking the "Kudos" button.

  • Need help changing NAT type (3 -- 2)

    Dear,
    I'm new to this forum so forgive me if this is misplaced 
    Before I bought my router the NAT type was 2 which was fine. Using this router it's NAT type 3 which makes online matchmaking difficult (PS3).
    I would like to change it to NAT type 2 but I don't have any experience with ports and changing settings in a router. So if anyone of you could help me out that would be great! 
    Router:
    Model number: WRT120N
    Version: 1.0
    Model name: Wireless-N Home router
    Thanks

    Try upgrading the firmware of the router first. for instructions, try this
    Then, do the port forwarding or port triggering. These links might help you with it:
    Differences between Port Forwarding and Port Triggering
    How to Set up Port Forwarding for Game Consoles and other Devices on your Valet or Linksys Wireless-...
    How to Set up Port Triggering for Game consoles and other devices on your Valet or Linksys Wireless-...

  • Need help for NAT, ACL for VoIP

    Dear experts
    I configured my PBX server to work with one VoIP provider. When I put the server in a blank network, meaning without VLANs,
    the IP PBX server can register to the VoIP provider system normally and I can make calls out and receive calls normally.
    However, when I put the PBX behind the Cisco router with some configuration, the PBX cannot register with the VoIP provider system.
    Even though I can receive calls from outside, I cannot make a call from inside to outside, because the PBX cannot register.
    Could you please help me to point out what is wrong with my Cisco router configuration?
    Thanks a lot
    Building configuration...
    Current configuration : 1982 bytes
    ! Last configuration change at 17:18:27 UTC Mon Feb 24 2014
    version 15.1
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname Router
    boot-start-marker
    boot-end-marker
    enable secret 5 $1$ZJEF$8np0QvQTD1nTaOosa9yGW1
    no aaa new-model
    memory-size iomem 20
    no ipv6 cef
    ip source-route
    ip cef
    multilink bundle-name authenticated
    crypto pki token default removal timeout 0
    license udi pid CISCO2911/K9 sn FTX1603AH9C
    interface Embedded-Service-Engine0/0
    no ip address
    interface GigabitEthernet0/0
    description internal-LAN
    ip address x.x.x.4 255.255.0.0
    ip nat inside
    ip virtual-reassembly in
    duplex auto
    speed auto
    interface GigabitEthernet0/1
    no ip address
    duplex auto
    speed auto
    interface GigabitEthernet0/1.1
    encapsulation dot1Q 11
    ip address 172.x.x.1 255.255.240.0
    interface GigabitEthernet0/2
    description internet
    ip address 50.x.x.93 255.255.x.x
    ip nat outside
    ip virtual-reassembly in
    duplex auto
    speed auto
    ip forward-protocol nd
    no ip http server
    no ip http secure-server
    ip nat inside source list 100 interface GigabitEthernet0/2 overload
    ip nat inside source static udp x.x.x.8 5060 50.x.x.93 5060 extendable
    ip route profile
    ip route 0.0.0.0 0.0.0.0 50.x.x.94
    ip route 172.16.240.0 255.255.x.0 x.x.x.5
    ip route 172.16.242.0 255.255.x.0 x.x.x.5
    access-list 100 permit ip x.x.0.0 0.0.255.255 any
    access-list 100 permit ip 172.16.240.0 0.0.0.255 any
    access-list 100 permit ip 172.16.242.0 0.0.0.255 any
    access-list 100 permit udp any any range 5004 5090
    access-list 100 permit udp any any range 10000 20000
    control-plane
    line con 0

    Hello.
    Do you have the same static NAT mapping for TCP 5060?

  • Needs help on NAT

    global (outside) 2 interface
    nat (inside) 2 access-list dmz
    access-list dmz permit ip 21.21.0.0 255.255.0.0
    nat (inside) 0 0.0.0.0 0.0.0.0
    static(inside,outside) 3.3.3.0 3.3.3.0 netmask 255.255.255.0
    static(inside,outside) 3.3.4.0 3.3.4.0 netmask 255.255.255.0
    The problem here is I am unable to translate the 21.21.0.0 network to its global interface address.
    Is the nat (inside) 0 0.0.0.0 0.0.0.0 the cause for not able to translate? Is it safe to remove this command?
    thanks,

    Hello Kope,
    Yes, that is the cause of the issue, please remove it!
    Removing this, you will start making translations from the inside of your ASA; that is all that is going to change.
    Regards,
    Do rate helpful posts
    Julio

  • Need help with setting up 2 xboxs to open NATS with my Cisco DPC3825

    Hey,
    I have 2 Xboxes, 1 is wired and one has the Microsoft adapter for wireless. I have been searching tons of forums to try to solve this issue, and I'm at my wits' end with it! I really need both my NATs open; so far I can get 1 NAT open while the other one is strict. I have a Cisco DPC3825. Any help would be great!! Thanks!

    Hi Casteel,
    Thank you for your question. However, this community is for Cisco Small Business Products and the DPC3825 is not a Cisco Small Business Product.
    Your product is an internet service provider (ISP) supported product. In other words, you need to contact your ISP or the technology reseller that you purchased this from to help you with your question.
    Regards,
    Cindy Toy
    Cisco Small Business Community Manager
    for Cisco Small Business Products
    www.cisco.com/go/smallbizsupport

  • I need help!!! configuring RDP access to my local server from a remote location on my Cisco ASA 5505 Firewall.

    I need help configuring RDP access to my local server from a remote location on my Cisco ASA 5505 Firewall.
    I have attempted to configure RDP access but it does not seem to be working for me. Could I please ask someone to help me modify my current configuration to allow this? Please do it step by step, as I could use all the help I can get.
    I need to allow the following IP addresses to have RDP access to my server:
    66.237.238.193-66.237.238.222
    69.195.249.177-69.195.249.190
    69.65.80.240-69.65.80.249
    My external WAN server info is - 99.89.69.333
    The internal IP address of my server is - 192.168.6.2
    The other server shows up as 99.89.69.334 but is working fine.
    I already added one server for a static route and RDP, but when I try to put in the same commands it doesn't allow me to for this new one. Please take a look at my configuration file and give me the commands I need in order to put this through. Also please tell me if there are any bad/conflicting entries.
    THE FOLLOWING IS MY CONFIGURATION FILE
    Also I have modified IP information so that it's not the ACTUAL IP info for my server/network etc... lol for security reasons of course
    Also the bolded lines are the modifications I made but that aren't working.
    ASA Version 7.2(4)
    hostname ciscoasa
    domain-name default.domain.invalid
    enable password DowJbZ7jrm5Nkm5B encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.6.254 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address 99.89.69.233 255.255.255.248
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    ftp mode passive
    dns server-group DefaultDNS
    domain-name default.domain.invalid
    object-group network EMRMC
    network-object 10.1.2.0 255.255.255.0
    network-object 192.168.10.0 255.255.255.0
    network-object 192.168.11.0 255.255.255.0
    network-object 172.16.0.0 255.255.0.0
    network-object 192.168.9.0 255.255.255.0
    object-group service RDP tcp
    description RDP
    port-object eq 3389
    object-group service GMED tcp
    description GMED
    port-object eq 3390
    object-group service MarsAccess tcp
    description MarsAccess
    port-object range pcanywhere-data 5632
    object-group service MarsFTP tcp
    description MarsFTP
    port-object range ftp-data ftp
    object-group service MarsSupportAppls tcp
    description MarsSupportAppls
    port-object eq 1972
    object-group service MarsUpdatePort tcp
    description MarsUpdatePort
    port-object eq 7835
    object-group service NM1503 tcp
    description NM1503
    port-object eq 1503
    object-group service NM1720 tcp
    description NM1720
    port-object eq h323
    object-group service NM1731 tcp
    description NM1731
    port-object eq 1731
    object-group service NM389 tcp
    description NM389
    port-object eq ldap
    object-group service NM522 tcp
    description NM522
    port-object eq 522
    object-group service SSL tcp
    description SSL
    port-object eq https
    object-group service rdp tcp
    port-object eq 3389
    access-list outside_1_cryptomap extended permit ip 192.168.6.0 255.255.255.0 object-group EMRMC
    access-list inside_nat0_outbound extended permit ip 192.168.6.0 255.255.255.0 192.168.0.0 255.255.0.0
    access-list inside_nat0_outbound extended permit ip 192.168.6.0 255.255.255.0 object-group EMRMC
    access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 host 99.89.69.334 eq pcanywhere-data
    access-list outside_access_in extended permit udp 69.16.158.128 255.255.255.128 host 99.89.69.334 eq pcanywhere-status
    access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 host 99.89.69.334 object-group RDP
    access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 192.168.6.0 255.255.255.0 eq ftp
    access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 192.168.6.0 255.255.255.0 eq ldap
    access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 192.168.6.0 255.255.255.0 eq h323
    access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 192.168.6.0 255.255.255.0 eq telnet
    access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 192.168.6.0 255.255.255.0 eq www
    access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 host 99.89.69.334 object-group SSL
    access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 192.168.6.0 255.255.255.0 object-group NM522
    access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 192.168.6.0 255.255.255.0 object-group NM1731
    access-list outside_access_in extended permit tcp 173.197.144.48 255.255.255.248 host 99.89.69.334 object-group RDP
    access-list outside_access_in extended permit tcp any interface outside eq 3389
    access-list outside_access_in extended permit tcp host 66.237.238.194 host 99.89.69.333
    access-list outside_access_in extended permit tcp host 66.237.238.194 host 99.89.69.333 object-group rdp
    access-list outside_access_in extended permit tcp any host 99.89.69.333 object-group rdp
    access-list out_in extended permit tcp any host 192.168.6.2 eq 3389
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-524.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 0.0.0.0 0.0.0.0
    static (inside,outside) tcp 99.89.69.334 3389 192.168.6.1 3389 netmask 255.255.255.255
    static (inside,outside) tcp interface 3389 192.168.6.2 3389 netmask 255.255.255.255
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 99.89.69.338 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    http server enable
    http 192.168.6.0 255.255.255.0 inside
    http 0.0.0.0 0.0.0.0 outside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto map outside_map 1 match address outside_1_cryptomap
    crypto map outside_map 1 set peer 68.156.148.5
    crypto map outside_map 1 set transform-set ESP-3DES-MD5
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash md5
    group 1
    lifetime 86400
    crypto isakmp policy 30
    authentication pre-share
    encryption 3des
    hash md5
    group 2
    lifetime 86400
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd auto_config outside
    tunnel-group 68.156.148.5 type ipsec-l2l
    tunnel-group 68.156.148.5 ipsec-attributes
    pre-shared-key *
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum:f47dfb2cf91833f0366ff572eafefb1d
    : end
    ciscoasa(config-network)#

    Unclear what did not work. In your original post you said some commands were added but don't work:
    static (inside,outside) tcp interface 3389 192.168.6.2 3389 netmask 255.255.255.255
    and later you state you add another command that gets an error:
    static (inside,outside) tcp 99.89.69.333 3389 192.168.6.2 3389 netmask 255.255.255.255
    You also stated that 99.89.69.333 (actually 99.89.69.233, guessing from the rest of your config and other posts) is your WAN IP address.
    The first static statement matches Cisco's documentation, which states that a static statement must use the 'interface' directive when you are trying to do static PAT utilizing the IP address of the interface. Since 99.89.69.333 is the assigned IP address of your WAN interface, that may explain why the second statement fails.
    Any reason why you are using static PAT (including the port number 3389) instead of just skipping that directive? Static PAT usually makes sense when you need to change the TCP port number. In your example, you are not changing the TCP port 3389.

  • Need help for access list problem

    Cisco 2901 ISR
    I need help with my configuration.... Although it is working fine, it is not secure because everybody can access the internet.
    I want to deny this IP range and permit only TMG server to have internet connection. My DHCP server is the 4500 switch.
    Anybody can help?
    DENY    10.25.0.1 – 10.25.0.255
            10.25.1.1 – 10.25.1.255
    Permit only 1 host for Internet
            10.25.7.136  255.255.255.192 ------ TMG Server
    Using access-list.
    ( Current configuration  )
    object-group network IP
    description Block_IP
    range 10.25.0.2 10.25.0.255
    range 10.25.1.2 10.25.1.255
    interface GigabitEthernet0/0
    ip address 192.168.2.3 255.255.255.0
    ip nat inside
    ip virtual-reassembly in max-fragments 64 max-reassemblies 256
    duplex auto
    speed auto
    interface GigabitEthernet0/1
    description ### ADSL WAN Interface ###
    no ip address
    pppoe enable group global
    pppoe-client dial-pool-number 1
    interface ATM0/0/0
    no ip address
    no atm ilmi-keepalive
    interface Dialer1
    description ### ADSL WAN Dialer ###
    ip address negotiated
    ip mtu 1492
    ip nat outside
    no ip virtual-reassembly in
    encapsulation ppp
    dialer pool 1
    dialer-group 1
    ppp authentication pap callin
    ppp pap sent-username xxxxxxx password 7 xxxxxxxxx
    ip nat inside source list 101 interface Dialer1 overload
    ip route 0.0.0.0 0.0.0.0 Dialer1
    ip route 10.25.0.0 255.255.0.0 192.168.2.1
    access-list 101 permit ip 10.25.0.0 0.0.255.255 any
    access-list 105 deny   ip object-group IP any
    From the 4500 Catalyst switch
    ( Current Configuration )
    interface GigabitEthernet0/48
    no switchport
    ip address 192.168.2.1 255.255.255.0
    interface GigabitEthernet2/42
    ip route 0.0.0.0 0.0.0.0 192.168.2.3

    Hello,
    Hosts can't get an internet connection.
    I removed this configuration: access-list 101 permit ip 10.25.0.0 0.0.255.255 any
    and changed the configuration to:
    ip access-list extended 101
    5 permit ip host 10.25.7.136 any
    In this case I will allow only host 10.25.7.136, but it doesn't work.
    No internet connection from the TMG Server.
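As an added example (not part of the original thread, and not the poster's config), a small Python evaluator for the IOS access-list source matching used in this post: wildcard masks (`10.25.0.0 0.0.255.255`), `host` entries, `object-group network` ranges, and the implicit deny at the end of every list. It shows exactly which sources the posted `access-list 101` hands to the NAT rule, what the rewritten TMG-only version matches, and that `access-list 105` as posted, which contains only a deny line, denies every source; it also handles the standard ACL 1 from the first post of this page. The sample addresses 10.25.3.77 and 192.168.2.50 are constructed; destination, protocol and port fields are ignored because only the source decides what enters the NAT list here.

```python
import ipaddress

IMPLICIT_DENY = "deny"


def _to_int(ip):
    return int(ipaddress.IPv4Address(ip))


def wildcard_match(addr, base, wildcard):
    """IOS wildcard semantics: a 0 bit in the wildcard must match the base,
    a 1 bit is ignored (the inverse of a subnet mask)."""
    care = 0xFFFFFFFF ^ _to_int(wildcard)
    return (_to_int(addr) & care) == (_to_int(base) & care)


def parse_object_group(lines):
    """Parse the 'range A B' lines of an 'object-group network' block into (lo, hi) ints."""
    ranges = []
    for line in lines:
        tok = line.split()
        if tok[:1] == ["range"]:
            ranges.append((_to_int(tok[1]), _to_int(tok[2])))
    return ranges


def parse_ace(line, object_groups=None):
    """Return (action, source_predicate) for one standard or extended IOS ACE.

    Source forms handled: 'any', 'host X', 'X WILDCARD', 'object-group NAME'
    and a bare address (standard ACL). Everything after the source is ignored."""
    object_groups = object_groups or {}
    tok = line.split()
    # Drop the leading 'access-list N' or the sequence number of a named ACL entry.
    while tok and tok[0] not in ("permit", "deny"):
        tok.pop(0)
    action = tok.pop(0)
    if tok and tok[0] in ("ip", "tcp", "udp", "icmp"):  # extended ACE protocol field
        tok.pop(0)
    src = tok[0]
    if src == "any":
        return action, lambda a: True
    if src == "host":
        host = _to_int(tok[1])
        return action, lambda a: _to_int(a) == host
    if src == "object-group":
        ranges = object_groups[tok[1]]
        return action, lambda a: any(lo <= _to_int(a) <= hi for lo, hi in ranges)
    # 'X WILDCARD', or a bare host address in a standard ACL (wildcard 0.0.0.0)
    wildcard = tok[1] if len(tok) > 1 and "." in tok[1] else "0.0.0.0"
    return action, lambda a: wildcard_match(a, src, wildcard)


def evaluate(acl_lines, addr, object_groups=None):
    """First matching entry wins; a list with no matching entry denies (implicit deny)."""
    for line in acl_lines:
        action, matches = parse_ace(line, object_groups)
        if matches(addr):
            return action
    return IMPLICIT_DENY


# NAT match list as posted: every 10.25.x.x source is translated.
ACL_101_AS_POSTED = ["access-list 101 permit ip 10.25.0.0 0.0.255.255 any"]
# The follow-up rewrite: only the TMG server is permitted.
ACL_101_TMG_ONLY = ["5 permit ip host 10.25.7.136 any"]
# access-list 105 as posted references the object-group and has no permit line at all.
OBJECT_GROUPS = {"IP": parse_object_group(["range 10.25.0.2 10.25.0.255",
                                           "range 10.25.1.2 10.25.1.255"])}
ACL_105 = ["access-list 105 deny   ip object-group IP any"]
# Standard ACL 1 from the first post on this page.
ACL_1_R1 = ["access-list 1 permit 172.168.0.0 0.0.255.255",
            "access-list 1 permit 10.10.10.0 0.0.0.255",
            "access-list 1 permit 172.168.1.0 0.0.0.255"]

if __name__ == "__main__":
    for src in ("10.25.3.77", "10.25.7.136", "192.168.2.50"):   # constructed samples
        print(f"{src:>13}: ACL 101 posted={evaluate(ACL_101_AS_POSTED, src)}, "
              f"TMG-only={evaluate(ACL_101_TMG_ONLY, src)}, "
              f"ACL 105={evaluate(ACL_105, src, OBJECT_GROUPS)}")
```

Running it shows the two things a reviewer of this config would check: the posted list 101 permits the whole 10.25.0.0/16 (so every host matches the NAT rule), and list 105 denies even 10.25.7.136 because nothing in it permits anything, so any interface or NAT rule it is attached to would block all traffic.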

  • Need help Setting up Multiple Static Ip , 1 for each port of the fios router

    Need help Setting up multiple Static Ip on my fios router
    I have been trying to figure out how to set up multiple ip in my fios router.
    I kind of managed to set up multiple static IPs. However, the way I want it is for each port of my router to have an external IP assigned to it (like 4 different modems in 1).
    Verizon gave me 5 static IPs but they cannot help me set them up.
    Has anyone here done more than one static IP on different ports? I assume that the process will be the same after the second static IP.

    You want to set up Static NAT. You will not assign the IP to a port, but rather to a local machine. Figure out what machines you want your IPs to go to. Under the firewall section you will see static NAT. Pick the machine you want and enter one of the IPs you were assigned.

  • Help: Strict NAT 360 Xbox WRT54Gv2 Wired

    Need help opening the NAT settings on the router. I have 2 Xboxes wired to the router. I am able to get an open NAT on either 1 of the 2 Xboxes, but never both at the same time. Seems like the port forwarding only works on the first static IP entered on the router setup. The DMZ settings sometimes provide for a moderate NAT, but it never lasts. Have read many posts and tried several settings.

    How have you configured the settings on your router and on the Xbox? Have you assigned a static IP to your Xbox, or is your Xbox getting an IP address from the router's DHCP?
    If you have already assigned static IPs to both Xboxes and already opened the ports and it's still not working, then you can try to upgrade the firmware of your router.
    Once you upgrade the firmware on your router, you need to reset the router and re-configure all the settings on it from scratch.

  • Need Help on Configuring the Site to Site VPN from Cisco 2811 to Websense Cloud for web Traffic redirect

    Hi All,
    I need help on Configuring the Site to Site VPN from Cisco 2811 to Websense Cloud for web Traffic redirect
    2811 having C2800NM-ADVIPSERVICESK9-M
    2811 router connects to the Internet SW then connects to the Internet router.
    Note: for authentication I am using the Device ID & pre-shared key. I am worried, as all user traffic goes with PAT and is not firing up my tunnel for port 80 traffic. Can you please suggest what the issue can be?
    Below is router config for VPN & NAT
    crypto keyring ISR_Keyring
      pre-shared-key hostname vpn.websense.net key 2c22524d554556442d222d565f545246
    crypto isakmp policy 1
    encr 3des
    authentication pre-share
    group 2
    crypto isakmp keepalive 10
    crypto isakmp profile isa-profile
       keyring ISR_Keyring
       self-identity user-fqdn [email protected]
       match identity user vpn-proxy.websense.net
    crypto ipsec transform-set ESP-NULL-SHA esp-null esp-sha-hmac
    crypto map GUEST_WEB_FILTER 10 ipsec-isakmp
    set peer vpn.websense.net dynamic
    set transform-set ESP-NULL-SHA
    set isakmp-profile isa-profile
    match address 101
    interface FastEthernet0/1
    description connected to Internet
    ip address 216.222.208.101 255.255.255.128
    ip access-group HVAC_Public in
    ip nat outside
    ip virtual-reassembly
    duplex full
    speed 100
    no cdp enable
    crypto map GUEST_WEB_FILTER
    access-list 101 permit tcp 192.168.8.0 0.0.3.255 any eq www
    access-list 103 deny   ip 192.168.8.0 0.0.3.255 host 85.115.41.187 log
    access-list 103 deny   ip 192.168.8.0 0.0.3.255 host 85.115.41.181 log
    access-list 103 deny   ip 192.168.8.0 0.0.3.255 host 85.115.41.182 log
    access-list 103 deny   ip 192.168.8.0 0.0.3.255 86.111.216.0 0.0.1.255
    access-list 103 deny   ip 192.168.8.0 0.0.3.255 116.50.56.0 0.0.7.255
    access-list 103 deny   ip 192.168.8.0 0.0.3.255 86.111.220.0 0.0.3.255
    access-list 103 deny   ip 192.168.8.0 0.0.3.255 103.1.196.0 0.0.3.255
    access-list 103 deny   ip 192.168.8.0 0.0.3.255 177.39.96.0 0.0.3.255
    access-list 103 deny   ip 192.168.8.0 0.0.3.255 196.216.238.0 0.0.1.255
    access-list 103 permit ip 192.168.8.0 0.0.3.255 any
    ip nat pool mypool 216.222.208.101 216.222.208.101 netmask 255.255.255.128
    ip nat inside source list 103 interface FastEthernet0/1 overload
    ip nat inside source route-map nonat pool mypool overload

    How does Websense expect your source IPs in the tunnel? 192.168.8.0 0.0.3.255 or PAT'ed 216.222.208.101 ?
    Check
    show crypto isakmp sa
    show crypto ipsec sa
    show crypto session
    You'd better remove the preshared key from your post.

  • Need an open NAT for 3 consoles and computer

    Have 2 Xbox 360's and a PS3 and can't get an Open NAT on any of them. I have done what I needed to do for the open, but both Xboxes read a Moderate or Strict NAT rating, and the same for the PS3. I need help. I am using a Linksys E1000 router.

    Well it is not recommended to play two (2) Xbox 360® units on the same network connected to the same game server since the modem will only generate a single WAN IP address. But still you can do certain settings on router to make (2) Xbox 360 working. 
    Here is the link which can help you in opening NAT: http://www6.nohold.net/Cisco2/ukp.aspx?pid=93&login=1&vw=1&app=search&articleid=23787&userrole=Links... 

  • Need Help for redirect to HTTPS

    Hello forum members,
    I have difficulty configuring HTTP to HTTPS redirection while accessing a specific URL.
    The case:
    I have www.foo-bar.com.god in HTTP; in the web page there is www.foo-bar.com.god/trust/* that must be accessed in HTTPS.
    Is there any specific line of config to apply in my config?
    My config is below.
    ### start
    access-list INBOUND line 8 extended permit ip any any
    parameter-map type http PERSISTENCE-REBALANCE
    persistence-rebalance
    parameter-map type ssl SSL_END_to_END
      cipher RSA_WITH_RC4_128_SHA priority 10
      cipher RSA_WITH_3DES_EDE_CBC_SHA priority 7
      cipher RSA_WITH_AES_128_CBC_SHA priority 9
      cipher RSA_WITH_AES_256_CBC_SHA priority 8
      session-cache timeout 600
    rserver host PORTAL-A
    ip address 10.49.30.200
    inservice
    action-list type modify http FORCE-HTTPS
    ssl url rewrite location "www\.foo\-\bar\.com\.god\trust\*"
    header insert  response Cache-Control header-value "private, no-cache, no-store, must-revalidate"
    header rewrite response Server header-value "" replace "BLANK"
    serverfarm host PORTAL-SFARM
    rserver PORTAL-A 80
       inservice
    ssl-proxy service PORTAL-CERT
    key portal.key
    cert portal.crt
    sticky ip-netmask 255.255.255.255 address source SOURCEIP-STICKY-HTTP-SFARM
    replicate sticky
    serverfarm PORTAL-SFARM
    class-map match-all SSL-VIP
    2 match virtual-address 10.49.30.230 tcp eq https
    class-map match-all HTTP-VIP
    2 match virtual-address 10.49.30.230 tcp eq www
    class-map type management match-any remote_access
    202 match protocol icmp any
    204 match protocol ssh any
    207 match protocol snmp any
    208 match protocol telnet any
    209 match protocol http any
    210 match protocol https any
    211 match protocol xml-https any
    policy-map type management first-match management
    class remote_access
       permit
    policy-map type loadbalance first-match LB-PORTAL-L7-POLICY
    class class-default
       sticky-serverfarm SOURCEIP-STICKY-HTTP-SFARM
       action FORCE-HTTPS
    policy-map multi-match LB-PORTAL-L4-POLICY
    class SSL-VIP
       loadbalance vip inservice
       loadbalance policy LB-PORTAL-L7-POLICY
       loadbalance vip icmp-reply
       nat dynamic 1 vlan 260
       appl-parameter http advanced-options PERSISTENCE-REBALANCE
       ssl-proxy server PORTAL-CERT
    interface vlan 260
    description "User-Access"
    ip address 10.49.30.231 255.255.255.192
    peer ip address 10.49.30.232 255.255.255.192
    access-group input INBOUND
    nat-pool 1 10.49.30.252 10.49.30.252 netmask 255.255.255.255
    service-policy input management
    service-policy input LB-PORTAL-L4-POLICY
    no shutdown
    ### End
    I need a review of the config.
    thanks and regards
    hamzah

    Hi Singh,
    thank you for the reply,
    I just changed the config, so hopefully the web can redirect properly.
    But when I apply the config, the browser says the connection was reset.
    Need help.
    Here is my full config:
    crypto chaingroup portal-verySign
      cert portal.pem
    access-list everyone line 8 extended permit ip any any
    rserver host PORTAL-A
      ip address 10.49.30.200
      inservice
    rserver redirect PORTAL_REDIR_HTTPS
      webhost-redirection https://%h%p 302
      inservice
    serverfarm redirect PORTAL_HTTPS_SFARM
      rserver PORTAL_REDIR_HTTPS
        inservice
    serverfarm host WWW_PORTAL_SFARM
      rserver PORTAL-A 80
        inservice
    parameter-map type http PERSISTENCE-REBALANCE
      persistence-rebalance
    parameter-map type ssl SSL_END_to_END
      cipher RSA_WITH_RC4_128_SHA priority 10
      cipher RSA_WITH_3DES_EDE_CBC_SHA priority 7
      cipher RSA_WITH_AES_128_CBC_SHA priority 9
      cipher RSA_WITH_AES_256_CBC_SHA priority 8
      session-cache timeout 600
    sticky http-cookie PORTAL-STICKY STICKY-PORTAL-1
      serverfarm WWW_PORTAL_SFARM
    sticky ip-netmask 255.255.255.255 address source SOURCEIP-STICKY-HTTP-SFARM
      replicate sticky
      serverfarm WWW_PORTAL_SFARM
    action-list type modify http HTTP_MODIFICATION
      header insert request X-Forwarded-Proto header-value "%pd"
      header insert request Via header-value "1.1 web:%pd"
      header insert response Via header-value "1.1 web:ps"
      ssl url rewrite location ".*"
      ssl header-insert session Id
    ssl-proxy service CLIENT_PORTAL
      ssl advanced-options SSL_END_to_END
    ssl-proxy service SERVER_PORTAL
      key portal-key.pem
      cert portal.pem
      chaingroup portal-verySign
      ssl advanced-options SSL_END_to_END
    class-map type http loadbalance match-any PORTAL-SSL
      2 match http url .*
    class-map match-all VIP-SSL-PORTAL
      2 match virtual-address 10.49.30.230 tcp eq https
    class-map match-all VIP-WWW-PORTAL
      2 match virtual-address 10.49.30.230 tcp eq www
    policy-map type loadbalance first-match PORTAL_HTTPS_DEFAULT
      class class-default
        compress default-method gzip
        sticky-serverfarm SOURCEIP-STICKY-HTTP-SFARM
        action HTTP_MODIFICATION
        ssl-proxy client CLIENT_PORTAL
    policy-map type loadbalance first-match PORTAL_HTTP_DEFAULT
      class class-default
        serverfarm PORTAL_HTTPS_SFARM
    policy-map multi-match L4_PORTAL_LB
      class VIP-WWW-PORTAL
        loadbalance vip inservice
        loadbalance policy PORTAL_HTTP_DEFAULT
        loadbalance vip icmp-reply active
        nat dynamic 1 vlan 260
      class VIP-SSL-PORTAL
        loadbalance vip inservice
        loadbalance policy PORTAL_HTTPS_DEFAULT
        loadbalance vip icmp-reply active
        nat dynamic 1 vlan 260
        appl-parameter http advanced-options PERSISTENCE-REBALANCE
        ssl-proxy server SERVER_PORTAL
    interface vlan 260
      description User-Access
      ip address 10.49.30.231 255.255.255.192
      peer ip address 10.49.30.232 255.255.255.192
      access-group input everyone
      nat-pool 1 10.49.30.252 10.49.30.252 netmask 255.255.255.255
      service-policy input L4_PORTAL_LB
      no shutdown
    ip route 0.0.0.0 0.0.0.0 10.49.30.195
    ip route 10.0.0.0 255.255.255.0 10.49.30.193
    Need your advice.
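One way to review a configuration like the one above before applying it is to follow each loadbalance policy through its sticky group and serverfarm to the real servers and check that every reference resolves. The script below is an added example (not the poster's config or any Cisco tool); it parses a constructed excerpt modelled on the posted config and also flags a policy that uses `ssl-proxy client` (ACE re-encrypts toward the real server) while its serverfarm points at port 80, a combination worth verifying since a plain-HTTP listener will not complete a TLS handshake; treating port 80 as suspicious is a heuristic, not proof of a fault.

```python
# Constructed excerpt modelled on the configuration posted above (not the poster's text).
SAMPLE = """\
rserver host PORTAL-A
serverfarm redirect PORTAL_HTTPS_SFARM
  rserver PORTAL_REDIR_HTTPS
serverfarm host WWW_PORTAL_SFARM
  rserver PORTAL-A 80
sticky ip-netmask 255.255.255.255 address source SOURCEIP-STICKY-HTTP-SFARM
  serverfarm WWW_PORTAL_SFARM
policy-map type loadbalance first-match PORTAL_HTTPS_DEFAULT
  class class-default
    sticky-serverfarm SOURCEIP-STICKY-HTTP-SFARM
    ssl-proxy client CLIENT_PORTAL
policy-map type loadbalance first-match PORTAL_HTTP_DEFAULT
  class class-default
    serverfarm PORTAL_HTTPS_SFARM
"""

def blocks(text):
    """Group an indentation-based ACE config into (head tokens, [child token lists])."""
    out = []
    for raw in filter(str.strip, text.splitlines()):
        if raw[0] == " ":
            out[-1][1].append(raw.split())   # indented: child of the current block
        else:
            out.append((raw.split(), []))    # unindented: new top-level block
    return out

def lint(text):
    """Follow each loadbalance policy to its rservers and report dangling or suspicious links."""
    cfg = blocks(text)
    farms = {h[2]: [(b[1], b[2] if len(b) > 2 else None) for b in body if b[0] == "rserver"]
             for h, body in cfg if h[0] == "serverfarm"}
    sticky = {h[-1]: b[1] for h, body in cfg if h[0] == "sticky" for b in body if b[0] == "serverfarm"}
    findings = []
    for head, body in cfg:
        if head[:3] != ["policy-map", "type", "loadbalance"]:
            continue
        pol = head[-1]
        # "ssl-proxy client" makes ACE open TLS toward the real server (re-encryption)
        reencrypt = any(b[:2] == ["ssl-proxy", "client"] for b in body)
        for b in body:
            farm = b[1] if b[0] == "serverfarm" else sticky.get(b[1]) if b[0] == "sticky-serverfarm" else None
            if farm not in farms:
                if b[0] in ("serverfarm", "sticky-serverfarm"):
                    findings.append(f"{pol}: {b[0]} {b[1]} does not resolve to a defined serverfarm")
                continue
            for rs, port in farms[farm]:
                if reencrypt and port == "80":
                    findings.append(f"{pol}: ssl-proxy client re-encrypts toward {rs} on port 80")
    return findings
```

Run `lint(open("ace.cfg").read())` on a saved `show running-config` to get the same checks on a real configuration; the parser only relies on ACE's indentation, so sub-blocks such as `inservice` lines are ignored.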
