Solved

Cisco 2620 HTTPS outgoing not working

Posted on 2006-11-20
Last Modified: 2012-05-05
We have a network with about 50 client machines going to a Watchguard firewall, which then connects to a Cisco 2620, which then goes on to the internet over a 3.0 multilink frame-relay.

We recently switched from a different 2620 we had been using that did not support the multilink.  We pretty much copied the config straight over, making the appropriate changes to support the multilink features.  Everything is working EXCEPT we are unable to make outbound HTTPS (port 443) connections.  Incoming connections to our web server still work fine.

I am fairly certain it is NOT the firewall, because we have an outgoing HTTPS policy set up, and on the firewall logs I can specifically see that it is allowing the port 443 connection and passing the connection off to the router.  When trying to access an HTTPS website from a browser, the browser simply reports that the host is unavailable.  We have tested this with several sites (banks, other secure sites) so we know it's a problem on our network.

Here's the current config from our router:

Current configuration : 1064 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
enable secret 5 XXXX
enable password XXXX
!
no aaa new-model
ip subnet-zero
ip cef
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface MFR0
 no ip address
 encapsulation frame-relay IETF
 load-interval 30
 frame-relay lmi-type ansi
!
interface MFR0.753 point-to-point
 ip address XX.XX.XX.XX 255.255.255.252
 no cdp enable
 frame-relay interface-dlci 753 IETF
!
interface FastEthernet0/0
 ip address YY.YY.YY.YY 255.255.255.192
 no ip mroute-cache
 duplex auto
 speed auto
 no cdp enable
!
interface Serial0/0
 no ip address
 encapsulation frame-relay MFR0
 no arp frame-relay
!
interface Serial0/1
 no ip address
 encapsulation frame-relay MFR0
 no arp frame-relay
!
no ip http server
ip classless
ip route 0.0.0.0 0.0.0.0 XX.XX.XX.XX
!
!
no cdp run
!
!
!
!
!
!
!
line con 0
line aux 0
 transport input all
line vty 0 4
 password XXXX
 login
!
!
end
Question by:njovin

Accepted Solution

by:
JFrederick29 earned 250 total points
ID: 17982474
I don't see anything in the configuration of the 2620 that would be causing an issue...

A few things to try:

From a desktop, can you telnet to an HTTPS site using 443 by domain name or IP address?  If not...

From the 2620, can you telnet to a site on port 443?  Can you telnet to a site on port 443 when sourcing from Fa0/0?

telnet <https site ip address> 443
telnet <https site ip address> 443 /so fa0/0

If you have or can put a laptop/PC in between the 2620 and Firewall (addressed with a public IP from the YY.YY.YY.YY 255.255.255.192 subnet and the 2620 as its default gateway), can you browse HTTPS websites?
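
The same hop-by-hop isolation can be scripted from a PC at each vantage point. This is an added example, not part of the original answer: `probe_tcp`, `locate_fault` and the `SAMPLE` results are constructed names and data, and the optional `source_ip` mirrors the router's `/so fa0/0` test.

```python
import errno
import socket

def probe_tcp(host, port=443, source_ip=None, timeout=5.0):
    """Try a TCP handshake to host:port and classify what came back.

    source_ip plays the role of the router's `/so fa0/0` option: the probe is
    sent from that local address, so the return path to it is tested too.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        if source_ip:
            sock.bind((source_ip, 0))
        sock.connect((host, port))
        return "open"         # handshake completed
    except socket.timeout:
        return "filtered"     # silence: the SYN or its reply was dropped
    except ConnectionRefusedError:
        return "refused"      # RST received: port closed or actively rejected
    except OSError as exc:
        if exc.errno in (errno.ENETUNREACH, errno.EHOSTUNREACH):
            return "unreachable"   # no route from this vantage point
        raise
    finally:
        sock.close()

def locate_fault(results):
    """results: (vantage, outcome) pairs ordered from the LAN outward.

    Returns (last failing vantage, first working vantage); the device between
    them is the suspect. Returns None when the innermost vantage already works.
    """
    last_fail = None
    for vantage, outcome in results:
        if outcome == "open":
            return (last_fail, vantage) if last_fail else None
        last_fail = vantage
    return (last_fail, None)  # still failing at the outermost vantage

# Constructed sample: outcomes matching what this thread ended up observing.
SAMPLE = [("desktop behind firewall", "filtered"),
          ("PC between firewall and router", "open")]

if __name__ == "__main__":
    print(locate_fault(SAMPLE))
```

A "filtered" result from inside together with "open" from the next vantage outward points at the device in between, even when that device's own log shows the connection as allowed.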

Author Comment

by:njovin
ID: 17982656
In the interim of posting the question and JFRED responding, I did, in fact, put a PC between the router and firewall and WAS able to get out on 443.  So it turns out the problem is not in the router but in the firewall.  It's VERY strange, because the firewall is expressly logging allows, but the traffic is not going through.  