andrew_transparent
asked on
Configure Cisco for RWW and OWA
Need help in setting up Cisco for Remote Web Workplace and Outlook Web Access.
I have set up port forwarding by using these commands (correct me if I'm wrong):
ip nat inside source static tcp <internal server IP> 443 interface Ethernet1 443
ip nat inside source static tcp <internal server IP> 80 interface Ethernet1 80
ip nat inside source static tcp <internal server IP> 4125 interface Ethernet1 4125
We have set up the FQDN.
When I try to access RWW or OWA externally, it doesn't open.
In the Cisco logs I see the public IP of the external computer that I use to check if it's working from the outside, but it's not getting through.
The log is: list 101 denied tcp <public ip of external computer>(58694) -> <public IP of server>(443), 1 packet
I read somewhere that I need to allow the traffic using an ACL??
I don't know much about Cisco, so it would be nice if I could have full instructions on how to set this up.
Thanks in advance!
If I am correct, in the configuration there is an access-list 101.
Use the CLI and do a "show running"; then you will see it.
Copy the whole of access-list 101
and add the following (not at the bottom or after deny any any):
access-list 101 permit foo-bar
access-list 101 permit tcp any any eq 443
access-list 101 permit tcp any any eq 80
access-list 101 permit tcp any any eq 4125
access-list 101 deny ip any any
Don't forget to replace the whole access-list (so use no access-list 101 and then paste the new access-list).
Go to www.grc.com and check with ShieldsUP! if the ports are open.
Good luck
Sorry, too much PIX/ASA work lately. The interface keyword isn't valid so either use "any" for the destination like in damalano's example or specify the "ethernet1" interface IP address (just be aware if it changes, it will break).
ASKER
Hey jfrederick29,
OK, I tried doing that, but when I enter "permit tcp any interface ethernet1 eq 443" I get "invalid input detected at ^ marker" on the "interface".
What command do I enter to show the contents of access-list 101?
Thanks
ASKER
Oops... didn't see that you replied with that error already.
OK, will try that.
ASKER
Still can't access RWW or OWA externally.
Does the "list 101 denied <external public IP> -> <server public IP>" mean that it's getting to the router but not getting passed through it?
Yeah, the access-list is denying it.
Post a "show access-list 101"
Can you paste access-list 101 completely?
I'm afraid you have an earlier deny.
Are we keeping this up, JFrederick29? LOL
ASKER
Extended IP access list 101
10 permit tcp any any eq 3389 (30217 matches)
20 permit tcp any any eq telnet (507 matches)
30 permit icmp any any administratively-prohibited (3 matches)
40 permit icmp any any echo (202641 matches)
50 permit icmp any any echo-reply
60 permit icmp any any packet-too-big
70 permit icmp any any time-exceeded (90 matches)
80 permit icmp any any traceroute
90 permit icmp any any unreachable (408 matches)
100 permit udp any eq bootps any eq bootpc (3269523 matches)
110 permit udp any eq bootps any eq bootps
120 permit udp any eq domain any (36 matches)
130 permit esp any any (6213361 matches)
140 permit udp any any eq isakmp (1261175 matches)
150 permit udp any any eq 10000
160 permit tcp any any eq 1723
170 permit tcp any any eq 139 (22404 matches)
180 permit udp any any eq netbios-ns (8529 matches)
190 permit udp any any eq netbios-dgm
200 permit gre any any
210 deny ip any any log (134270 matches)
220 permit tcp any 172.17.0.0 0.0.255.255 established
240 permit tcp any any eq 443
250 permit tcp any any eq 4125
260 permit tcp any any
Here's the access-list 101.
ASKER CERTIFIED SOLUTION
ASKER
OK, it's working now!!!
So what do the "no deny ip any any log" and "deny ip any any log" do?
ASKER
Hey jfrederick29,
Maybe you can answer my other question?
https://www.experts-exchange.com/questions/23782422/Configure-website-filtering-on-Cisco-router.html
Thanks
It is all about ordering in the access-list so if you don't first remove the deny, the permits will be inserted under the deny and never matched.
conf t
ip access-list extended 101
no deny ip any any
permit tcp any interface ethernet1 eq 443
permit tcp any interface ethernet1 eq 80
permit tcp any interface ethernet1 eq 4125
deny ip any any
If that doesn't work, post the contents of access-list 101...
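The ordering point in the reply above, and the "show access-list 101" output posted earlier in the thread, can be checked offline with a small first-match evaluator. This is an added example, not code from the thread or from Cisco: the rule text is a constructed subset transcribed from the posted ACL (hit counters dropped, rules the toy parser does not need omitted), the packet addresses are constructed from documentation ranges, and the `move_deny_to_end` function models the "no deny ip any any log" followed by re-adding the deny at the end. It also flags the posted line 260 (`permit tcp any any`), which, once the deny is moved below it, permits every inbound TCP port rather than only 80, 443 and 4125.

```python
"""First-match evaluation of an IOS-style extended ACL (added example)."""
import ipaddress

# Constructed subset of the access-list 101 posted in the thread.
ACL_101 = """\
10 permit tcp any any eq 3389
20 permit tcp any any eq telnet
40 permit icmp any any echo
130 permit esp any any
140 permit udp any any eq isakmp
210 deny ip any any log
220 permit tcp any 172.17.0.0 0.0.255.255 established
240 permit tcp any any eq 443
250 permit tcp any any eq 4125
260 permit tcp any any
"""

NAMED_PORTS = {"telnet": 23, "isakmp": 500, "domain": 53, "www": 80}

# Constructed sample packets (documentation addresses, not real hosts).
HTTPS = {"proto": "tcp", "src": "203.0.113.10", "dst": "198.51.100.5", "dport": 443}
RWW = {"proto": "tcp", "src": "203.0.113.10", "dst": "198.51.100.5", "dport": 4125}
OTHER_TCP = {"proto": "tcp", "src": "203.0.113.10", "dst": "198.51.100.5", "dport": 8080}


def _port(tok):
    return NAMED_PORTS.get(tok) or int(tok)


def _addr(tokens, i):
    """Parse one address spec at tokens[i]: 'any', 'host A', or 'A wildcard'."""
    if tokens[i] == "any":
        return None, i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1]), i + 2
    # ipaddress accepts an IOS wildcard (hostmask) after the slash
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_acl(text):
    rules = []
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        seq, action, proto = int(tok[0]), tok[1], tok[2]
        src, i = _addr(tok, 3)
        dst, i = _addr(tok, i)
        port = None
        if i < len(tok) and tok[i] == "eq":
            port, i = _port(tok[i + 1]), i + 2
        rules.append({"seq": seq, "action": action, "proto": proto, "src": src,
                      "dst": dst, "port": port, "opts": set(tok[i:])})
    return rules


def _matches(rule, pkt):
    if rule["proto"] != "ip" and rule["proto"] != pkt["proto"]:
        return False
    for side in ("src", "dst"):
        net = rule[side]
        if net is not None and ipaddress.ip_address(pkt[side]) not in net:
            return False
    if rule["port"] is not None and rule["port"] != pkt.get("dport"):
        return False
    # Qualifiers other than "log" (established, ICMP type) restrict the match.
    return rule["opts"] - {"log"} <= pkt.get("opts", set())


def evaluate(rules, pkt):
    """(action, seq) of the first matching line; ("deny", None) is the implicit deny."""
    for rule in rules:
        if _matches(rule, pkt):
            return rule["action"], rule["seq"]
    return "deny", None


def move_deny_to_end(rules):
    """Model 'no deny ip any any log' then re-adding the deny after the permits."""
    kept = [r for r in rules if not (r["action"] == "deny" and r["proto"] == "ip"
                                      and r["src"] is None and r["dst"] is None)]
    denies = [r for r in rules if r not in kept]
    last = kept[-1]["seq"] if kept else 0
    for n, r in enumerate(denies, start=1):
        kept.append(dict(r, seq=last + 10 * n))
    return kept


def overly_broad_permits(rules):
    """Sequence numbers of permits that allow a whole protocol any->any, no port."""
    return [r["seq"] for r in rules
            if r["action"] == "permit" and r["proto"] in ("ip", "tcp", "udp")
            and r["src"] is None and r["dst"] is None and r["port"] is None
            and not (r["opts"] - {"log"})]


if __name__ == "__main__":
    before = parse_acl(ACL_101)
    after = move_deny_to_end(before)
    print("HTTPS before fix:", evaluate(before, HTTPS))   # ('deny', 210)
    print("HTTPS after fix: ", evaluate(after, HTTPS))    # ('permit', 240)
    print("TCP/8080 after:  ", evaluate(after, OTHER_TCP))  # ('permit', 260)
    print("broad permits:   ", overly_broad_permits(after))  # [260]
```

Running it shows the thread's symptom directly: the HTTPS packet stops at line 210 because IOS evaluates top-down and takes the first match, so lines 240 and 250 are never reached. After the deny is moved to the end the 443 and 4125 packets match their intended lines, but so does any other TCP port via line 260; in a real deployment that line would be removed so that only the NAT-forwarded ports are exposed.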