Configure Cisco for RWW and OWA

Need help in setting up Cisco for Remote Web Workplace and Outlook Web Access.
I have set up port forwarding by using these commands (correct me if I'm wrong):

ip nat inside source static tcp <internal server IP> 443 interface Ethernet1 443
ip nat inside source static tcp <internal server IP> 80 interface Ethernet1 80
ip nat inside source static tcp <internal server IP> 4125 interface Ethernet1 4125

We have set up the FQDN.
When I try to access RWW or OWA externally, it doesn't open.
In the Cisco logs I see the public IP of the external computer that I use to check if it's working from the outside, but it's not getting through.

the log is: list 101 denied tcp <public ip of external computer> (58694) -> <public IP of server>(443), 1 packet

I read something that I need to allow traffic using an ACL??

I don't know much about Cisco, so it would be nice if I could have full instructions on how to set this up.

thanks in advance!
Asked by andrew_transparent

1 Solution
JFrederick29 Commented:
Try adding this:

conf t
ip access-list extended 101
no deny ip any any
permit tcp any interface ethernet1 eq 443
permit tcp any interface ethernet1 eq 80
permit tcp any interface ethernet1 eq 4125
deny ip any any

If that doesn't work, post the contents of access-list 101...

damalano Commented:
If I am correct, in the configuration there is an access-list 101.
Use the CLI and do a show running-config, then you will see it.
Copy the whole of access-list 101
and add the following (not at the bottom or after deny any any):

! foo-bar stands for the existing entries copied from access-list 101
access-list 101 permit foo-bar
access-list 101 permit tcp any any eq 443
access-list 101 permit tcp any any eq 80
access-list 101 permit tcp any any eq 4125
! a deny entry needs a protocol keyword, e.g. "ip"
access-list 101 deny ip any any

Don't forget to replace the whole access-list (so use no access-list 101 and then paste the new access-list).

Go to www.grc.com and check with ShieldsUP! if the ports are open.

Good luck

JFrederick29 Commented:
Sorry, too much PIX/ASA work lately. The interface keyword isn't valid, so either use "any" for the destination like in damalano's example or specify the "ethernet1" interface IP address (just be aware if it changes, it will break).

andrew_transparent (Author) Commented:
Hey jfrederick29,

OK, I tried doing that, but when I enter "permit tcp any interface ethernet1 eq 443" I get an "invalid input detected at '^' marker" on the "interface".

What command do I enter to show the contents of access-list 101??

tnx

andrew_transparent (Author) Commented:
Oooopsss... didn't see that you replied with that error already..
OK, will try that.

andrew_transparent (Author) Commented:
Still can't access RWW or OWA externally.

Does the "list 101 denied <external public IP> -> <server public IP>" mean that it's getting to the router but not getting past it?


JFrederick29 Commented:
Yeah, the access-list is denying it.

Post a "show access-list 101"

damalano Commented:
Can you paste access-list 101 completely?

I'm afraid you have an earlier deny.

damalano Commented:
Are we keeping this up, JFrederick29? LOL

andrew_transparent (Author) Commented:
Extended IP access list 101

    10 permit tcp any any eq 3389 (30217 matches)
    20 permit tcp any any eq telnet (507 matches)
    30 permit icmp any any administratively-prohibited (3 matches)
    40 permit icmp any any echo (202641 matches)
    50 permit icmp any any echo-reply
    60 permit icmp any any packet-too-big
    70 permit icmp any any time-exceeded (90 matches)
    80 permit icmp any any traceroute
    90 permit icmp any any unreachable (408 matches)
    100 permit udp any eq bootps any eq bootpc (3269523 matches)
    110 permit udp any eq bootps any eq bootps
    120 permit udp any eq domain any (36 matches)
    130 permit esp any any (6213361 matches)
    140 permit udp any any eq isakmp (1261175 matches)
    150 permit udp any any eq 10000
    160 permit tcp any any eq 1723
    170 permit tcp any any eq 139 (22404 matches)
    180 permit udp any any eq netbios-ns (8529 matches)
    190 permit udp any any eq netbios-dgm
    200 permit gre any any
    210 deny ip any any log (134270 matches)
    220 permit tcp any 172.17.0.0 0.0.255.255 established
    240 permit tcp any any eq 443
    250 permit tcp any any eq 4125
    260 permit tcp any any

Here's the access-list 101.

JFrederick29 Commented:
Okay, do this:

ip access-list extended 101
no deny ip any any log
permit tcp any any eq 443
permit tcp any any eq 80
permit tcp any any eq 4125
deny ip any any log

If that still doesn't fix it:

Do this:

ip access-list extended 101
no 210
permit tcp any any eq 443
permit tcp any any eq 80
permit tcp any any eq 4125
deny ip any any log

andrew_transparent (Author) Commented:
OK, it's working now!!!

so what does the "no deny ip any any log" and "deny ip any any log" do?


andrew_transparent (Author) Commented:
Hey jfrederick29,

maybe you can answer my other question?
http://www.experts-exchange.com/Hardware/Networking_Hardware/Routers/Q_23782422.html

tnx

JFrederick29 Commented:
It is all about ordering in the access-list so if you don't first remove the deny, the permits will be inserted under the deny and never matched.
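As an added example (not code from the thread), the ordering rule JFrederick29 describes can be checked with a small first-match simulator in Python; the sample entries are constructed from the access-list 101 output posted above, and `apply_fix` mirrors the accepted "no 210" answer.

```python
# Added example, not from the thread: a small first-match simulator for
# Cisco IOS extended ACL entries. It shows why the existing permits for
# 443/4125 in access-list 101 never matched (they sat below the
# "deny ip any any log" at sequence 210) and why the accepted fix works.
import re

# Constructed sample: the entries from the thread's "show access-list 101"
# that matter for a TCP/443 packet (the ICMP/UDP/GRE lines are omitted).
ORIGINAL_ACL = """
10 permit tcp any any eq 3389
130 permit esp any any
210 deny ip any any log
240 permit tcp any any eq 443
250 permit tcp any any eq 4125
"""

def parse_acl(text):
    """Return [(seq, action, proto, dst_port_or_None)] in listed order.
    Only 'any any [eq PORT]' entries are modelled, which is all this
    sample needs; source-port matches and wildcards are not handled."""
    entries = []
    for line in text.strip().splitlines():
        m = re.match(r"\s*(\d+)\s+(permit|deny)\s+(\S+)\s+any\s+any(?:\s+eq\s+(\d+))?", line)
        if not m:
            raise ValueError(f"unsupported ACL line: {line!r}")
        seq, action, proto, port = m.groups()
        entries.append((int(seq), action, proto, int(port) if port else None))
    return entries

def evaluate(entries, proto, dport):
    """First matching entry wins; no match means the implicit deny."""
    for seq, action, eproto, eport in entries:
        if eproto not in ("ip", proto):
            continue                      # protocol does not match
        if eport is not None and eport != dport:
            continue                      # destination port does not match
        return action, seq
    return "deny", None                   # implicit deny at the end of every IOS ACL

def apply_fix(entries, deny_seq=210, ports=(443, 80, 4125)):
    """Mirror the accepted answer: 'no 210', append the permits, then
    re-add 'deny ip any any log' so it is once again the last entry."""
    fixed = [e for e in entries if e[0] != deny_seq]
    seq = max(e[0] for e in fixed)
    for p in ports:
        seq += 10
        fixed.append((seq, "permit", "tcp", p))
    fixed.append((seq + 10, "deny", "ip", None))
    return fixed
```

With the original list a TCP/443 packet is denied at sequence 210; after the fix it is permitted by the entry at 240 that was already there, which is why the log showed "list 101 denied" even though a permit for 443 existed.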