Solved

Configure Cisco for RWW and OWA

Posted on 2008-10-02
14
879 Views
Last Modified: 2008-10-03
Need help in setting up Cisco for Remote Web Workplace and Outlook Web Access.
I have set up port forwarding by using these commands (correct me if I'm wrong):

ip nat inside source static tcp <internal server IP> 443 interface Ethernet1 443
ip nat inside source static tcp <internal server IP> 80 interface Ethernet1 80
ip nat inside source static tcp <internal server IP> 4125 interface Ethernet1 4125

We have set up the FQDN.
When I try to access RWW or OWA externally, it doesn't open.
In the Cisco logs I see the public IP of the external computer that I use to check if it's working from the outside, but it's not getting through.

The log is: list 101 denied tcp <public ip of external computer> (58694) -> <public IP of server>(443), 1 packet

I read something that I need to allow traffic using an ACL??

I don't know much about Cisco, so it would be nice if I could have full instructions on how to set this up.

Thanks in advance!
0
Question by:andrew_transparent
14 Comments
 
LVL 43

Expert Comment

by:JFrederick29
ID: 22627112
Try adding this:

conf t
ip access-list extended 101
no deny ip any any
permit tcp any interface ethernet1 eq 443
permit tcp any interface ethernet1 eq 80
permit tcp any interface ethernet1 eq 4125
deny ip any any

If that doesn't work, post the contents of access-list 101...
0
 
LVL 4

Expert Comment

by:damalano
ID: 22627121
If I am correct, in the configuration there is an access-list 101.
Use the CLI and do a show running (then you will see).
Copy the whole of access-list 101
and add the following (not at the bottom or after deny any any):

access-list 101 permit foo-bar
access-list 101 permit tcp any any eq 443
access-list 101 permit tcp any any eq 80
access-list 101 permit tcp any any eq 4125
access-list 101 deny any any

Don't forget to replace the whole access-list (so use no access-list 101 and then paste the new access-list).

Go to www.grc.com and check with Shields Up! if the ports are open.

Good luck

0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 22627170
Sorry, too much PIX/ASA work lately.  The interface keyword isn't valid so either use "any" for the destination like in damalano's example or specify the "ethernet1" interface IP address (just be aware if it changes, it will break).
0
 
LVL 1

Author Comment

by:andrew_transparent
ID: 22627183
Hey JFrederick29,

OK, I tried doing that, but when I enter "permit tcp any interface ethernet1 eq 443" I get an "invalid input detected at ^ marker" on the "interface" part.

What command do I enter to show the contents of access-list 101?

Thanks
0
 
LVL 1

Author Comment

by:andrew_transparent
ID: 22627191
Oops... didn't see that you had already replied about that error.
OK, will try that.
0
 
LVL 1

Author Comment

by:andrew_transparent
ID: 22627261
Still can't access RWW or OWA externally.

Does the "list 101 denied to <external public IP> -> <server public ip>" mean that it's getting to the router but not getting passed through it?

0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 22627276
Yeah, the access-list is denying it.

Post a "show access-list 101"
0
 
LVL 4

Expert Comment

by:damalano
ID: 22627298
Can you paste access-list 101 completely?

I'm afraid you have an earlier deny.
0
 
LVL 4

Expert Comment

by:damalano
ID: 22627307
Are we keeping this up, JFrederick29? LOL
0
 
LVL 1

Author Comment

by:andrew_transparent
ID: 22627309
Extended IP access list 101

    10 permit tcp any any eq 3389 (30217 matches)
    20 permit tcp any any eq telnet (507 matches)
    30 permit icmp any any administratively-prohibited (3 matches)
    40 permit icmp any any echo (202641 matches)
    50 permit icmp any any echo-reply
    60 permit icmp any any packet-too-big
    70 permit icmp any any time-exceeded (90 matches)
    80 permit icmp any any traceroute
    90 permit icmp any any unreachable (408 matches)
    100 permit udp any eq bootps any eq bootpc (3269523 matches)
    110 permit udp any eq bootps any eq bootps
    120 permit udp any eq domain any (36 matches)
    130 permit esp any any (6213361 matches)
    140 permit udp any any eq isakmp (1261175 matches)
    150 permit udp any any eq 10000
    160 permit tcp any any eq 1723
    170 permit tcp any any eq 139 (22404 matches)
    180 permit udp any any eq netbios-ns (8529 matches)
    190 permit udp any any eq netbios-dgm
    200 permit gre any any
    210 deny ip any any log (134270 matches)
    220 permit tcp any 172.17.0.0 0.0.255.255 established
    240 permit tcp any any eq 443
    250 permit tcp any any eq 4125
    260 permit tcp any any

Here's the access-list 101.
0
 
LVL 43

Accepted Solution

by:
JFrederick29 earned 500 total points
ID: 22627325
Okay do this:

ip access-list extended 101
no deny ip any any log
permit tcp any any eq 443
permit tcp any any eq 80
permit tcp any any eq 4125
deny ip any any log

If that still doesn't fix it:

Do this:

ip access-list extended 101
no 210
permit tcp any any eq 443
permit tcp any any eq 80
permit tcp any any eq 4125
deny ip any any log
0
 
LVL 1

Author Comment

by:andrew_transparent
ID: 22628016
OK, it's working now!!!

So what do the "no deny ip any any log" and "deny ip any any log" do?

0
 
LVL 1

Author Comment

by:andrew_transparent
ID: 22628089
Hey JFrederick29,

Maybe you can answer my other question?
http://www.experts-exchange.com/Hardware/Networking_Hardware/Routers/Q_23782422.html

Thanks
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 22633706
It is all about ordering in the access-list so if you don't first remove the deny, the permits will be inserted under the deny and never matched.
0
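An added illustration of the ordering point made in the thread (this is not code from the thread, from the poster's router, or from Cisco): a small Python model of IOS first-match ACL evaluation, built from a subset of the "show access-list 101" output posted above (sequence numbers 10, 20, 210, 240, 250 and 260). It shows why the permits appended after the "deny ip any any log" at 210 were never hit, what the accepted fix (remove the deny, add the permits, re-add the deny at the end) produces, and which entries the resulting list still shadows. The model only looks at protocol and destination port; the packet samples and the renumbering in steps of 10 are constructed assumptions.

```python
"""Model of Cisco IOS extended-ACL evaluation: top to bottom, first match wins,
implicit 'deny ip any any' at the end. Added example, not IOS or thread code."""

from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Entry:
    seq: int
    action: str              # "permit" or "deny"
    proto: str               # "tcp", "udp", "icmp" or "ip" (ip matches every protocol)
    dst_port: Optional[int]  # None means "any" destination port

    def matches(self, proto: str, dst_port: Optional[int]) -> bool:
        if self.proto != "ip" and self.proto != proto:
            return False
        return self.dst_port is None or self.dst_port == dst_port

    def covers(self, other: "Entry") -> bool:
        """True if every packet that matches `other` also matches self."""
        proto_ok = self.proto == "ip" or self.proto == other.proto
        port_ok = self.dst_port is None or self.dst_port == other.dst_port
        return proto_ok and port_ok


def evaluate(acl: List[Entry], proto: str, dst_port: Optional[int]) -> Tuple[str, Optional[int]]:
    """Return (action, sequence) of the first matching entry; no match is the implicit deny."""
    for e in sorted(acl, key=lambda e: e.seq):
        if e.matches(proto, dst_port):
            return e.action, e.seq
    return "deny", None


def shadowed(acl: List[Entry]) -> List[int]:
    """Sequence numbers of entries that can never be hit because an earlier entry covers them."""
    ordered = sorted(acl, key=lambda e: e.seq)
    return [e.seq for i, e in enumerate(ordered) if any(p.covers(e) for p in ordered[:i])]


def is_catch_all_deny(e: Entry) -> bool:
    return e.action == "deny" and e.proto == "ip" and e.dst_port is None


def apply_fix(acl: List[Entry], new_permits: List[Entry]) -> List[Entry]:
    """Mirror the accepted answer: drop 'deny ip any any log', append the permits
    (skipping duplicates, as IOS does for identical entries), re-add the deny last.
    Renumbering in steps of 10 is an assumption, like 'ip access-list resequence'."""
    kept = [e for e in sorted(acl, key=lambda e: e.seq) if not is_catch_all_deny(e)]
    for p in new_permits:
        if not any((k.action, k.proto, k.dst_port) == (p.action, p.proto, p.dst_port) for k in kept):
            kept.append(p)
    kept.append(Entry(0, "deny", "ip", None))
    return [Entry((i + 1) * 10, e.action, e.proto, e.dst_port) for i, e in enumerate(kept)]


# Subset of the poster's access-list 101 (other lines omitted); the permits for
# 443/4125 and the 'permit tcp any any' sit below the catch-all deny at 210.
BROKEN_ACL = [
    Entry(10, "permit", "tcp", 3389),
    Entry(20, "permit", "tcp", 23),     # telnet
    Entry(210, "deny", "ip", None),     # deny ip any any log
    Entry(240, "permit", "tcp", 443),   # never reached
    Entry(250, "permit", "tcp", 4125),  # never reached
    Entry(260, "permit", "tcp", None),  # never reached (and very broad once it is)
]

# The three permits from the accepted solution.
NEW_PERMITS = [Entry(0, "permit", "tcp", 443), Entry(0, "permit", "tcp", 80), Entry(0, "permit", "tcp", 4125)]

FIXED_ACL = apply_fix(BROKEN_ACL, NEW_PERMITS)

if __name__ == "__main__":
    print("before fix, tcp/443:", evaluate(BROKEN_ACL, "tcp", 443))   # ('deny', 210)
    print("shadowed before fix:", shadowed(BROKEN_ACL))               # [240, 250, 260]
    print("after fix, tcp/443: ", evaluate(FIXED_ACL, "tcp", 443))    # ('permit', 30)
    print("after fix, tcp/22:  ", evaluate(FIXED_ACL, "tcp", 22))     # ('permit', 50)
    print("shadowed after fix: ", shadowed(FIXED_ACL))                # [60]
```

Running the model also surfaces the caveat a reviewer would raise on the posted list: once the deny moves to the end, the old sequence 260 "permit tcp any any" becomes reachable and passes every TCP port, not just 443, 80 and 4125 (the tcp/22 lookup above lands on it), and it shadows the new port-80 permit. Checking the resulting ACL with a shadow audit like this, and removing the catch-all TCP permit, keeps the exposure to the three ports the RWW/OWA setup actually needs.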
