Configure Cisco for RWW and OWA

Last Modified: 2008-10-03
Need help setting up Cisco for Remote Web Workplace and Outlook Web Access.
I have set up port forwarding using these commands (correct me if I'm wrong):

ip nat inside source static tcp <internal server IP> 443 interface Ethernet1 443
ip nat inside source static tcp <internal server IP> 80 interface Ethernet1 80
ip nat inside source static tcp <internal server IP> 4125 interface Ethernet1 4125

We have set up the FQDN,
and when I try to access RWW or OWA externally, it doesn't open.
In the Cisco logs I see the public IP of the external computer that I use to check if it's working from the outside, but it's not getting through.

the log is: list 101 denied tcp <public ip of external computer> (58694) -> <public IP of server>(443), 1 packet

I read something about needing to allow traffic using an ACL?

I don't know much about Cisco, so it would be nice if I could have full instructions on how to set this up.

Thanks in advance!

Top Expert 2009

Try adding this:

conf t
ip access-list extended 101
no deny ip any any
permit tcp any interface ethernet1 eq 443
permit tcp any interface ethernet1 eq 80
permit tcp any interface ethernet1 eq 4125
deny ip any any

If that doesn't work, post the contents of access-list 101...

If I am correct, there is an access-list 101 in the configuration.
Use the CLI and do a show running (then you will see).
Copy the whole of access-list 101
and add the following (not at the bottom or after deny any any):

access-list 101 permit foo-bar
access-list 101 permit tcp any any eq 443  
access-list 101 permit tcp any any eq 80
access-list 101 permit tcp any any eq 4125
access-list 101 deny ip any any

Don't forget to replace the whole access-list (so use no access-list 101 and then paste the new access-list).

Go to www.grc.com and check with ShieldsUP! whether the ports are open.

Good luck

Top Expert 2009

Sorry, too much PIX/ASA work lately.  The interface keyword isn't valid so either use "any" for the destination like in damalano's example or specify the "ethernet1" interface IP address (just be aware if it changes, it will break).


Hey jfrederick29,

OK, I tried doing that, but when I enter "permit tcp any interface ethernet1 eq 443" I get an "invalid input detected at ^ marker" on the "interface".

What command do I enter to show the contents of access-list 101?



Oops... didn't see that you had already replied about that error.
OK, will try that.


Still can't access RWW or OWA externally.

Does the "list 101 denied to <external public IP> -> <server public ip>" mean that it's getting to the router but not getting through it?

Top Expert 2009

Yeah, the access-list is denying it.

Post a "show access-list 101"

Can you paste access-list 101 completely?

I'm afraid you have an earlier deny.

are we keeping this up JFrederick29 ? LOL


Extended IP access list 101
    10 permit tcp any any eq 3389 (30217 matches)
    20 permit tcp any any eq telnet (507 matches)
    30 permit icmp any any administratively-prohibited (3 matches)
    40 permit icmp any any echo (202641 matches)
    50 permit icmp any any echo-reply
    60 permit icmp any any packet-too-big
    70 permit icmp any any time-exceeded (90 matches)
    80 permit icmp any any traceroute
    90 permit icmp any any unreachable (408 matches)
    100 permit udp any eq bootps any eq bootpc (3269523 matches)
    110 permit udp any eq bootps any eq bootps
    120 permit udp any eq domain any (36 matches)
    130 permit esp any any (6213361 matches)
    140 permit udp any any eq isakmp (1261175 matches)
    150 permit udp any any eq 10000
    160 permit tcp any any eq 1723
    170 permit tcp any any eq 139 (22404 matches)
    180 permit udp any any eq netbios-ns (8529 matches)
    190 permit udp any any eq netbios-dgm
    200 permit gre any any
    210 deny ip any any log (134270 matches)
    220 permit tcp any established
    240 permit tcp any any eq 443
    250 permit tcp any any eq 4125
    260 permit tcp any any

Here's the access-list 101.
Top Expert 2009


OK, it's working now!!!

So what do the "no deny ip any any log" and "deny ip any any log" do?


Hey jfrederick29,

Maybe you can answer my other question?

Top Expert 2009

It is all about ordering in the access-list so if you don't first remove the deny, the permits will be inserted under the deny and never matched.
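
The ordering rule from the reply above, modeled as an added example (not code from the thread): a first-match evaluator run over a constructed subset of the posted access-list 101. Every address in that list is "any", so only protocol and destination port are modeled; the `established` entry is left out, and sequence 1000 for the re-sequenced deny is an arbitrary assumption.

```python
# Constructed subset of the posted "show access-list 101" output:
# (sequence, action, protocol, destination port; None means any port).
POSTED = [
    (10, "permit", "tcp", 3389),
    (20, "permit", "tcp", 23),
    (160, "permit", "tcp", 1723),
    (170, "permit", "tcp", 139),
    (210, "deny", "ip", None),      # deny ip any any log
    (240, "permit", "tcp", 443),
    (250, "permit", "tcp", 4125),
    (260, "permit", "tcp", None),   # permit tcp any any
]

def by_seq(acl):
    return sorted(acl, key=lambda e: e[0])

def evaluate(acl, proto, dport):
    """Return (action, sequence) of the first entry that matches; later entries are not consulted."""
    for seq, action, e_proto, e_port in by_seq(acl):
        if e_proto in ("ip", proto) and e_port in (None, dport):
            return action, seq
    return "deny", None  # implicit deny that ends every IOS access list

def shadowed(acl):
    """Sequence numbers placed after a catch-all 'ip any any' entry, which can never match."""
    ordered = by_seq(acl)
    for i, (_, _, e_proto, e_port) in enumerate(ordered):
        if e_proto == "ip" and e_port is None:
            return [e[0] for e in ordered[i + 1:]]
    return []

def move_deny_last(acl, seq=1000):
    """Copy of the list with the catch-all deny re-sequenced after every other entry."""
    rest = [e for e in acl if (e[1], e[2], e[3]) != ("deny", "ip", None)]
    return by_seq(rest) + [(seq, "deny", "ip", None)]

if __name__ == "__main__":
    print(evaluate(POSTED, "tcp", 443), shadowed(POSTED))
    fixed = move_deny_last(POSTED)
    for port in (443, 4125, 8080):
        print(port, evaluate(fixed, "tcp", port))
```

With the deny moved to the end, entry 260 (`permit tcp any any`) is no longer shadowed and matches every TCP port, so it has to be removed if only 443, 80 and 4125 are meant to be reachable.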