Solved

Cisco 850 Series Router and Port 443.

Posted on 2011-03-23
Last Modified: 2012-08-14
Hi all,

I've got a router at one of our locations and for the life of me can't figure out why I can't forward port 443 to a machine on the network. I've got another 850 series Cisco router running a similar config at one of our other locations and I was able to get 443 to pass no problem (comparing the two, they look almost the same).

For the office I'm having issues with, I can access the https resource on the LAN side, but accessing from outside nothing comes up. I've also tried debugging packet information for port 443 and accessing again... terminal monitor shows no output. So, I figured perhaps because the default secure-port is 443, I'd change that... which didn't help either.

I'm attaching the scrubbed config. As you can see, I have the acl statement in there as well as the nat rule. I must be missing/forgetting something somewhere, though.

Any help would be appreciated!

Thanks!

Cisco850#show running-config
Building configuration...

Current configuration : 4309 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec localtime year
service timestamps log datetime msec localtime year
service password-encryption
!
hostname Cisco850
!
boot-start-marker
boot-end-marker
!
enable secret 5
!
no aaa new-model
clock timezone PST -8
clock summer-time PDT recurring
!
!
dot11 syslog
!
!
ip cef
ip inspect name outbound_traffic tcp
ip inspect name outbound_traffic udp
ip inspect name outbound_traffic icmp
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
ip name-server 10.5.5.5
!
!
!
username sysadmin secret 5
!
!
archive
 log config
  hidekeys
!
!
!
!
!
interface Tunnel1
 description GRE VPN tunnel to Remote1
 ip address 172.10.12.1 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1400
 keepalive 10 3
 tunnel source zzz.yyy.xxx.sss
 tunnel destination fff.xxx.yyy.www
!
interface Tunnel2
 description GRE VPN tunnel to Remote2
 ip address 172.10.14.1 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1400
 keepalive 10 3
 tunnel source yyy.zzz.sss.xxx
 tunnel destination xxx.ddd.sss.ggg
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 ip address xxx.zzz.yyy.sss 255.255.255.248
 ip access-group nat_in in
 no ip proxy-arp
 ip inspect outbound_traffic out
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface Vlan1
 ip address 10.5.5.1 255.255.255.0
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 xxx.yyy.zzz.aaa
!
no ip http server
no ip http secure-server

ip nat inside source list NAT interface FastEthernet4 overload
ip nat inside source static tcp 10.5.5.254 8080 interface FastEthernet4 8080
ip nat inside source static tcp 10.5.5.2 25 interface FastEthernet4 25
ip nat inside source static tcp 10.5.5.100 3389 interface FastEthernet4 3389
ip nat inside source static tcp 10.5.5.2 143 interface FastEthernet4 143
ip nat inside source static tcp 10.5.5.100 80 interface FastEthernet4 80
ip nat inside source static tcp 10.5.5.2 443 interface FastEthernet4 443

ip access-list extended nat
 permit ip 10.5.5.0 0.0.0.255 any
ip access-list extended nat_in
 permit tcp any any eq 1723
 permit gre any any
 deny   ip 10.0.0.0 0.0.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip 224.0.0.0 7.255.255.255 any
 deny   ip host 0.0.0.0 any
 permit tcp any any eq 143
 permit tcp any any eq 80
 permit tcp any any eq smtp
 permit tcp any any eq www
 permit tcp any any eq 3389
 deny   ip any any
 permit tcp any any eq 443
!
!
control-plane
!
!
line con 0
 login local
 no modem enable
line aux 0
 login local
line vty 0 4
 exec-timeout 60 0
 login local
!
scheduler max-task-time 5000
end

Cisco850#

Question by: SymAdmin
3 Comments

Expert Comment

by: mwblsz
ID: 35202401
You have an access-list set up on faEth4:

interface FastEthernet4
 ip address xxx.zzz.yyy.sss 255.255.255.248
 ip access-group nat_in in

and in access-list nat_in you have:
ip access-list extended nat_in
.....
 permit tcp any any eq 3389
 deny   ip any any
 permit tcp any any eq 443

As you can see, you have "deny ip any any" before you allow port 443; that is why it is not working. Change it to
 permit tcp any any eq 443
 deny   ip any any

and it should be fixed.

Sincerely

Accepted Solution

by: TheTull (earned 500 total points)
ID: 35202407
You have a "deny ip any any" entry in your ACL that is blocking all traffic before it gets a chance to hit the 443 port entry you added. Move the 443 entry before the "deny ip any any".
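Both answers make the same point: IOS evaluates an extended ACL top-down and stops at the first matching entry, so a "permit tcp any any eq 443" placed after "deny ip any any" can never be reached. The following is an added example, not code from the thread or from Cisco: a small Python evaluator for the subset of ACL syntax used in nat_in, run against the ACL exactly as posted and with the two entries swapped as both answers recommend. The client and router addresses are constructed.

```python
# Added example (not from the thread): a first-match evaluator for the subset of Cisco IOS
# extended-ACL syntax in nat_in above (permit/deny, ip/tcp/gre, any|host A|A WILDCARD, eq port).
import ipaddress

def _addr(t, i):
    # Parse 'any' | 'host A' | 'A WILDCARD' at t[i]; return (matcher, index of next token).
    if t[i] in ("any", "host"):
        h = None if t[i] == "any" else int(ipaddress.IPv4Address(t[i + 1]))
        return (lambda ip: h is None or ip == h), i + (1 if h is None else 2)
    base, wild = (int(ipaddress.IPv4Address(x)) for x in t[i:i + 2])
    # Wildcard bit 1 means "don't care", so compare only where the wildcard is 0.
    return (lambda ip: (ip & ~wild) == (base & ~wild)), i + 2

def parse_ace(line):
    t = line.split()
    src, i = _addr(t, 2)
    dst, i = _addr(t, i)
    # Optional "eq <port>": the service names used in nat_in, or a number.
    port = None if i == len(t) else ({"smtp": 25, "www": 80}.get(t[i + 1]) or int(t[i + 1]))
    return t[0], t[1], src, dst, port  # (action, protocol, src, dst, dst_port)

def evaluate(acl, proto, src_ip, dst_ip, dst_port=None):
    # IOS stops at the first matching entry; nothing matched means the implicit deny.
    s, d = (int(ipaddress.IPv4Address(x)) for x in (src_ip, dst_ip))
    for line in acl:
        action, p, src, dst, port = parse_ace(line)
        if p in ("ip", proto) and src(s) and dst(d) and port in (None, dst_port):
            return action, line
    return "deny", "implicit deny"

# nat_in exactly as posted: the 443 permit sits below "deny ip any any" ...
AS_POSTED = """permit tcp any any eq 1723
permit gre any any
deny ip 10.0.0.0 0.0.255.255 any
deny ip 127.0.0.0 0.255.255.255 any
deny ip 224.0.0.0 7.255.255.255 any
deny ip host 0.0.0.0 any
permit tcp any any eq 143
permit tcp any any eq 80
permit tcp any any eq smtp
permit tcp any any eq www
permit tcp any any eq 3389
deny ip any any
permit tcp any any eq 443""".splitlines()
# ... and with the last two entries swapped, as both answers recommend.
FIXED = AS_POSTED[:-2] + [AS_POSTED[-1], AS_POSTED[-2]]

def https_from_outside(acl):
    # Constructed addresses: an Internet client reaching the router's public IP on 443.
    return evaluate(acl, "tcp", "198.51.100.7", "203.0.113.10", 443)
```

Running https_from_outside on AS_POSTED returns the "deny ip any any" entry, while on FIXED it returns the 443 permit; the same evaluator shows that 3389 was already reachable in both orders, which is why only HTTPS appeared broken.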
Author Comment

by: SymAdmin
ID: 35202431
Wow, can't believe I missed that... =o

It worked, thanks!