8443 Website works Internally but not Externally

stephenmiller
Hello,

I have a website running on 8443 and have trouble accessing externally.  For our purposes we will call it https://1.2.3.50:8443

The internal URL is https://172.16.0.140:8443

Internal access to 8443 works.
External access to 80 (http://1.2.3.50) works.
External access to 3389 (remote desktop 1.2.3.50) works.

Externally the connection is quickly reset. When attempting to access a port not allowed on the ACL (attempting to hit https://1.2.3.50), it is properly logged as follows:

May 13 11:55:14: %SEC-6-IPACCESSLOGP: list INTERNET denied tcp MY_PUBLIC_IP(51232) -> 1.2.3.50(443), 1 packet

This will be repeated for a matter of minutes until my browser stops trying the connection.  When attempting 8443, it is immediately a "cannot display webpage" with no persisting load bar.

Here is my full router configuration:

version 12.3
service timestamps debug datetime msec localtime
service timestamps log datetime localtime
no service password-encryption
!
hostname router1
!
boot-start-marker
boot-end-marker
!
logging buffered 50000 debugging
!
clock timezone CST -6
clock summer-time CDT recurring 2 Sun Mar 2:00 1 Sun Nov 2:00
no aaa new-model
ip subnet-zero
ip cef
!
!
!
no ftp-server write-enable
!
!
!
!
interface Multilink2
 description PRIMARY INTERNET INTERFACE
 ip address ISP 1 255.255.255.252
 ip access-group INTERNET in
 no ip redirects
 no ip unreachables
 ip nat outside
 no cdp enable
 ppp multilink
 ppp multilink fragment disable
 ppp multilink group 2
!
interface FastEthernet0/0
 description DSL INTERFACE
 ip address ISP 2 255.255.255.192
 ip access-group DSL in
 no ip redirects
 no ip unreachables
 ip nat outside
 ip route-cache flow
 duplex auto
 speed auto
!
interface Serial0/0
 description To ISP
 bandwidth 1544
 no ip address
 no ip redirects
 no ip unreachables
 encapsulation ppp
 no fair-queue
 serial restart-delay 0
 ppp multilink
 ppp multilink group 2
!
interface FastEthernet0/1
 description LAN INTERFACE
 ip address 172.16.0.1 255.255.240.0
 ip access-group OUTBOUND in
 no ip redirects
 no ip unreachables
 ip nat inside
 ip flow ingress
 ip route-cache policy
 ip tcp adjust-mss 1352
 ip policy route-map PBR
 duplex auto
 speed auto
!
interface Serial0/1
 description To ISP
 bandwidth 1544
 no ip address
 no ip redirects
 no ip unreachables
 encapsulation ppp
 no fair-queue
 serial restart-delay 0
 ppp multilink
 ppp multilink group 2
!
ip local policy route-map LOCAL-PBR
ip nat inside source route-map DSL interface FastEthernet0/0 overload
ip nat inside source route-map M2 interface Multilink2 overload
ip nat inside source static 172.16.3.28 1.2.3.49 route-map NAT-328 extendable
ip nat inside source static 172.16.0.20 1.2.3.48 route-map NAT-20 extendable
ip nat inside source static 172.16.0.70 1.2.3.46 route-map NAT-70 extendable
ip nat inside source static 172.16.4.56 1.2.3.45 route-map NAT-456 extendable
ip nat inside source static 172.16.7.10 1.2.3.35 route-map NAT-710 extendable
ip nat inside source static 172.16.0.90 1.2.3.44 route-map NAT-90 extendable
ip nat inside source static 172.16.0.200 1.2.3.43 route-map NAT-200 extendable
ip nat inside source static 172.16.0.50 1.2.3.42 route-map NAT-50 extendable
ip nat inside source static 172.16.0.21 1.2.3.41 route-map NAT-21 extendable
ip nat inside source static 172.16.0.4 1.2.3.36 route-map NAT-4 extendable
ip nat inside source static 172.16.0.10 1.2.3.37 route-map NAT-10 extendable
ip nat inside source static 172.16.0.110 1.2.3.38 route-map NAT-110 extendable
ip nat inside source static 172.16.0.30 1.2.3.40 route-map NAT-30 extendable
ip nat inside source static 172.16.0.47 1.2.3.39 route-map NAT-47 extendable
ip nat inside source static 172.16.0.140 1.2.3.50 route-map NAT-140 extendable
ip nat inside source static 172.16.0.61 1.2.3.51 route-map NAT-61 extendable
ip nat inside source static 172.16.0.62 1.2.3.52 route-map NAT-62 extendable
ip nat inside source static 172.16.0.5 1.2.3.53 route-map NAT-53 extendable
ip nat inside source static 172.16.3.109 1.2.3.54 route-map NAT-109 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 ISP GW1
ip route 0.0.0.0 0.0.0.0 ISP GW2
ip route 172.30.1.0 255.255.255.0 172.16.0.3
ip flow-export version 5
ip flow-export destination 172.16.0.37 2055
no ip http server
!
ip access-list extended DSL
 permit icmp any any echo-reply
 permit icmp any any echo
 permit icmp any any unreachable
 permit icmp any any time-exceeded
 permit udp any eq domain any
 permit udp any eq ntp any
 permit tcp any eq domain any
 permit tcp any any established
 permit tcp any any range 22 telnet
 permit udp any any eq domain
 permit tcp any any eq domain
 permit udp any any eq 8443
ip access-list extended INTERNET
 permit icmp any any echo-reply
 permit icmp any any echo
 permit icmp any any unreachable
 permit icmp any any time-exceeded
 permit tcp any host 1.2.3.36 eq 5900
 permit tcp any host 1.2.3.36 eq 3389
 permit tcp any host 1.2.3.37 eq 3389
 permit tcp any host 1.2.3.38 eq 3389
 permit tcp any host 1.2.3.39 eq 3389
 permit tcp any host 1.2.3.40 eq www
 permit tcp any host 1.2.3.40 eq ftp
 permit tcp any host 1.2.3.40 eq 5900
 permit tcp any host 1.2.3.41 eq 5900
 permit tcp any host 1.2.3.41 eq 3389
 permit tcp any host 1.2.3.41 eq www
 permit tcp any host 1.2.3.41 eq 443
 permit tcp any host 1.2.3.41 eq 81
 permit tcp any host 1.2.3.42 eq www
 permit tcp any host 1.2.3.42 eq 443
 permit tcp any host 1.2.3.42 eq 22
 permit tcp any host 1.2.3.42 eq 81
 permit tcp any host 1.2.3.43 eq 22
 permit tcp any host 1.2.3.43 eq smtp
 permit tcp any host 1.2.3.44 eq 3389
 permit tcp any host 1.2.3.44 eq 5900
 permit tcp any host 1.2.3.44 eq www
 permit tcp any host 1.2.3.44 eq 9090
 permit tcp any host 1.2.3.44 eq 8443
 permit tcp any host 1.2.3.35 eq 3389
 permit tcp any host 1.2.3.35 eq 2540
 permit tcp any host 1.2.3.35 range 1628 1629
 permit tcp any host 1.2.3.35 eq 443
 permit tcp any host 1.2.3.35 eq www
 permit tcp any host 1.2.3.35 eq 45612
 permit tcp any host 1.2.3.35 eq 5900
 permit tcp any host 1.2.3.35 range 5631 5632
 permit udp any host 1.2.3.35 range 5631 5632
 permit tcp any host 1.2.3.45 eq 3389
 permit tcp any host 1.2.3.45 eq 5900
 permit tcp any host 1.2.3.45 eq 5901
 permit tcp any host 1.2.3.45 eq 5800
 permit tcp any host 1.2.3.45 eq 5801
 permit tcp any host 1.2.3.46 eq 5900
 permit tcp any host 1.2.3.46 eq 5901
 permit tcp any host 1.2.3.47 eq 3389
 permit tcp any host 1.2.3.48 eq 3389
 permit tcp any host 1.2.3.49 eq 3389
 permit tcp any host 1.2.3.50 eq www
 permit tcp any host 1.2.3.50 eq 8443
 permit udp any host 1.2.3.50 eq 8443
 permit tcp any host 1.2.3.50 eq 3389
 permit tcp any host 1.2.3.51 eq 3389
 permit tcp any host 1.2.3.54 eq 3389
 permit tcp any host 1.2.3.52 eq 3389
 permit tcp any host 1.2.3.53 eq 22
 permit udp any eq domain any
 permit udp any eq ntp any
 permit tcp any eq domain any
 permit tcp any any established
 permit tcp any any range 22 telnet
 permit udp any any eq domain
 permit tcp any any eq domain
 deny   ip any any log
ip access-list extended NAT
 deny   ip any 10.0.0.0 0.255.255.255
 deny   ip any 172.16.0.0 0.15.255.255
 deny   ip any 192.168.0.0 0.0.255.255
 deny   ip host 172.16.0.21 any
 deny   ip host 172.16.0.4 any
 deny   ip host 172.16.0.5 any
 deny   ip host 172.16.0.10 any
 deny   ip host 172.16.0.110 any
 deny   ip host 172.16.0.47 any
 deny   ip host 172.16.0.30 any
 deny   ip host 172.16.0.50 any
 deny   ip host 172.16.0.200 any
 deny   ip host 172.16.0.90 any
 deny   ip host 172.16.7.10 any
 deny   ip host 172.16.4.56 any
 deny   ip host 172.16.0.70 any
 deny   ip host 172.16.0.20 any
 deny   ip host 172.16.3.28 any
 deny   ip host 172.16.0.140 any
 permit ip 172.16.0.0 0.0.15.255 any
ip access-list extended NAT-10
 deny   ip any 10.0.0.0 0.255.255.255
 deny   ip any 172.16.0.0 0.15.255.255
 deny   ip any 192.168.0.0 0.0.255.255
 permit ip host 172.16.0.10 any
ip access-list extended NAT-109
 deny   ip any 10.0.0.0 0.255.255.255
 deny   ip any 172.16.0.0 0.15.255.255
 deny   ip any 192.168.0.0 0.0.255.255
 permit ip host 172.16.3.109 any
ip access-list extended NAT-110
 deny   ip any 10.0.0.0 0.255.255.255
 deny   ip any 172.16.0.0 0.15.255.255
 deny   ip any 192.168.0.0 0.0.255.255
 permit ip host 172.16.0.110 any
ip access-list extended NAT-140
 deny   ip any 10.0.0.0 0.255.255.255
 deny   ip any 172.16.0.0 0.15.255.255
 deny   ip any 192.168.0.0 0.0.255.255
 permit ip host 172.16.0.140 any
ip access-list extended NAT-20
 deny   ip any 10.0.0.0 0.255.255.255
 deny   ip any 172.16.0.0 0.15.255.255
 deny   ip any 192.168.0.0 0.0.255.255
 permit ip host 172.16.0.20 any
ip access-list extended NAT-200
 deny   ip any 10.0.0.0 0.255.255.255
 deny   ip any 172.16.0.0 0.15.255.255
 deny   ip any 192.168.0.0 0.0.255.255
 permit ip host 172.16.0.200 any
ip access-list extended NAT-21
 deny   ip any 10.0.0.0 0.255.255.255
 deny   ip any 172.16.0.0 0.15.255.255
 deny   ip any 192.168.0.0 0.0.255.255
 permit ip host 172.16.0.21 any
ip access-list extended NAT-30
 deny   ip any 10.0.0.0 0.255.255.255
 deny   ip any 172.16.0.0 0.15.255.255
 deny   ip any 192.168.0.0 0.0.255.255
 permit ip host 172.16.0.30 any
ip access-list extended NAT-328
 deny   ip any 10.0.0.0 0.255.255.255
 deny   ip any 172.16.0.0 0.15.255.255
 deny   ip any 192.168.0.0 0.0.255.255
 permit ip host 172.16.3.28 any
ip access-list extended NAT-4
 deny   ip any 10.0.0.0 0.255.255.255
 deny   ip any 172.16.0.0 0.15.255.255
 deny   ip any 192.168.0.0 0.0.255.255
 permit ip host 172.16.0.4 any
ip access-list extended NAT-456
 deny   ip any 10.0.0.0 0.255.255.255
 deny   ip any 172.16.0.0 0.15.255.255
 deny   ip any 192.168.0.0 0.0.255.255
 permit ip host 172.16.4.56 any
ip access-list extended NAT-47
 deny   ip any 10.0.0.0 0.255.255.255
 deny   ip any 172.16.0.0 0.15.255.255
 deny   ip any 192.168.0.0 0.0.255.255
 permit ip host 172.16.0.47 any
ip access-list extended NAT-50
 deny   ip any 10.0.0.0 0.255.255.255
 deny   ip any 172.16.0.0 0.15.255.255
 deny   ip any 192.168.0.0 0.0.255.255
 permit ip host 172.16.0.50 any
ip access-list extended NAT-53
 deny   ip any 10.0.0.0 0.255.255.255
 deny   ip any 172.16.0.0 0.15.255.255
 deny   ip any 192.168.0.0 0.0.255.255
 permit ip host 172.16.0.5 any
ip access-list extended NAT-61
 deny   ip any 10.0.0.0 0.255.255.255
 deny   ip any 172.16.0.0 0.15.255.255
 deny   ip any 192.168.0.0 0.0.255.255
 permit ip host 172.16.0.61 any
ip access-list extended NAT-62
 deny   ip any 10.0.0.0 0.255.255.255
 deny   ip any 172.16.0.0 0.15.255.255
 deny   ip any 192.168.0.0 0.0.255.255
 permit ip host 172.16.0.62 any
ip access-list extended NAT-70
 deny   ip any 10.0.0.0 0.255.255.255
 deny   ip any 172.16.0.0 0.15.255.255
 deny   ip any 192.168.0.0 0.0.255.255
 permit ip host 172.16.0.70 any
ip access-list extended NAT-710
 deny   ip any 10.0.0.0 0.255.255.255
 deny   ip any 172.16.0.0 0.15.255.255
 deny   ip any 192.168.0.0 0.0.255.255
 permit ip host 172.16.7.10 any
ip access-list extended NAT-90
 deny   ip any 10.0.0.0 0.255.255.255
 deny   ip any 172.16.0.0 0.15.255.255
 deny   ip any 192.168.0.0 0.0.255.255
 permit ip host 172.16.0.90 any
ip access-list extended OUTBOUND
 permit icmp any any echo
 permit icmp any any echo-reply
 permit icmp any any time-exceeded
 permit icmp any any unreachable
 deny   icmp any any
 permit tcp host 172.16.0.50 any eq smtp
 permit tcp host 172.16.0.200 any eq smtp
 deny   tcp any any eq smtp log
 permit ip any any
ip access-list extended PBR
 remark DEFINES WHICH TRAFFIC TO ROUTE THROUGH DSL FOR INTERNET
 deny   ip any 10.0.0.0 0.255.255.255
 deny   ip any 172.16.0.0 0.15.255.255
 deny   ip any 192.168.0.0 0.0.255.255
 deny   ip host 172.16.0.21 any
 deny   ip host 172.16.0.4 any
 deny   ip host 172.16.0.10 any
 deny   ip host 172.16.0.110 any
 deny   ip host 172.16.0.47 any
 deny   ip host 172.16.0.30 any
 deny   ip host 172.16.0.50 any
 deny   ip host 172.16.0.200 any
 deny   ip host 172.16.0.90 any
 deny   ip host 172.16.7.10 any
 deny   ip host 172.16.4.56 any
 deny   ip host 172.16.0.70 any
 deny   ip host 172.16.0.20 any
 deny   ip host 172.16.3.28 any
 deny   ip host 172.16.0.140 any
 permit ip 172.16.1.0 0.0.0.255 any
 permit ip 172.16.2.0 0.0.1.255 any
 permit ip 172.16.4.0 0.0.3.255 any
!
ip access-list log-update threshold 2147483647
logging LOG-IP
access-list 100 permit ip host ISP 1 any
access-list 101 permit ip host ISP 2 any
arp OLD IP 1 000d.2993.e3fd ARPA
arp OLD IP 2 000d.2993.e3fd ARPA
route-map LOCAL-PBR permit 1
 match ip address 100
 set ip next-hop ISP GW1
!
route-map LOCAL-PBR permit 2
 match ip address 101
 set ip next-hop ISP GW2
!
route-map NAT-710 permit 1
 match ip address NAT-710
!
route-map PBR permit 1
 match ip address PBR
 set interface FastEthernet0/0
!
route-map PBR permit 2
!
route-map NAT-456 permit 1
 match ip address NAT-456
!
route-map NAT-4 permit 1
 match ip address NAT-4
!
route-map NAT-140 permit 1
 match ip address NAT-140
!
route-map NAT-200 permit 1
 match ip address NAT-200
!
route-map NAT-110 permit 1
 match ip address NAT-110
!
route-map NAT-109 permit 1
 match ip address NAT-109
!
route-map NAT-328 permit 1
 match ip address NAT-328
!
route-map DSL permit 1
 match ip address NAT
 match interface FastEthernet0/0
!
route-map NAT-53 permit 1
 match ip address NAT-53
!
route-map NAT-70 permit 1
 match ip address NAT-70
!
route-map NAT-61 permit 1
 match ip address NAT-61
!
route-map NAT-62 permit 1
 match ip address NAT-62
!
route-map NAT-50 permit 1
 match ip address NAT-50
!
route-map NAT-20 permit 1
 match ip address NAT-20
!
route-map NAT-21 permit 1
 match ip address NAT-21
!
route-map NAT-47 permit 1
 match ip address NAT-47
!
route-map NAT-30 permit 1
 match ip address NAT-30
!
route-map NAT-10 permit 1
 match ip address NAT-10
!
route-map NAT-90 permit 1
 match ip address NAT-90
!
route-map M2 permit 1
 match ip address NAT
 match interface Multilink2
!
^C
!
line con 0
line aux 0
 login
 modem InOut
 modem autoconfigure type usr
 transport input all
 speed 115200
 flowcontrol hardware
line vty 0 4
 login
!
ntp clock-period 17180704
ntp server 132.163.4.101
end

router1#


Thanks for taking the time to look at my problem.
You need to permit port 443 to the 1.2.3.50 IP address
Kerem ERSOY, President

Commented:
Hi,

I guess the problem is here:

 permit udp any any eq 8443

You've included the access for port 8443, but you've specified UDP instead of TCP. As you know, UDP is a connectionless protocol and not suitable for SSL communication between a client and server...

Cheers,
K.
Kerem ERSOY, President
Commented:
ip access-list extended DSL
.
.

 permit udp any any eq 8443

I mean here in access-list for DSL.

Author

Commented:
I was close!  Changing that line on the DSL acl to permit tcp any any eq 8443 was the fix.  Thank you!!
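The UDP/TCP mix-up can be checked mechanically. The block below is an added example, not code from this thread or from Cisco: a small evaluator for the `any`/`host X` subset of Cisco extended-ACL syntax that the DSL and INTERNET lists in the question use, run against a constructed external TCP SYN to 1.2.3.50:8443 (source port 51232 is borrowed from the logged line). It shows the DSL list falling through to the unlogged implicit deny while INTERNET permits the same packet, which is also why the port 443 attempt shows up in the log and the 8443 failure does not.

```python
import re
# One Cisco extended-ACL entry in the 'any' / 'host X' subset these two lists use:
# action proto src [eq|range ...] dst [eq|range ...] [established] [log]
ACE = re.compile(r"^\s*(permit|deny)\s+(\S+)\s+(any|host \S+)(?:\s+(eq \S+|range \S+ \S+))?"
                 r"\s+(any|host \S+)(?:\s+(eq \S+|range \S+ \S+))?(.*)$")
PORT = {"www": 80, "telnet": 23, "domain": 53, "smtp": 25, "ftp": 21, "ntp": 123}

def port_range(spec):
    """'eq www' -> (80, 80); 'range 22 telnet' -> (22, 23); None -> any port."""
    if not spec:
        return None
    p = [PORT.get(t) or int(t) for t in spec.split()[1:]]
    return p[0], p[-1]

def in_range(rng, port):
    return rng is None or rng[0] <= port <= rng[1]

def evaluate(acl_text, proto, dst, dport, sport=51232, established=False):
    """First match wins; Cisco's implicit trailing 'deny ip any any' is never logged."""
    for line in acl_text.strip().splitlines():
        action, p, _src, sp, d, dp, rest = ACE.match(line).groups()
        dhost = None if d == "any" else d.split()[1]
        if (p in ("ip", proto) and dhost in (None, dst)
                and in_range(port_range(sp), sport) and in_range(port_range(dp), dport)
                and (established or "established" not in rest.split())):
            return action, "log" in rest.split()
    return "deny", False

# TCP/UDP entries of the posted lists (icmp entries and other hosts omitted).
DSL = """
 permit udp any eq domain any
 permit tcp any eq domain any
 permit tcp any any established
 permit tcp any any range 22 telnet
 permit udp any any eq domain
 permit tcp any any eq domain
 permit udp any any eq 8443
"""
INTERNET = """
 permit tcp any host 1.2.3.50 eq www
 permit tcp any host 1.2.3.50 eq 8443
 permit udp any host 1.2.3.50 eq 8443
 permit tcp any any established
 deny   ip any any log
"""
FIXED_DSL = DSL.replace("permit udp any any eq 8443", "permit tcp any any eq 8443")

def check_8443(dsl_acl):
    # (action, logged) for a constructed external TCP SYN to 1.2.3.50:8443 under each list
    return {"INTERNET": evaluate(INTERNET, "tcp", "1.2.3.50", 8443),
            "DSL": evaluate(dsl_acl, "tcp", "1.2.3.50", 8443)}
```

Running `check_8443(DSL)` versus `check_8443(FIXED_DSL)` shows the DSL verdict flipping from an unlogged deny to permit while INTERNET is unchanged; the same evaluator explains the 443 log line, since only INTERNET's explicit `deny ip any any log` entry logs.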
Kerem ERSOY, President

Commented:
You really were! Maybe the telephone rang or there was another distraction.. I was just the second pair of eyes. You're welcome.
