asked on 8443 Website works Internally but not Externally
Hello,
I have a website running on 8443 and have trouble accessing externally. For our purposes we will call it https://1.2.3.50:8443
The internal URL is https://172.16.0.140:8443
Internal access to 8443 works.
External access to 80 (http://1.2.3.50) works.
External access to 3389 (remote desktop 1.2.3.50) works.
Externally the connection is quickly reset. When attempting to access a port not allowed on ACL (attempting to hit https://1.2.3.50) , it is properly logged as follows:
May 13 11:55:14: %SEC-6-IPACCESSLOGP: list INTERNET denied tcp MY_PUBLIC_IP(51232) -> 1.2.3.50(443), 1 packet
This will be repeated for a matter of minutes until my browser stops trying the connection. When attempting 8443, it is immediately a "cannot display webpage" with no persisting load bar.
Here is my full router configuration:
version 12.3
service timestamps debug datetime msec localtime
service timestamps log datetime localtime
no service password-encryption
!
hostname router1
!
boot-start-marker
boot-end-marker
!
logging buffered 50000 debugging
!
clock timezone CST -6
clock summer-time CDT recurring 2 Sun Mar 2:00 1 Sun Nov 2:00
no aaa new-model
ip subnet-zero
ip cef
!
!
!
no ftp-server write-enable
!
!
!
!
interface Multilink2
description PRIMARY INTERNET INTERFACE
ip address ISP 1 255.255.255.252
ip access-group INTERNET in
no ip redirects
no ip unreachables
ip nat outside
no cdp enable
ppp multilink
ppp multilink fragment disable
ppp multilink group 2
!
interface FastEthernet0/0
description DSL INTERFACE
ip address ISP 2 255.255.255.192
ip access-group DSL in
no ip redirects
no ip unreachables
ip nat outside
ip route-cache flow
duplex auto
speed auto
!
interface Serial0/0
description To ISP
bandwidth 1544
no ip address
no ip redirects
no ip unreachables
encapsulation ppp
no fair-queue
serial restart-delay 0
ppp multilink
ppp multilink group 2
!
interface FastEthernet0/1
description LAN INTERFACE
ip address 172.16.0.1 255.255.240.0
ip access-group OUTBOUND in
no ip redirects
no ip unreachables
ip nat inside
ip flow ingress
ip route-cache policy
ip tcp adjust-mss 1352
ip policy route-map PBR
duplex auto
speed auto
!
interface Serial0/1
description To ISP
bandwidth 1544
no ip address
no ip redirects
no ip unreachables
encapsulation ppp
no fair-queue
serial restart-delay 0
ppp multilink
ppp multilink group 2
!
ip local policy route-map LOCAL-PBR
ip nat inside source route-map DSL interface FastEthernet0/0 overload
ip nat inside source route-map M2 interface Multilink2 overload
ip nat inside source static 172.16.3.28 1.2.3.49 route-map NAT-328 extendable
ip nat inside source static 172.16.0.20 1.2.3.48 route-map NAT-20 extendable
ip nat inside source static 172.16.0.70 1.2.3.46 route-map NAT-70 extendable
ip nat inside source static 172.16.4.56 1.2.3.45 route-map NAT-456 extendable
ip nat inside source static 172.16.7.10 1.2.3.35 route-map NAT-710 extendable
ip nat inside source static 172.16.0.90 1.2.3.44 route-map NAT-90 extendable
ip nat inside source static 172.16.0.200 1.2.3.43 route-map NAT-200 extendable
ip nat inside source static 172.16.0.50 1.2.3.42 route-map NAT-50 extendable
ip nat inside source static 172.16.0.21 1.2.3.41 route-map NAT-21 extendable
ip nat inside source static 172.16.0.4 1.2.3.36 route-map NAT-4 extendable
ip nat inside source static 172.16.0.10 1.2.3.37 route-map NAT-10 extendable
ip nat inside source static 172.16.0.110 1.2.3.38 route-map NAT-110 extendable
ip nat inside source static 172.16.0.30 1.2.3.40 route-map NAT-30 extendable
ip nat inside source static 172.16.0.47 1.2.3.39 route-map NAT-47 extendable
ip nat inside source static 172.16.0.140 1.2.3.50 route-map NAT-140 extendable
ip nat inside source static 172.16.0.61 1.2.3.51 route-map NAT-61 extendable
ip nat inside source static 172.16.0.62 1.2.3.52 route-map NAT-62 extendable
ip nat inside source static 172.16.0.5 1.2.3.53 route-map NAT-53 extendable
ip nat inside source static 172.16.3.109 1.2.3.54 route-map NAT-109 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 ISP GW1
ip route 0.0.0.0 0.0.0.0 ISP GW2
ip route 172.30.1.0 255.255.255.0 172.16.0.3
ip flow-export version 5
ip flow-export destination 172.16.0.37 2055
no ip http server
!
ip access-list extended DSL
permit icmp any any echo-reply
permit icmp any any echo
permit icmp any any unreachable
permit icmp any any time-exceeded
permit udp any eq domain any
permit udp any eq ntp any
permit tcp any eq domain any
permit tcp any any established
permit tcp any any range 22 telnet
permit udp any any eq domain
permit tcp any any eq domain
permit udp any any eq 8443
ip access-list extended INTERNET
permit icmp any any echo-reply
permit icmp any any echo
permit icmp any any unreachable
permit icmp any any time-exceeded
permit tcp any host 1.2.3.36 eq 5900
permit tcp any host 1.2.3.36 eq 3389
permit tcp any host 1.2.3.37 eq 3389
permit tcp any host 1.2.3.38 eq 3389
permit tcp any host 1.2.3.39 eq 3389
permit tcp any host 1.2.3.40 eq www
permit tcp any host 1.2.3.40 eq ftp
permit tcp any host 1.2.3.40 eq 5900
permit tcp any host 1.2.3.41 eq 5900
permit tcp any host 1.2.3.41 eq 3389
permit tcp any host 1.2.3.41 eq www
permit tcp any host 1.2.3.41 eq 443
permit tcp any host 1.2.3.41 eq 81
permit tcp any host 1.2.3.42 eq www
permit tcp any host 1.2.3.42 eq 443
permit tcp any host 1.2.3.42 eq 22
permit tcp any host 1.2.3.42 eq 81
permit tcp any host 1.2.3.43 eq 22
permit tcp any host 1.2.3.43 eq smtp
permit tcp any host 1.2.3.44 eq 3389
permit tcp any host 1.2.3.44 eq 5900
permit tcp any host 1.2.3.44 eq www
permit tcp any host 1.2.3.44 eq 9090
permit tcp any host 1.2.3.44 eq 8443
permit tcp any host 1.2.3.35 eq 3389
permit tcp any host 1.2.3.35 eq 2540
permit tcp any host 1.2.3.35 range 1628 1629
permit tcp any host 1.2.3.35 eq 443
permit tcp any host 1.2.3.35 eq www
permit tcp any host 1.2.3.35 eq 45612
permit tcp any host 1.2.3.35 eq 5900
permit tcp any host 1.2.3.35 range 5631 5632
permit udp any host 1.2.3.35 range 5631 5632
permit tcp any host 1.2.3.45 eq 3389
permit tcp any host 1.2.3.45 eq 5900
permit tcp any host 1.2.3.45 eq 5901
permit tcp any host 1.2.3.45 eq 5800
permit tcp any host 1.2.3.45 eq 5801
permit tcp any host 1.2.3.46 eq 5900
permit tcp any host 1.2.3.46 eq 5901
permit tcp any host 1.2.3.47 eq 3389
permit tcp any host 1.2.3.48 eq 3389
permit tcp any host 1.2.3.49 eq 3389
permit tcp any host 1.2.3.50 eq www
permit tcp any host 1.2.3.50 eq 8443
permit udp any host 1.2.3.50 eq 8443
permit tcp any host 1.2.3.50 eq 3389
permit tcp any host 1.2.3.51 eq 3389
permit tcp any host 1.2.3.54 eq 3389
permit tcp any host 1.2.3.52 eq 3389
permit tcp any host 1.2.3.53 eq 22
permit udp any eq domain any
permit udp any eq ntp any
permit tcp any eq domain any
permit tcp any any established
permit tcp any any range 22 telnet
permit udp any any eq domain
permit tcp any any eq domain
deny ip any any log
ip access-list extended NAT
deny ip any 10.0.0.0 0.255.255.255
deny ip any 172.16.0.0 0.15.255.255
deny ip any 192.168.0.0 0.0.255.255
deny ip host 172.16.0.21 any
deny ip host 172.16.0.4 any
deny ip host 172.16.0.5 any
deny ip host 172.16.0.10 any
deny ip host 172.16.0.110 any
deny ip host 172.16.0.47 any
deny ip host 172.16.0.30 any
deny ip host 172.16.0.50 any
deny ip host 172.16.0.200 any
deny ip host 172.16.0.90 any
deny ip host 172.16.7.10 any
deny ip host 172.16.4.56 any
deny ip host 172.16.0.70 any
deny ip host 172.16.0.20 any
deny ip host 172.16.3.28 any
deny ip host 172.16.0.140 any
permit ip 172.16.0.0 0.0.15.255 any
ip access-list extended NAT-10
deny ip any 10.0.0.0 0.255.255.255
deny ip any 172.16.0.0 0.15.255.255
deny ip any 192.168.0.0 0.0.255.255
permit ip host 172.16.0.10 any
ip access-list extended NAT-109
deny ip any 10.0.0.0 0.255.255.255
deny ip any 172.16.0.0 0.15.255.255
deny ip any 192.168.0.0 0.0.255.255
permit ip host 172.16.3.109 any
ip access-list extended NAT-110
deny ip any 10.0.0.0 0.255.255.255
deny ip any 172.16.0.0 0.15.255.255
deny ip any 192.168.0.0 0.0.255.255
permit ip host 172.16.0.110 any
ip access-list extended NAT-140
deny ip any 10.0.0.0 0.255.255.255
deny ip any 172.16.0.0 0.15.255.255
deny ip any 192.168.0.0 0.0.255.255
permit ip host 172.16.0.140 any
ip access-list extended NAT-20
deny ip any 10.0.0.0 0.255.255.255
deny ip any 172.16.0.0 0.15.255.255
deny ip any 192.168.0.0 0.0.255.255
permit ip host 172.16.0.20 any
ip access-list extended NAT-200
deny ip any 10.0.0.0 0.255.255.255
deny ip any 172.16.0.0 0.15.255.255
deny ip any 192.168.0.0 0.0.255.255
permit ip host 172.16.0.200 any
ip access-list extended NAT-21
deny ip any 10.0.0.0 0.255.255.255
deny ip any 172.16.0.0 0.15.255.255
deny ip any 192.168.0.0 0.0.255.255
permit ip host 172.16.0.21 any
ip access-list extended NAT-30
deny ip any 10.0.0.0 0.255.255.255
deny ip any 172.16.0.0 0.15.255.255
deny ip any 192.168.0.0 0.0.255.255
permit ip host 172.16.0.30 any
ip access-list extended NAT-328
deny ip any 10.0.0.0 0.255.255.255
deny ip any 172.16.0.0 0.15.255.255
deny ip any 192.168.0.0 0.0.255.255
permit ip host 172.16.3.28 any
ip access-list extended NAT-4
deny ip any 10.0.0.0 0.255.255.255
deny ip any 172.16.0.0 0.15.255.255
deny ip any 192.168.0.0 0.0.255.255
permit ip host 172.16.0.4 any
ip access-list extended NAT-456
deny ip any 10.0.0.0 0.255.255.255
deny ip any 172.16.0.0 0.15.255.255
deny ip any 192.168.0.0 0.0.255.255
permit ip host 172.16.4.56 any
ip access-list extended NAT-47
deny ip any 10.0.0.0 0.255.255.255
deny ip any 172.16.0.0 0.15.255.255
deny ip any 192.168.0.0 0.0.255.255
permit ip host 172.16.0.47 any
ip access-list extended NAT-50
deny ip any 10.0.0.0 0.255.255.255
deny ip any 172.16.0.0 0.15.255.255
deny ip any 192.168.0.0 0.0.255.255
permit ip host 172.16.0.50 any
ip access-list extended NAT-53
deny ip any 10.0.0.0 0.255.255.255
deny ip any 172.16.0.0 0.15.255.255
deny ip any 192.168.0.0 0.0.255.255
permit ip host 172.16.0.5 any
ip access-list extended NAT-61
deny ip any 10.0.0.0 0.255.255.255
deny ip any 172.16.0.0 0.15.255.255
deny ip any 192.168.0.0 0.0.255.255
permit ip host 172.16.0.61 any
ip access-list extended NAT-62
deny ip any 10.0.0.0 0.255.255.255
deny ip any 172.16.0.0 0.15.255.255
deny ip any 192.168.0.0 0.0.255.255
permit ip host 172.16.0.62 any
ip access-list extended NAT-70
deny ip any 10.0.0.0 0.255.255.255
deny ip any 172.16.0.0 0.15.255.255
deny ip any 192.168.0.0 0.0.255.255
permit ip host 172.16.0.70 any
ip access-list extended NAT-710
deny ip any 10.0.0.0 0.255.255.255
deny ip any 172.16.0.0 0.15.255.255
deny ip any 192.168.0.0 0.0.255.255
permit ip host 172.16.7.10 any
ip access-list extended NAT-90
deny ip any 10.0.0.0 0.255.255.255
deny ip any 172.16.0.0 0.15.255.255
deny ip any 192.168.0.0 0.0.255.255
permit ip host 172.16.0.90 any
ip access-list extended OUTBOUND
permit icmp any any echo
permit icmp any any echo-reply
permit icmp any any time-exceeded
permit icmp any any unreachable
deny icmp any any
permit tcp host 172.16.0.50 any eq smtp
permit tcp host 172.16.0.200 any eq smtp
deny tcp any any eq smtp log
permit ip any any
ip access-list extended PBR
remark DEFINES WHICH TRAFFIC TO ROUTE THROUGH DSL FOR INTERNET
deny ip any 10.0.0.0 0.255.255.255
deny ip any 172.16.0.0 0.15.255.255
deny ip any 192.168.0.0 0.0.255.255
deny ip host 172.16.0.21 any
deny ip host 172.16.0.4 any
deny ip host 172.16.0.10 any
deny ip host 172.16.0.110 any
deny ip host 172.16.0.47 any
deny ip host 172.16.0.30 any
deny ip host 172.16.0.50 any
deny ip host 172.16.0.200 any
deny ip host 172.16.0.90 any
deny ip host 172.16.7.10 any
deny ip host 172.16.4.56 any
deny ip host 172.16.0.70 any
deny ip host 172.16.0.20 any
deny ip host 172.16.3.28 any
deny ip host 172.16.0.140 any
permit ip 172.16.1.0 0.0.0.255 any
permit ip 172.16.2.0 0.0.1.255 any
permit ip 172.16.4.0 0.0.3.255 any
!
ip access-list log-update threshold 2147483647
logging LOG-IP
access-list 100 permit ip host ISP 1 any
access-list 101 permit ip host ISP 2 any
arp OLD IP 1 000d.2993.e3fd ARPA
arp OLD IP 2 000d.2993.e3fd ARPA
route-map LOCAL-PBR permit 1
match ip address 100
set ip next-hop ISP GW1
!
route-map LOCAL-PBR permit 2
match ip address 101
set ip next-hop ISP GW2
!
route-map NAT-710 permit 1
match ip address NAT-710
!
route-map PBR permit 1
match ip address PBR
set interface FastEthernet0/0
!
route-map PBR permit 2
!
route-map NAT-456 permit 1
match ip address NAT-456
!
route-map NAT-4 permit 1
match ip address NAT-4
!
route-map NAT-140 permit 1
match ip address NAT-140
!
route-map NAT-200 permit 1
match ip address NAT-200
!
route-map NAT-110 permit 1
match ip address NAT-110
!
route-map NAT-109 permit 1
match ip address NAT-109
!
route-map NAT-328 permit 1
match ip address NAT-328
!
route-map DSL permit 1
match ip address NAT
match interface FastEthernet0/0
!
route-map NAT-53 permit 1
match ip address NAT-53
!
route-map NAT-70 permit 1
match ip address NAT-70
!
route-map NAT-61 permit 1
match ip address NAT-61
!
route-map NAT-62 permit 1
match ip address NAT-62
!
route-map NAT-50 permit 1
match ip address NAT-50
!
route-map NAT-20 permit 1
match ip address NAT-20
!
route-map NAT-21 permit 1
match ip address NAT-21
!
route-map NAT-47 permit 1
match ip address NAT-47
!
route-map NAT-30 permit 1
match ip address NAT-30
!
route-map NAT-10 permit 1
match ip address NAT-10
!
route-map NAT-90 permit 1
match ip address NAT-90
!
route-map M2 permit 1
match ip address NAT
match interface Multilink2
!
^C
!
line con 0
line aux 0
login
modem InOut
modem autoconfigure type usr
transport input all
speed 115200
flowcontrol hardware
line vty 0 4
login
!
ntp clock-period 17180704
ntp server 132.163.4.101
end
router1#
Thanks for taking the time to look at my problem.
I have a website running on 8443 and have trouble accessing externally. For our purposes we will call it https://1.2.3.50:8443
The internal URL is https://172.16.0.140:8443
Internal access to 8443 works.
External access to 80 (http://1.2.3.50) works.
External access to 3389 (remote desktop 1.2.3.50) works.
Externally the connection is quickly reset. When attempting to access a port not allowed on ACL (attempting to hit https://1.2.3.50) , it is properly logged as follows:
May 13 11:55:14: %SEC-6-IPACCESSLOGP: list INTERNET denied tcp MY_PUBLIC_IP(51232) -> 1.2.3.50(443), 1 packet
This will be repeated for a matter of minutes until my browser stops trying the connection. When attempting 8443, it is immediately a "cannot display webpage" with no persisting load bar.
Here is my full router configuration:
version 12.3
service timestamps debug datetime msec localtime
service timestamps log datetime localtime
no service password-encryption
!
hostname router1
!
boot-start-marker
boot-end-marker
!
logging buffered 50000 debugging
!
clock timezone CST -6
clock summer-time CDT recurring 2 Sun Mar 2:00 1 Sun Nov 2:00
no aaa new-model
ip subnet-zero
ip cef
!
!
!
no ftp-server write-enable
!
!
!
!
interface Multilink2
description PRIMARY INTERNET INTERFACE
ip address ISP 1 255.255.255.252
ip access-group INTERNET in
no ip redirects
no ip unreachables
ip nat outside
no cdp enable
ppp multilink
ppp multilink fragment disable
ppp multilink group 2
!
interface FastEthernet0/0
description DSL INTERFACE
ip address ISP 2 255.255.255.192
ip access-group DSL in
no ip redirects
no ip unreachables
ip nat outside
ip route-cache flow
duplex auto
speed auto
!
interface Serial0/0
description To ISP
bandwidth 1544
no ip address
no ip redirects
no ip unreachables
encapsulation ppp
no fair-queue
serial restart-delay 0
ppp multilink
ppp multilink group 2
!
interface FastEthernet0/1
description LAN INTERFACE
ip address 172.16.0.1 255.255.240.0
ip access-group OUTBOUND in
no ip redirects
no ip unreachables
ip nat inside
ip flow ingress
ip route-cache policy
ip tcp adjust-mss 1352
ip policy route-map PBR
duplex auto
speed auto
!
interface Serial0/1
description To ISP
bandwidth 1544
no ip address
no ip redirects
no ip unreachables
encapsulation ppp
no fair-queue
serial restart-delay 0
ppp multilink
ppp multilink group 2
!
ip local policy route-map LOCAL-PBR
ip nat inside source route-map DSL interface FastEthernet0/0 overload
ip nat inside source route-map M2 interface Multilink2 overload
ip nat inside source static 172.16.3.28 1.2.3.49 route-map NAT-328 extendable
ip nat inside source static 172.16.0.20 1.2.3.48 route-map NAT-20 extendable
ip nat inside source static 172.16.0.70 1.2.3.46 route-map NAT-70 extendable
ip nat inside source static 172.16.4.56 1.2.3.45 route-map NAT-456 extendable
ip nat inside source static 172.16.7.10 1.2.3.35 route-map NAT-710 extendable
ip nat inside source static 172.16.0.90 1.2.3.44 route-map NAT-90 extendable
ip nat inside source static 172.16.0.200 1.2.3.43 route-map NAT-200 extendable
ip nat inside source static 172.16.0.50 1.2.3.42 route-map NAT-50 extendable
ip nat inside source static 172.16.0.21 1.2.3.41 route-map NAT-21 extendable
ip nat inside source static 172.16.0.4 1.2.3.36 route-map NAT-4 extendable
ip nat inside source static 172.16.0.10 1.2.3.37 route-map NAT-10 extendable
ip nat inside source static 172.16.0.110 1.2.3.38 route-map NAT-110 extendable
ip nat inside source static 172.16.0.30 1.2.3.40 route-map NAT-30 extendable
ip nat inside source static 172.16.0.47 1.2.3.39 route-map NAT-47 extendable
ip nat inside source static 172.16.0.140 1.2.3.50 route-map NAT-140 extendable
ip nat inside source static 172.16.0.61 1.2.3.51 route-map NAT-61 extendable
ip nat inside source static 172.16.0.62 1.2.3.52 route-map NAT-62 extendable
ip nat inside source static 172.16.0.5 1.2.3.53 route-map NAT-53 extendable
ip nat inside source static 172.16.3.109 1.2.3.54 route-map NAT-109 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 ISP GW1
ip route 0.0.0.0 0.0.0.0 ISP GW2
ip route 172.30.1.0 255.255.255.0 172.16.0.3
ip flow-export version 5
ip flow-export destination 172.16.0.37 2055
no ip http server
!
ip access-list extended DSL
permit icmp any any echo-reply
permit icmp any any echo
permit icmp any any unreachable
permit icmp any any time-exceeded
permit udp any eq domain any
permit udp any eq ntp any
permit tcp any eq domain any
permit tcp any any established
permit tcp any any range 22 telnet
permit udp any any eq domain
permit tcp any any eq domain
permit udp any any eq 8443
ip access-list extended INTERNET
permit icmp any any echo-reply
permit icmp any any echo
permit icmp any any unreachable
permit icmp any any time-exceeded
permit tcp any host 1.2.3.36 eq 5900
permit tcp any host 1.2.3.36 eq 3389
permit tcp any host 1.2.3.37 eq 3389
permit tcp any host 1.2.3.38 eq 3389
permit tcp any host 1.2.3.39 eq 3389
permit tcp any host 1.2.3.40 eq www
permit tcp any host 1.2.3.40 eq ftp
permit tcp any host 1.2.3.40 eq 5900
permit tcp any host 1.2.3.41 eq 5900
permit tcp any host 1.2.3.41 eq 3389
permit tcp any host 1.2.3.41 eq www
permit tcp any host 1.2.3.41 eq 443
permit tcp any host 1.2.3.41 eq 81
permit tcp any host 1.2.3.42 eq www
permit tcp any host 1.2.3.42 eq 443
permit tcp any host 1.2.3.42 eq 22
permit tcp any host 1.2.3.42 eq 81
permit tcp any host 1.2.3.43 eq 22
permit tcp any host 1.2.3.43 eq smtp
permit tcp any host 1.2.3.44 eq 3389
permit tcp any host 1.2.3.44 eq 5900
permit tcp any host 1.2.3.44 eq www
permit tcp any host 1.2.3.44 eq 9090
permit tcp any host 1.2.3.44 eq 8443
permit tcp any host 1.2.3.35 eq 3389
permit tcp any host 1.2.3.35 eq 2540
permit tcp any host 1.2.3.35 range 1628 1629
permit tcp any host 1.2.3.35 eq 443
permit tcp any host 1.2.3.35 eq www
permit tcp any host 1.2.3.35 eq 45612
permit tcp any host 1.2.3.35 eq 5900
permit tcp any host 1.2.3.35 range 5631 5632
permit udp any host 1.2.3.35 range 5631 5632
permit tcp any host 1.2.3.45 eq 3389
permit tcp any host 1.2.3.45 eq 5900
permit tcp any host 1.2.3.45 eq 5901
permit tcp any host 1.2.3.45 eq 5800
permit tcp any host 1.2.3.45 eq 5801
permit tcp any host 1.2.3.46 eq 5900
permit tcp any host 1.2.3.46 eq 5901
permit tcp any host 1.2.3.47 eq 3389
permit tcp any host 1.2.3.48 eq 3389
permit tcp any host 1.2.3.49 eq 3389
permit tcp any host 1.2.3.50 eq www
permit tcp any host 1.2.3.50 eq 8443
permit udp any host 1.2.3.50 eq 8443
permit tcp any host 1.2.3.50 eq 3389
permit tcp any host 1.2.3.51 eq 3389
permit tcp any host 1.2.3.54 eq 3389
permit tcp any host 1.2.3.52 eq 3389
permit tcp any host 1.2.3.53 eq 22
permit udp any eq domain any
permit udp any eq ntp any
permit tcp any eq domain any
permit tcp any any established
permit tcp any any range 22 telnet
permit udp any any eq domain
permit tcp any any eq domain
deny ip any any log
ip access-list extended NAT
deny ip any 10.0.0.0 0.255.255.255
deny ip any 172.16.0.0 0.15.255.255
deny ip any 192.168.0.0 0.0.255.255
deny ip host 172.16.0.21 any
deny ip host 172.16.0.4 any
deny ip host 172.16.0.5 any
deny ip host 172.16.0.10 any
deny ip host 172.16.0.110 any
deny ip host 172.16.0.47 any
deny ip host 172.16.0.30 any
deny ip host 172.16.0.50 any
deny ip host 172.16.0.200 any
deny ip host 172.16.0.90 any
deny ip host 172.16.7.10 any
deny ip host 172.16.4.56 any
deny ip host 172.16.0.70 any
deny ip host 172.16.0.20 any
deny ip host 172.16.3.28 any
deny ip host 172.16.0.140 any
permit ip 172.16.0.0 0.0.15.255 any
ip access-list extended NAT-10
deny ip any 10.0.0.0 0.255.255.255
deny ip any 172.16.0.0 0.15.255.255
deny ip any 192.168.0.0 0.0.255.255
permit ip host 172.16.0.10 any
ip access-list extended NAT-109
deny ip any 10.0.0.0 0.255.255.255
deny ip any 172.16.0.0 0.15.255.255
deny ip any 192.168.0.0 0.0.255.255
permit ip host 172.16.3.109 any
ip access-list extended NAT-110
deny ip any 10.0.0.0 0.255.255.255
deny ip any 172.16.0.0 0.15.255.255
deny ip any 192.168.0.0 0.0.255.255
permit ip host 172.16.0.110 any
ip access-list extended NAT-140
deny ip any 10.0.0.0 0.255.255.255
deny ip any 172.16.0.0 0.15.255.255
deny ip any 192.168.0.0 0.0.255.255
permit ip host 172.16.0.140 any
ip access-list extended NAT-20
deny ip any 10.0.0.0 0.255.255.255
deny ip any 172.16.0.0 0.15.255.255
deny ip any 192.168.0.0 0.0.255.255
permit ip host 172.16.0.20 any
ip access-list extended NAT-200
deny ip any 10.0.0.0 0.255.255.255
deny ip any 172.16.0.0 0.15.255.255
deny ip any 192.168.0.0 0.0.255.255
permit ip host 172.16.0.200 any
ip access-list extended NAT-21
deny ip any 10.0.0.0 0.255.255.255
deny ip any 172.16.0.0 0.15.255.255
deny ip any 192.168.0.0 0.0.255.255
permit ip host 172.16.0.21 any
ip access-list extended NAT-30
deny ip any 10.0.0.0 0.255.255.255
deny ip any 172.16.0.0 0.15.255.255
deny ip any 192.168.0.0 0.0.255.255
permit ip host 172.16.0.30 any
ip access-list extended NAT-328
deny ip any 10.0.0.0 0.255.255.255
deny ip any 172.16.0.0 0.15.255.255
deny ip any 192.168.0.0 0.0.255.255
permit ip host 172.16.3.28 any
ip access-list extended NAT-4
deny ip any 10.0.0.0 0.255.255.255
deny ip any 172.16.0.0 0.15.255.255
deny ip any 192.168.0.0 0.0.255.255
permit ip host 172.16.0.4 any
ip access-list extended NAT-456
deny ip any 10.0.0.0 0.255.255.255
deny ip any 172.16.0.0 0.15.255.255
deny ip any 192.168.0.0 0.0.255.255
permit ip host 172.16.4.56 any
ip access-list extended NAT-47
deny ip any 10.0.0.0 0.255.255.255
deny ip any 172.16.0.0 0.15.255.255
deny ip any 192.168.0.0 0.0.255.255
permit ip host 172.16.0.47 any
ip access-list extended NAT-50
deny ip any 10.0.0.0 0.255.255.255
deny ip any 172.16.0.0 0.15.255.255
deny ip any 192.168.0.0 0.0.255.255
permit ip host 172.16.0.50 any
ip access-list extended NAT-53
deny ip any 10.0.0.0 0.255.255.255
deny ip any 172.16.0.0 0.15.255.255
deny ip any 192.168.0.0 0.0.255.255
permit ip host 172.16.0.5 any
ip access-list extended NAT-61
deny ip any 10.0.0.0 0.255.255.255
deny ip any 172.16.0.0 0.15.255.255
deny ip any 192.168.0.0 0.0.255.255
permit ip host 172.16.0.61 any
ip access-list extended NAT-62
deny ip any 10.0.0.0 0.255.255.255
deny ip any 172.16.0.0 0.15.255.255
deny ip any 192.168.0.0 0.0.255.255
permit ip host 172.16.0.62 any
ip access-list extended NAT-70
deny ip any 10.0.0.0 0.255.255.255
deny ip any 172.16.0.0 0.15.255.255
deny ip any 192.168.0.0 0.0.255.255
permit ip host 172.16.0.70 any
ip access-list extended NAT-710
deny ip any 10.0.0.0 0.255.255.255
deny ip any 172.16.0.0 0.15.255.255
deny ip any 192.168.0.0 0.0.255.255
permit ip host 172.16.7.10 any
ip access-list extended NAT-90
deny ip any 10.0.0.0 0.255.255.255
deny ip any 172.16.0.0 0.15.255.255
deny ip any 192.168.0.0 0.0.255.255
permit ip host 172.16.0.90 any
ip access-list extended OUTBOUND
permit icmp any any echo
permit icmp any any echo-reply
permit icmp any any time-exceeded
permit icmp any any unreachable
deny icmp any any
permit tcp host 172.16.0.50 any eq smtp
permit tcp host 172.16.0.200 any eq smtp
deny tcp any any eq smtp log
permit ip any any
ip access-list extended PBR
remark DEFINES WHICH TRAFFIC TO ROUTE THROUGH DSL FOR INTERNET
deny ip any 10.0.0.0 0.255.255.255
deny ip any 172.16.0.0 0.15.255.255
deny ip any 192.168.0.0 0.0.255.255
deny ip host 172.16.0.21 any
deny ip host 172.16.0.4 any
deny ip host 172.16.0.10 any
deny ip host 172.16.0.110 any
deny ip host 172.16.0.47 any
deny ip host 172.16.0.30 any
deny ip host 172.16.0.50 any
deny ip host 172.16.0.200 any
deny ip host 172.16.0.90 any
deny ip host 172.16.7.10 any
deny ip host 172.16.4.56 any
deny ip host 172.16.0.70 any
deny ip host 172.16.0.20 any
deny ip host 172.16.3.28 any
deny ip host 172.16.0.140 any
permit ip 172.16.1.0 0.0.0.255 any
permit ip 172.16.2.0 0.0.1.255 any
permit ip 172.16.4.0 0.0.3.255 any
!
ip access-list log-update threshold 2147483647
logging LOG-IP
access-list 100 permit ip host ISP 1 any
access-list 101 permit ip host ISP 2 any
arp OLD IP 1 000d.2993.e3fd ARPA
arp OLD IP 2 000d.2993.e3fd ARPA
route-map LOCAL-PBR permit 1
match ip address 100
set ip next-hop ISP GW1
!
route-map LOCAL-PBR permit 2
match ip address 101
set ip next-hop ISP GW2
!
route-map NAT-710 permit 1
match ip address NAT-710
!
route-map PBR permit 1
match ip address PBR
set interface FastEthernet0/0
!
route-map PBR permit 2
!
route-map NAT-456 permit 1
match ip address NAT-456
!
route-map NAT-4 permit 1
match ip address NAT-4
!
route-map NAT-140 permit 1
match ip address NAT-140
!
route-map NAT-200 permit 1
match ip address NAT-200
!
route-map NAT-110 permit 1
match ip address NAT-110
!
route-map NAT-109 permit 1
match ip address NAT-109
!
route-map NAT-328 permit 1
match ip address NAT-328
!
route-map DSL permit 1
match ip address NAT
match interface FastEthernet0/0
!
route-map NAT-53 permit 1
match ip address NAT-53
!
route-map NAT-70 permit 1
match ip address NAT-70
!
route-map NAT-61 permit 1
match ip address NAT-61
!
route-map NAT-62 permit 1
match ip address NAT-62
!
route-map NAT-50 permit 1
match ip address NAT-50
!
route-map NAT-20 permit 1
match ip address NAT-20
!
route-map NAT-21 permit 1
match ip address NAT-21
!
route-map NAT-47 permit 1
match ip address NAT-47
!
route-map NAT-30 permit 1
match ip address NAT-30
!
route-map NAT-10 permit 1
match ip address NAT-10
!
route-map NAT-90 permit 1
match ip address NAT-90
!
route-map M2 permit 1
match ip address NAT
match interface Multilink2
!
^C
!
line con 0
line aux 0
login
modem InOut
modem autoconfigure type usr
transport input all
speed 115200
flowcontrol hardware
line vty 0 4
login
!
ntp clock-period 17180704
ntp server 132.163.4.101
end
router1#
Thanks for taking the time to look at my problem.
RoutersSSL / HTTPS
Last Comment
Kerem ERSOY
You need to permit port 443 to the 1.2.3.50 IP address
Hi,
I guess the problem is here:
permit udp any any eq 8443
You've included the access for port 8443 but you've specified UDP instead of TCP. As you know UDP is a connectionless protocol and not suitable for SSL communication between a client and server...
Cheers,
K.
I guess the problem is here:
permit udp any any eq 8443
You've included the access for port 8443 but you've specified UDP instead of TCP. As you know UDP is a connectionless protocol and not suitable for SSL communication between a client and server...
Cheers,
K.
ASKER CERTIFIED SOLUTION
THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
ASKER
I was close! Changing that line on the DSL acl to permit tcp any any eq 8443 was the fix. Thank you!!
You really were! May the telephone rang or there was another distraction.. I was just the second pair of eyes. You're welcome.