topic Re: Thats it: too stupid to configure port forwarding on IOS FW in Network Security

Thats it: too stupid to configure port forwarding on IOS FW DMZ

kmmehlkmmehl — Mon, 11 Mar 2019 18:28:48 GMT

Ok thats it. I am now 6 hours overtime in the office and i cannot get it to work.

I have this:

SG-BN001#sh zone security

zone self

Description: System defined zone

zone out-zone

Member Interfaces:

GigabitEthernet0/1.1

GigabitEthernet0/1.2

zone in-zone

Member Interfaces:

Tunnel0

Tunnel1

GigabitEthernet0/0.1

GigabitEthernet0/0.2

GigabitEthernet0/0.5

Virtual-Template1

SSLVPN-VIF0

zone dmz-zone

Member Interfaces:

GigabitEthernet0/0.3

I have in the DMZ a Server. I want to access Port 8080 and Port 8443

I cant get it to work!

i have some other servers in the DMZ working with port forwarding

I use CCP -> i create rule on the OUT to DMZ Zone.

I use an object group, add this server, create custom ports for it add them and... no it isnt working!

Even when i allow IP for ALL DMZ Machine, i can only connect to port 8080. I never could connect ever to the second port the same time.

is it me? am i too stupid?

Using 2800x with 12.4

Re: Thats it: too stupid to configure port forwarding on IOS FW

Kureli Sankar — Fri, 20 Aug 2010 21:49:12 GMT

Does your NAT config look ok? for port 8443 to this server in the dmz.

Unfortunatley is section of the config that you posted is not enough to find out what might be going on.

issue

conf t

ip inspect log drop

then try the connection and see what the logs says.

-KS

Re: Thats it: too stupid to configure port forwarding on IOS FW

kmmehlkmmehl — Fri, 20 Aug 2010 22:17:29 GMT

Hmm i did but my connection doesnt show up.

well i just added IP to inspect ANY ANY on the OUT - TO - DMZ ZONE

then 8080 is working

but

8443 not

i cant understand this

my dmz interfaces are NAT INSIDE

but removing NAT doesnt change anything

Re: Thats it: too stupid to configure port forwarding on IOS FW

Kureli Sankar — Fri, 20 Aug 2010 22:38:21 GMT

what does your "sh run | i nat" output look like?

Do you have translation for 8443?

-KS

Re: Thats it: too stupid to configure port forwarding on IOS FW

kmmehlkmmehl — Fri, 20 Aug 2010 22:39:45 GMT

some screenshots... i am totally lost

Re: Thats it: too stupid to configure port forwarding on IOS FW

kmmehlkmmehl — Fri, 20 Aug 2010 22:41:41 GMT

no translation. also when i try 8081 8082 etc this is ALSO not working!

8080 is the only one that works..

😕

Re: Thats it: too stupid to configure port forwarding on IOS FW

Kureli Sankar — Sat, 21 Aug 2010 23:36:34 GMT

Are you sure this works internally? Meaning if you load the page from the inside or on a compuer on the dmz does it work? I just want to make sure that the dmz host is listening on these ports.

http://x.x.xx:8443

http://x.x.xx:8081

http://x.x.xx:8082

-KS

Re: Thats it: too stupid to configure port forwarding on IOS FW

kmmehlkmmehl — Sun, 22 Aug 2010 15:20:14 GMT

Well thanks for your help kusan..... actually i fixed it.

THe Problem was i think that there was no access-group on the interfaces

i made access lists ip any any and applied them to the interfaces

AFTER THAT everything worked like i configured it in CCP

i have no idea why.. but now its working!