10-06-2015 07:59 PM - edited 03-11-2019 11:42 PM
Hi guys,
I am new to this group. I have a question and believe it is related to the firewall. I need 443 routed internally. The connection is working with 80 but not 443. Please check the picture attached.
The command existing in the firewall is
access-list OUTSIDE_IN line 10 extended permit tcp any4 host 172.20.40.1 eq www
I gave the following command but it's not working:
access-list OUTSIDE_IN line 40 extended permit tcp any4 host 172.20.40.1 eq https
sh access-list | i 172.20.40.1
access-list OUTSIDE_IN line 10 extended permit tcp any4 host 172.20.40.1 eq www (hitcnt=1424566) 0x9f3fd44a
access-list OUTSIDE_IN line 40 extended permit tcp any4 host 172.20.40.1 eq https (hitcnt=0) 0xa89e875a
Kindly help. Thanks in advance.
BR,
Venkat
10-06-2015 08:55 PM
Hello Venkat,
By any chance, did you also add the needed NAT?
Try adding the NAT that may be missing.
Also try running a packet-tracer from the outside to see what the root cause could be.
Regards,
Rodrigo
10-07-2015 12:23 PM
Hello Rodrigo,
Please see below
sh run | i obj-122.56.11.165
object network obj-122.56.11.165
nat (FrontIPS_Outside,outside) source static FrontIPS_Out obj-122.56.11.165 service obj-tcp-source-eq-80 obj-tcp-source-eq-80
nat (FrontIPS_Outside,outside) source static FrontIPS_Out obj-122.56.11.165 service obj-tcp-source-eq-443 obj-tcp-source-eq-443
thmasa1f# sh run | b object network obj-122.56.11.165
object network obj-122.56.11.165
host 122.56.11.165
object service obj-tcp-source-eq-80
service tcp source eq www
object service obj-tcp-source-eq-443
service tcp source eq https
10-07-2015 07:47 PM
Hello Venkat,
The configuration seems good, but I can't see whether the NAT may be hitting a source dynamic rule first that may be dropping the traffic.
Try the following commands in this order to discard that possibility:
no nat (FrontIPS_Outside,outside) source static FrontIPS_Out obj-122.56.11.165 service obj-tcp-source-eq-443 obj-tcp-source-eq-443
nat (FrontIPS_Outside,outside) 1 source static FrontIPS_Out obj-122.56.11.165 service obj-tcp-source-eq-443 obj-tcp-source-eq-443
Let me know the results
Regards,
Rodrigo
10-07-2015 07:57 PM
Hello Rodrigo,
It is still the same. No luck.
access-list OUTSIDE_IN line 40 extended permit tcp any4 host 172.20.40.1 eq https (hitcnt=0)
Br,
Venkat
10-07-2015 08:41 PM
Hi Venkat,
Please provide the following information:
1: Is there any deny ACL above line 40 which might be blocking TCP/443 traffic?
2: Can you run packet-tracer and share your findings?
Will wait for your update.
Thanks,
R.Seth
10-07-2015 09:31 PM
Hello Rodrigo and Rishabh,
The connectivity is working now. The https statement was after the deny statement. After changing, it started working. Thanks a lot.
Br,
Venkat
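The fix Venkat found hinges on ASA ACL order: entries are evaluated top-down and the first match wins, so a permit placed below a deny that already covers the same traffic is never reached, which is exactly what hitcnt=0 on line 40 showed. As an added example that is not part of the thread, this Python checker parses `show access-list` style lines and reports any entry shadowed by an earlier one; the deny lines (20 and 30) in the sample are constructed, since the thread never shows the actual deny.

```python
import re
from typing import NamedTuple, Optional

# Constructed "show access-list" output modelled on the thread. Lines 10 and 40
# are the thread's own ACEs; lines 20 and 30 are assumed deny entries that sit
# above the https permit and therefore match TCP/443 first.
SAMPLE_ACL = """\
access-list OUTSIDE_IN line 10 extended permit tcp any4 host 172.20.40.1 eq www (hitcnt=1424566) 0x9f3fd44a
access-list OUTSIDE_IN line 20 extended deny tcp any4 host 172.20.40.1 eq https (hitcnt=37) 0x00000001
access-list OUTSIDE_IN line 30 extended deny ip any4 any4 (hitcnt=9000) 0x00000002
access-list OUTSIDE_IN line 40 extended permit tcp any4 host 172.20.40.1 eq https (hitcnt=0) 0xa89e875a
"""

PORT_NAMES = {"www": 80, "https": 443}  # only the names the sample uses

ACE_RE = re.compile(
    r"access-list (?P<acl>\S+) line (?P<line>\d+) extended (?P<action>permit|deny) "
    r"(?P<proto>\S+) (?P<src>any4|any|host \S+) (?P<dst>any4|any|host \S+)"
    r"(?: eq (?P<port>\S+))?"
)

class Ace(NamedTuple):
    line: int
    action: str
    proto: str           # "ip" matches every protocol
    src: Optional[str]   # None means any source
    dst: Optional[str]   # None means any destination
    port: Optional[int]  # None means any destination port

def _endpoint(tok: str) -> Optional[str]:
    return None if tok in ("any", "any4") else tok.split()[1]

def _port(tok: Optional[str]) -> Optional[int]:
    if tok is None:
        return None
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)

def parse_ace(text: str) -> Optional[Ace]:
    m = ACE_RE.search(text)
    if not m:
        return None
    return Ace(int(m["line"]), m["action"], m["proto"],
               _endpoint(m["src"]), _endpoint(m["dst"]), _port(m["port"]))

def covers(a: Ace, b: Ace) -> bool:
    """True when every packet matched by ACE b is also matched by ACE a."""
    return ((a.proto == "ip" or a.proto == b.proto)
            and a.src in (None, b.src) and a.dst in (None, b.dst)
            and a.port in (None, b.port))

def find_shadowed(show_output: str):
    """Return (unreachable_line, shadowing_line, shadowing_action) per shadowed ACE."""
    aces = [a for a in map(parse_ace, show_output.splitlines()) if a]
    found = []
    for i, ace in enumerate(aces):
        for earlier in aces[:i]:      # first-match semantics: only earlier lines matter
            if covers(earlier, ace):
                found.append((ace.line, earlier.line, earlier.action))
                break
    return found

if __name__ == "__main__":
    for unreachable, by, action in find_shadowed(SAMPLE_ACL):
        print(f"line {unreachable} can never match: line {by} ({action}) already covers it")
```

Moving the permit above line 20 (or removing the deny) makes `find_shadowed` return an empty list, matching the hit counter starting to increment after Venkat's reorder.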