03-16-2006 12:00 PM - edited 03-03-2019 02:19 AM
We are currently running a Windows SBS 2003 w/ exchange & IIS server. Our Cisco 831 is connected to our ADSL provider with PPPoE. Our IIS server is behind the Cisco IOS's NAT and Firewall. I can view regular HTTP pages from the internet but I cannot view any HTTPS pages. Here is a copy of most of my config. Any help would be greatly appreciated. Thanks!
aaa authentication login default local
aaa authorization network groupauthor local
aaa session-id common
ip subnet-zero
no ip source-route
no ip domain lookup
ip domain name router.thetruck.com
ip name-server!
!
no ip bootp server
ip inspect audit-trail
ip inspect name IOSFW ftp
ip inspect name IOSFW h323
ip inspect name IOSFW http audit-trail off
ip inspect name IOSFW tcp
ip inspect name IOSFW smtp
ip inspect name IOSFW udp
ip audit attack action alarm drop reset
ip audit po max-events 100
ip audit protected
ip audit protected 192.168.100.1 to 192.168.100.254
ip audit protected 192.168.101.1 to 192.168.101.254
ip audit smtp spam 30
ip audit name ARFW info action alarm
ip audit name ARFW attack action alarm drop reset
ip ssh time-out 60
vpdn enable
vpdn logging
!
vpdn-group 1
request-dialin
protocol pppoe
ip mtu adjust
!
no ftp-server write-enable
!
!
!
!
!
crypto isakmp policy 2
encr 3des
hash md5
authentication pre-share
!
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
crypto isakmp key xxxx address 172.x.x.1
crypto isakmp key xxxx address 172.x.x.3
!
crypto isakmp client configuration group thetruck
key cisco123
dns 192.168.100.20 192.168.100.21
wins 192.168.100.20
domain thetruck.local
pool ippool
acl 160
!
!
crypto ipsec transform-set thetruck.com esp-des
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
crypto dynamic-map btdynamic 10
set transform-set myset
!
!
crypto map thetruck.com1 local-address Dialer1
crypto map thetruck.com1 client authentication list default
crypto map thetruck.com1 isakmp authorization list groupauthor
crypto map thetruck.com1 client configuration address respond
crypto map thetruck.com1 100 ipsec-isakmp
set peer 172.172.172.1
set transform-set thetruck.com
match address 100
crypto map thetruck.com1 101 ipsec-isakmp
set peer 172.172.172.3
set transform-set thetruck.com
match address 101
crypto map thetruck.com1 102 ipsec-isakmp dynamic btdynamic
!
!
!
interface Ethernet0
ip address 192.168.100.1 255.255.255.0
ip access-group 150 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip inspect IOSFW in
no ip mroute-cache
no cdp enable
hold-queue 100 out
!
interface Ethernet1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip audit ARFW in
no ip mroute-cache
duplex auto
pppoe enable
pppoe-client dial-pool-number 1
no cdp enable
!
interface Dialer1
mtu 1492
ip address xxx.xxx.xxx.xxx 255.255.255.252
ip access-group 151 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip audit ARFW in
encapsulation ppp
ip tcp adjust-mss 1300
no ip mroute-cache
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication pap callin
ppp pap sent-username xxx password xxx
crypto map thetruck.com1
!
ip local pool ippool 192.168.101.2 192.168.101.254
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 192.168.50.0 255.255.255.0 Dialer1
ip route 192.168.101.0 255.255.255.0 Dialer1
ip route 192.168.200.0 255.255.255.0 Dialer1
no ip http server
no ip http secure-server
ip nat inside source list 102 interface Dialer1 overload
ip nat inside source static tcp 192.168.100.20 80 interface Dialer1 80
ip nat inside source static tcp 192.168.100.20 443 interface Dialer1 443
ip nat inside source static tcp 192.168.100.20 444 interface Dialer1 444
ip nat inside source static tcp 192.168.100.20 25 interface Dialer1 25
03-16-2006 12:21 PM
Chris
Your config references several access lists that might affect what is happening (100, 101, 150, and 160). But none of these access lists are included in what you posted. Can you post at least these access lists?
HTH
Rick
03-16-2006 12:26 PM
Here they are... THANKS!
ip access-list extended tty0
logging trap debugging
logging 192.168.100.50
access-list 100 permit ip 192.168.100.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 100 permit ip 192.168.101.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 101 permit ip 192.168.100.0 0.0.0.255 192.168.200.0 0.0.0.255
access-list 101 permit ip 192.168.101.0 0.0.0.255 192.168.200.0 0.0.0.255
access-list 102 deny ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
access-list 102 permit ip 192.168.0.0 0.0.255.255 any
access-list 150 permit ip 192.168.0.0 0.0.255.255 any
access-list 150 deny ip any any log
access-list 151 permit icmp any any
access-list 151 permit tcp any host xxx.xxx.xxx.xxx eq smtp
access-list 151 permit tcp any host xxx.xxx.xxx.xxx eq 22 log
access-list 151 permit tcp any host xxx.xxx.xxx.xxx eq www
access-list 151 permit tcp any host xxx.xxx.xxx.xxx eq 443
access-list 151 permit tcp any host xxx.xxx.xxx.xxx eq 444
access-list 151 permit ip host 172.172.172.1 host xxx.xxx.xxx.xxx
access-list 151 permit ip host 172.172.172.3 host xxx.xxx.xxx.xxx
access-list 151 permit udp any host xxx.xxx.xxx.xxx eq isakmp log
access-list 151 permit esp any host xxx.xxx.xxx.xxx log
access-list 151 permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
access-list 151 permit udp any host xxx.xxx.xxx.xxx eq isakmp
access-list 151 permit udp any host xxx.xxx.xxx.xxx eq non500-isakmp
access-list 151 permit ahp any host xxx.xxx.xxx.xxx
access-list 151 deny ip any any log
access-list 160 permit ip 192.168.0.0 0.0.255.255 any
dialer-list 1 protocol ip permit
no cdp run
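Added example, not part of the thread: a small Python model of the router's inbound path built from the ACL 151 and static NAT lines posted above. It answers the check a reviewer would make first, whether the edge router admits and forwards a new TCP/443 connection the same way it does TCP/80, and it flags ACL entries that can never match because an earlier line already covers them (the second `permit udp ... eq isakmp` entry is one). Assumptions: the redacted Dialer1 address is written as the documentation address 203.0.113.10, and 198.51.100.7 is a constructed Internet source. It models only ACL 151 and the static PAT table, not `ip inspect`, `ip audit` or the MSS/MTU settings, so a "forwarded" result rules out those two pieces and nothing more.

```python
"""Model the 831's inbound path on Dialer1 for a new flow: first-match
evaluation of ACL 151 (ip access-group 151 in), then the static PAT table.
Only contiguous wildcard masks are handled (the posted config uses no others)."""
import ipaddress

PUBLIC_IP = "203.0.113.10"  # stands in for the redacted xxx.xxx.xxx.xxx

# ACL and NAT lines copied from the posted config, public address substituted.
CONFIG = f"""
ip nat inside source static tcp 192.168.100.20 80 interface Dialer1 80
ip nat inside source static tcp 192.168.100.20 443 interface Dialer1 443
ip nat inside source static tcp 192.168.100.20 444 interface Dialer1 444
ip nat inside source static tcp 192.168.100.20 25 interface Dialer1 25
access-list 151 permit icmp any any
access-list 151 permit tcp any host {PUBLIC_IP} eq smtp
access-list 151 permit tcp any host {PUBLIC_IP} eq 22 log
access-list 151 permit tcp any host {PUBLIC_IP} eq www
access-list 151 permit tcp any host {PUBLIC_IP} eq 443
access-list 151 permit tcp any host {PUBLIC_IP} eq 444
access-list 151 permit ip host 172.172.172.1 host {PUBLIC_IP}
access-list 151 permit ip host 172.172.172.3 host {PUBLIC_IP}
access-list 151 permit udp any host {PUBLIC_IP} eq isakmp log
access-list 151 permit esp any host {PUBLIC_IP} log
access-list 151 permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
access-list 151 permit udp any host {PUBLIC_IP} eq isakmp
access-list 151 permit udp any host {PUBLIC_IP} eq non500-isakmp
access-list 151 permit ahp any host {PUBLIC_IP}
access-list 151 deny ip any any log
"""

PORT_NAMES = {"smtp": 25, "www": 80, "isakmp": 500, "non500-isakmp": 4500}


def _parse_addr(tokens, i):
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D wildcard' starting at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # IOS wildcard masks are inverted netmasks (0.0.255.255 -> 255.255.0.0)
    netmask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(tokens[i + 1])) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{tokens[i]}/{netmask}", strict=False), i + 2


def _parse_port(tokens, i):
    """Parse an optional 'eq <port>' qualifier that follows an address."""
    if i < len(tokens) and tokens[i] == "eq":
        port = tokens[i + 1]
        return (int(port) if port.isdigit() else PORT_NAMES[port]), i + 2
    return None, i


def parse_acl(config, number):
    """Return the numbered ACL as an ordered list of entry dicts."""
    entries = []
    for line in config.splitlines():
        t = line.split()
        if len(t) < 4 or t[0] != "access-list" or t[1] != str(number):
            continue
        src, i = _parse_addr(t, 4)
        sport, i = _parse_port(t, i)
        dst, i = _parse_addr(t, i)
        dport, i = _parse_port(t, i)
        entries.append({"action": t[2], "proto": t[3], "src": src, "sport": sport,
                        "dst": dst, "dport": dport, "text": line.strip()})
    return entries


def acl_lookup(entries, proto, src_ip, dst_ip, dport=None):
    """First match wins; an IOS ACL ends with an implicit deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for e in entries:
        if (e["proto"] in ("ip", proto) and src in e["src"] and dst in e["dst"]
                and e["dport"] in (None, dport)):
            return e["action"], e["text"]
    return "deny", "implicit deny"


def parse_static_nat(config):
    """Map (proto, outside port) -> (inside ip, inside port) from static PAT lines."""
    table = {}
    for line in config.splitlines():
        t = line.split()
        if t[:5] == ["ip", "nat", "inside", "source", "static"]:
            proto, inside_ip, inside_port, _, _iface, outside_port = t[5:11]
            table[(proto, int(outside_port))] = (inside_ip, int(inside_port))
    return table


def trace_inbound(config, proto, src_ip, dport):
    """IOS applies the inbound ACL before outside-to-inside NAT, so the ACL is
    matched against the public address; only then is the static PAT consulted."""
    action, rule = acl_lookup(parse_acl(config, 151), proto, src_ip, PUBLIC_IP, dport)
    if action != "permit":
        return "dropped-by-acl", rule
    target = parse_static_nat(config).get((proto, dport))
    if target is None:
        return "no-static-nat", "router itself receives the packet"
    return "forwarded", f"{target[0]}:{target[1]}"


def shadowed_entries(entries):
    """(later, earlier) index pairs where the earlier entry fully covers the later one."""
    found = []
    for j, late in enumerate(entries):
        for i, early in enumerate(entries[:j]):
            if (early["proto"] in ("ip", late["proto"])
                    and late["src"].subnet_of(early["src"]) and late["dst"].subnet_of(early["dst"])
                    and early["sport"] in (None, late["sport"])
                    and early["dport"] in (None, late["dport"])):
                found.append((j, i))
                break
    return found


if __name__ == "__main__":
    for proto, port in (("tcp", 80), ("tcp", 443), ("tcp", 8443), ("udp", 500)):
        print(proto, port, trace_inbound(CONFIG, proto, "198.51.100.7", port))
    acl = parse_acl(CONFIG, 151)
    for j, i in shadowed_entries(acl):
        print("never matches:", acl[j]["text"], "<- covered by:", acl[i]["text"])
```

Run as a script it reports TCP/80 and TCP/443 both forwarded to 192.168.100.20, TCP/8443 stopped by the final `deny ip any any log`, and UDP/500 accepted but terminated on the router itself (no static PAT for it). The shadowing check is the cheap sanity test to run on any edge ACL: a line that can never match is usually a leftover from a previous change, and here it shows the isakmp permit is duplicated.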