Cisco1760-NAT/PAT-smtp,http works; https(443)+ 603 does not work

Robert_Berger
Level 1

Hello Everybody

From the Internet, HTTP and SMTP work, but HTTPS and some other ports with static NAT don't?

(IPT removed)

!c1700-k9o3sv8y7-mz.123-8.T.bin
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
hostname cisco1760
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
no aaa new-model
ip subnet-zero
no ip source-route
ip tcp synwait-time 10
no ip domain lookup
ip domain name mydom.at
no ip bootp server
ip cef
ip inspect name I_out cuseeme
ip inspect name I_out ftp
ip inspect name I_out h323
ip inspect name I_out netshow
ip inspect name I_out rcmd
ip inspect name I_out realaudio
ip inspect name I_out rtsp
ip inspect name I_out smtp
ip inspect name I_out sqlnet
ip inspect name I_out streamworks
ip inspect name I_out tftp
ip inspect name I_out tcp
ip inspect name I_out udp
ip inspect name I_out vdolive
ip inspect name I_out icmp
ip inspect name I_out http
ip inspect name I_in http
ip inspect name I_in smtp
ip inspect name I_in tcp
ip inspect name I_in udp
ip ips sdf location flash:my-signatures.sdf
ip ips po max-events 100
ip ips name sdm_ips_rule
ip ssh time-out 60
ip ssh authentication-retries 2
no ftp-server write-enable
interface Null0
 no ip unreachables
interface Ethernet0/0
 description $FW_OUTSIDE$$ETH-WAN$WAN xDSL 2048
 ip address 80.x.x.18 255.255.255.240
 ip access-group I_WAN in
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip inspect I_in in
 ip inspect I_out out
 ip ips sdm_ips_rule in
 ip virtual-reassembly
 ip route-cache flow
 full-duplex
 no cdp enable
 crypto map SDM_CMAP_1
interface FastEthernet0/0
 description $ETH-LAN$$FW_INSIDE$LAN
 ip address 192.168.100.254 255.255.255.0
 ip access-group I_LAN in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 speed auto
 no cdp enable
ip classless
ip route 0.0.0.0 0.0.0.0 80.x.x.17
ip http server
ip http access-class .
ip http authentication local
ip http secure-server
ip nat inside source route-map NAT-RMAP interface Ethernet0/0 overload
ip nat inside source static tcp 192.168.100.1 25 80.x.x.18 25 extendable
ip nat inside source static tcp 192.168.100.1 80 80.x.x.18 80 extendable
ip nat inside source static tcp 162.168.100.1 443 80.x.x.18 443 extendable
ip nat inside source static tcp 162.168.100.81 603 80.x.x.19 603 extendable
ip access-list extended I_LAN
 permit tcp 192.168.100.0 0.0.0.255 host 192.168.100.254 eq 22
 permit tcp 192.168.100.0 0.0.0.255 host 192.168.100.254 eq 443
 permit tcp 192.168.100.0 0.0.0.255 host 192.168.100.254 eq cmd
 permit tcp 192.168.100.0 0.0.0.255 host 192.168.100.254 eq 2000
 deny ip 80.x.x.16 0.0.0.15 any log
 deny ip host 255.255.255.255 any log
 deny ip 127.0.0.0 0.255.255.255 any log
 permit udp any any eq domain
 permit udp any any eq ntp
 permit icmp any any
 permit tcp any any eq www
 permit tcp any any eq 443
 permit tcp host 192.168.100.1 any eq smtp
 deny ip any any log
ip access-list extended I_WAN
 permit udp host 192.5.41.209 eq ntp host 80.x.x.18 eq ntp
 permit udp any eq domain host 80.x.x.18
 permit tcp any host 80.x.x.18 eq smtp
 permit tcp any host 80.x.x.18 eq www
 permit tcp any host 80.x.x.18 eq 443
 permit tcp any host 80.x.x.19 eq 603
 deny ip any any log
ip access-list extended NO-NAT
 deny ip 192.168.100.0 0.0.0.255 80.x.x.16 0.0.0.15
 permit ip 192.168.100.0 0.0.0.255 any
no cdp run
route-map NAT-RMAP permit 10
 match ip address NO-NAT
control-plane
end

5 Replies

umedryk
Level 5

This may NOT be a problem with your configuration. Try reinstalling your SSL once.

None of that helps.

> I have now changed IOS to 12.3.8T3.
>
> ip http server
> ip http port 8000
> ip http access-class 1
> ip http authentication local
> ip http secure-server
> ip http secure-port 4433

So I have different ports for the local config.

Removing the access lists and inspects also doesn't work.

Any other ideas?

Thanks

In your configuration you have:

ip nat inside source static tcp 162.168.100.1 443 80.x.x.18 443 extendable

ip nat inside source static tcp 162.168.100.81 603 80.x.x.19 603 extendable

I think it should be 192 instead of 162 and this is probably why you are unable to communicate with these ports.
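The mistake found above is the kind of thing a mechanical consistency check catches faster than a thousand rereads: every inside-local address in an `ip nat inside source static` entry should sit on the subnet of an interface configured with `ip nat inside`. The following Python script is an added example, not code from the thread or from Cisco; it parses a cut-down, constructed copy of the config with the mistyped `162.168.100.x` entries left in place (the WAN prefix is redacted in the thread, so `203.0.113.0/28` stands in for it here) and reports each static translation whose inside address is not reachable behind any inside interface.

```python
import ipaddress
import re

# Constructed sample, not the full config from the thread: the two interfaces
# and the static NAT lines, with the mistyped 162.168.100.x inside addresses
# kept as posted. 203.0.113.x is a placeholder for the redacted 80.x.x.x WAN block.
SAMPLE_CONFIG = """\
interface Ethernet0/0
 ip address 203.0.113.18 255.255.255.240
 ip nat outside
interface FastEthernet0/0
 ip address 192.168.100.254 255.255.255.0
 ip nat inside
ip nat inside source static tcp 192.168.100.1 25 203.0.113.18 25 extendable
ip nat inside source static tcp 192.168.100.1 80 203.0.113.18 80 extendable
ip nat inside source static tcp 162.168.100.1 443 203.0.113.18 443 extendable
ip nat inside source static tcp 162.168.100.81 603 203.0.113.19 603 extendable
"""

# IOS static PAT syntax: ip nat inside source static <proto> <local ip> <local port> <global ip> <global port>
STATIC_NAT_RE = re.compile(
    r"^ip nat inside source static (tcp|udp) (\S+) (\d+) (\S+) (\d+)"
)


def inside_networks(config):
    """Return (interface name, subnet) for every interface carrying 'ip nat inside'."""
    interfaces = []
    current = None  # the interface block being parsed, or None at top level
    for line in config.splitlines():
        if line.startswith("interface "):
            current = {"name": line.split()[1], "net": None, "inside": False}
            interfaces.append(current)
        elif current is not None and line.startswith(" "):
            parts = line.split()
            if parts[:2] == ["ip", "address"] and len(parts) >= 4:
                # 'ip address A.B.C.D M.M.M.M' -> the interface's subnet
                current["net"] = ipaddress.ip_network(
                    f"{parts[2]}/{parts[3]}", strict=False
                )
            elif parts == ["ip", "nat", "inside"]:
                current["inside"] = True
        else:
            current = None  # any other top-level line ends the interface block
    return [(i["name"], i["net"]) for i in interfaces if i["inside"] and i["net"]]


def static_nat_entries(config):
    """Parse 'ip nat inside source static' lines into dicts of their fields."""
    entries = []
    for line in config.splitlines():
        m = STATIC_NAT_RE.match(line)
        if m:
            proto, local_ip, local_port, global_ip, global_port = m.groups()
            entries.append({
                "proto": proto,
                "local": ipaddress.ip_address(local_ip),
                "local_port": int(local_port),
                "global": ipaddress.ip_address(global_ip),
                "global_port": int(global_port),
                "line": line,
            })
    return entries


def check_static_nat(config):
    """One finding per static NAT whose inside address is on no 'ip nat inside'
    subnet; an empty list means every entry is consistent with the interfaces."""
    nets = inside_networks(config)
    findings = []
    for e in static_nat_entries(config):
        if not any(e["local"] in net for _, net in nets):
            subnets = ", ".join(str(net) for _, net in nets)
            findings.append(
                f"{e['proto']}/{e['global_port']} -> {e['local']}:{e['local_port']}: "
                f"inside address is not on any inside subnet ({subnets}); "
                f"possible typo in: {e['line']}"
            )
    return findings


if __name__ == "__main__":
    for finding in check_static_nat(SAMPLE_CONFIG) or ["all static NAT entries are on an inside subnet"]:
        print(finding)
```

Run against the sample it flags exactly the 443 and 603 translations; with `162.168` corrected to `192.168` it reports nothing. The same check generalises to any IOS config you can paste in: only the `ip nat inside` interfaces and the static entries are read, so the inspect, IPS and ACL lines from the full config do not need to be stripped first.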

Thanks a lot.

I have read the config I think 1000 times, but I was blind to such a simple mistake.

robert

Happens man, have been blind to my own mistakes a few times and it is always a good idea to have it looked at by a fresh pair of eyes.
