07-22-2004 08:39 AM - edited 03-09-2019 08:09 AM
Hello Everybody
From the Internet, HTTP and SMTP work, but HTTPS and some other ports with static NAT don't?
(IPT removed)
!c1700-k9o3sv8y7-mz.123-8.T.bin
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
hostname cisco1760
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
no aaa new-model
ip subnet-zero
no ip source-route
ip tcp synwait-time 10
no ip domain lookup
ip domain name mydom.at
no ip bootp server
ip cef
ip inspect name I_out cuseeme
ip inspect name I_out ftp
ip inspect name I_out h323
ip inspect name I_out netshow
ip inspect name I_out rcmd
ip inspect name I_out realaudio
ip inspect name I_out rtsp
ip inspect name I_out smtp
ip inspect name I_out sqlnet
ip inspect name I_out streamworks
ip inspect name I_out tftp
ip inspect name I_out tcp
ip inspect name I_out udp
ip inspect name I_out vdolive
ip inspect name I_out icmp
ip inspect name I_out http
ip inspect name I_in http
ip inspect name I_in smtp
ip inspect name I_in tcp
ip inspect name I_in udp
ip ips sdf location flash:my-signatures.sdf
ip ips po max-events 100
ip ips name sdm_ips_rule
ip ssh time-out 60
ip ssh authentication-retries 2
no ftp-server write-enable
interface Null0
no ip unreachables
interface Ethernet0/0
description $FW_OUTSIDE$$ETH-WAN$WAN xDSL 2048
ip address 80.x.x.18 255.255.255.240
ip access-group I_WAN in
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip inspect I_in in
ip inspect I_out out
ip ips sdm_ips_rule in
ip virtual-reassembly
ip route-cache flow
full-duplex
no cdp enable
crypto map SDM_CMAP_1
interface FastEthernet0/0
description $ETH-LAN$$FW_INSIDE$LAN
ip address 192.168.100.254 255.255.255.0
ip access-group I_LAN in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache flow
speed auto
no cdp enable
ip classless
ip route 0.0.0.0 0.0.0.0 80.x.x.17
ip http server
ip http access-class .
ip http authentication local
ip http secure-server
ip nat inside source route-map NAT-RMAP interface Ethernet0/0 overload
ip nat inside source static tcp 192.168.100.1 25 80.x.x.18 25 extendable
ip nat inside source static tcp 192.168.100.1 80 80.x.x.18 80 extendable
ip nat inside source static tcp 162.168.100.1 443 80.x.x.18 443 extendable
ip nat inside source static tcp 162.168.100.81 603 80.x.x.19 603 extendable
ip access-list extended I_LAN
permit tcp 192.168.100.0 0.0.0.255 host 192.168.100.254 eq 22
permit tcp 192.168.100.0 0.0.0.255 host 192.168.100.254 eq 443
permit tcp 192.168.100.0 0.0.0.255 host 192.168.100.254 eq cmd
permit tcp 192.168.100.0 0.0.0.255 host 192.168.100.254 eq 2000
deny ip 80.x.x.16 0.0.0.15 any log
deny ip host 255.255.255.255 any log
deny ip 127.0.0.0 0.255.255.255 any log
permit udp any any eq domain
permit udp any any eq ntp
permit icmp any any
permit tcp any any eq www
permit tcp any any eq 443
permit tcp host 192.168.100.1 any eq smtp
deny ip any any log
ip access-list extended I_WAN
permit udp host 192.5.41.209 eq ntp host 80.x.x.18 eq ntp
permit udp any eq domain host 80.x.x.18
permit tcp any host 80.x.x.18 eq smtp
permit tcp any host 80.x.x.18 eq www
permit tcp any host 80.x.x.18 eq 443
permit tcp any host 80.x.x.19 eq 603
deny ip any any log
ip access-list extended NO-NAT
deny ip 192.168.100.0 0.0.0.255 80.x.x.16 0.0.0.15
permit ip 192.168.100.0 0.0.0.255 any
no cdp run
route-map NAT-RMAP permit 10
match ip address NO-NAT
control-plane
end
07-29-2004 12:18 PM
This may NOT be a problem with your configuration. Try reinstalling your SSL once.
08-19-2004 12:03 AM
Nothing helps.
> I have now changed IOS to 12.3.8T3.
> ip http server
> ip http port 8000
> ip http access-class 1
> ip http authentication local
> ip http secure-server
> ip http secure-port 4433
So I have different ports for local config.
Removing the access lists and inspects also does not work.
Any other ideas?
Thanks
08-19-2004 12:44 AM
In your configuration you have:
ip nat inside source static tcp 162.168.100.1 443 80.x.x.18 443 extendable
ip nat inside source static tcp 162.168.100.81 603 80.x.x.19 603 extendable
I think it should be 192 instead of 162 and this is probably why you are unable to communicate with these ports.
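The mistake above (an inside-local address that is not even in the LAN subnet) is easy to miss by eye and easy to catch by machine. As an added example, not part of the original thread and not a Cisco tool, the Python script below lints the static NAT entries of an IOS running-config: it flags any inside local address that falls outside every `ip nat inside` subnet, any outside global address that is not in the outside interface's connected subnet, and any global address/port that the inbound WAN ACL never permits. The embedded config excerpt is constructed from the first post, with the usual IOS one-space indentation assumed and 203.0.113.16/28 standing in for the obfuscated 80.x.x.16/28 (both assumptions); the two 162.168.100.x lines reproduce the typo this reply points out.

```python
"""Lint IOS static NAT entries against the interface subnets and the WAN ACL.

Added example; not a Cisco tool and not code from the original thread.
"""
import ipaddress
import re

# Constructed excerpt of the posted config (indentation assumed).
# 203.0.113.16/28 stands in for the thread's obfuscated 80.x.x.16/28 (assumption).
SAMPLE_CONFIG = """\
interface Ethernet0/0
 ip address 203.0.113.18 255.255.255.240
 ip access-group I_WAN in
 ip nat outside
interface FastEthernet0/0
 ip address 192.168.100.254 255.255.255.0
 ip nat inside
ip nat inside source static tcp 192.168.100.1 25 203.0.113.18 25 extendable
ip nat inside source static tcp 192.168.100.1 80 203.0.113.18 80 extendable
ip nat inside source static tcp 162.168.100.1 443 203.0.113.18 443 extendable
ip nat inside source static tcp 162.168.100.81 603 203.0.113.19 603 extendable
ip access-list extended I_WAN
 permit tcp any host 203.0.113.18 eq smtp
 permit tcp any host 203.0.113.18 eq www
 permit tcp any host 203.0.113.18 eq 443
 permit tcp any host 203.0.113.19 eq 603
 deny ip any any log
"""

# IOS port keywords that appear on this page; numeric ports pass through.
PORT_NAMES = {"smtp": 25, "www": 80, "domain": 53, "ntp": 123}
STATIC = re.compile(r"ip nat inside source static (tcp|udp) (\S+) (\d+) (\S+) (\d+)")


def port_number(tok):
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)


def parse_config(text):
    """Return (ifaces, statics, acls).
    ifaces:  list of dicts with name, addr (ip_interface), role, acl
    statics: list of (line_no, proto, local_ip, local_port, global_ip, global_port)
    acls:    {name: set of (proto, dst_ip, dst_port)} from 'permit ... any host X eq P'"""
    ifaces, statics, acls = [], [], {}
    iface = acl = None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if not line.startswith(" "):  # a new top-level command ends any block
            iface = acl = None
            if (m := re.match(r"interface (\S+)$", line)):
                iface = {"name": m.group(1), "addr": None, "role": None, "acl": None}
                ifaces.append(iface)
            elif (m := re.match(r"ip access-list extended (\S+)$", line)):
                acl = acls.setdefault(m.group(1), set())
            elif (m := STATIC.match(line)):
                proto, lip, lport, gip, gport = m.groups()
                statics.append((n, proto, ipaddress.ip_address(lip), int(lport),
                                ipaddress.ip_address(gip), int(gport)))
            continue
        if iface is not None:
            if (m := re.match(r"\s+ip address (\S+) (\S+)$", line)):
                iface["addr"] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
            elif (m := re.match(r"\s+ip nat (inside|outside)$", line)):
                iface["role"] = m.group(1)
            elif (m := re.match(r"\s+ip access-group (\S+) in$", line)):
                iface["acl"] = m.group(1)
        elif acl is not None:
            if (m := re.match(r"\s+permit (tcp|udp) any host (\S+) eq (\S+)$", line)):
                acl.add((m.group(1), ipaddress.ip_address(m.group(2)),
                         port_number(m.group(3))))
    return ifaces, statics, acls


def check_static_nat(text):
    """Return a list of human-readable findings; an empty list means clean."""
    ifaces, statics, acls = parse_config(text)
    inside_nets = [i["addr"].network for i in ifaces if i["role"] == "inside" and i["addr"]]
    outside = [i for i in ifaces if i["role"] == "outside" and i["addr"]]
    findings = []
    for n, proto, lip, lport, gip, gport, in statics:
        if not any(lip in net for net in inside_nets):
            findings.append(f"line {n}: inside local {lip} is not in any 'ip nat inside' "
                            f"subnet ({', '.join(str(x) for x in inside_nets)})")
        for o in outside:
            if gip not in o["addr"].network:
                findings.append(f"line {n}: global {gip} is not in {o['name']} subnet "
                                f"{o['addr'].network}; the upstream must route it here")
            if o["acl"] and (proto, gip, gport) not in acls.get(o["acl"], set()):
                findings.append(f"line {n}: ACL {o['acl']} on {o['name']} has no permit "
                                f"for {proto}/{gport} to {gip}")
    return findings


if __name__ == "__main__":
    for f in check_static_nat(SAMPLE_CONFIG) or ["no findings"]:
        print(f)
```

Run against the excerpt it reports exactly the two 162.168.100.x lines; with those corrected to 192.168.100.x it reports nothing, and it would also catch a port-forward that the WAN ACL silently drops. On the router itself the same typo is visible without any script: `show ip nat translations` lists the static entries with their inside local addresses, so a 162.x entry stands out there as well.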
08-19-2004 01:23 AM
Thanks a lot.
I have read the config, I think, 1000 times. But I was blind to such a simple mistake.
robert
08-19-2004 01:37 AM
Happens man, have been blind to my own mistakes a few times and it is always a good idea to have it looked at by a fresh pair of eyes.