
Cisco 877w Port Forward 80 and 443 to internal server

lee.bridgewater
Level 1

Hello,

I'm new to the Cisco world and have so far got internet and VPN working (without SDM) using the IOS commands.

I have hit a stumbling block with port forwarding ports 80 (http) and 443 (https) to my small business server for Outlook Web Access.

Could someone kindly look over my running config below and point me in the right direction?

I need to forward port 80 and 442 to internal LAN server 192.168.10.1

The Cisco 877 has a local IP address of 192.168.10.254

Many thanks in advance.

<Running Config>

Building configuration...

Current configuration : 8435 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug uptime
service timestamps log uptime
service password-encryption
service internal
service sequence-numbers
no service dhcp
!
hostname xxxxx
!
boot-start-marker
boot-end-marker
!
logging buffered 10240 debugging
logging console critical
enable secret 5 $1$VdLO$6X5lAbsC8AlnUdormjzsm1
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login userlist local
aaa authentication ppp default local
aaa authorization network grouplist local
!
aaa session-id common
!
resource policy
!
clock timezone gmt 0
clock summer-time BST recurring last Sun Mar 2:00 last Sun Oct 2:00
no ip source-route
ip cef
!
!
!
!
ip tcp selective-ack
ip tcp timestamp
no ip bootp server
no ip domain lookup
ip domain name local
ip inspect name firewall tcp
ip inspect name firewall udp
ip inspect name firewall cuseeme
ip inspect name firewall h323
ip inspect name firewall rcmd
ip inspect name firewall realaudio
ip inspect name firewall streamworks
ip inspect name firewall vdolive
ip inspect name firewall sqlnet
ip inspect name firewall tftp
ip inspect name firewall ftp
ip inspect name firewall icmp
ip inspect name firewall sip
ip inspect name firewall esmtp max-data 52428800
ip inspect name firewall fragment maximum 256 timeout 1
ip inspect name firewall netshow
ip inspect name firewall rtsp
ip inspect name firewall pptp
ip inspect name firewall skinny
ip ips name intrusion list 3
!
!
!
file verify auto
username xxxxx password xxxxx
username xxxxx password xxxxx
username xxxxx password xxxxx
username xxxxx privilege 15 secret xxxxxx
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key xxxxx address xxxxx no-xauth
crypto isakmp key xxxxx address xxxxx no-xauth
!
crypto isakmp client configuration group kenilworth
 key xxxxx
 domain local
 pool vpnclients
 acl 106
!
!
crypto ipsec transform-set tr-null-sha esp-null esp-sha-hmac
crypto ipsec transform-set tr-des-md5 esp-des esp-md5-hmac
crypto ipsec transform-set tr-3des-md5 esp-3des esp-md5-hmac
crypto ipsec transform-set tr-3des-sha esp-3des esp-sha-hmac
crypto ipsec transform-set tr-aes-sha esp-aes esp-sha-hmac
!
crypto dynamic-map vpnusers 1
 description Client to Site VPN Users
 set transform-set tr-aes-sha
!
!
crypto map cm-cryptomap client authentication list userlist
crypto map cm-cryptomap isakmp authorization list grouplist
crypto map cm-cryptomap client configuration address respond
crypto map cm-cryptomap 110 ipsec-isakmp
 set peer xxxxx
 set peer xxxxx
 set transform-set tr-aes-sha
 match address 110
crypto map cm-cryptomap 65000 ipsec-isakmp dynamic vpnusers
!
!
!
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto
 dsl noise-margin 3
!
interface ATM0.1 point-to-point
 no snmp trap link-status
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Dot11Radio0
 no ip address
 shutdown
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
!
interface Vlan1
 ip address 192.168.10.254 255.255.255.0
 ip access-group 102 in
 ip nat inside
 ip virtual-reassembly
!
interface Dialer0
 ip address negotiated
 ip access-group 101 in
 no ip redirects
 no ip unreachables
 ip nat outside
 ip inspect firewall out
 ip ips intrusion in
 ip virtual-reassembly
 encapsulation ppp
 no ip route-cache cef
 no ip route-cache
 no ip mroute-cache
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap pap callin
 ppp chap hostname xxxxx
 ppp chap password xxxxx
 ppp pap sent-username xxxxx password xxxxx
 ppp ipcp dns request
 ppp ipcp route default
 crypto map cm-cryptomap
!
ip local pool vpnclients 192.168.240.1 192.168.240.254
!
!
no ip http server
no ip http secure-server
ip nat inside source list 105 interface Dialer0 overload
ip nat inside source static tcp 192.168.10.1 80 interface Dialer0 80
ip nat inside source static tcp 192.168.10.1 443 interface Dialer0 443
!
access-list 1 remark The local LAN.
access-list 1 permit 192.168.10.0 0.0.0.255
access-list 2 permit xxxxxx
access-list 2 permit 203.97.50.97
access-list 2 remark Where management can be done from.
access-list 2 permit 192.168.10.0 0.0.0.255
access-list 3 remark Traffic not to check for intrusion detection.
access-list 3 deny   192.168.1.0 0.0.0.255
access-list 3 deny   192.168.240.0 0.0.0.255
access-list 3 permit any
access-list 101 remark Traffic allowed to enter the router from the Internet
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 101 permit ip 192.168.240.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 101 deny   ip 0.0.0.0 0.255.255.255 any
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip 169.254.0.0 0.0.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 192.0.2.0 0.0.0.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 198.18.0.0 0.1.255.255 any
access-list 101 deny   ip 224.0.0.0 0.15.255.255 any
access-list 101 deny   ip any host 255.255.255.255
access-list 101 permit udp any any eq non500-isakmp
access-list 101 permit udp any any eq isakmp
access-list 101 permit esp any any
access-list 101 permit tcp any any eq 1723
access-list 101 permit gre any any
access-list 101 permit tcp any any eq 22
access-list 101 permit tcp any any eq telnet
access-list 101 deny   icmp any any echo
access-list 101 deny   ip any any log
access-list 101 permit tcp any any eq www
access-list 101 permit tcp any any eq 443
access-list 101 remark Traffic allowed to enter the router from the Internet
access-list 102 remark Traffic allowed to enter the router from the Ethernet
access-list 102 permit ip any host 192.168.10.254
access-list 102 deny   ip any host 192.168.10.255
access-list 102 deny   udp any any eq tftp log
access-list 102 permit ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 102 permit ip 192.168.10.0 0.0.0.255 192.168.240.0 0.0.0.255
access-list 102 deny   ip any 0.0.0.0 0.255.255.255 log
access-list 102 deny   ip any 10.0.0.0 0.255.255.255 log
access-list 102 deny   ip any 127.0.0.0 0.255.255.255 log
access-list 102 deny   ip any 169.254.0.0 0.0.255.255 log
access-list 102 deny   ip any 172.16.0.0 0.15.255.255 log
access-list 102 deny   ip any 192.0.2.0 0.0.0.255 log
access-list 102 deny   ip any 192.168.0.0 0.0.255.255 log
access-list 102 deny   ip any 198.18.0.0 0.1.255.255 log
access-list 102 deny   udp any any eq 135 log
access-list 102 deny   tcp any any eq 135 log
access-list 102 deny   udp any any eq netbios-ns log
access-list 102 deny   udp any any eq netbios-dgm log
access-list 102 deny   tcp any any eq 445 log
access-list 102 permit ip 192.168.10.0 0.0.0.255 any
access-list 102 permit ip any host 255.255.255.255
access-list 102 deny   ip any any log
access-list 102 remark Traffic allowed to enter the router from the Ethernet
access-list 105 remark Traffic to NAT
access-list 105 deny   ip 192.168.10.0 0.0.0.255 192.168.240.0 0.0.0.255
access-list 105 deny   ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 105 permit ip 192.168.10.0 0.0.0.255 any
access-list 105 remark Traffic to NAT
access-list 106 remark User to Site VPN Clients
access-list 106 permit ip 192.168.10.0 0.0.0.255 any
access-list 106 remark User to Site VPN Clients
access-list 110 remark Site to Site VPN
access-list 110 permit ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 110 deny   ip 192.168.10.0 0.0.0.255 any
access-list 110 remark Site to Site VPN
dialer-list 1 protocol ip permit
!
!
<End Running Config>

6 Replies

Gautam Renjen
Cisco Employee

In the ACL applied inbound on the Dialer interface, the entries that permit those two ports are placed after the deny ip any any.

----
access-list 101 deny   ip any any log
access-list 101 permit tcp any any eq www
access-list 101 permit tcp any any eq 443
---

Please shift deny ip any any to the end.

Also, if you want access to these servers over NAT, and even regular end users in your LAN to be able to access resources over the VPN hosted on remote sites, you need to call a route-map in your NAT statements. The route-map calls an ACL that denies local-to-remote traffic so it doesn't get NATed, and permits the rest (remember not to use permit ip any any in the NAT ACL).

For example:

ip access-list extended NATACL
 ! RFC 1918 destinations (the VPN-reachable sites) are excluded from NAT
 deny ip 192.168.0.0 0.0.255.255 10.0.0.0 0.255.255.255
 deny ip 192.168.0.0 0.0.255.255 172.16.0.0 0.15.255.255
 deny ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
 ! only the local /24 is translated; wildcard 0.0.0.255 matches 192.168.10.0/24
 permit ip 192.168.10.0 0.0.0.255 any
route-map NATMAP permit 10
 match ip address NATACL

Remove these first:

---
ip nat inside source list 105 interface Dialer0 overload
ip nat inside source static tcp 192.168.10.1 80 interface Dialer0 80
ip nat inside source static tcp 192.168.10.1 443 interface Dialer0 443
---

Then:

----
ip nat inside source route-map NATMAP interface Dialer0 overload
ip nat inside source static tcp 192.168.10.1 80 interface Dialer0 80 route-map NATMAP
ip nat inside source static tcp 192.168.10.1 443 interface Dialer0 443 route-map NATMAP
------

If the static NAT statements don't allow you to use route-map after Dialer0 80/443, then you can change that to the public IP you have, which should be static and known to you. I see you have ppp autoneg, and hope that it gives you the same IP every time.

Hi Gautam, many thanks for your reply!

If I telnet onto the cisco router and enter config terminal mode how can I shift the entry for www and https up?

I entered the entry by just typing it in conf terminal mode which is why I guess it ended up in the wrong place!

Many thanks in advance

Lee

Lee,

To modify ACLs, get a listing of the ACL to check the line numbers. Then go into ACL config mode and make changes.

In your case, line 200 is not needed as 210 denies all IP packets anyways (icmp goes over IP). So I removed 200 and 210, then added 210 back as 240, so that it appears after the last permit statement. Then I resequenced this ACL to start numbering the first statement from 10 and increment each sequence number by 10.

I'll show how it's done in your case:

-----
R1#show ip access-list 101
Extended IP access list 101
    10 permit ip 192.168.1.0 0.0.0.255 192.168.10.0 0.0.0.255
    20 permit ip 192.168.240.0 0.0.0.255 192.168.10.0 0.0.0.255
    30 deny ip 0.0.0.0 0.255.255.255 any
    40 deny ip 10.0.0.0 0.255.255.255 any
    50 deny ip 127.0.0.0 0.255.255.255 any
    60 deny ip 169.254.0.0 0.0.255.255 any
    70 deny ip 172.16.0.0 0.15.255.255 any
    80 deny ip 192.0.2.0 0.0.0.255 any
    90 deny ip 192.168.0.0 0.0.255.255 any
    100 deny ip 198.18.0.0 0.1.255.255 any
    110 deny ip 224.0.0.0 0.15.255.255 any
    120 deny ip any host 255.255.255.255
    130 permit udp any any eq non500-isakmp
    140 permit udp any any eq isakmp
    150 permit esp any any
    160 permit tcp any any eq 1723
    170 permit gre any any
    180 permit tcp any any eq 22
    190 permit tcp any any eq telnet
    200 deny icmp any any echo
    210 deny ip any any log
    220 permit tcp any any eq www
    230 permit tcp any any eq 443
R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#ip access-list extended 101
R1(config-ext-nacl)#no 200
R1(config-ext-nacl)#no 210
R1(config-ext-nacl)#240 deny ip any any log
R1(config-ext-nacl)#exit
R1(config)#ip access-list resequence 101 10 10
R1(config)#end
R1#show access-list 101
Extended IP access list 101
    10 permit ip 192.168.1.0 0.0.0.255 192.168.10.0 0.0.0.255
    20 permit ip 192.168.240.0 0.0.0.255 192.168.10.0 0.0.0.255
    30 deny ip 0.0.0.0 0.255.255.255 any
    40 deny ip 10.0.0.0 0.255.255.255 any
    50 deny ip 127.0.0.0 0.255.255.255 any
    60 deny ip 169.254.0.0 0.0.255.255 any
    70 deny ip 172.16.0.0 0.15.255.255 any
    80 deny ip 192.0.2.0 0.0.0.255 any
    90 deny ip 192.168.0.0 0.0.255.255 any
    100 deny ip 198.18.0.0 0.1.255.255 any
    110 deny ip 224.0.0.0 0.15.255.255 any
    120 deny ip any host 255.255.255.255
    130 permit udp any any eq non500-isakmp
    140 permit udp any any eq isakmp
    150 permit esp any any
    160 permit tcp any any eq 1723
    170 permit gre any any
    180 permit tcp any any eq 22
    190 permit tcp any any eq telnet
    200 permit tcp any any eq www
    210 permit tcp any any eq 443
    220 deny ip any any log
R1#
---------
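The first-match rule both replies above depend on (IOS stops at the first matching entry, so a deny ip any any placed before the permits makes them unreachable), as an added Python check that is not part of the thread or of IOS. It parses an excerpt of ACL 101 as quoted in the thread, evaluates a packet top-down the way the router does, and lists entries that an earlier, broader entry always pre-empts; the packet addresses are constructed documentation-range values.

```python
import ipaddress
# Constructed excerpt of the thread's ACL 101 (bogon denies omitted): BEFORE is the order the
# running config showed; AFTER is the order after the resequence above (200 dropped, deny last).
ACL_101_BEFORE = [
    "permit ip 192.168.1.0 0.0.0.255 192.168.10.0 0.0.0.255", "permit udp any any eq isakmp",
    "permit esp any any", "permit tcp any any eq 22", "deny icmp any any echo",
    "deny ip any any log", "permit tcp any any eq www", "permit tcp any any eq 443"]
ACL_101_AFTER = ACL_101_BEFORE[:4] + ACL_101_BEFORE[6:] + ["deny ip any any log"]
PORT_NAMES = {"www": 80, "telnet": 23, "isakmp": 500, "non500-isakmp": 4500}
ANY = ipaddress.ip_network("0.0.0.0/0")

def parse_entry(line):
    """One IOS extended ACE: action proto src [eq port] dst [eq port]; 'log'/'echo' ignored."""
    tok = line.split()
    e, i = {"action": tok[0], "proto": tok[1], "sport": None, "dport": None}, 2
    for side in ("src", "dst"):
        if tok[i] == "any":
            e[side], i = ANY, i + 1
        elif tok[i] == "host":
            e[side], i = ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
        else:  # network + IOS wildcard; ipaddress accepts the hostmask form after the slash
            e[side], i = ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}"), i + 2
        if i < len(tok) and tok[i] == "eq":
            e[side[0] + "port"], i = int(PORT_NAMES.get(tok[i + 1], tok[i + 1])), i + 2
    return e

def matches(e, pkt):
    """pkt = (proto, src_ip, sport, dst_ip, dport); an 'ip' entry matches every protocol."""
    proto, src, sport, dst, dport = pkt
    return (e["proto"] in ("ip", proto) and ipaddress.ip_address(src) in e["src"]
            and ipaddress.ip_address(dst) in e["dst"]
            and e["sport"] in (None, sport) and e["dport"] in (None, dport))

def first_match(acl, pkt):
    """IOS stops at the first hit; no hit is the implicit deny. Returns (1-based line, action)."""
    for n, e in enumerate(map(parse_entry, acl), 1):
        if matches(e, pkt):
            return n, e["action"]
    return None, "deny"

def shadowed(acl):
    """(line, text, shadowing line) for entries that an earlier, broader entry always pre-empts."""
    es, out = [parse_entry(a) for a in acl], []
    for j, e in enumerate(es):
        for k, p in enumerate(es[:j]):
            if (p["proto"] in ("ip", e["proto"]) and e["src"].subnet_of(p["src"])
                    and e["dst"].subnet_of(p["dst"]) and p["sport"] in (None, e["sport"])
                    and p["dport"] in (None, e["dport"])):
                out.append((j + 1, acl[j], k + 1))
                break
    return out
```

Running `shadowed(ACL_101_BEFORE)` reports the www and 443 permits as pre-empted by the deny at line 6, and `first_match` on an inbound port-80 packet returns that deny; on `ACL_101_AFTER` both permits are reachable and nothing is shadowed.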

Hello Gautam,

Thank you for this valuable information.

I have carried out your instructions above, however when I entered 240 deny ip any any log I received an error saying that cannot create duplicate entry so I entered it back as 250 then re-sequenced.

The show access-list 101 now shows the following:

R1W#show access-list 101
Extended IP access list 101
    10 permit ip 192.168.1.0 0.0.0.255 192.168.10.0 0.0.0.255
    20 permit ip 192.168.240.0 0.0.0.255 192.168.10.0 0.0.0.255
    30 deny ip 0.0.0.0 0.255.255.255 any
    40 deny ip 10.0.0.0 0.255.255.255 any
    50 deny ip 127.0.0.0 0.255.255.255 any
    60 deny ip 169.254.0.0 0.0.255.255 any
    70 deny ip 172.16.0.0 0.15.255.255 any
    80 deny ip 192.0.2.0 0.0.0.255 any
    90 deny ip 192.168.0.0 0.0.255.255 any
    100 deny ip 198.18.0.0 0.1.255.255 any
    110 deny ip 224.0.0.0 0.15.255.255 any
    120 deny ip any host 255.255.255.255
    130 permit udp any any eq non500-isakmp (862 matches)
    140 permit udp any any eq isakmp (88 matches)
    150 permit esp any any (17460 matches)
    160 permit tcp any any eq 1723
    170 permit gre any any
    180 permit tcp any any eq 22 (830 matches)
    190 permit tcp any any eq telnet (682 matches)
    200 permit tcp any any eq www (9 matches)
    210 permit tcp any any eq 443 (20 matches)
    220 permit tcp any any eq chargen
    230 deny ip any any log
R1#

The problem is that ports 80 and 443 are still not getting through to the internal server (192.168.10.1), so Exchange web access for the iPhone using ports 80 and 443 still doesn't work.

I didn't implement the NATACL route map suggestions, just shifted the deny IP as directed above, could this be why?

Am I doing something wrong?

Many thanks in advance

Lee

1. Allow the two ports explicitly in the inbound ACL applied on the inside interface. This is to see if we see matches, which will prove that the return packets are seen entering the router.

---
conf t
ip access-list ext 102
 1 permit tcp host 192.168.10.1 eq 80 any
 2 permit tcp host 192.168.10.1 eq 443 any
exit
---

2. You can also add  another ACL, as below, to see if packets leave the router towards the servers.

----
conf t
ip access-list ext vlan1.out
 permit tcp any host 192.168.10.1 eq 80
 permit tcp any host 192.168.10.1 eq 443
 permit ip any any
int vlan 1
 ip access-group vlan1.out out
exit
----

3. You can use this ACL to see if packets for these translations leave the router towards the internet:

---
conf t
ip access-list ext dialer.out
 permit tcp any eq 80 any
 permit tcp any eq 443 any
 permit ip any any
int Dialer0
 ip access-group dialer.out out
exit
---

4. Now try to access the servers from the outside (internet), and send the output as follows:

show access-list 101
show access-list vlan1.out
show access-list 102
show access-list dialer.out
show ip nat trans | i 192.168.10.1|Pro
---

Please tell me the public IP of the machine (client) from which you were trying to access these servers, and the public ip assigned to your router's Dialer0.

Hi Gautam, I have just sent you a DM with those outputs for security reasons.

Many thanks

Lee
