07-28-2022 01:43 AM
I have the following ACLs on my router. I want to ping the remote location 202.165.40.65 on port 443, but I am unable to do so. The remote location will only allow traffic from my IP (119.65.22.32) on port 443; all other ports are blocked at the remote location. Currently I am receiving traffic from 119.65.22.32 on ports 476, 475, 531, 532 etc., but not on 443.
Any help?
My IP address: 119.65.22.32
Remote IP address: 202.165.40.65
1. ip access-list extended GigabitEthernet0/1 (this is my interface with ip 119.65.22.32)
This ACL had no entries, but I still put these entries in it:
permit tcp host 202.165.40.65 any eq 443
permit tcp host 202.165.40.65 any eq 443
permit udp host 202.165.40.65 any eq 443
permit udp host 202.165.40.65 any eq 443
2. ip access-list extended NAT-OUT-IN
ip nat outside source list NAT-OUT-IN pool POOL-OUT-IN
ip nat pool POOL-OUT-IN 10.10.0.0 10.10.255.255 prefix-length 16
This ACL does not have anything to do with the remote IP.
3. ip access-list extended firewall
This ACL was empty, but I still put these entries in it:
permit tcp host 202.165.40.65 any eq 443
permit tcp host 202.165.40.65 any eq 443
permit udp host 202.165.40.65 any eq 443
permit udp host 202.165.40.65 any eq 443
4. ip access-list extended mynat
This ACL is for my LAN computers.
What should I do? How do I ping the remote location on port 443 and get a positive response? I am not blocking anything.
07-28-2022 01:49 AM - edited 07-28-2022 01:50 AM
First, ICMP is an L3 protocol and doesn't have an L4 port.
Second, try telnet and use the port.
The remote will give you "open" if port 443 is allowed in his router.
07-28-2022 02:11 AM
07-28-2022 02:33 AM
Are you running an HTTP server on your router?
Port 443 is also used by the HTTP server.
08-01-2022 11:28 PM - edited 08-01-2022 11:29 PM
I also have the following configuration:
no ip http server
ip http port 8080
ip http authentication local
no ip http secure-server
I had put "no" in front of
ip http port 8080
ip http authentication local
but it was no use.
08-02-2022 05:59 AM
In which ACL do I have to write this?
permit tcp any host 207.67.74.157 eq 443 <<- forward traffic
permit tcp host 207.67.74.157 eq 443 any <<- return traffic
Router#sh ip access-lists
Extended IP access list GigabitEthernet0/1
40 permit tcp any any eq 443
Extended IP access list NAT-OUT-IN
10 permit tcp any host 110.36.216.82 eq 1689
Extended IP access list firewall
10 permit tcp host 182.180.123.154 any eq 22
Extended IP access list mynat
60 permit ip 10.20.1.0 0.0.0.255 any (14120261 matches)
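As an added illustration that is not part of any post in this thread, a small Python evaluator of the extended ACE syntax pasted above. It shows that the original "permit tcp host 202.165.40.65 any eq 443" matches neither the outbound connection toward the remote nor its return traffic, while the forward/return pair asked about here matches both, and that an ICMP echo carries no port for a tcp ACE to match. The sample flows and the ephemeral port 51000 are constructed assumptions.

```python
import ipaddress
from collections import namedtuple
# Evaluates Cisco IOS extended ACL lines of the form pasted in this thread:
#   permit|deny <proto> <src> [eq <port>] <dst> [eq <port>]
# with addresses "any", "host A.B.C.D" or "A.B.C.D WILDCARD". Only tcp/udp/icmp/ip and
# the "eq" operator are handled; sport/dport stay None for ICMP, which has no L4 port.
Packet = namedtuple("Packet", "proto src dst sport dport", defaults=(None, None))

def _parse_addr(tokens, i):
    """Return (network, next_index); an IOS wildcard mask is the inverted netmask."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    mask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(tokens[i + 1])))
    return ipaddress.ip_network(f"{tokens[i]}/{mask}", strict=False), i + 2

def _parse_port(tokens, i):
    if i < len(tokens) and tokens[i] == "eq":
        return int(tokens[i + 1]), i + 2
    return None, i

def parse_ace(line):
    t = line.split()
    src, i = _parse_addr(t, 2)
    sport, i = _parse_port(t, i)
    dst, i = _parse_addr(t, i)
    dport, _ = _parse_port(t, i)
    return t[0], t[1], src, sport, dst, dport   # action, proto, src, sport, dst, dport

def evaluate(acl_lines, pkt):
    """First matching ACE wins; every IOS ACL ends with an implicit deny."""
    for line in acl_lines:
        action, proto, src, sport, dst, dport = parse_ace(line)
        if proto not in ("ip", pkt.proto):
            continue
        if ipaddress.ip_address(pkt.src) not in src or ipaddress.ip_address(pkt.dst) not in dst:
            continue
        if (sport is not None and sport != pkt.sport) or (dport is not None and dport != pkt.dport):
            continue
        return action
    return "deny"

# The poster's ACE versus the forward/return pair asked about in this post.
OP_ACL = ["permit tcp host 202.165.40.65 any eq 443"]
PAIR_ACL = ["permit tcp any host 202.165.40.65 eq 443",   # outbound SYN toward the remote
            "permit tcp host 202.165.40.65 eq 443 any"]   # return traffic from the remote
# Constructed sample flows (not from the thread); the ephemeral port 51000 is an assumption.
OUTBOUND = Packet("tcp", "119.65.22.32", "202.165.40.65", 51000, 443)
RETURN = Packet("tcp", "202.165.40.65", "119.65.22.32", 443, 51000)
PING = Packet("icmp", "119.65.22.32", "202.165.40.65")
```

Whatever the ACEs say, an ACL that is never applied to an interface with ip access-group filters nothing.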
07-28-2022 03:48 PM
"I want to ping remote location 202.165.40.65 with port 443 . . ."
Port 443 is used by TCP, while ping uses IGMP. I.e., if IGMP ping requests are blocked, you're not going to be able, by default, to ping another host.
Further, even if ping used TCP, if you send TCP traffic to any "unexpected" port on the host, the host will discard the packet.
If the blockage is an ACL on a router you control, you might provide ACL ACEs that permit ping requests and/or replies,
e.g. https://www.cisco.com/c/en/us/support/docs/ip/access-lists/26448-ACLsamples.html#anc13
08-02-2022 12:57 AM
I have the following configuration:
version 15.4
!
key chain eigrp_keys
track 1 interface Tunnel2 line-protocol
track 6 ip sla 6 reachability
(Different track commands)
crypto isakmp policy 100
!
interface Loopback1
no ip address
!
interface Tunnel1
bandwidth 1602
ip address 10.2.1.254 255.255.255.0
tunnel source GigabitEthernet0/1
!
interface Tunnel2
bandwidth 1602
ip address 10.2.2.254 255.255.255.0
no ip redirects
tunnel source GigabitEthernet0/1
!
interface GigabitEthernet0/1
ip address 214.189.74.51 255.255.255.248
ip mtu 1492
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
interface Vlan1
ip address 10.20.1.254 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
!
router eigrp 10
network 10.2.1.0 0.0.0.255
router eigrp 2
network 10.2.2.0 0.0.0.255
no ip http server
ip http port 8080
ip http authentication local
no ip http secure-server
!
ip dns server
ip nat pool POOL-OUT-IN 10.50.0.0 10.50.255.255 prefix-length 16
ip nat inside source list mynat interface GigabitEthernet0/1 overload
ip nat inside source static tcp 10.20.1.11 80 interface GigabitEthernet0/1 81
ip nat inside source static tcp 10.20.1.12 1521 interface GigabitEthernet0/1 121
ip nat outside source list NAT-OUT-IN pool POOL-OUT-IN
ip route 10.20.1.11 (Internal network) 255.255.255.0 10.20.1.249 (To layer 3 switch) track 6
ip route 0.0.0.0 0.0.0.0 214.189.74.51
ip tacacs source-interface Vlan1
!
ip access-list extended GigabitEthernet0/1
permit tcp any host 207.67.74.157 eq 443
permit udp host 207.67.74.157 any eq 443
permit udp host 63.91.129.157 any eq 443
permit tcp any any eq 443
ip access-list extended NAT-OUT-IN
permit tcp any host 63.91.129.157 eq 443
permit tcp any host 207.67.74.157 eq 443
permit udp any host 63.91.129.157 eq 443
permit udp any host 207.67.74.157 eq 443
permit tcp any any eq 443
ip access-list extended firewall
permit tcp host 207.67.74.157 any eq 443
permit tcp host 63.91.129.157 any eq 443
permit udp host 207.67.74.157 any eq 443
permit udp host 63.91.129.157 any eq 443
permit tcp any any eq 443
ip access-list extended mynat
deny ip any 10.20.1.0 0.0.0.255
deny ip host 10.20.1.19 any
deny ip 172.12.20.0 0.0.0.255 172.12.20.0 0.0.0.255
deny ip 172.12.20.0 0.0.0.255 172.18.20.0 0.0.0.255
deny tcp host 172.12.20.102 eq 1521 any
permit ip 10.20.1.0 0.0.0.255 any
permit ip 172.20.41.0 0.0.0.255 any
permit ip 192.168.20.0 0.0.0.255 any
permit ip 172.20.12.0 0.0.0.255 any
Router# traceroute 63.91.129.157 port 443
Type escape sequence to abort.
Tracing the route to user157.temgdwdp.com (63.91.129.157)
VRF info: (vrf in name/id, vrf out name/id)
1 119.159.230.54 0 msec 0 msec 0 msec
2 221.120.221.65 4 msec 4 msec 4 msec
3 221.120.221.18 4 msec 0 msec 4 msec
4 221.120.221.57 4 msec 4 msec 4 msec
5 10.253.8.38 0 msec 0 msec 4 msec
6 10.253.4.36 20 msec
10.253.4.16 16 msec 20 msec
7 10.253.4.4 16 msec 20 msec 20 msec
8 Frankfurt-MX80.incapsula.com (80.81.193.87) 140 msec 144 msec 144 msec
9 * * *
10 * * *
11 * *
Unable to open 443
08-02-2022 01:53 AM - edited 08-02-2022 06:42 AM
I will analyze the config tonight. If I get something, I will update you.
08-03-2022 05:41 AM
Sir,
Did you find the time to review the configuration?
08-03-2022 06:19 AM
Yes, I started reviewing. What I don't get:
interface GigabitEthernet0/1
ip address 214.189.74.51 255.255.255.248
ip mtu 1492
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
ip access-list extended GigabitEthernet0/1 <- this must be applied to this interface, but I don't see ip access-group
permit tcp any host 207.67.74.157 eq 443
permit udp host 207.67.74.157 any eq 443
permit udp host 63.91.129.157 any eq 443
permit tcp any any eq 443
Second:
ip access-list extended firewall <<<- what do you mean by "firewall" here??
permit tcp host 207.67.74.157 any eq 443
permit tcp host 63.91.129.157 any eq 443
permit udp host 207.67.74.157 any eq 443
permit udp host 63.91.129.157 any eq 443
permit tcp any any eq 443
08-02-2022 07:38 AM
How and/or where are you invoking those ACLs?
08-02-2022 11:43 PM
That's all the configuration in the router. I don't have any other device attached. Check the configuration again and suggest me something.
Thanks
08-07-2022 11:52 AM
Is this issue solved or not?