07-19-2013 10:42 AM - edited 03-04-2019 08:30 PM
Hello Folks,
I have a webserver hosting remote desktop on my LAN. I am in need of allowing inbound traffic to be able to access my web server.
I have already put into place a few access lists in preparation to allow the traffic on the interface. I am just worried that when I apply these access lists to the interface it is going to break my configuration. I only have remote access to this device because, well, it is 10,000 km away.
here is the relevant router config:
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description External Interface
ip address 81.x.x.x 255.255.255.252
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/1
description Internal Interface
no ip address
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/1.20
description Vlan20 Trunk
encapsulation dot1Q 20
ip address 192.168.20.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface GigabitEthernet0/1.30
encapsulation dot1Q 30
ip address 192.168.30.1 255.255.255.0
!
interface GigabitEthernet0/1.40
encapsulation dot1Q 40
ip address 10.10.10.1 255.255.255.128
!
interface GigabitEthernet0/1.99
description Vlan99 Trunk
encapsulation dot1Q 99
ip address 192.168.99.1 255.255.255.0
!
interface FastEthernet0/0/0
no ip address
!
interface FastEthernet0/0/1
no ip address
!
interface FastEthernet0/0/2
no ip address
!
interface FastEthernet0/0/3
no ip address
!
interface Vlan1
no ip address
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat pool GMRA 81.85.23.210 81.x.x.x prefix-length 30
ip nat source static tcp 192.168.20.37 80 81.x.x.x 80 extendable
ip nat source static tcp 192.168.20.37 443 81.x.x.x 443 extendable
ip nat source static udp 192.168.20.37 3389 81.x.x.x 3389 extendable
ip nat inside source list 7 pool GMRA overload
ip nat inside source static tcp 192.168.20.37 3389 81.x.x.x 3389 extendable
ip route 0.0.0.0 0.0.0.0 81.x.x.x
!
access-list 7 permit 192.168.20.0 0.0.0.255
access-list 101 permit tcp any any eq 443
access-list 101 permit tcp any any eq www
access-list 101 permit tcp any any eq 3389
access-list 101 deny ip any any
!
If I apply Access-list 101 to my outside interface will I have an issue with internet access and will this allow those ports to have incoming connections?
If not can someone help me out
Thanks in advance,
Eddie
Labels: Other Routing
Accepted Solutions
07-19-2013 12:26 PM
Hi,
If you apply this ACL to your outbound interface in the inbound direction then it will only permit traffic from outside destined to ports 80, 3389 and 443, but your reply traffic in response to traffic originated in your LAN will get dropped.
You can apply the ACL though but at the same time use CBAC:
config t
ip inspect name MY_INSPECTION tcp router-traffic
ip inspect name MY_INSPECTION udp router-traffic
ip inspect name MY_INSPECTION icmp router-traffic
int g0/0
ip inspect MY_INSPECTION out
ip access-group 101 in
Regards
Alain
Don't forget to rate helpful posts.
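A worked version of the policy Alain describes, added here as an example rather than taken from the original poster's configuration or from Alain's post. It keeps ACL 101 inbound on G0/0 and relies on CBAC to admit the return packets of sessions that started on the LAN, which a stateless ACL cannot do on its own. Two things in the posted ACL are worth fixing at the same time: `deny any any` is not valid extended-ACL syntax (a protocol keyword is required), and `permit tcp any any eq 3389` exposes RDP to the whole Internet, so the example limits 3389 to a hypothetical management host 203.0.113.10 (an assumption, not an address from the thread). Because the inbound ACL on the outside interface is evaluated before NAT, any destination you name in it must be the public address, not 192.168.20.37; the example keeps `any` as the destination for that reason. The static port forwards use the `interface GigabitEthernet0/0` form so the public address does not have to be written out.

```cisco
! Added example (not from the original thread): stateless ACL 101 reworked
! into a stateful border policy with CBAC on the G0/0 WAN interface.
! 203.0.113.10 is a hypothetical management host allowed to reach RDP.
!
! --- Weak: ACL 101 as posted ---
!   access-list 101 permit tcp any any eq 443
!   access-list 101 permit tcp any any eq www
!   access-list 101 permit tcp any any eq 3389   <- RDP open to the whole Internet
!   access-list 101 deny any any                 <- missing protocol keyword
!
! --- Corrected ---
! Checked before NAT on inbound packets, so a narrowed destination would
! have to be the public address of G0/0, never 192.168.20.37.
no access-list 101
access-list 101 permit tcp any any eq 443
access-list 101 permit tcp any any eq www
access-list 101 permit tcp host 203.0.113.10 any eq 3389
access-list 101 permit udp host 203.0.113.10 any eq 3389
access-list 101 deny ip any any log
!
! Stateful inspection: sessions leaving G0/0 (from the LAN, or from the
! router itself thanks to router-traffic) are recorded, and their return
! packets are let through ACL 101 although no ACE permits them.
! Inbound-initiated sessions to 80/443/3389 need no inspection: the ACL
! permits them and nothing filters the server's replies on the way out.
ip inspect name MY_INSPECTION tcp router-traffic
ip inspect name MY_INSPECTION udp router-traffic
ip inspect name MY_INSPECTION icmp router-traffic
!
! Classic (ip nat inside/outside) static port forwards to the server.
ip nat inside source static tcp 192.168.20.37 80 interface GigabitEthernet0/0 80
ip nat inside source static tcp 192.168.20.37 443 interface GigabitEthernet0/0 443
ip nat inside source static tcp 192.168.20.37 3389 interface GigabitEthernet0/0 3389
!
interface GigabitEthernet0/0
 ip inspect MY_INSPECTION out
 ip access-group 101 in
!
! Verification after the change:
!   show ip inspect sessions     - outbound sessions currently tracked
!   show ip nat translations     - the static entries plus dynamic PAT entries
!   show access-lists 101        - per-ACE hit counts; the logged deny shows what was blocked
```

Apply the ACL last, in the order shown, and from a session that is not itself subject to it (or with `reload in 10` armed as a safety net) when the only access to the router is across the WAN.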
07-19-2013 12:39 PM
Thanks Cadet,
I will do some reading on CBAC and update this forum accordingly.
Regards,
Eddie
07-22-2013 03:48 PM
Hello Cadet,
I have configured CBAC and applied the access-list to my outside interface pointing inbound. Yet I am still unable to gain access to my webserver. I went to grc.com and used "Shields Up!" to test my opened ports and it is reporting that those two ports are still closed.
From what I have been reading, CBAC and the ACL shouldn't be necessary; only a static NAT pointing to the inside should be needed.
I'm at a loss for what needs to be done. If Shields Up! had reported those ports open then I would have gone back to the application side and quadruple-checked all of my server settings.
Do you have any other ideas?
Thanks,
Eddie
07-23-2013 01:17 AM
Hi Eddie,
> From what I have been reading, CBAC and the ACL shouldn't be necessary; only a static NAT pointing to the inside should be needed.
Of course these are not needed for the port forwarding to work, but if you apply the ACL inbound on your WAN interface as is then you'll lose connectivity from inside to outside, because ACLs are stateless: if you do not permit the return traffic it will be dropped inbound on the WAN interface. That's why I told you to use the IOS stateful firewall feature.
I think you should get rid of the security and try to connect to the server from outside with only NAT enabled.
Can you tell us if it is working this way ?
Regards
Alain
Don't forget to rate helpful posts.
07-23-2013 12:21 PM
Hello Cadet,
> I think you should get rid of the security and try to connect to the server from outside with only NAT enabled.
> Can you tell us if it is working this way?
Before you suggested using CBAC and applying my ACL to the outbound interface, I did not have anything but the static NAT entry. Everything that I have been reading has suggested that just the static NAT should be fine. However, the Shields Up! port scanner has replied with ports 443 and 80 closed.
What if I apply an ACL to both the inbound and outbound interface opening up access to these ports. Allowing the return traffic to traverse in inside network?
07-23-2013 02:41 PM
This has been resolved. I was using the extendable command, and decided not to, and BAM! I am able to access the webpage now.
07-24-2013 01:54 AM
Hi Eddie,
Thanks for letting us know that your problem is resolved and what was causing it.
Regards
Alain
Don't forget to rate helpful posts.
