Static NAT and ACL - mail access on port 443

Answered Question
Aug 4th, 2008

Have to access an MS CAS client server for remote mail access.

NATted the CAS from DMZ 172.30.1.32 to 172.26.1.32. Same for the mail server on the inside.

From the routers, I can ping both servers' NATted addresses (172.26.1.32 & .102).

Connected to the outside of the FW, in a switchport of the ADSL; can ping the servers from a PC on port 443, but the page doesn't load in the browser.

Note that both the anti-X & IPS modules are off.

Below is the relevant part of the config and most of the topology. In a few recent postings, I noticed comments about ports 80 & 443 playing funny from one zone to the other. Despite doing a 1-to-1 NAT, I wonder if static policy NAT can get the users to connect from home.

interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 172.26.1.2 255.255.255.0
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 172.28.1.1 255.255.255.0
!
interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 172.30.1.25 255.255.255.0
!......
access-list outside extended permit tcp any host 172.26.1.32 eq https
access-list outside extended permit ip any any
access-list outside extended permit ip any host 172.26.1.32
static (inside,outside) 172.26.1.102 10.50.1.102 netmask 255.255.255.255
static (dmz,outside) 172.26.1.32 172.30.1.32 netmask 255.255.255.255
access-group outside in interface outside
access-group inside in interface inside
access-group dmz in interface dmz
route outside 0.0.0.0 0.0.0.0 172.26.1.1

Rgds, Ravi

Correct Answer by Fernando_Meza, Mon, 08/04/2008 - 16:22

Hi ..

So are you saying that when you connect to the outside of the firewall you can actually telnet X.X.X.X 443, where X.X.X.X is the public IP address of the server(s), and receive a scrambled web page after typing the GET command, correct? If that is the case, then I am assuming that you have already tested the web browser with the IP address instead of the hostname (just to rule out name resolution issues), correct? I am also assuming that the servers know how to route back to the Internet, correct? Then I suggest you try disabling http inspection on the firewalls and test again.

Please rate helpful posts!!


rjugnauth Mon, 08/04/2008 - 18:55

Didn't test with the servers' names. I only pinged the IP address using port 443. Behind both the ADSL and the C1841 Frame-Relay, I'm not using public IPs. I NAT them again (this time with the public IP) on the Frame router.

Is the 'http inspect' still in cause? Because I tested by connecting the server directly to the Frame router, and it worked. Names are resolved OK on the Internet, but that involved only one static NAT. Seems like I'm missing something on the ASA. But I'll try removing http inspect.

rjugnauth Wed, 08/13/2008 - 08:31

Actually, it was an implicit deny on the transparent FW. As soon as an access for port 443 is added, it comes through OK.
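As an added illustration of the two lessons in this thread (this is example code, not something either poster wrote): a small first-match evaluator for ASA-style extended ACEs. Run against the posted outside ACL it shows that the third ACE can never match because 'permit ip any any' already covers it (and admits every protocol and port, not just 443 to the CAS), and that an ACL with no ACE for 443 ends in the implicit deny that turned out to be the problem on the transparent firewall. The remote address 203.0.113.9 is constructed, and SERVICES, parse_ace, evaluate and shadowed are names invented for this example.

```python
import ipaddress
SERVICES = {"https": 443, "http": 80, "smtp": 25}  # ASA service keywords (subset)

def _addr(toks):
    """Consume 'any' or 'host X' from the token list; return (network, rest)."""
    if toks[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), toks[1:]
    if toks[0] == "host":
        return ipaddress.ip_network(toks[1] + "/32"), toks[2:]
    raise ValueError("unsupported address form: " + toks[0])

def parse_ace(line):
    """Parse 'access-list NAME extended permit|deny PROTO SRC DST [eq SVC]'."""
    toks = line.split()
    src, rest = _addr(toks[5:])
    dst, rest = _addr(rest)
    port = (SERVICES.get(rest[1]) or int(rest[1])) if rest[:1] == ["eq"] else None
    return {"action": toks[3], "proto": toks[4], "src": src, "dst": dst, "dport": port}

def _covers(a, proto, src, dst, dport):
    """True if ACE a matches every flow described by (proto, src net, dst net, dport)."""
    return (a["proto"] in ("ip", proto) and src.subnet_of(a["src"])
            and dst.subnet_of(a["dst"])
            and (a["dport"] is None or a["dport"] == dport))

def evaluate(acl_lines, src_ip, dst_ip, proto, dport):
    """First match wins; if nothing matches, the ASA's implicit deny applies."""
    src, dst = (ipaddress.ip_network(ip + "/32") for ip in (src_ip, dst_ip))
    for n, ace in enumerate(map(parse_ace, acl_lines), 1):
        if _covers(ace, proto, src, dst, dport):
            return ace["action"], n
    return "deny", None

def shadowed(acl_lines):
    """1-based positions of ACEs that can never match because an earlier ACE covers them."""
    aces = list(map(parse_ace, acl_lines))
    return [j + 1 for j, b in enumerate(aces)
            if any(_covers(a, b["proto"], b["src"], b["dst"], b["dport"]) for a in aces[:j])]

# The outside ACL as posted (constructed copy). It names the mapped address
# 172.26.1.32, which is the address the remote user actually connects to.
OUTSIDE_ACL = [
    "access-list outside extended permit tcp any host 172.26.1.32 eq https",
    "access-list outside extended permit ip any any",
    "access-list outside extended permit ip any host 172.26.1.32",
]
# With the constructed remote address 203.0.113.9:
#   evaluate(OUTSIDE_ACL, "203.0.113.9", "172.26.1.32", "tcp", 25) -> ("permit", 2), via 'ip any any'
#   shadowed(OUTSIDE_ACL) -> [3];  evaluate([], "203.0.113.9", "172.26.1.32", "tcp", 443) -> ("deny", None)
```

Dropping the 'ip any any' line leaves only the intended 443 rule reachable from outside, which is the tightening a reviewer would ask for here.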

Posted August 4, 2008 at 3:50 PM