Static NAT and ACL - mail access on port 443

rjugnauth
Level 1

Have to access the MS CAS client server for remote mail access.

NATed the CAS from DMZ 172.30.1.32 to 172.26.1.32. Same for the mail server on the inside.

From the routers, I can ping both servers' NATed addresses (172.26.1.32 & .102).

Connected to the outside of the FW, in a switchport of the ADSL; I can ping the servers from a PC on port 443, but it doesn't load in the browser.

Note that both the anti-X & IPS modules are off.

Below is the relevant part of the config and most of the topology. In a few recent postings, I noticed comments about ports 80 & 443 playing funny from one zone to the other. Despite doing a 1-to-1 NAT, I wonder if static policy NAT can get the users to connect from home.

interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 172.26.1.2 255.255.255.0
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 172.28.1.1 255.255.255.0
!
interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 172.30.1.25 255.255.255.0
!......
access-list outside extended permit tcp any host 172.26.1.32 eq https
access-list outside extended permit ip any any
access-list outside extended permit ip any host 172.26.1.32
static (inside,outside) 172.26.1.102 10.50.1.102 netmask 255.255.255.255
static (dmz,outside) 172.26.1.32 172.30.1.32 netmask 255.255.255.255
access-group outside in interface outside
access-group inside in interface inside
access-group dmz in interface dmz
route outside 0.0.0.0 0.0.0.0 172.26.1.1

Rgds, Ravi

Accepted Solution

Fernando_Meza
Level 7

Hi ..

So are you saying that when you connect to the outside of the firewall you can actually telnet X.X.X.X 443, where X.X.X.X is the public IP address of the server(s), and receive a scrambled web page after typing the GET command, correct? If that is the case, then I am assuming that you had already tested the web browser with the IP address instead of the hostname (just to rule out name resolution issues), correct? I am also assuming that the servers know how to route back to the Internet, correct? Then I suggest trying to disable http inspection on the firewalls and testing it again.

Please rate helpful posts !!

4 Replies

Didn't test with the servers' names. I only pinged the IP address using port 443. Behind both the ADSL and the C1841 Frame-Relay, I'm not using public IPs. I NAT them again (this time with the public IP) on the Frame router.

Is the 'http inspect' still in cause? Because I tested by connecting the server directly to the Frame router, and it worked. Names are resolved OK on the Internet, but that involved only one static NAT. Seems like I'm missing something on the ASA. But I'll try removing http inspect.

Actually, it was an implicit deny on the transparent FW. As soon as an access for port 443 is added, it comes through OK.
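An added example, not from the thread, that evaluates the posted 'outside' ACL the way the ASA does (first match, implicit deny when nothing matches) and flags shadowed entries; the client address and the pre-fix ACL of the transparent firewall are constructed for illustration:

```python
import ipaddress

# Constructed copy of the 'outside' ACL posted in the question.
OUTSIDE_ACL = """
access-list outside extended permit tcp any host 172.26.1.32 eq https
access-list outside extended permit ip any any
access-list outside extended permit ip any host 172.26.1.32
"""

PORT_NAMES = {"https": 443, "http": 80, "www": 80, "smtp": 25}

def _addr(tok, i):
    """'any' -> 0.0.0.0/0, 'host A.B.C.D' -> /32, 'NET MASK' -> network."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2

def parse_acl(text):
    """Parse 'access-list NAME extended ACTION PROTO SRC DST [eq PORT]' lines."""
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        if len(tok) < 6 or tok[0] != "access-list" or tok[2] != "extended":
            continue
        action, proto, i = tok[3], tok[4], 5
        src, i = _addr(tok, i)
        dst, i = _addr(tok, i)
        port = None
        if i < len(tok) and tok[i] == "eq":
            name = tok[i + 1]
            port = PORT_NAMES[name] if name in PORT_NAMES else int(name)
        rules.append((action, proto, src, dst, port))
    return rules

def evaluate(rules, proto, src, dst, dport):
    """First-match evaluation; no match is the ASA's implicit deny."""
    for action, rproto, rsrc, rdst, rport in rules:
        if (rproto in ("ip", proto) and ipaddress.ip_address(src) in rsrc
                and ipaddress.ip_address(dst) in rdst
                and (rport is None or rport == dport)):
            return action
    return "deny (implicit)"

def shadowed(rules):
    """Indices of entries an earlier, broader entry prevents from ever matching."""
    out = []
    for i, (_, p, s, d, port) in enumerate(rules):
        for _, ep, es, ed, eport in rules[:i]:
            if (ep in ("ip", p) and s.subnet_of(es) and d.subnet_of(ed)
                    and (eport is None or eport == port)):
                out.append(i)
                break
    return out
```

On the posted ACL the third entry is shadowed by the preceding `permit ip any any`, and an ACL with no entry for 443 to 172.26.1.32 returns the implicit deny the original poster hit on the transparent firewall.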

ok
