FWSM:Allowing HTTP on another port:Inspection

MannyD123
Level 1

Hi,

Internet ---- FWSM (ver 3.2(8)) ---Serverfarm

We have a server which has an application that listens on port 55005. The way the application is accessed is by http://public-ip:55005. I have opened port 55005 on the FWSM, and the static and access-lists are as follows:

static (dmzSERVER,OUTSIDE) public-ip private-ip netmask 255.255.255.255

access-list FR_OUTSIDE extended permit tcp any host public-ip eq 55005

access-group FR_OUTSIDE in int OUTSIDE

The issue is that I get the login page. As soon as I enter the username and password and hit Enter, it says "page cannot be displayed". On logging the FWSM I cannot find anything being dropped.

I also tried application inspection for http using the following configuration.

class-map HTTP

match port tcp eq 55005

policy-map HTTP

class HTTP

inspect http

service-policy HTTP interface OUTSIDE

Now when the outside user tries http://public-ip:55005, I can see that there are hits for the above inspection and that nothing is dropped. But still, after supplying the username and password, we get "page cannot be displayed". I haven't tried with an HTTP map, though.

I believe this has got something to do with HTTP traffic going on port 55005. Locally, everything works OK.

If anyone has some ideas regarding this, please help.

Regards

mannyD


sadbulali
Level 4

Check the security level of the interfaces. Traffic does not go through the FWSM from a higher security interface to a lower security interface. You did not apply an access list to the higher security interface to allow traffic through. Unlike the PIX firewall, the FWSM does not automatically allow traffic to pass between interfaces.

Apply an access list to the source interface to allow traffic through.
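The configuration below is an added example, not part of either post and not Cisco documentation; it puts the original poster's static, outside ACL and port-55005 inspection together with the dmzSERVER-side ACL that the reply recommends, using the interface names from the question. `public-ip` and `private-ip` are the same placeholders as in the post, and the ACL name `FR_DMZSERVER` is assumed; narrow `any` to the networks the server really needs to reach before using it.

```cisco
! --- Inbound path (from the original post): publish private-ip as public-ip
! --- on OUTSIDE and admit TCP/55005 from the Internet to it.
static (dmzSERVER,OUTSIDE) public-ip private-ip netmask 255.255.255.255
access-list FR_OUTSIDE extended permit tcp any host public-ip eq 55005
access-group FR_OUTSIDE in interface OUTSIDE

! --- Reply's point: on the FWSM, traffic *initiated* on the higher-security
! --- dmzSERVER interface is dropped unless an ACL on dmzSERVER permits it,
! --- so any connection the server opens itself (e.g. towards an external
! --- authentication or licensing service) needs an explicit permit here.
! --- Return packets of the inbound TCP/55005 session are matched by the
! --- connection table and do not depend on this ACL.
! --- ACL name FR_DMZSERVER and the 'any' destination are assumptions.
access-list FR_DMZSERVER extended permit tcp host private-ip any
access-group FR_DMZSERVER in interface dmzSERVER

! --- Optional, as tried in the original post: HTTP inspection on the
! --- non-standard port. The failure happened before this was added, so it
! --- is a troubleshooting aid, not the fix.
class-map HTTP
  match port tcp eq 55005
policy-map HTTP
  class HTTP
    inspect http
service-policy HTTP interface OUTSIDE

! --- Exec-mode checks (not configuration) while a login attempt is made:
! ---   show access-list FR_DMZSERVER   -> hit counts on the new permit line
! ---   show conn | include 55005       -> the inbound session and any
! ---                                      server-initiated connections
! ---   show xlate | include private-ip -> the static translation is in use
! --- A server-initiated connection that only appears after adding
! --- FR_DMZSERVER points at the problem the reply describes.
```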
