Cisco Support Community
Static NAT and ACL - mail access on port 443

I have to access an MS CAS client server for remote mail access.

I NATted the CAS from DMZ 172.30.1.32 to 172.26.1.32, and did the same for the mail server on the inside.

From the routers, I can ping both servers' NATted addresses (172.26.1.32 & .102).

Connected to the outside of the FW, in a switchport of the ADSL, I can ping the servers from a PC on port 443, but the page doesn't load in the browser.

Note that both the anti-X and IPS modules are off.

Below is the relevant part of the config and most of the topology. In a few recent postings I noticed comments about ports 80 and 443 playing funny from one zone to the other. Despite doing a 1-to-1 NAT, I wonder if a static policy NAT can get the users to connect from home.

interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 172.26.1.2 255.255.255.0
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 172.28.1.1 255.255.255.0
!
interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 172.30.1.25 255.255.255.0
!......
access-list outside extended permit tcp any host 172.26.1.32 eq https
access-list outside extended permit ip any any
access-list outside extended permit ip any host 172.26.1.32
static (inside,outside) 172.26.1.102 10.50.1.102 netmask 255.255.255.255
static (dmz,outside) 172.26.1.32 172.30.1.32 netmask 255.255.255.255
access-group outside in interface outside
access-group inside in interface inside
access-group dmz in interface dmz
route outside 0.0.0.0 0.0.0.0 172.26.1.1

Rgds, Ravi

1 ACCEPTED SOLUTION

Re: Static NAT and ACL - mail access on port 443

Hi ..

So are you saying that when you connect to the outside of the firewall you can actually telnet X.X.X.X 443, where X.X.X.X is the public IP address of the server(s), and receive a scrambled web page after typing the GET command, correct? If that is the case, then I am assuming that you have already tested the web browser with the IP address instead of the hostname (just to rule out name-resolution issues), correct? I am also assuming that the servers know how to route back to the Internet, correct? Then I suggest trying to disable HTTP inspection on the firewalls and testing it again.

Please rate helpful posts!

4 REPLIES


Re: Static NAT and ACL - mail access on port 443

I didn't test with the servers' names. I only pinged the IP address using port 443. Behind both the ADSL and the C1841 Frame-Relay router I'm not using public IPs. I NAT them again (this time with the public IP) on the Frame router.

Is the 'http inspect' still the cause? Because when I tested by connecting the server directly to the Frame router, it worked. Names are resolved OK on the Internet, but that involved only one static NAT. It seems like I'm missing something on the ASA. But I'll try removing http inspect.


Re: Static NAT and ACL - mail access on port 443

Actually, it was an implicit deny on the transparent FW. As soon as an access for port 443 is added, it comes through OK.
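Both the posted ACL and the resolution above turn on how an ASA interface ACL is evaluated: top-down, first match wins, and a packet that matches no line hits the implicit deny at the end. In the posted ACL the `permit ip any any` on the second line also makes the third line unreachable and opens every port on both servers, so the `eq https` line is doing no work. The following is an added example, written here and not code from the thread or from Cisco: a small Python evaluator that parses the three posted `access-list outside` lines and a constructed ACL standing in for the transparent firewall whose implicit deny turned out to be the cause (that device's config is not in the thread; the `edge` ACL lines and the 203.0.113.9 client address are assumptions).

```python
"""First-match evaluator for the subset of Cisco ASA extended-ACL syntax used
in the thread (added illustration, not code from the thread or from Cisco).
Handles any / host A / A MASK sources and destinations, ip/tcp/udp/icmp and an
optional 'eq PORT'; everything else is out of scope."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

PORT_NAMES = {"https": 443, "http": 80, "www": 80, "smtp": 25, "ssh": 22}


@dataclass
class Ace:
    action: str                     # 'permit' or 'deny'
    proto: str                      # 'ip' matches every protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]            # None means any destination port
    text: str


def _parse_addr(tokens, i):
    """Consume one address spec at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # ASA writes 'A.B.C.D M.M.M.M' with a normal mask, not a wildcard mask
    return ipaddress.ip_network((tokens[i], tokens[i + 1]), strict=False), i + 2


def parse_ace(line):
    # access-list NAME extended ACTION PROTO SRC DST [eq PORT]
    t = line.split()
    if t[:1] != ["access-list"] or t[2] != "extended":
        raise ValueError(f"unsupported line: {line}")
    action, proto = t[3], t[4]
    src, i = _parse_addr(t, 5)
    dst, i = _parse_addr(t, i)
    dport = None
    if i < len(t) and t[i] == "eq":
        dport = int(t[i + 1]) if t[i + 1].isdigit() else PORT_NAMES[t[i + 1]]
    return Ace(action, proto, src, dst, dport, line)


def parse_acl(config_text, name):
    """ACEs of access-list NAME in configured (i.e. evaluation) order."""
    return [parse_ace(l.strip()) for l in config_text.splitlines()
            if l.strip().startswith(f"access-list {name} ")]


def _matches(ace, proto, src, dst, dport):
    if ace.proto not in ("ip", proto):
        return False
    if ipaddress.ip_address(src) not in ace.src or ipaddress.ip_address(dst) not in ace.dst:
        return False
    return ace.dport is None or ace.dport == dport


def evaluate(aces, proto, src, dst, dport=None):
    """Return (action, index of the matching ACE); no match is the implicit deny."""
    for idx, ace in enumerate(aces):
        if _matches(ace, proto, src, dst, dport):
            return ace.action, idx
    return "deny", None


def _covers(a, b):
    """True if ACE a matches every packet that ACE b matches."""
    return (a.proto in ("ip", b.proto) and b.src.subnet_of(a.src)
            and b.dst.subnet_of(a.dst) and (a.dport is None or a.dport == b.dport))


def shadowed(aces):
    """Indexes of ACEs that can never be hit because an earlier ACE covers them."""
    return [j for j in range(len(aces)) if any(_covers(aces[i], aces[j]) for i in range(j))]


# The three lines as posted in the thread.
POSTED_OUTSIDE_ACL = """
access-list outside extended permit tcp any host 172.26.1.32 eq https
access-list outside extended permit ip any any
access-list outside extended permit ip any host 172.26.1.32
"""
# Constructed stand-in for the transparent firewall (not shown in the thread):
# before the fix only ICMP is permitted, so HTTPS falls through to implicit deny.
EDGE_BEFORE = "access-list edge extended permit icmp any host 172.26.1.32\n"
EDGE_AFTER = EDGE_BEFORE + "access-list edge extended permit tcp any host 172.26.1.32 eq https\n"
CLIENT = "203.0.113.9"  # assumed remote user address


def demo():
    outside = parse_acl(POSTED_OUTSIDE_ACL, "outside")
    print("posted ACL, HTTPS to CAS:", evaluate(outside, "tcp", CLIENT, "172.26.1.32", 443))
    print("posted ACL, SSH to mail host:", evaluate(outside, "tcp", CLIENT, "172.26.1.102", 22))
    print("unreachable ACEs:", [outside[j].text for j in shadowed(outside)])
    for label, text in (("before", EDGE_BEFORE), ("after", EDGE_AFTER)):
        acl = parse_acl(text, "edge")
        print(f"edge {label}: ping", evaluate(acl, "icmp", CLIENT, "172.26.1.32"),
              "https", evaluate(acl, "tcp", CLIENT, "172.26.1.32", 443))


if __name__ == "__main__":
    demo()
```

Run it and the `outside` ACL permits SSH to the mail server through the `permit ip any any` line and reports the third line as unreachable; the constructed `edge` ACL permits ping but denies HTTPS until the 443 permit is added, which is the symptom and fix described in the thread.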


Re: Static NAT and ACL - mail access on port 443

ok
