New Member

That's it: too stupid to configure port forwarding on IOS FW DMZ

OK, that's it. I am now 6 hours overtime in the office and I cannot get it to work.

I have this:

SG-BN001#sh zone security
zone self
  Description: System defined zone
zone out-zone
  Member Interfaces:
    GigabitEthernet0/1.1
    GigabitEthernet0/1.2
zone in-zone
  Member Interfaces:
    Tunnel0
    Tunnel1
    GigabitEthernet0/0.1
    GigabitEthernet0/0.2
    GigabitEthernet0/0.5
    Virtual-Template1
    SSLVPN-VIF0
zone dmz-zone
  Member Interfaces:
    GigabitEthernet0/0.3

I have a server in the DMZ. I want to access port 8080 and port 8443.

I can't get it to work!

I have some other servers in the DMZ working with port forwarding.

I use CCP -> I create a rule on the OUT to DMZ zone.

I use an object group, add this server, create custom ports for it, add them and... no, it isn't working!

Even when I allow IP for ALL DMZ machines, I can only connect to port 8080. I could never connect to the second port at the same time.

Is it me? Am I too stupid?

Using 2800x with 12.4

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Re: That's it: too stupid to configure port forwarding on IOS FW

Are you sure this works internally? Meaning, if you load the page from the inside or on a computer on the DMZ, does it work? I just want to make sure that the DMZ host is listening on these ports.

http://x.x.xx:8443

http://x.x.xx:8081

http://x.x.xx:8082

-KS
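The check suggested in this answer, written out as an added example that is not part of the original thread: run the same TCP probe once from a host on the DMZ segment and once from outside, then compare the two results per port. The function names `probe`, `scan` and `verdict` are hypothetical, and the demo at the bottom uses constructed listeners on loopback so it runs offline.

```python
import socket

PORTS = (8080, 8443, 8081, 8082)  # the ports tried in the thread

def probe(host, port, timeout=2.0):
    """Return 'open', 'refused', 'filtered' or 'error' for one TCP connect."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"        # three-way handshake completed
    except ConnectionRefusedError:
        return "refused"         # something answered with a RST
    except socket.timeout:
        return "filtered"        # no answer at all: dropped on the way
    except OSError:
        return "error"           # e.g. no route or ICMP unreachable

def scan(host, ports=PORTS, timeout=2.0):
    """Probe every port and return {port: state}."""
    return {port: probe(host, port, timeout) for port in ports}

def verdict(from_dmz, from_outside):
    """Combine one port's state as seen from the DMZ and from outside."""
    if from_dmz != "open":
        return "server"          # not reachable even on its own segment
    if from_outside == "open":
        return "ok"
    return "path"                # service is up: look at NAT, zone policy, ACLs

if __name__ == "__main__":
    # Constructed demo: one listening and one closed port on loopback.
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    up = listener.getsockname()[1]
    spare = socket.socket()
    spare.bind(("127.0.0.1", 0))
    down = spare.getsockname()[1]
    spare.close()                # released, so connects get a RST
    seen = scan("127.0.0.1", (up, down), timeout=1.0)
    for port, state in seen.items():
        # Pretend the outside vantage point saw a silent drop on every port.
        print(port, state, verdict(state, "filtered"))
    listener.close()
```

A port that is `open` from the DMZ but `filtered` from outside points at the router, while `refused` from the DMZ means the server itself is not listening there.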

7 REPLIES
Cisco Employee

Re: That's it: too stupid to configure port forwarding on IOS FW

Does your NAT config look OK for port 8443 to this server in the DMZ?

Unfortunately, the section of the config that you posted is not enough to find out what might be going on.

Issue

conf t

ip inspect log drop

then try the connection and see what the logs say.

-KS

New Member

Re: That's it: too stupid to configure port forwarding on IOS FW

Hmm, I did, but my connection doesn't show up.

Well, I just added IP to inspect ANY ANY on the OUT - TO - DMZ zone.

Then 8080 is working, but 8443 is not.

I can't understand this.

My DMZ interfaces are NAT INSIDE, but removing NAT doesn't change anything.

Cisco Employee

Re: That's it: too stupid to configure port forwarding on IOS FW

what does your "sh run | i nat" output look like?

Do you have translation for 8443?

-KS

New Member

Re: That's it: too stupid to configure port forwarding on IOS FW

Some screenshots... I am totally lost.

New Member

Re: That's it: too stupid to configure port forwarding on IOS FW

No translation. Also, when I try 8081, 8082 etc., this is ALSO not working!

8080 is the only one that works...

:-/

New Member

Re: That's it: too stupid to configure port forwarding on IOS FW

Well, thanks for your help kusan..... actually I fixed it.

The problem was, I think, that there was no access-group on the interfaces.

I made access lists ip any any and applied them to the interfaces.

AFTER THAT everything worked like I configured it in CCP.

I have no idea why... but now it's working!
