Cisco Support Community
Community Member

NAT problems and port 443 for banking on line on a Cisco 2620XM

Hi

A user on the LAN (172.16.0.0) is trying to do on-line banking (I'm assuming HTTPS, port 443). The user is able to access the internet, but when he enters secure login credentials at the secure website, they eventually time out. I created two access-lists: access-list 7 is used by dynamic NAT to NAT all the users on the LAN side to the one public IP address available (195.122.25.17). Access-list 100 is used to define the interesting traffic that will bring up the ISDN BRI 1/2 interface to dial out to the internet/ISP. It is set to permit any traffic (i.e. during the time range specified). If anyone can spot a problem with the configuration I would appreciate it. I am trying to figure out if it's the router that is stopping the replies coming back.

The static NAT entry NATs the email server to the same public IP address (i.e. 195.122.25.17) on port 25 for SMTP mail. I'm wondering if the NAT is causing the problem or if the access-lists are conflicting in some way.

The configuration is below:

isdn switch-type basic-net3
!
interface FastEthernet0/0
 ip address 172.16.10.1 255.255.255.0
 no ip proxy-arp
 ip nat inside
 duplex auto
 speed auto
 no cdp enable
!
interface BRI1/2
 no ip address
 encapsulation ppp
 dialer pool-member 2
 isdn switch-type basic-net3
 no cdp enable
 ppp multilink
!
interface Dialer2
 ip address negotiated
 ip nat outside
 encapsulation ppp
 dialer pool 2
 dialer idle-timeout 300
 dialer string 1890 110 110
 dialer hold-queue 10
 dialer load-threshold 165 outbound
 dialer-group 1
 no cdp enable
 ppp authentication chap pap callin
 ppp chap hostname letmeout
 ppp chap password letmeout
!
ip nat inside source list 7 interface Dialer2 overload
ip nat inside source static tcp 172.16.10.2 25 195.122.25.17 25 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer2
no ip http server
ip pim bidir-enable
!
access-list 7 permit 172.16.0.0 0.0.255.255
access-list 100 permit ip any any time-range WORKINGDAY
dialer-list 1 protocol ip list 100
no cdp run
!
time-range WORKINGDAY
 periodic weekend 9:00 to 17:00
 periodic weekdays 8:00 to 19:00

Thanks again,

Gerry
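The two access-lists in the posted config act at different stages: list 100 (through dialer-list 1 and time-range WORKINGDAY) only decides whether a packet is "interesting" enough to bring up or keep up the BRI, while list 7 only decides which source addresses are overloaded onto the Dialer2 address; the static entry is consulted for inbound port 25 before the dynamic table. The following Python model walks one HTTPS flow through those three pieces, both outbound and for the reply, and reports where it would stop. It is an added example, not Cisco code and not from this thread; the LAN host 172.16.10.5, the bank address 203.0.113.10, the starting PAT port 1024, the inclusive handling of the time-range bounds and the assumption that Dialer2 negotiates 195.122.25.17 are all constructed for the illustration.

```python
"""Model of the posted router config for one TCP flow (added example).

Modelled from the config in the post:
  access-list 100 permit ip any any time-range WORKINGDAY  -> dialer-list 1
  access-list 7 permit 172.16.0.0 0.0.255.255             -> ip nat inside source list 7 ... overload
  ip nat inside source static tcp 172.16.10.2 25 195.122.25.17 25 extendable
Sample hosts and ports are constructed, not from the thread.
"""
from dataclasses import dataclass, replace
from datetime import datetime
import ipaddress

DIALER2_ADDR = "195.122.25.17"  # assumption: address negotiated on Dialer2

# access-list 7 permit 172.16.0.0 0.0.255.255 (IOS wildcard 0.0.255.255 == /16)
NAT_INSIDE_NETS = [ipaddress.ip_network("172.16.0.0/16")]

# static port-25 entry: (global addr, global port) -> (inside local addr, port)
STATIC_TCP = {(DIALER2_ADDR, 25): ("172.16.10.2", 25)}

# time-range WORKINGDAY: weekdays 8:00-19:00, weekend 9:00-17:00
WORKINGDAY = {"weekdays": ((8, 0), (19, 0)), "weekend": ((9, 0), (17, 0))}


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def in_workingday(when: datetime) -> bool:
    """True while time-range WORKINGDAY is active (bounds treated as inclusive here)."""
    key = "weekdays" if when.weekday() < 5 else "weekend"
    (sh, sm), (eh, em) = WORKINGDAY[key]
    now = when.hour * 60 + when.minute
    return sh * 60 + sm <= now <= eh * 60 + em


def interesting(when: datetime) -> bool:
    """dialer-list 1 -> access-list 100: every packet matches, but only while the range is active."""
    return in_workingday(when)


class Router:
    def __init__(self, link_up: bool = False):
        self.link_up = link_up
        self.dynamic = {}      # (inside src, sport, outside dst, dport) -> global port
        self.next_port = 1024  # constructed starting port for the overload table

    def outbound(self, pkt: Packet, when: datetime):
        """Packet from Fa0/0 (ip nat inside) leaving via Dialer2 (ip nat outside)."""
        if not self.link_up:
            if not interesting(when):
                return None, "dropped: link down and ACL 100 inactive, dialer will not dial"
            self.link_up = True  # interesting traffic brings the BRI up
        if not any(ipaddress.ip_address(pkt.src) in net for net in NAT_INSIDE_NETS):
            # Not matched by list 7: IOS forwards it untranslated with its private source.
            return pkt, "forwarded untranslated: source not in access-list 7"
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key not in self.dynamic:
            self.dynamic[key] = self.next_port
            self.next_port += 1
        return replace(pkt, src=DIALER2_ADDR, sport=self.dynamic[key]), "translated by list 7 overload"

    def inbound(self, pkt: Packet):
        """Reply arriving on Dialer2 addressed to the router's public address."""
        if pkt.dst != DIALER2_ADDR:
            return None, "not addressed to the Dialer2 address"
        if pkt.proto == "tcp" and (pkt.dst, pkt.dport) in STATIC_TCP:  # static entries win
            local, lport = STATIC_TCP[(pkt.dst, pkt.dport)]
            return replace(pkt, dst=local, dport=lport), "static port-25 entry"
        for (src, sport, dst, dport), gport in self.dynamic.items():
            # Overload entries are extended: outside host and port must match as well.
            if (pkt.src, pkt.sport, pkt.dport) == (dst, dport, gport):
                return replace(pkt, dst=src, dport=sport), "dynamic overload entry"
        return None, "no translation: packet terminates on the router, never reaches the LAN"


def trace_https_flow(when: datetime) -> dict:
    """Send one HTTPS SYN from a LAN host and feed its SYN/ACK back through the router."""
    router = Router()
    syn = Packet("tcp", "172.16.10.5", 40000, "203.0.113.10", 443)  # constructed hosts
    out, why_out = router.outbound(syn, when)
    result = {"outbound": why_out, "inbound": None, "delivered_to": None}
    if out is not None:
        synack = Packet("tcp", out.dst, out.dport, out.src, out.sport)
        back, why_in = router.inbound(synack)
        result["inbound"] = why_in
        result["delivered_to"] = (back.dst, back.dport) if back else None
    return result


if __name__ == "__main__":
    for t in (datetime(2024, 1, 10, 10, 30), datetime(2024, 1, 10, 22, 0)):
        print(t.strftime("%a %H:%M"), trace_https_flow(t))
```

During the active time range the flow is translated on the way out and the reply maps back to the inside host and port, so neither access-list blocks port 443; the model also shows the one thing the config does gate: a new session started outside WORKINGDAY cannot bring the link up at all.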

1 REPLY
Bronze

Re: NAT problems and port 443 for banking on line on a Cisco 262

The NAT config looks OK; I would suggest running some debugs to determine why the connection is failing. Create an ACL between one of your hosts and the IP address you are trying to connect to. Then run a "debug ip packet 100 detail". You may want to schedule a maintenance window to run the debug so that it does not affect the rest of your network. Be sure to disable fast switching when you run the debug so you can see all the packets.
