Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Opening http port on Cisco router and ASA 5505

Hallo,

I have a cisco router and ASA. The internet link connects to the router first and then  to firewall. I have two internal web servers one of them is HTTPS and one is http. 192.168.11.112 is my HTTPS email server and currently it can be accessed from outside. I have another web application that i want also to be accessed fro outside but i am having challenges. internally it is accessed like : 192.168.11.7:86/application. 

My router Configs are :

 

Router Configs

Router_HQ #sh run

Building configuration...

interface GigabitEthernet0/0

 description HQ_LAN

 ip address 10.1.1.1 255.255.255.248

 ip nat inside

 ip virtual-reassembly

 duplex auto

 speed auto

interface GigabitEthernet0/1

 description LINK TO ISP

 ip address 61.239.128.122 255.255.255.252

 ip nat outside

 ip virtual-reassembly

 duplex auto

 speed auto

 crypto map VPN

ip forward-protocol nd

!

no ip http server

ip http authentication local

no ip http secure-server

ip http timeout-policy idle 60 life 86400 requests 10000

!

ip nat inside source static tcp 192.168.11.112 25 61.239.128.122 25 extendable

ip nat inside source static tcp 192.168.11.112 110 61.239.128.122 110 extendable

ip nat inside source static tcp 192.168.11.112 443 61.239.128.122 443 extendable

ip nat inside source static tcp 192.168.11.112 587 61.239.128.122 587 extendable

ip route 0.0.0.0 0.0.0.0 61.239.128.121

ip route 192.168.11.0 255.255.255.0 10.1.1.2 name HQ_Firewall

!

ip access-list extended INTERNET

 deny   ip 192.168.11.0 0.0.0.255 192.168.12.0 0.0.0.255

 deny   ip 192.168.11.0 0.0.0.255 192.16811.0.0 0.0.0.255

 permit ip 192.168.11.0 0.0.0.255 any

ip access-list extended Vic

 permit ip 192.168.11.0 0.0.0.255 192.168.12.0 0.0.0.255

ip access-list extended RMcc_TUNNEL

 permit ip 192.168.199.0 0.0.0.255 192.168.10.0 0.0.0.255

!

access-list 111 permit ip 192.168.11.0 0.0.0.255 192.168.10.0 0.0.0.255

route-map INTERNET permit 10

 match ip address INTERNET

 

ASA firewall:

HQ_Firewall# sh run

ASA Version 7.2(3)

!

interface Vlan1

 nameif inside

 security-level 100

 ip address 192.168.11.2 255.255.255.0

!

interface Vlan2

 nameif outside

 security-level 0

 ip address 10.1.1.2 255.255.255.248

!

interface Ethernet0/0

 switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

access-list mail extended permit tcp any host 192.168.11.112 eq smtp

access-list mail extended permit tcp any host 192.168.11.112 eq pop3

access-list mail extended permit tcp any host 192.168.11.112 eq 3000

access-list mail extended permit ip 192.168.10.0 255.255.255.0 192.168.11.0 255.25                                                                                                                     5.255.0

access-list mail extended permit ip 192.168.12.0 255.255.255.0 192.168.11.0 255.25                                                                                                                     5.255.0

access-list mail extended permit tcp any host 192.168.11.112 eq https

pager lines 24

logging asdm informational

mtu inside 1500

mtu outside 1500

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-523.bin

no asdm history enable

arp timeout 14400

global (outside) 1 interface

access-group mail in interface outside

route outside 0.0.0.0 0.0.0.0 10.1.1.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

aaa authentication ssh console LOCAL

aaa authentication enable console LOCAL

aaa authentication http console LOCAL

http server enable 444

http 0.0.0.0 0.0.0.0 outside

http 0.0.0.0 0.0.0.0 inside

no snmp-server location

no snmp-server contact

telnet timeout 5

ssh 192.168.11.0 255.255.255.0 inside

ssh 10.1.1.1 255.255.255.255 outside

ssh timeout 30

ssh version 2

console timeout 0

 

!

class-map inspection_default

 match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

 parameters

  message-length maximum 512

policy-map global_policy

 class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny

  inspect sunrpc

  inspect xdmcp

  inspect sip

  inspect netbios

  inspect tftp

  inspect icmp

  • WAN Routing and Switching
Everyone's tags (1)
1 REPLY
Bronze

OK so if you access it via

OK so if you access it via http://192.168.11.7:86/application, then the web service is running on port 86 rather than the standard 80.

So you need a add a NAT to your router:

ip nat inside source static tcp 192.168.11.7 86 61.239.128.122 86 extendable

The allow it through the firewall:

access-list mail extended permit tcp any host 192.168.11.7 eq 86

 

Just out of interest is there a reason you have both the router and firewall? In the above configuration the firewall really isn't doing much!

If your internet connection is presented via Ethernet which it would appear to be then I would remove the router altogether and just use your ASA for termination and NAT etc etc.

Hope that helps!

Matty

2
Views
0
Helpful
1
Replies