07-11-2006 12:20 PM - edited 03-03-2019 01:18 PM
Hello,
I have a little problem.
I have an Internet router with three interfaces: an Ethernet, a serial, and an ADSL.
Because my provider doesn't give a fixed public IP address with ADSL, but only with a leased line,
I've created a policy map to send and receive all SMTP traffic via the serial (public IP address to my mail server) and any other traffic via the ADSL.
Everything works fine.
But now I need to grant access to an internal HTTPS server from the Internet.
So I created a static NAT for the HTTPS server and granted access in my firewall.
When I connect to the HTTPS server (the connection is from the Internet to the serial, which has the fixed public address), I don't receive the response; I can see the connection on the HTTPS server. So the return packets are lost (maybe they are being sent to the ADSL interface because of the policy map).
The interesting thing is: if I am connecting from a known Internet address, and I create a route in the router to send all traffic to this address via the serial interface, it works fine!!
So my problem is: when an Internet client opens an HTTPS session to the server, how can I configure the router to route packets from the internal server to the Internet via the serial and not the ADSL?
Thanks for any help
!
version 12.2
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug uptime
service timestamps log uptime
service password-encryption
service sequence-numbers
!
hostname Internet_router
!
enable secret # ######################
enable password ######################
!
ip subnet-zero
!
!
ip tcp synwait-time 10
!
no ip bootp server
!
!
!
!
!
!
!
fax interface-type fax-mail
mta receive maximum-recipients 0
!
!
!
!
interface ATM0/0
bandwidth 1544
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
no atm ilmi-keepalive
pvc 8/35
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
dsl operating-mode auto
no fair-queue
!
interface FastEthernet0/0
ip address aaa.aaa.aaa.aaa (private address)
duplex auto
speed auto
no cdp enable
shutdown
!
interface Serial0/0
ip address bbb.bbb.bbb.bbb (fixed public address)
ip access-group 102 in
encapsulation ppp
no cdp enable
!
interface FastEthernet0/1
ip address ccc.ccc.ccc.ccc (fixed public address)
ip nat inside
ip policy route-map route-smtp
speed auto
full-duplex
no cdp enable
!
interface Dialer1
bandwidth 1544
ip address negotiated
ip access-group 102 in
ip nat outside
encapsulation ppp
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap pap callin
ppp chap hostname ###########
ppp chap password ######################
ppp pap sent-username ######## password ###################
!
ip nat inside source list 103 interface Dialer1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 0.0.0.0 0.0.0.0 Serial0/0 50
ip route ############################################
ip route w.x.y.z 255.255.255.0 Serial0/0 (here is the route I've created for a web client with the public address w.x.y.z)
no ip http server
ip pim bidir-enable
!
!
logging facility local2
logging ######################
access-list 102 deny tcp any any eq telnet
access-list 102 permit tcp any any
access-list 102 permit ip any any
access-list 103 permit ip host ############### any
access-list 104 permit tcp host ############## any eq smtp
dialer-list 1 protocol ip permit
no cdp run
!
route-map route-smtp permit 10
match ip address 104
set interface Serial0/0
set ip next-hop ###################
!
call rsvp-sync
!
!
mgcp profile default
!
dial-peer cor custom
!
!
!
!
line con 0
line aux 0
line vty 0 4
password ?#?############
login
!
!
end
Solved! Go to Solution.
07-30-2006 08:02 AM
Try removing the set interface command from the route-map and leave the set ip next-hop by itself along with the match 104.
You can also try turning debug on 104 ACL and see why the HTTPS traffic is not working.
On the route-map you are only matching for HTTPS traffic while in the ip route, all traffic is valid. Perhaps the server is using other protocols to negotiate this connection. As a test, include all ports in the 104 ACL and try again.
08-01-2006 02:08 PM
I believe the above access list should be corrected to:
access-list 104 permit tcp host ############## eq https any
Because your server sends packets from the HTTPS port, not to it.
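The two replies above (the accepted one, which suggests debugging ACL 104 to see why HTTPS traffic never hits the route-map, and this one, which moves the "eq https" keyword to the source side) come down to one question: which direction of the flow does ACL 104 actually match on the interface where the policy is applied? Here is an added worked example, not part of the original thread and not Cisco's code, that parses IOS-style extended ACL lines and evaluates them against sample packets. The server and client addresses, the ephemeral ports and the packets are constructed documentation values, not the poster's real ones; only the ACL syntax and the route-map match semantics are taken from the thread.

```python
"""
Added example (not from the original thread): evaluate IOS-style extended
ACL entries against sample packets to show why the side on which
"eq https" appears decides whether a PBR route-map sees the HTTPS
server's reply traffic. Addresses and ports are constructed values.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Well-known names IOS accepts in place of port numbers (subset).
PORT_NAMES = {"https": 443, "www": 80, "smtp": 25, "telnet": 23}


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp", "udp", ...
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Entry:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches every protocol
    src: ipaddress.IPv4Network
    sport: Optional[int]         # None means any port
    dst: ipaddress.IPv4Network
    dport: Optional[int]


def _port(token: str) -> int:
    return PORT_NAMES.get(token) or int(token)


def _addr(tokens, i):
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD' starting at index i."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    wildcard = int(ipaddress.ip_address(tokens[i + 1]))
    netmask = str(ipaddress.ip_address(0xFFFFFFFF ^ wildcard))  # invert wildcard
    return ipaddress.ip_network((tokens[i], netmask), strict=False), i + 2


def _port_spec(tokens, i):
    """Parse an optional 'eq <port>' at index i."""
    if i < len(tokens) and tokens[i] == "eq":
        return _port(tokens[i + 1]), i + 2
    return None, i


def parse_acl(text: str) -> list:
    """Parse 'access-list N permit|deny PROTO SRC [eq P] DST [eq P]' lines."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0] != "access-list":
            continue
        action, proto = tokens[2], tokens[3]
        src, i = _addr(tokens, 4)
        sport, i = _port_spec(tokens, i)
        dst, i = _addr(tokens, i)
        dport, _ = _port_spec(tokens, i)
        entries.append(Entry(action, proto, src, sport, dst, dport))
    return entries


def _hit(e: Entry, p: Packet) -> bool:
    return (
        e.proto in ("ip", p.proto)
        and ipaddress.ip_address(p.src) in e.src
        and ipaddress.ip_address(p.dst) in e.dst
        and e.sport in (None, p.sport)
        and e.dport in (None, p.dport)
    )


def pbr_matches(acl_text: str, pkt: Packet) -> bool:
    """True when the first matching entry permits the packet; that is what
    makes the route-map's 'set ip next-hop' apply. No match falls through
    to the implicit deny, i.e. the packet takes the normal routing table."""
    for e in parse_acl(acl_text):
        if _hit(e, pkt):
            return e.action == "permit"
    return False


SERVER = "192.0.2.10"     # constructed: the internal HTTPS/proxy server
CLIENT = "198.51.100.7"   # constructed: a client somewhere on the Internet

# ACL 104 as posted: matches traffic *to* port 443 (server acting as client).
ACL_AS_POSTED = f"access-list 104 permit tcp host {SERVER} any eq https"
# ACL 104 as corrected in the thread: matches traffic *from* port 443,
# which is what the server sends back through the inside interface.
ACL_CORRECTED = f"access-list 104 permit tcp host {SERVER} eq https any"

# Reply from the server to the Internet client, as seen entering the
# inside interface where "ip policy route-map" is applied.
SERVER_REPLY = Packet("tcp", SERVER, 443, CLIENT, 51514)
# The server itself opening an outbound HTTPS session (proxy use).
SERVER_AS_CLIENT = Packet("tcp", SERVER, 51515, CLIENT, 443)

if __name__ == "__main__":
    for name, acl in (("as posted", ACL_AS_POSTED), ("corrected", ACL_CORRECTED)):
        print(f"{name}: reply matched={pbr_matches(acl, SERVER_REPLY)}, "
              f"outbound matched={pbr_matches(acl, SERVER_AS_CLIENT)}")
```

Run it and the "as posted" ACL never matches the server's reply, so those packets fall through to the default route on Dialer1 (the asymmetric path the original post describes), while the corrected ACL matches them and the route-map can steer them to the serial next hop. This is also what `show access-lists 104` would reveal on the box: the counter on the `any eq https` line stays at zero for inbound sessions.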
07-11-2006 06:50 PM
You need to include the HTTPS server in the 104 ACL.
Something like:
access-list 104 permit tcp host ############## any eq https
07-21-2006 12:25 PM
Hello
No, it did not work with this access-list.
The problem is that when I enter an ip route for the client's Internet address to the serial, it works.
For example, I am connecting to the Internet by ADSL; if I try to connect to the internal HTTPS server it doesn't work, but if in the office router I enter an ip route for my address via interface S0/0, it works.
Any ideas?
Thanks
07-21-2006 12:34 PM
I am not sure why matching this traffic on acl 104 would not work. When you add the https to acl 104, and issue a "sh access-lists 104", do you see the counter increase for the line pertaining to https traffic?
07-21-2006 08:55 PM
PIX:
access-list acl_123 extended permit ip host HTTPServer any
static (inside,outside) Real-IP access-list acl_123
It makes the STATIC with a traffic requirement.
07-27-2006 05:53 PM
There is already a static for the HTTPS server because it is also a proxy server.
static (inside,outside) real-ip private-ip
Do I have to add the static with an access-list???