Policy-map and routing problem with an internal https server

habbas.ali
Level 1

Hello,

I have a little problem.

I have an internet router with three interfaces: an Ethernet, a serial, and an ADSL.

Because my provider doesn't give a public fixed IP address with ADSL, only with the leased line,

I've created a policy map to send and receive all SMTP traffic via the serial (public IP address to my mail server) and any other traffic via the ADSL.

Everything works fine.

But now I need to grant access to an internal https server from the Internet.

So I created a static NAT for the https server, and granted access in my firewall.

When I connect to the https server (the connection is from the Internet to the serial, which has the fixed public address), I don't receive the response; I can see the connection on the https server. So the return packets are lost (maybe they are sent to the ADSL interface because of the policy map).

The interesting thing is: if I am connecting from a known Internet address, and I create a route in the router to send all traffic for this address via the serial interface, it works fine!!

So my problem is: when an Internet client opens an https session to the server, how can I configure the router to route the packets from the internal server to the Internet via the serial and not the ADSL?

Thanks for any help

!
version 12.2
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug uptime
service timestamps log uptime
service password-encryption
service sequence-numbers
!
hostname Internet_router
!
enable secret # ######################
enable password ######################
!
ip subnet-zero
!
ip tcp synwait-time 10
!
no ip bootp server
!
fax interface-type fax-mail
mta receive maximum-recipients 0
!
interface ATM0/0
 bandwidth 1544
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 no atm ilmi-keepalive
 pvc 8/35
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
 dsl operating-mode auto
 no fair-queue
!
interface FastEthernet0/0
 ip address aaa.aaa.aaa.aaa (private address)
 duplex auto
 speed auto
 no cdp enable
 shutdown
!
interface Serial0/0
 ip address bbb.bbb.bbb.bbb (fixed public address)
 ip access-group 102 in
 encapsulation ppp
 no cdp enable
!
interface FastEthernet0/1
 ip address ccc.ccc.ccc.ccc (fixed public address)
 ip nat inside
 ip policy route-map route-smtp
 speed auto
 full-duplex
 no cdp enable
!
interface Dialer1
 bandwidth 1544
 ip address negotiated
 ip access-group 102 in
 ip nat outside
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap pap callin
 ppp chap hostname ###########
 ppp chap password ######################
 ppp pap sent-username ######## password ###################
!
ip nat inside source list 103 interface Dialer1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 0.0.0.0 0.0.0.0 Serial0/0 50
ip route ############################################
! here is the route I've created for a web client with the public address w.x.y.z
ip route w.x.y.z 255.255.255.0 Serial0/0
no ip http server
ip pim bidir-enable
!
logging facility local2
logging ######################
access-list 102 deny tcp any any eq telnet
access-list 102 permit tcp any any
access-list 102 permit ip any any
access-list 103 permit ip host ############### any
access-list 104 permit tcp host ############## any eq smtp
dialer-list 1 protocol ip permit
no cdp run
!
route-map route-smtp permit 10
 match ip address 104
 set interface Serial0/0
 set ip next-hop ###################
!
call rsvp-sync
!
mgcp profile default
!
dial-peer cor custom
!
line con 0
line aux 0
line vty 0 4
 password ?#?############
 login
!
end


7 Replies

Edison Ortiz
Hall of Fame

You need to include the https server in the 104 ACL

Something like:

access-list 104 permit tcp host ############## any eq https

Hello

No, it did not work with this access-list.

The problem is that when I enter an ip route for the client's Internet address pointing to the serial, it works.

For example, I am connecting to the Internet by ADSL; if I try to connect to the internal https server it doesn't work, but if in the office router I enter an ip route for my address to interface s0.0, it works.

Any ideas?

Thanks

I am not sure why matching this traffic on acl 104 would not work. When you add the https to acl 104, and issue a "sh access-lists 104", do you see the counter increase for the line pertaining to https traffic?

I believe above access list should be corrected to:

access-list 104 permit tcp host ############## eq https any

Because your server sends packets from the https port, not to it.
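As an added illustration that is not part of this thread, the following Python snippet mimics how `route-map route-smtp` matches ACL 104 against a packet arriving on FastEthernet0/1 (server address 192.0.2.10 and the client addresses are constructed). It shows that the server's reply packets, sourced from port 443, match `eq https any` but not `any eq https`, so only the former policy-routes them out Serial0/0 while the latter leaves them on the Dialer1 default route.

```python
# Added example (not from the thread): a small matcher for the extended ACL
# lines in this thread, showing why the PBR on FastEthernet0/1 never catches
# the HTTPS server's replies when ACL 104 says "any eq https" (destination
# port) rather than "eq https any" (source port). Addresses are constructed.
import re

PORT_NAMES = {"smtp": 25, "https": 443, "telnet": 23, "www": 80}
ACE_RE = re.compile(
    r"access-list (?P<num>\d+) (?P<action>permit|deny) (?P<proto>tcp|ip) "
    r"(?P<src>host \S+|any)(?: eq (?P<sport>\S+))? "
    r"(?P<dst>host \S+|any)(?: eq (?P<dport>\S+))?$"
)

def _port(tok):
    # 'eq' operand (name or number) -> int; None when no port was given
    if tok is None or tok.isdigit():
        return None if tok is None else int(tok)
    return PORT_NAMES[tok]  # KeyError for an unknown port name

def parse_ace(line):
    """Parse one extended ACE (host/any with optional 'eq' only) into a dict."""
    m = ACE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unsupported ACE: {line!r}")
    ace = m.groupdict()
    ace["sport"], ace["dport"] = _port(ace["sport"]), _port(ace["dport"])
    return ace

def _addr_ok(spec, addr):
    return spec == "any" or spec == f"host {addr}"

def ace_matches(ace, pkt):
    """pkt: dict with src, dst, proto ('tcp'), sport, dport."""
    if ace["proto"] != "ip" and ace["proto"] != pkt["proto"]:
        return False
    if not (_addr_ok(ace["src"], pkt["src"]) and _addr_ok(ace["dst"], pkt["dst"])):
        return False
    return all(ace[k] in (None, pkt[k]) for k in ("sport", "dport"))

def pbr_exit_interface(acl_lines, pkt, pbr_if="Serial0/0", default_if="Dialer1"):
    """Mimic 'route-map route-smtp permit 10 / match ip address 104': a packet
    permitted by the ACL is policy-routed out pbr_if; a denied or unmatched
    packet follows the routing table, whose preferred default is Dialer1."""
    for line in acl_lines:
        ace = parse_ace(line)
        if ace_matches(ace, pkt):
            return pbr_if if ace["action"] == "permit" else default_if
    return default_if
```

Running `pbr_exit_interface` with the two candidate ACL lines against a reply packet from 192.0.2.10:443 gives Dialer1 for `any eq https` and Serial0/0 for `eq https any`, which is exactly the asymmetric return path the original post describes.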

CSCO10408957
Level 1

PIX:

access-list acl_123 extended permit ip host HTTPServer any

static (inside,outside) Real-IP access-list acl_123

It makes the STATIC with a traffic requirement.

There is already a static for the https server because it is also a proxy server.

static (inside,outside) real-ip private-ip

Do I have to add the static with an access-list?

Try removing the set interface command from the route-map and leave the set ip next-hop by itself along with the match 104.

You can also try turning debug on 104 ACL and see why the HTTPS traffic is not working.

On the route-map you are only matching for HTTPS traffic while in the ip route, all traffic is valid. Perhaps the server is using other protocols to negotiate this connection. As a test, include all ports in the 104 ACL and try again.