
Port forward HTTPS on non standard port


creeping666

Technical User
Jan 21, 2009
24
NZ
Hi, I currently have an email server that:
1) Receives email using the SMTP extended protocol on port 25 from only a certain group of IP addresses.
2) Hosts web mail using the HTTPS protocol on port 443.

Device: cisco 877 (C870-ADVIPSERVICESK9-M), Version 12.4(24)T1

Current working code below:
Code:
ip nat inside source static tcp 192.168.180.2 25 interface Dialer0 25
ip nat inside source static tcp 192.168.180.2 443 interface Dialer0 443


ip access-list extended EMAIL_SERVER
 permit ip any host 192.168.180.2


object-group network SMX_EMAIL_SERVERS
 range 203.84.134.0 203.84.135.255
 range 113.197.64.0 113.197.67.255


ip access-list extended SMX_TO_EMAIL_SERVER
 permit tcp object-group SMX_EMAIL_SERVERS any eq smtp


class-map type inspect match-all EMAIL_SERVER-SMTP_TRAFFIC
 match protocol smtp extended
 match access-group name SMX_TO_EMAIL_SERVER


class-map type inspect match-all EMAIL_SERVER-WEBMAIL_TRAFFIC
 match protocol https
 match access-group name EMAIL_SERVER


class-map type inspect match-any MAIL_SERVER-TRAFFIC
 match class-map EMAIL_SERVER-SMTP_TRAFFIC
 match class-map EMAIL_SERVER-WEBMAIL_TRAFFIC


policy-map type inspect INTERNET-TO-VLAN1
 class type inspect MAIL_SERVER-TRAFFIC
  inspect

I would like to change the web mail port to the non-standard port 29001, but I cannot seem to get it to work. I have tried a few ways and I thought the test code below would be simple enough to get it to work, but it does not.

Code:
ip nat inside source static tcp 192.168.180.2 443 interface Dialer0 443


class-map type inspect match-all MAIL_SERVER-TRAFFIC
 match protocol https


policy-map type inspect INTERNET-TO-VLAN1
 class type inspect MAIL_SERVER-TRAFFIC
  inspect

Web mail can be accessed locally on the LAN via so I know it's working. Could someone point me in the right direction?

Thanks.
 
Code:
ip nat inside source static tcp 192.168.180.2 29001 interface Dialer0 443

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
Sorry, I should have mentioned I have tried that too. I cannot see any other part of the configuration that is relevant or could stop it from working.

Even if I change the code to the following it does not work.

Code:
ip nat inside source static tcp 192.168.180.2 29001 interface Dialer0 443


class-map type inspect match-all MAIL_SERVER-TRAFFIC
 match protocol tcp


policy-map type inspect INTERNET-TO-VLAN1
 class type inspect MAIL_SERVER-TRAFFIC
  inspect
 
Are you allowing the port in as well? You could have an access list somewhere.


Also, are you truly testing from the outside, or are you trying to connect from inside to your outside interface?
Not your Cisco router, but if you are connected through an ISP, that router might have issues with the request (for example, my Dlink-300 supplied through my ISP has this issue).

Aside from that, post a config and let's take a look, as the command in Unclerico's solution should do it.

We must go always forward, not backward
always up, not down and always twirling twirling towards infinity.
 
are you allowing the port in as well ? you Could have an access list somewhere
That is where I was going to go next as well...

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
Code:
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
no service dhcp
!
hostname cisco877
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
enable secret 5 XXXXXXXXXXXXXXXXXXXXXXXXXXXX
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login VPN_XAUTH_ML1 local
aaa authorization exec default local
aaa authorization network VPN_GROUP_ML1 local
!
!
aaa session-id common
clock timezone NZST 12
clock summer-time NZDT recurring last Sun Sep 2:00 1 Sun Apr 3:00
!
crypto pki trustpoint TP-self-signed-XXXXXXXXXXXXXXXXXXXXXXXXXXXX
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-XXXXXXXXXXXXXXXXXXXXXXXXXXXX
 revocation-check none
 rsakeypair TP-self-signed-XXXXXXXXXXXXXXXXXXXXXXXXXXXX
!
!
crypto pki certificate chain TP-self-signed-XXXXXXX
 certificate self-signed 01
  XXXXXXXXXXXXXXXXXXXXXXXXXXXX
        quit
dot11 syslog
no ip source-route
!
!
!
!
ip cef
no ip bootp server
ip domain name urbis.local
ip name-server 203.97.33.14
ip name-server 203.97.37.14
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
object-group network SMX_EMAIL_SERVERS
 range 203.84.134.0 203.84.135.255
 range 113.197.64.0 113.197.67.255
!
vtp domain biz-vtp-domain
vtp mode transparent
username jit privilege 15 secret 5 XXXXXXXXXXXXXXXXXXXXXXXXXXXX
!
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
!
crypto isakmp client configuration group XXXXXXXX
 key  XXXXXXXX
 dns 192.168.180.2
 domain urbis.remote
 pool EASYVPN_CLIENTS
 acl 100
 netmask 255.255.0.0
crypto isakmp profile ISAKMP_PROFILE-1
   match identity group users
   client authentication list VPN_XAUTH_ML1
   isakmp authorization list VPN_GROUP_ML1
   client configuration address respond
   virtual-template 1
!
!
crypto ipsec transform-set AES-SHA esp-aes esp-sha-hmac
!
crypto ipsec profile IPSEC_PROFILE-1
 set transform-set AES-SHA
 set isakmp-profile ISAKMP_PROFILE-1
!
!
archive
 log config
  hidekeys
!
!
!
class-map type inspect match-any INTERNET_TRAFFIC
 match protocol cuseeme
 match protocol dns
 match protocol ftp
 match protocol h323
 match protocol https
 match protocol icmp
 match protocol imap
 match protocol pop3
 match protocol netshow
 match protocol shell
 match protocol realmedia
 match protocol rtsp
 match protocol smtp extended
 match protocol sql-net
 match protocol streamworks
 match protocol tftp
 match protocol vdolive
 match protocol tcp
 match protocol udp
class-map type inspect match-any AH
 match access-group name AH
class-map type inspect match-all INVALID_SOURCE
 match access-group 101
class-map type inspect match-any ICMP
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-all HTTP
 match protocol http
class-map type inspect match-any IP
 match access-group name IP
class-map type inspect match-any ESP
 match access-group name ESP
class-map type inspect match-any EASYVPN_PROTOS
 match protocol isakmp
 match protocol ipsec-msft
 match class-map AH
 match class-map ESP
class-map type inspect match-all EMAIL-TRAFFIC
 match protocol tcp
class-map type inspect match-all EMAIL_SERVER-SMTP_TRAFFIC
 match protocol smtp extended
 match access-group name SMX_TO_EMAIL_SERVER
class-map type inspect match-all EASYVPN_TRAFFIC
 match class-map EASYVPN_PROTOS
class-map type inspect match-any VOICE
 match protocol h323
 match protocol skinny
 match protocol sip
!
!
policy-map type inspect SELF_TO_INTERNET
 class type inspect ICMP
  inspect
 class class-default
  pass
policy-map type inspect INTERNET_TO_SELF
 class type inspect EASYVPN_TRAFFIC
  pass
 class class-default
  drop
policy-map type inspect INTERNET_TO_VLAN1
 class type inspect EMAIL-TRAFFIC
  inspect
 class class-default
  drop
policy-map type inspect VLANS_TO_INTERNET
 class type inspect INVALID_SOURCE
  drop log
 class type inspect INTERNET_TRAFFIC
  inspect
 class type inspect HTTP
  inspect
 class type inspect VOICE
  inspect
 class class-default
  pass
policy-map type inspect PERMIT_IP
 class type inspect IP
  pass
 class class-default
  drop log
!
zone security INTERNET
zone security VLAN1
zone security EASYVPN
zone-pair security ZP-SELF_TO_INTERNET source self destination INTERNET
 service-policy type inspect SELF_TO_INTERNET
zone-pair security ZP-INTERNET_TO_SELF source INTERNET destination self
 service-policy type inspect INTERNET_TO_SELF
zone-pair security ZP-VLAN1_TO_INTERNET source VLAN1 destination INTERNET
 service-policy type inspect VLANS_TO_INTERNET
zone-pair security ZP-INTERNET_TO_VLAN1 source INTERNET destination VLAN1
 service-policy type inspect INTERNET_TO_VLAN1
zone-pair security ZP-VLAN1_TO_EASYVPN source VLAN1 destination EASYVPN
 service-policy type inspect PERMIT_IP
zone-pair security ZP-INTERNET_TO_EASYVPN source INTERNET destination EASYVPN
 service-policy type inspect PERMIT_IP
zone-pair security ZP-EASYVPN_TO_INTERNET source EASYVPN destination INTERNET
 service-policy type inspect PERMIT_IP
zone-pair security ZP-EASYVPN_TO_VLAN1 source EASYVPN destination VLAN1
 service-policy type inspect PERMIT_IP
!
!
!
interface Null0
 no ip unreachables
!
interface ATM0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 pvc 0/100
  pppoe-client dial-pool-number 1
 !
!
interface FastEthernet0
!
interface FastEthernet1
 shutdown
!
interface FastEthernet2
 shutdown
!
interface FastEthernet3
 shutdown
!
interface Virtual-Template1 type tunnel
 ip unnumbered Dialer0
 zone-member security EASYVPN
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC_PROFILE-1
!
interface Vlan1
 ip address 192.168.180.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 zone-member security VLAN1
 ip tcp adjust-mss 1452
!
interface Dialer0
 ip address negotiated
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1492
 ip nat outside
 ip virtual-reassembly
 zone-member security INTERNET
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication pap callin
 ppp pap sent-username  XXXXXXXX password 7  XXXXXXXX
!
ip local pool EASYVPN_CLIENTS 172.30.2.1 172.30.2.254
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
no ip http server
no ip http secure-server
!
!
ip nat inside source list NAT interface Dialer0 overload
ip nat inside source static tcp 192.168.180.2 29001 interface Dialer0 443
!
ip access-list extended AH
 permit ahp any any
ip access-list extended EMAIL_SERVER
 permit ip any host 192.168.180.2
ip access-list extended ESP
 permit esp any any
ip access-list extended IP
 permit ip any any
ip access-list extended NAT
 permit ip 192.168.180.0 0.0.0.255 any
ip access-list extended SMX_TO_EMAIL_SERVER
 permit tcp object-group SMX_EMAIL_SERVERS any eq smtp
!
access-list 100 permit ip 192.168.180.0 0.0.0.255 any
access-list 101 permit ip host 255.255.255.255 any
access-list 101 permit ip 127.0.0.0 0.255.255.255 any
no cdp run

!
!
!
!
!
control-plane
!
banner motd ^C

Unauthorized access is prohibited
Disconnect now
Or you will be terminated

^C
!
line con 0
 exec-timeout 30 0
 privilege level 15
 logging synchronous
 no modem enable
line aux 0
 exec-timeout 30 0
 privilege level 15
 logging synchronous
line vty 0 4
 exec-timeout 30 0
 privilege level 15
 logging synchronous
 transport input ssh
 transport output ssh
!
scheduler max-task-time 5000
end
 
As for the way I am testing... I connect via EasyVPN to change the configuration, then disconnect just to be sure before I test from our office, so two locations, and I am testing remotely.
 
either define port 29001 as https traffic

ip nbar port-map https tcp 29001


I suggest:

ip nbar port-map MAILSERVER [tcp | udp] 29001
class-map type inspect match-all EMAIL_SERVER-WEBMAIL_TRAFFIC
match protocol MAILSERVER

We must go always forward, not backward
always up, not down and always twirling twirling towards infinity.
 
OK, I think there is a more fundamental problem with my config. I cannot seem to get any port forwards to work at all, regardless of the port number and protocol.
I cannot even get the config below to work, which I have had working in the past, so I'm guessing the problem lies somewhere else in the config.

Code:
ip port-map user-MD-WEBMAIL port tcp 3000

ip nat inside source static tcp 192.168.180.2 3000 interface Dialer0 3000

ip access-list extended EMAIL_SERVER
 permit ip any host 192.168.180.2

class-map type inspect match-all MAIL_SERVER-TRAFFIC
 match protocol user-MD-WEBMAIL
 match access-group name EMAIL_SERVER

policy-map type inspect INTERNET_TO_VLAN1
 class type inspect MAIL_SERVER-TRAFFIC
  inspect



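The responder's port-map suggestion and the OP's port 3000 test, written out as one consistent zone-based firewall configuration (an added example, not code from the thread). It uses the firewall's port-to-application map (`ip port-map`, as in the OP's last post) rather than `ip nbar port-map`, and assumes the server address, ACL, zone-pair and policy-map names from the posted config; the protocol name user-WEBMAIL is chosen here.

```cisco
! Added example, not from the thread. Assumes the OP's server 192.168.180.2,
! the existing EMAIL_SERVER ACL, zones INTERNET/VLAN1 and the policy-map
! INTERNET_TO_VLAN1 from the posted config; user-WEBMAIL is a name chosen here.
!
! 1. Tell the firewall's port-to-application map (PAM) that TCP/29001 is the
!    webmail service. ZBF "match protocol" consults this table, so without an
!    entry "match protocol https" only recognises TCP/443.
ip port-map user-WEBMAIL port tcp 29001
!
! 2. Publish the service on the standard port: outside :443 -> inside :29001.
!    IOS applies the global-to-local translation before firewall inspection,
!    so the inspect class sees the flow on the inside port 29001, not 443.
ip nat inside source static tcp 192.168.180.2 29001 interface Dialer0 443
!
! 3. Inspect only that service and only towards the mail server (ACL from the
!    posted config); "match protocol tcp" alone would admit any NATed TCP flow.
ip access-list extended EMAIL_SERVER
 permit ip any host 192.168.180.2
!
class-map type inspect match-all EMAIL_SERVER-WEBMAIL_TRAFFIC
 match protocol user-WEBMAIL
 match access-group name EMAIL_SERVER
!
! Keep the existing EMAIL_SERVER-SMTP_TRAFFIC class in this policy-map as well.
policy-map type inspect INTERNET_TO_VLAN1
 class type inspect EMAIL_SERVER-WEBMAIL_TRAFFIC
  inspect
 class class-default
  drop log
!
! 4. Verify on the router: the PAM entry, the static translation and, after a
!    connection attempt from outside, the inspected session on the zone pair.
! show ip port-map user-WEBMAIL
! show ip nat translations | include 29001
! show policy-map type inspect zone-pair ZP-INTERNET_TO_VLAN1 sessions
```

The `drop log` on class-default means a connection that never shows up in the zone-pair sessions but does appear in the log was classified into the wrong class, which separates a firewall problem from a NAT or upstream ISP problem.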
 