
port forwarding 443 and SDM

Status: Not open for further replies.

creepingdeath

IS-IT--Management
Aug 19, 2008
4
NZ
Cisco 877 ADSL router, IOS 12.4 with the advanced IP feature set.

I need to port forward 443 and a bunch of other ports to a host in my LAN for a game.

Currently I have remote access from the outside interface to my router via port 22 (SSH) and 443 (HTTPS/SDM).

When I port forward 22 (did for testing) I lose the remote connection.

So.... is it possible for me to forward port 443 to a LAN host and still connect remotely using the SDM on port 443?

Other info:
I am using the zone-based firewall (in-zone, self, out-zone)

Thanks.

 
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname cisco877
!
boot-start-marker
boot-end-marker
!
no logging buffered
enable secret 5 $1$30.K$ZRumbeS1KpR/B5usK/2Uy1
!
no aaa new-model
!
crypto pki trustpoint TP-self-signed-362096935
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-362096935
revocation-check none
rsakeypair TP-self-signed-362096935
!
!
crypto pki certificate chain TP-self-signed-362096935
certificate self-signed 01
3082024B 308201B4 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 33363230 39363933 35301E17 0D303230 33303130 30313231
365A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F
532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3336 32303936
39333530 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100
C5111FFD CFD78E45 10CAF3D5 40B0CA72 20770EF8 7EB137C8 7948E4F1 3FD8EAE5
17F4A186 B85CF8C6 4A0B7D09 DA7B8AC4 A595FFB3 919762AC C8C9BA9B D377C1FE
2DDDC245 D4278FB3 AB41EFDA 84BD93C1 E4C1AC01 3AB0D37F 5CC1DF17 C15ED400
7C589174 E206B372 AB2610BD AEB1473D CB81813C 3C84ACCE 9D72ED4F 20AF1E63
02030100 01A37530 73300F06 03551D13 0101FF04 05300301 01FF3020 0603551D
11041930 17821563 6973636F 3837372E 63726565 70792E6C 6F63616C 301F0603
551D2304 18301680 14C88E73 5628399B A3BE3915 0263812C 5E290785 CE301D06
03551D0E 04160414 C88E7356 28399BA3 BE391502 63812C5E 290785CE 300D0609
2A864886 F70D0101 04050003 8181004E 326BFCEB 58A599F8 72CF391B 9380D51D
92F1A57A 888A85F8 15F308EE DE82A823 A99ED2BF 9FE47F99 D96C7297 3FF898E7
BC47FDB7 FDBF8EEF FB687CA1 B1566803 F3681E1C 48D99AAB B2BC1500 8CF20350
99BA06FD D40EE3CC C1CD9CEB 831D2A7A 0153DC1F B97816DA 6A2DA379 FAD8398C
68101D2E 71664A08 467D188B 05EC11
quit
dot11 syslog
no ip source-route
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 172.16.0.1 172.16.2.0
ip dhcp excluded-address 172.16.2.255 172.16.255.254
!
ip dhcp pool DHCP_LAN_CLIENTS
import all
network 172.16.0.0 255.255.0.0
default-router 172.16.0.1
domain-name creepy.local
dns-server 58.28.4.2 58.28.6.2
!
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
no ip bootp server
ip domain name creepy.local
ip name-server 58.28.4.2
ip name-server 58.28.6.2
ip ddns update method MY_DDNS
HTTP
add remove interval maximum 28 0 0 0
!
!
!
!
username user1 privilege 15 secret 5 $1$2uTO$hLhX20i9lHL9cxI1cnUb10
username user2 secret 5 $1$TDn2$5/UilthERuqItG3x.MxqI/
!
!
archive
log config
hidekeys
!
!
!
class-map type inspect match-any SDM_HTTPS
match access-group name SDM_HTTPS
class-map type inspect match-any SDM_SSH
match access-group name SDM_SSH
class-map type inspect match-any SDM_SHELL
match access-group name SDM_SHELL
class-map type inspect match-any sdm-cls-access
match class-map SDM_HTTPS
match class-map SDM_SSH
match class-map SDM_SHELL
class-map type inspect match-any sdm-cls-insp-traffic
match protocol cuseeme
match protocol dns
match protocol ftp
match protocol h323
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp extended
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all sdm-insp-traffic
match class-map sdm-cls-insp-traffic
class-map type inspect match-any SDM-Voice-permit
match protocol h323
match protocol skinny
match protocol sip
class-map type inspect match-any sdm-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-all sdm-access
match class-map sdm-cls-access
match access-group 101
class-map type inspect match-all sdm-icmp-access
match class-map sdm-cls-icmp-access
class-map type inspect match-all sdm-invalid-src
match access-group 100
class-map type inspect match-all sdm-protocol-http
match protocol http
!
!
policy-map type inspect sdm-permit-icmpreply
class type inspect sdm-icmp-access
inspect
class class-default
pass
policy-map type inspect sdm-inspect
class type inspect sdm-invalid-src
drop
class type inspect sdm-insp-traffic
inspect
class type inspect sdm-protocol-http
inspect
class type inspect SDM-Voice-permit
inspect
class class-default
pass
policy-map type inspect sdm-permit
class type inspect sdm-access
inspect
class class-default
!
zone security out-zone
zone security in-zone
zone-pair security sdm-zp-self-out source self destination out-zone
service-policy type inspect sdm-permit-icmpreply
zone-pair security sdm-zp-out-self source out-zone destination self
service-policy type inspect sdm-permit
zone-pair security sdm-zp-in-out source in-zone destination out-zone
service-policy type inspect sdm-inspect
zone-pair security ZP-out-in source out-zone destination in-zone
!
!
!
interface Null0
no ip unreachables
!
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point
no ip redirects
no ip unreachables
no ip proxy-arp
pvc 0/100
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
ip address 172.16.0.1 255.255.0.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
zone-member security in-zone
!
interface Dialer0
ip ddns update hostname creeping.gotdns.com
ip ddns update MY_DDNS host members.dyndns.org
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
zone-member security out-zone
encapsulation ppp
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication pap callin
ppp pap sent-username XXXXXXX password 7 XXXXXXX
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
!
no ip http server
ip http secure-server
ip nat inside source list NAT_LAN_ADDRESSES interface Dialer0 overload
!
ip access-list standard NAT_LAN_ADDRESSES
permit 172.16.0.0 0.0.255.255
!
ip access-list extended DENY_ALL
deny ip any any
ip access-list extended SDM_HTTPS
permit tcp any any eq 443
ip access-list extended SDM_SHELL
permit tcp any any eq cmd
ip access-list extended SDM_SSH
permit tcp any any eq 22
ip access-list extended VTY_ACCESS
permit ip 172.16.0.0 0.0.255.255 any
deny ip any any
!
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 101 permit ip any any
no cdp run
!
!
!
control-plane
!
banner motd ^C

Unauthorized access is prohibited! Disconnect now.

^C
!
line con 0
exec-timeout 30 0
logging synchronous
login local
no modem enable
line aux 0
exec-timeout 30 0
privilege level 15
logging synchronous
login local
line vty 0 4
exec-timeout 30 0
privilege level 15
logging synchronous
login local
transport input ssh
transport output ssh
!
scheduler max-task-time 5000
end
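Added example, not part of the original post and not Cisco's own material: one way to reconcile the two uses of port 443 on this router. A static NAT entry for TCP/443 rewrites the destination of every inbound 443 connection to the LAN host before the packet ever reaches the router's own HTTPS listener, so SDM becomes unreachable on that port; this is the same effect the poster saw when forwarding port 22. The way around it is to move the router's HTTPS server to a different port with `ip http secure-port`, update the self-zone ACL that the SDM_HTTPS class-map references, and then give the forwarded traffic an out-zone to in-zone policy, since the posted ZP-out-in zone-pair has no service-policy attached and therefore drops all out-zone to in-zone traffic. The LAN host 172.16.0.50, the management port 8443, and the names GAME_SERVER, CM_GAME_SERVER and PM_OUT_IN are assumptions chosen for the example.

```cisco
! Added example, not part of the posted config.
! 1. Move the router's own HTTPS (SDM) listener off 443 so the static
!    translation below can own outside port 443. 8443 is an assumed port.
ip http secure-port 8443
!
! 2. Update the self-zone ACL that the SDM_HTTPS class-map references;
!    otherwise the sdm-permit policy no longer matches management traffic.
ip access-list extended SDM_HTTPS
 no permit tcp any any eq 443
 permit tcp any any eq 8443
!
! 3. Static PAT: outside TCP/443 -> the game host on the LAN.
!    172.16.0.50 is an assumed address inside the posted 172.16.0.0/16 LAN.
!    Repeat this line once per additional port the game needs.
ip nat inside source static tcp 172.16.0.50 443 interface Dialer0 443
!
! 4. The posted ZP-out-in zone-pair has no service-policy, so out-zone ->
!    in-zone traffic is dropped. Permit only the forwarded host and port
!    and keep dropping everything else.
ip access-list extended GAME_SERVER
 permit tcp any host 172.16.0.50 eq 443
!
class-map type inspect match-all CM_GAME_SERVER
 match access-group name GAME_SERVER
!
policy-map type inspect PM_OUT_IN
 class type inspect CM_GAME_SERVER
  inspect
 class class-default
  drop
!
zone-pair security ZP-out-in source out-zone destination in-zone
 service-policy type inspect PM_OUT_IN
```

After this change SDM is reached at https://<router-address>:8443 while outside port 443 goes to the LAN host. Because the SDM_HTTPS ACL permits `any` as the source, it is worth narrowing that entry to the addresses you actually manage the router from; the forwarded port, by contrast, has to stay open to the game's peers, which is why it is confined to a single host and port in the out-zone to in-zone policy.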
 