topic Re: Procurve 7102 in Switches, Hubs, and Modems

Procurve 7102

William E Howard — Thu, 29 Apr 2010 22:03:23 GMT

I have a 7102 router as my external router, and I am running into an issue. I have it set to only allow management via SSL from the internal networks. I also have port forwarding turned on the external interface for 443 to one of my internal web servers. This works fine, except if I want to test this internally, and go to the External IP address via SSL, it is trying to log into the management instead of forwarding the ports.

This also causes problems with people using Phones on WiFi, trying to hit my Webmail server. DNS reports external IP address, but they cannot hit it because they are internal. If I change the DNS to use the internal IP of the server, it is causing a cert error.

This is probably a simple fix, but its been several months since I worked with these routers, and I don't see where I can set this security setting.

Re: Procurve 7102

Gerhard Roets — Fri, 30 Apr 2010 07:55:29 GMT

Hi William

Just an idea ... why not just change the secure management web server port number ?

ADSL-7102(config)#ip http secure-server

- Specify an alternate port for the HTTPS

HTH
Gerhard

Re: Procurve 7102

William E Howard — Fri, 30 Apr 2010 13:13:23 GMT

Great idea, tried it out, didn't work. :(
It is still not redirecting all web traffic I direct to my router.

I'll call Procurve support, see if they can solve this.

Re: Procurve 7102

William E Howard — Fri, 30 Apr 2010 14:50:52 GMT

Well, HP didn't know the answer. Said there was no way to just turn off management for the external interface.

They recommended setting up an ACL, blocking SSL traffic from hitting my external IP address, but I am afraid that will stop people from being able to browse SSL websites.

I think what I need to do is setup a static route, for all internal traffic directed to my external IP, send it to the gateway for my external IP, then let it come back.

Anyone have any thoughts or better ideas?

Re: Procurve 7102

Olaf Borowski — Fri, 30 Apr 2010 23:38:12 GMT

William,

It is all a matter of the access policy. For your port-forwarding, it is applied to the external interface meaning, when a packet is coming in from an external network, this policy gets applied. You are coming in from the inside, where a different policy is applied (probably NAT or self). You would have to modify the access policy (self or NAT) to port-forward (or route) to your 443 port instead of the router (self hits the router). Look at the output of the command "show ip policy-session" to see which policy hit when you use SSL to access your server. I suspect "self".

Olaf

Re: Procurve 7102

William E Howard — Mon, 03 May 2010 14:50:08 GMT

Olaf,

I setup a port forward on the Access Policy bound to my internal interface, now SSL traffic bound for my external IP just seems to die if I have it before my NAT policy, and doesn't do anything if it is after my NAT policy.

Doesn't show up at all in the show ip policy-sessions that I can find, whether I have port forwarding turned on or not.

Early on I tried to setup a second external IP address to segregate traffic between outgoing and incoming, but it wouldn't let me have two interfaces on the same VLAN (I require external VLAN tagging).

If I change the SSL management port, it still doesn't redirect. I have gone into my NAT settings, and told it to NOT NAT traffic that is destined for my external IP address, but still no dice.

I know it has to be possible, but I'll be damned if I can find the right combination.

Re: Procurve 7102

Gerhard Roets — Tue, 04 May 2010 06:18:44 GMT

Hi Will

Here is a snippet of my config

interface eth 0/1
ip address x.y.z.130 255.255.255.240
ip address x.y.z.131 255.255.255.240 secondary
ip address x.y.z.132 255.255.255.240 secondary
access-policy Public
.... (NOTE FOR BELOW i USE TAGGING INTERNALLY)
interface eth 0/2.1
description Production Network
vlan-id 1
no shutdown
ip address 192.168.1.254 255.255.255.0
access-policy Private

ip access-list extended Linux1
remark Port Forward MRV-1
permit tcp any host 82.94.126.131 eq ssh log
!
ip access-list extended Linux2
remark Port Forward MRV-2
permit tcp any host x.y.z.132 eq ssh log
!
....
ip policy-class Public
nat destination list Linux1 address 192.168.1.1
nat destination list Linux2 address 192.168.1.2

Seems the key here is ... That they all point to secondary addresses.

HTH

Re: Procurve 7102

William E Howard — Tue, 04 May 2010 16:11:00 GMT

I actually tried something like that early on, but the issue I ran into is that I cannot have multiple sub interfaces on the same VLAN, and I require VLAN tagging on all external interfaces.

My internet connection is setup so that, any traffic on a specific VLAN routes to the internet. If it is not on a VLAN, or on a different one, then it is routed between my sites without leaving the telco's backbone. Makes things very fast between sites, but I worked with Procurve and couldn't come up with a way to have multiple external IP addresses on the same VLAN and subnet.