Regular Advisor

Procurve 7102

I have a 7102 router as my external router, and I am running into an issue. I have it set to only allow management via SSL from the internal networks. I also have port forwarding turned on the external interface for 443 to one of my internal web servers. This works fine, except if I want to test this internally, and go to the External IP address via SSL, it is trying to log into the management instead of forwarding the ports.

This also causes problems with people using Phones on WiFi, trying to hit my Webmail server. DNS reports external IP address, but they cannot hit it because they are internal. If I change the DNS to use the internal IP of the server, it is causing a cert error.

This is probably a simple fix, but it's been several months since I worked with these routers, and I don't see where I can set this security setting.

Esteemed Contributor

Re: Procurve 7102

Hi William

Just an idea ... why not just change the secure management web server port number ?

ADSL-7102(config)#ip http secure-server

- Specify an alternate port for the HTTPS

Regular Advisor

Re: Procurve 7102

Great idea, tried it out, didn't work. :(
It is still not redirecting all web traffic I direct to my router.

I'll call Procurve support, see if they can solve this.
Regular Advisor

Re: Procurve 7102

Well, HP didn't know the answer. Said there was no way to just turn off management for the external interface.

They recommended setting up an ACL, blocking SSL traffic from hitting my external IP address, but I am afraid that will stop people from being able to browse SSL websites.

I think what I need to do is set up a static route, for all internal traffic directed to my external IP, send it to the gateway for my external IP, then let it come back.

Anyone have any thoughts or better ideas?
Respected Contributor

Re: Procurve 7102


It is all a matter of the access policy. For your port-forwarding, it is applied to the external interface meaning, when a packet is coming in from an external network, this policy gets applied. You are coming in from the inside, where a different policy is applied (probably NAT or self). You would have to modify the access policy (self or NAT) to port-forward (or route) to your 443 port instead of the router (self hits the router). Look at the output of the command "show ip policy-session" to see which policy hit when you use SSL to access your server. I suspect "self".
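The point made above (the policy class is chosen by the ingress interface, so an inside host reaching the external IP never sees the Public policy's port forward and falls through to "self") as an added illustrative model, not code from the thread or from the router's firmware; the interface names mirror the config posted later in the thread, and the addresses are constructed:

```python
# Added example (not from the thread): a minimal model of how an AOS-style router
# such as the 7102 picks a policy class by ingress interface and applies
# "nat destination" entries, to show why an inside host reaching the external
# IP lands on "self" unless the Private policy class also carries a DNAT entry.
from dataclasses import dataclass, field

ROUTER_EXTERNAL_IP = "198.51.100.10"   # constructed address for eth 0/1
WEB_SERVER = "10.0.0.20"               # constructed internal web server

@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"

@dataclass
class DnatEntry:
    """One 'nat destination list <acl> address <ip>' line (proto/dst/port ACL)."""
    proto: str
    match_dst: str
    match_port: int
    to_addr: str

@dataclass
class PolicyClass:
    name: str
    entries: list = field(default_factory=list)

def build_router(private_has_dnat: bool):
    """Interface -> policy class, as bound with 'access-policy' on each interface."""
    public = PolicyClass("Public", [DnatEntry("tcp", ROUTER_EXTERNAL_IP, 443, WEB_SERVER)])
    private = PolicyClass("Private")
    if private_has_dnat:  # the fix suggested above: forward 443 on the inside policy too
        private.entries.append(DnatEntry("tcp", ROUTER_EXTERNAL_IP, 443, WEB_SERVER))
    return {"eth 0/1": public, "eth 0/2.1": private}

def lookup(router, ingress_if, pkt):
    """Return (policy, action, final_dst): the first matching DNAT entry in the
    ingress interface's policy class rewrites the destination; a packet whose
    destination is still a router address ends up in the 'self' session."""
    policy = router[ingress_if]
    for e in policy.entries:
        if (e.proto, e.match_dst, e.match_port) == (pkt.proto, pkt.dst, pkt.dport):
            return policy.name, "nat-destination", e.to_addr
    if pkt.dst == ROUTER_EXTERNAL_IP:
        return policy.name, "self", pkt.dst   # hits management, not the server
    return policy.name, "route", pkt.dst

if __name__ == "__main__":
    inside = Packet("10.0.0.50", ROUTER_EXTERNAL_IP, 443)
    print(lookup(build_router(False), "eth 0/2.1", inside))  # ('Private', 'self', ...)
    print(lookup(build_router(True), "eth 0/2.1", inside))   # ('Private', 'nat-destination', '10.0.0.20')
```

The model ignores the return path: in a real hairpin setup the server's reply must also be steered back through the router (typically by source-translating the inside client), or the client sees an answer from an address it never contacted.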

Regular Advisor

Re: Procurve 7102


I set up a port forward on the Access Policy bound to my internal interface, now SSL traffic bound for my external IP just seems to die if I have it before my NAT policy, and doesn't do anything if it is after my NAT policy.

Doesn't show up at all in the show ip policy-sessions that I can find, whether I have port forwarding turned on or not.

Early on I tried to set up a second external IP address to segregate traffic between outgoing and incoming, but it wouldn't let me have two interfaces on the same VLAN (I require external VLAN tagging).

If I change the SSL management port, it still doesn't redirect. I have gone into my NAT settings, and told it to NOT NAT traffic that is destined for my external IP address, but still no dice.

I know it has to be possible, but I'll be damned if I can find the right combination.
Esteemed Contributor

Re: Procurve 7102

Hi Will

Here is a snippet of my config

interface eth 0/1
  ip address x.y.z.130
  ip address x.y.z.131 secondary
  ip address x.y.z.132 secondary
  access-policy Public
interface eth 0/2.1
  description Production Network
  vlan-id 1
  no shutdown
  ip address
  access-policy Private

ip access-list extended Linux1
  remark Port Forward MRV-1
  permit tcp any host eq ssh log
ip access-list extended Linux2
  remark Port Forward MRV-2
  permit tcp any host x.y.z.132 eq ssh log
ip policy-class Public
  nat destination list Linux1 address
  nat destination list Linux2 address

Seems the key here is that they all point to secondary addresses.

Regular Advisor

Re: Procurve 7102

I actually tried something like that early on, but the issue I ran into is that I cannot have multiple sub interfaces on the same VLAN, and I require VLAN tagging on all external interfaces.

My internet connection is set up so that any traffic on a specific VLAN routes to the internet. If it is not on a VLAN, or on a different one, then it is routed between my sites without leaving the telco's backbone. Makes things very fast between sites, but I worked with Procurve and couldn't come up with a way to have multiple external IP addresses on the same VLAN and subnet.