Switches, Hubs, and Modems

Re: Procurve 7102

William E Howard
Regular Advisor

Procurve 7102

I have a 7102 router as my external router, and I am running into an issue. I have it set to only allow management via SSL from the internal networks. I also have port forwarding turned on the external interface for 443 to one of my internal web servers. This works fine, except if I want to test this internally, and go to the External IP address via SSL, it is trying to log into the management instead of forwarding the ports.

This also causes problems with people using Phones on WiFi, trying to hit my Webmail server. DNS reports external IP address, but they cannot hit it because they are internal. If I change the DNS to use the internal IP of the server, it is causing a cert error.

This is probably a simple fix, but it's been several months since I worked with these routers, and I don't see where I can set this security setting.

7 REPLIES
Gerhard Roets
Esteemed Contributor

Re: Procurve 7102

Hi William

Just an idea ... why not just change the secure management web server port number?

ADSL-7102(config)#ip http secure-server

- Specify an alternate port for the HTTPS

HTH
Gerhard
William E Howard
Regular Advisor

Re: Procurve 7102

Great idea, tried it out, didn't work. :(
It is still not redirecting all web traffic I direct to my router.

I'll call Procurve support, see if they can solve this.
William E Howard
Regular Advisor

Re: Procurve 7102

Well, HP didn't know the answer. Said there was no way to just turn off management for the external interface.

They recommended setting up an ACL, blocking SSL traffic from hitting my external IP address, but I am afraid that will stop people from being able to browse SSL websites.

I think what I need to do is setup a static route, for all internal traffic directed to my external IP, send it to the gateway for my external IP, then let it come back.

Anyone have any thoughts or better ideas?
Olaf Borowski
Respected Contributor

Re: Procurve 7102

William,

It is all a matter of the access policy. Your port-forwarding is applied to the external interface, meaning that when a packet is coming in from an external network, this policy gets applied. You are coming in from the inside, where a different policy is applied (probably NAT or self). You would have to modify the access policy (self or NAT) to port-forward (or route) to your 443 port instead of the router (self hits the router). Look at the output of the command "show ip policy-session" to see which policy is hit when you use SSL to access your server. I suspect "self".

Olaf
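To make the per-interface policy lookup Olaf describes concrete, here is a small Python model of it. This is an added example, not code from the thread or from the 7102/AOS software; interface names, addresses (RFC 5737 documentation ranges on the public side) and the entry names are constructed for illustration. It shows why the same packet to the public address on port 443 is forwarded when it arrives on the external interface but lands on "self" when it arrives from the inside, and what changes once the inside policy also carries a forwarding entry.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    ingress: str            # interface the packet arrived on


@dataclass(frozen=True)
class Entry:
    """One line of an access policy: an ACL-style match plus what to do."""
    src_net: str            # "0.0.0.0/0" stands for 'any'
    dst_host: str
    dport: int
    action: str             # "forward" (nat destination) or "self"
    target: Optional[str] = None   # internal address when action == "forward"

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src_net)
                and p.dst == self.dst_host
                and p.dport == self.dport)


@dataclass
class Router:
    own_addrs: frozenset    # addresses the router answers for itself
    policies: dict          # ingress interface -> ordered list of Entry

    def decide(self, p: Packet) -> str:
        """First matching entry of the ingress interface's policy wins."""
        for e in self.policies.get(p.ingress, []):
            if e.matches(p):
                return f"forward:{e.target}" if e.action == "forward" else "self"
        # No entry matched: a packet addressed to the router itself reaches
        # the management plane ("self"); anything else is plainly routed.
        return "self" if p.dst in self.own_addrs else "route"


# Constructed sample addresses (hypothetical, not from the thread).
PUBLIC_IP = "203.0.113.10"
WEB_SERVER = "192.168.1.10"
INTERNAL_CLIENT = "192.168.1.50"
EXTERNAL_CLIENT = "198.51.100.7"

# Forwarding entry on the public side: anyone -> PUBLIC_IP:443 -> web server.
PUBLIC_FWD = Entry("0.0.0.0/0", PUBLIC_IP, 443, "forward", WEB_SERVER)
# The same forward, but placed on the inside policy for internal clients.
HAIRPIN_FWD = Entry("192.168.1.0/24", PUBLIC_IP, 443, "forward", WEB_SERVER)


def build_router(hairpin: bool) -> Router:
    policies = {"eth 0/1": [PUBLIC_FWD], "eth 0/2.1": []}
    if hairpin:
        policies["eth 0/2.1"].append(HAIRPIN_FWD)
    return Router(frozenset({PUBLIC_IP, "192.168.1.254"}), policies)


def demo() -> dict:
    from_outside = Packet(EXTERNAL_CLIENT, PUBLIC_IP, 443, "eth 0/1")
    from_inside = Packet(INTERNAL_CLIENT, PUBLIC_IP, 443, "eth 0/2.1")
    before = build_router(hairpin=False)
    after = build_router(hairpin=True)
    return {
        "external_client": before.decide(from_outside),
        "internal_client_before": before.decide(from_inside),
        "internal_client_after": after.decide(from_inside),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The model covers only the lookup itself. On a real router a hairpinned connection also needs the server's reply to come back through the router (the inside policy usually has to source-translate the client as well), because otherwise the client receives a reply from 192.168.1.10 for a connection it opened to the public address and drops it. The check in either case is the one Olaf names: look at "show ip policy-session" while the connection is attempted and see which policy, and which entry in it, the session matched. Where the policy cannot be made to work, a split-horizon DNS answer that resolves the same hostname to the internal address on the inside keeps the certificate name matching, as long as clients connect by name rather than by IP address.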
William E Howard
Regular Advisor

Re: Procurve 7102

Olaf,

I set up a port forward on the Access Policy bound to my internal interface; now SSL traffic bound for my external IP just seems to die if I have it before my NAT policy, and doesn't do anything if it is after my NAT policy.

Doesn't show up at all in the show ip policy-sessions that I can find, whether I have port forwarding turned on or not.

Early on I tried to set up a second external IP address to segregate traffic between outgoing and incoming, but it wouldn't let me have two interfaces on the same VLAN (I require external VLAN tagging).

If I change the SSL management port, it still doesn't redirect. I have gone into my NAT settings, and told it to NOT NAT traffic that is destined for my external IP address, but still no dice.

I know it has to be possible, but I'll be damned if I can find the right combination.
Gerhard Roets
Esteemed Contributor

Re: Procurve 7102

Hi Will

Here is a snippet of my config

interface eth 0/1
ip address x.y.z.130 255.255.255.240
ip address x.y.z.131 255.255.255.240 secondary
ip address x.y.z.132 255.255.255.240 secondary
access-policy Public
.... (NOTE FOR BELOW: I USE TAGGING INTERNALLY)
interface eth 0/2.1
description Production Network
vlan-id 1
no shutdown
ip address 192.168.1.254 255.255.255.0
access-policy Private

ip access-list extended Linux1
remark Port Forward MRV-1
permit tcp any host 82.94.126.131 eq ssh log
!
ip access-list extended Linux2
remark Port Forward MRV-2
permit tcp any host x.y.z.132 eq ssh log
!
....
ip policy-class Public
nat destination list Linux1 address 192.168.1.1
nat destination list Linux2 address 192.168.1.2

Seems the key here is that they all point to secondary addresses.

HTH
William E Howard
Regular Advisor

Re: Procurve 7102

I actually tried something like that early on, but the issue I ran into is that I cannot have multiple sub-interfaces on the same VLAN, and I require VLAN tagging on all external interfaces.

My internet connection is set up so that any traffic on a specific VLAN routes to the internet. If it is not on a VLAN, or on a different one, then it is routed between my sites without leaving the telco's backbone. This makes things very fast between sites, but I worked with Procurve and couldn't come up with a way to have multiple external IP addresses on the same VLAN and subnet.