trojanman (IS/IT--Management)
28 Sep 06 19:34
We have an external address X.X.X.244 that gets NAT'd to an internal device 192.168.1.6. Traffic on port 80 is not coming in. I'm no Cisco guru but I think there is a problem with one of the ACLs. Any help is appreciated.

CODE

 description Servers
 encapsulation dot1Q 11
 ip address 10.10.11.1 255.255.255.0
 ip nat inside
 ip inspect STUFF in
 ip virtual-reassembly
 no snmp trap link-status
!
interface GigabitEthernet0/1
 ip address X.X.X.242 255.255.255.248
 ip access-group 199 in
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map STUFFMAP
!
interface Serial0/0/0:23
 no ip address
 isdn switch-type primary-5ess
 isdn incoming-voice voice
 isdn bind-l3 ccm-manager
 no cdp enable
!
interface Serial0/0/1:0
 description ***T1 to Sub-Office***
 ip unnumbered GigabitEthernet0/0.1
 ip nat inside
 ip inspect UFC in
 ip virtual-reassembly
 service-policy output voicepriority
!
router eigrp 100
 network 1.1.0.0 0.0.255.255
 network 10.10.0.0 0.0.255.255
 network 192.168.0.0 0.0.255.255
 auto-summary
!

access-list 100 deny   ip 192.168.1.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 100 deny   ip 192.168.2.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 100 deny   ip 10.10.10.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 100 deny   ip 10.10.20.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 100 deny   ip 10.10.11.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 100 permit ip 192.168.2.0 0.0.0.255 any
access-list 100 permit ip 10.10.11.0 0.0.0.255 any
access-list 100 permit ip 10.10.10.0 0.0.0.255 any
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 101 permit ip 10.10.10.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 101 permit ip 10.10.20.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 101 permit ip 10.10.11.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 150 deny   ip host 192.168.1.9 192.168.1.0 0.0.0.255
access-list 150 deny   ip host 192.168.1.9 192.168.2.0 0.0.0.255
access-list 150 deny   ip host 192.168.1.9 192.168.50.0 0.0.0.255
access-list 150 permit ip host 192.168.1.9 any
access-list 160 permit ip host 192.168.1.9 192.168.50.0 0.0.0.255
access-list 170 permit tcp host 192.168.1.6 any eq smtp
access-list 170 permit udp host 192.168.1.6 any eq domain
access-list 170 permit tcp host 192.168.1.6 any eq domain
access-list 170 permit tcp host 192.168.1.6 any eq 443
access-list 170 permit tcp host 192.168.1.6 any eq www
access-list 170 permit udp host 192.168.1.6 any eq ntp
access-list 170 deny   ip host 192.168.1.6 any
access-list 170 permit ip any any
access-list 199 permit tcp any host X.X.X.243 eq smtp
access-list 199 permit esp any any
access-list 199 permit udp any any eq isakmp
access-list 199 permit udp any any eq non500-isakmp
access-list 199 permit tcp any host X.X.X.243 eq pop3
access-list 199 permit tcp any host X.X.X.243 eq www
access-list 199 permit tcp any host X.X.X.243 eq 443
access-list 199 permit tcp any host X.X.X.242 eq telnet
access-list 199 permit tcp any host X.X.X.244 eq 22
access-list 199 permit tcp any host X.X.X.244 eq www
access-list 199 permit tcp any host X.X.X.244 eq 443
access-list 199 permit icmp any X.X.X.240 0.0.0.7 echo-reply
access-list 199 permit icmp any X.X.X.240 0.0.0.7 traceroute
access-list 199 permit icmp any X.X.X.240 0.0.0.7 time-exceeded
access-list 199 permit icmp any X.X.X.240 0.0.0.7 unreachable
access-list 199 permit tcp any any eq 10000
access-list 199 permit ip 192.168.50.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 199 permit ip 192.168.50.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 199 permit ip 192.168.50.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 199 permit ip 192.168.50.0 0.0.0.255 10.10.20.0 0.0.0.255
access-list 199 permit ip 192.168.50.0 0.0.0.255 10.10.11.0 0.0.0.255
UnaBomber (TechnicalUser)
2 Oct 06 18:01
ACL looks ok, are you sure it isn't the NAT that is incorrect?

I don't see the 192.168.1.0 subnet in your config?

The acl 190 allows traffic from any host to X.X.X.244 which equals www (80). ---> Looks ok

The acl allows traffic first, then NATting does its thing, so having x.x.x.244 in the acl is correct.

If you really think it's the acl, why don't you do either a permit ip any any log or deny ip any any log statement at the end of the 199 acl and then look in your logs after you attempt to connect to www on x.x.x.244?

UnaBomber
ccnp mcse2k

Triplejolt (IS/IT--Management)
1 Nov 06 7:30
I'm gonna assume this to be your outside interface:
interface GigabitEthernet0/1
 ip address X.X.X.242 255.255.255.248
 ip access-group 199 in


Please look at these two lines:

CODE

access-list 199 permit tcp any host X.X.X.243 eq www
access-list 199 permit tcp any host X.X.X.244 eq www

Are either of these the internal address of your server? If not, change one of them to match the internal address. You can't use the public outside address for traffic destined for the inside in your ACL.

A firm believer of the "Keep it Simple" philosophy
Cheers
/T

Triplejolt (IS/IT--Management)
1 Nov 06 7:32
Eg.

CODE

access-list 199 permit tcp any host 192.168.1.6 eq www

A firm believer of the "Keep it Simple" philosophy
Cheers
/T

UnaBomber (TechnicalUser)
24 Nov 06 8:36

Quote:

Are either of these the internal address of your server? If not, change one of them to match the internal address. You can't use the public outside address for traffic destined for the inside in your ACL.

Errmmm... Unless a PIX behaves differently than a Cisco router doing NAT, this is not correct...

NAT's order of operation is as follows from outside to inside:

If IPSec then check input access list
decryption - for CET or IPSec
check input access list
check input rate limits
input accounting
NAT outside to inside (global to local translation)
policy routing
routing
..

http://www.cisco.com/warp/public/556/5.html

Your ACL needs to allow traffic going to the global address, not the local address.

UnaBomber
ccnp mcse2k
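To make the order-of-operations point concrete, here is an added example (not code from the thread or from Cisco) that models what the router does to an outside-to-inside packet: the inbound access list is evaluated first, against the packet's global (pre-NAT) destination, and only a permitted packet reaches static NAT. The ACL text is a subset of the thread's ACL 199 with the constructed documentation addresses 203.0.113.x standing in for the masked X.X.X.x, and the NAT table entry 203.0.113.244 -> 192.168.1.6 is assumed from the original question. The parser handles the `any` / `host` / wildcard forms, `eq` ports and ICMP type keywords that appear on this page, and nothing more.

```python
"""Added example: Cisco-style inbound ACL evaluation followed by static NAT,
in the outside->inside order of operations quoted above.
203.0.113.x is a constructed stand-in for the thread's masked X.X.X.x addresses."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# IOS port keywords used in the thread's access lists
PORT_NAMES = {"smtp": 25, "domain": 53, "www": 80, "pop3": 110, "telnet": 23,
              "ntp": 123, "isakmp": 500, "non500-isakmp": 4500}


@dataclass
class Packet:
    proto: str                     # "tcp", "udp", "icmp", "esp", ...
    src: str
    dst: str                       # destination as seen on the wire (global address)
    dport: Optional[int] = None
    icmp_type: Optional[str] = None


@dataclass
class Ace:
    number: str
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]
    icmp_type: Optional[str]
    text: str                      # original line, what a 'log' keyword would report


def _addr(tokens, i):
    """Parse 'any' | 'host A' | 'A WILDCARD' starting at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    wild = int(ipaddress.ip_address(tokens[i + 1]))
    mask = ipaddress.ip_address((~wild) & 0xFFFFFFFF)     # contiguous wildcard -> netmask
    return ipaddress.ip_network(f"{tokens[i]}/{mask}", strict=False), i + 2


def parse_acl(text):
    """Parse 'access-list N permit|deny PROTO SRC DST [eq PORT | ICMP-TYPE]' lines."""
    aces = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 4 or t[0] != "access-list":
            continue
        number, action, proto = t[1], t[2], t[3]
        src, i = _addr(t, 4)
        dst, i = _addr(t, i)
        dport = icmp_type = None
        if i < len(t):
            if t[i] == "eq" and proto in ("tcp", "udp"):
                dport = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
            elif proto == "icmp":
                icmp_type = t[i]
        aces.append(Ace(number, action, proto, src, dst, dport, icmp_type, line.strip()))
    return aces


def evaluate(aces, pkt):
    """First matching entry wins; an implicit deny closes every IOS access list."""
    ip_src, ip_dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for ace in aces:
        if ace.proto not in ("ip", pkt.proto):
            continue
        if ip_src not in ace.src or ip_dst not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != pkt.dport:
            continue
        if ace.icmp_type is not None and ace.icmp_type != pkt.icmp_type:
            continue
        return ace.action, ace.text
    return "deny", "implicit deny (end of list)"


STATIC_NAT = {"203.0.113.244": "192.168.1.6"}   # constructed: global -> local


def inbound(aces, pkt, nat=STATIC_NAT):
    """Outside->inside: input ACL is checked on the global address, then NAT
    rewrites the destination. Returns (action, matched line, destination after NAT)."""
    action, why = evaluate(aces, pkt)
    if action != "permit":
        return action, why, None
    return action, why, nat.get(pkt.dst, pkt.dst)


# Subset of the thread's ACL 199 with the global addresses filled in (constructed)
ACL_199 = """
access-list 199 permit tcp any host 203.0.113.243 eq smtp
access-list 199 permit esp any any
access-list 199 permit udp any any eq isakmp
access-list 199 permit tcp any host 203.0.113.243 eq www
access-list 199 permit tcp any host 203.0.113.244 eq 22
access-list 199 permit tcp any host 203.0.113.244 eq www
access-list 199 permit tcp any host 203.0.113.244 eq 443
access-list 199 permit icmp any 203.0.113.240 0.0.0.7 echo-reply
access-list 199 permit ip 192.168.50.0 0.0.0.255 192.168.1.0 0.0.0.255
"""
# The same list with the www entry pointed at the local address instead
ACL_LOCAL = ACL_199.replace("host 203.0.113.244 eq www", "host 192.168.1.6 eq www")

if __name__ == "__main__":
    web = Packet("tcp", "198.51.100.7", "203.0.113.244", dport=80)   # constructed client
    print(inbound(parse_acl(ACL_199), web))     # permitted on the global address, then NAT'd
    print(inbound(parse_acl(ACL_LOCAL), web))   # never matches: the ACL sees 203.0.113.244
```

Running it shows the two outcomes side by side: with the global address in the list the HTTP packet is permitted by the `eq www` entry and handed to NAT, which rewrites the destination to 192.168.1.6; with the local address in the list the same packet falls through to the implicit deny, because at the outside interface the destination has not been translated yet. The returned matched line is what a trailing `deny ip any any log` entry would put in the log, which is the troubleshooting step suggested earlier in the thread.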
