
Traffic on port 80 not coming in

Status
Not open for further replies.

trojanman

IS-IT--Management
Jun 14, 2006
280
US
We have an external address X.X.X.244 that gets NAT'd to an internal device 192.168.1.6. Traffic on port 80 is not coming in. I'm no Cisco guru but I think there is a problem with one of the ACLs. Any help is appreciated.

Code:
 description Servers
 encapsulation dot1Q 11
 ip address 10.10.11.1 255.255.255.0
 ip nat inside
 ip inspect STUFF in
 ip virtual-reassembly
 no snmp trap link-status
!
interface GigabitEthernet0/1
 ip address X.X.X.242 255.255.255.248
 ip access-group 199 in
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map STUFFMAP
!
interface Serial0/0/0:23
 no ip address
 isdn switch-type primary-5ess
 isdn incoming-voice voice
 isdn bind-l3 ccm-manager
 no cdp enable
!
interface Serial0/0/1:0
 description ***T1 to Sub-Office***
 ip unnumbered GigabitEthernet0/0.1
 ip nat inside
 ip inspect UFC in
 ip virtual-reassembly
 service-policy output voicepriority
!
router eigrp 100
 network 1.1.0.0 0.0.255.255
 network 10.10.0.0 0.0.255.255
 network 192.168.0.0 0.0.255.255
 auto-summary
!

access-list 100 deny   ip 192.168.1.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 100 deny   ip 192.168.2.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 100 deny   ip 10.10.10.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 100 deny   ip 10.10.20.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 100 deny   ip 10.10.11.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 100 permit ip 192.168.2.0 0.0.0.255 any
access-list 100 permit ip 10.10.11.0 0.0.0.255 any
access-list 100 permit ip 10.10.10.0 0.0.0.255 any
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 101 permit ip 10.10.10.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 101 permit ip 10.10.20.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 101 permit ip 10.10.11.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 150 deny   ip host 192.168.1.9 192.168.1.0 0.0.0.255
access-list 150 deny   ip host 192.168.1.9 192.168.2.0 0.0.0.255
access-list 150 deny   ip host 192.168.1.9 192.168.50.0 0.0.0.255
access-list 150 permit ip host 192.168.1.9 any
access-list 160 permit ip host 192.168.1.9 192.168.50.0 0.0.0.255
access-list 170 permit tcp host 192.168.1.6 any eq smtp
access-list 170 permit udp host 192.168.1.6 any eq domain
access-list 170 permit tcp host 192.168.1.6 any eq domain
access-list 170 permit tcp host 192.168.1.6 any eq 443
access-list 170 permit tcp host 192.168.1.6 any eq www
access-list 170 permit udp host 192.168.1.6 any eq ntp
access-list 170 deny   ip host 192.168.1.6 any
access-list 170 permit ip any any
access-list 199 permit tcp any host X.X.X.243 eq smtp
access-list 199 permit esp any any
access-list 199 permit udp any any eq isakmp
access-list 199 permit udp any any eq non500-isakmp
access-list 199 permit tcp any host X.X.X.243 eq pop3
access-list 199 permit tcp any host X.X.X.243 eq www
access-list 199 permit tcp any host X.X.X.243 eq 443
access-list 199 permit tcp any host X.X.X.242 eq telnet
access-list 199 permit tcp any host X.X.X.244 eq 22
access-list 199 permit tcp any host X.X.X.244 eq www
access-list 199 permit tcp any host X.X.X.244 eq 443
access-list 199 permit icmp any X.X.X.240 0.0.0.7 echo-reply
access-list 199 permit icmp any X.X.X.240 0.0.0.7 traceroute
access-list 199 permit icmp any X.X.X.240 0.0.0.7 time-exceeded
access-list 199 permit icmp any X.X.X.240 0.0.0.7 unreachable
access-list 199 permit tcp any any eq 10000
access-list 199 permit ip 192.168.50.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 199 permit ip 192.168.50.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 199 permit ip 192.168.50.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 199 permit ip 192.168.50.0 0.0.0.255 10.10.20.0 0.0.0.255
access-list 199 permit ip 192.168.50.0 0.0.0.255 10.10.11.0 0.0.0.255
 
ACL looks ok, are you sure it isn't the NAT that is incorrect?

I don't see the 192.168.1.0 subnet in your config?

The acl 190 allows traffic from any host to X.X.X.244 which equals ---> Looks ok

The acl allows traffic first, then Natting does its thing so having x.x.x.244 in acl is correct.

If you really think it's the acl, why don't you do either a permit ip any any log or deny ip any any log statement at the end of the 199 acl and then look in your logs after you attempt to connect to x.x.x.244?

UnaBomber
ccnp mcse2k
 
I'm gonna assume this to be your outside interface:
interface GigabitEthernet0/1
ip address X.X.X.242 255.255.255.248
ip access-group 199 in


Please look at these two lines:
Code:
access-list 199 permit tcp any host X.X.X.243 eq www
access-list 199 permit tcp any host X.X.X.244 eq www
Are either of these the internal address of your server? If not, change one of them to match the internal address. You can't use the public outside address for traffic destined for the inside in your ACL.

A firm believer of the "Keep it Simple" philosophy
Cheers
/T
 
Eg.
Code:
access-list 199 permit tcp any host 192.168.1.6 eq www

A firm believer of the "Keep it Simple" philosophy
Cheers
/T
 
Are either of these the internal address of your server? If not, change one of them to match the internal address. You can't use the public outside address for traffic destined for the inside in your ACL.

Errmmm... Unless a pix behaves differently than a Cisco Router doing nat, this is not correct...

Nat's order of operation is as follows from outside to inside:

If IPSec then check input access list
decryption - for CET or IPSec
check input access list
check input rate limits
input accounting
NAT outside to inside (global to local translation)
policy routing
routing
..


Your ACL needs to allow for traffic going to the global address not the local address

UnaBomber
ccnp mcse2k
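The order-of-operations point in the post above (inbound ACL checked against the global address first, NAT outside-to-inside afterwards) and the earlier suggestion to end the ACL with a logging deny can both be seen in a small model. This is an added example, not code from the thread or from Cisco; 203.0.113.244 stands in for the thread's X.X.X.244, the outside source address is constructed, the ACL entries are simplified to protocol/destination/port tuples, and the log line format is made up rather than copied from IOS.

```python
"""Model of the IOS outside-to-inside order of operations from the thread:
the inbound ACL on the outside interface sees the packet's *global*
(pre-NAT) destination; only after a permit does NAT rewrite it to the
*local* address.  Constructed example, not Cisco code."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    dst: str
    dport: int


@dataclass
class AclEntry:
    action: str                  # "permit" or "deny"
    proto: str                   # "tcp", "udp" or "ip" (ip = any protocol)
    dst_host: Optional[str]      # None means "any"
    dport: Optional[int]         # None means any port
    log: bool = False            # models the trailing "log" keyword


def acl_matches(entry, pkt):
    """Match one ACE against a packet on protocol, destination and port."""
    if entry.proto != "ip" and entry.proto != pkt.proto:
        return False
    if entry.dst_host is not None and entry.dst_host != pkt.dst:
        return False
    if entry.dport is not None and entry.dport != pkt.dport:
        return False
    return True


def apply_acl(acl, pkt, log):
    """First-match evaluation; the implicit deny at the end never logs."""
    for entry in acl:
        if acl_matches(entry, pkt):
            if entry.log:   # constructed log format, not the real IOS one
                log.append(f"{entry.action} {pkt.proto} {pkt.src} -> "
                           f"{pkt.dst}({pkt.dport})")
            return entry.action
    return "deny"


def nat_outside_to_inside(static_nat, pkt):
    """Global -> local translation of the destination (ip nat inside source static)."""
    return Packet(pkt.proto, pkt.src, static_nat.get(pkt.dst, pkt.dst), pkt.dport)


def inbound_path(acl, static_nat, pkt):
    """Walk the steps the post lists: input ACL, then NAT outside->inside.
    Returns (verdict, translated_packet_or_None, log_lines)."""
    log = []
    if apply_acl(acl, pkt, log) != "permit":
        return "deny", None, log
    return "permit", nat_outside_to_inside(static_nat, pkt), log


# Constructed addresses: 203.0.113.244 plays the role of X.X.X.244.
GLOBAL_HOST = "203.0.113.244"
LOCAL_HOST = "192.168.1.6"
STATIC_NAT = {GLOBAL_HOST: LOCAL_HOST}

# Variant 1: the thread's ACL 199 style, permitting to the global address.
ACL_GLOBAL = [AclEntry("permit", "tcp", GLOBAL_HOST, 80),
              AclEntry("deny", "ip", None, None, log=True)]
# Variant 2: the suggested change to the local address, same logging deny.
ACL_LOCAL = [AclEntry("permit", "tcp", LOCAL_HOST, 80),
             AclEntry("deny", "ip", None, None, log=True)]


def compare_acl_variants(pkt=None):
    """Run one inbound HTTP packet through both ACL variants."""
    if pkt is None:  # constructed outside client
        pkt = Packet("tcp", "198.51.100.7", GLOBAL_HOST, 80)
    return {"global": inbound_path(ACL_GLOBAL, STATIC_NAT, pkt),
            "local": inbound_path(ACL_LOCAL, STATIC_NAT, pkt)}


if __name__ == "__main__":
    for name, (verdict, translated, log) in compare_acl_variants().items():
        print(f"ACL on {name} address: {verdict}",
              f"-> delivered to {translated.dst}" if translated else "", log)
```

With the ACL written against the global address the packet is permitted and then delivered to 192.168.1.6; with the ACL written against the local address the packet never matches the permit, falls through to the logging deny, and the log line shows the untranslated destination, which is exactly what the "deny ip any any log" suggestion earlier in the thread would surface on a real router.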
 