Cisco Support Community
Community Member

publish web site

hi,

I am trying to publish a web site on 80.2.100.85/80 and access it from 78.109.177.183. When I try to access the server on port 80, I get the following log message: Deny tcp src WAN:78.109.177.183/64679 dst PRG_LAN:80.2.100.85/80 by access-group "PRG_WAN_access_in" but the config looks right to me. Can anybody help?

config below:

global (WAN) 2 80.2.100.75-80.2.100.87 netmask 255.255.255.0

global (WAN) 1 interface

static (PRG_LAN,WAN) tcp 80.2.100.85 www 192.168.123.34 www netmask 255.255.255.255

access-list PRG_WAN_access_in extended permit tcp any host 82.2.100.74 eq ssh

access-list PRG_WAN_access_in extended permit tcp any host 82.2.100.84 eq www

access-list PRG_WAN_access_in extended permit tcp any host 82.2.100.85 eq www

access-group PRG_WAN_access_in in interface WAN

10 REPLIES

Re: publish web site

issue on the cli "clear xlate" and try again, also put a line at the bottom of the acl:-

access-list PRG_WAN_access_in extended deny ip any any log

then check your logs.

HTH

Community Member

Re: publish web site

hi,

Unfortunately clear xlate didn't help

and the log information is not showing me anything else.

Re: publish web site

post the output from:-

show xlate

show access-list

Community Member

Re: publish web site

attachment added with output

Re: publish web site

OK - my observations:-

1) You did get a hit for the http ACL for the web server - check your server is actually listening on tcp port 80

2) You are getting a lot of denies - are you trying to access the website via DNS or direct IP

3) If by DNS, check the IP address the URL is resolving to is the same as the ACL & static NAT

4) Try changing the PAT to a NAT:-

remove

static (PRG_LAN,WAN) tcp 80.2.100.85 www 192.168.123.34 www netmask 255.255.255.255

replace

static (PRG_LAN,WAN) 80.2.100.85 192.168.123.34 netmask 255.255.255.255

And re-test.

Community Member

Re: publish web site

hi,

I can successfully telnet 192.168.123.34 80 so I believe the server is listening on port 80

My test is to telnet 80.2.100.85 80 rather than use DNS

I have done a NAT translation as advised but still no luck

Re: publish web site

Where are you testing from, the inside or the outside?

Check your NAT/ACL again

Community Member

Re: publish web site

I have tested it from inside and 2 x outside locations but still no luck. I will check the NAT/ACL again.

Thanks for your help

Community Member

Re: publish web site

wood for the trees....

the problem was a typo in the ACL. I was putting 82 instead of 80 in the first octet.

sorry

Re: publish web site

np - glad to help.
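
The mismatch that resolved this thread (a published address in the static with no matching permit in the inbound ACL) can be caught with an offline check of the config. The script below is an added example, not part of the original thread or any Cisco tool; it parses only the static, access-list and access-group forms posted above, and the function names and the one-octet "near miss" heuristic are assumptions made for illustration.

```python
import re

# Constructed sample: the config lines posted in the thread, ACL typo included.
SAMPLE = """\
static (PRG_LAN,WAN) tcp 80.2.100.85 www 192.168.123.34 www netmask 255.255.255.255
access-list PRG_WAN_access_in extended permit tcp any host 82.2.100.74 eq ssh
access-list PRG_WAN_access_in extended permit tcp any host 82.2.100.84 eq www
access-list PRG_WAN_access_in extended permit tcp any host 82.2.100.85 eq www
access-group PRG_WAN_access_in in interface WAN
"""

PORTS = {"www": "80", "ssh": "22"}  # only the port keywords used in the thread
ACL = re.compile(r"access-list (\S+) extended permit \S+ any host (\S+)(?: eq (\S+))?")
GROUP = re.compile(r"access-group (\S+) in interface (\S+)")


def parse(config):
    """Return (statics, ACL permits by name, inbound ACL name by interface)."""
    statics, acls, groups = [], {}, {}
    for line in config.splitlines():
        t = line.split()
        if len(t) >= 4 and t[0] == "static":
            mapped_if = t[1].strip("()").split(",")[1]
            # "static (..) tcp|udp <mapped> <port> ..." is PAT, otherwise 1:1 NAT
            ip, port = (t[3], t[4]) if t[2] in ("tcp", "udp") else (t[2], None)
            statics.append((mapped_if, ip, PORTS.get(port, port)))
        elif m := ACL.match(line.strip()):
            name, host, port = m.groups()
            acls.setdefault(name, []).append((host, PORTS.get(port, port)))
        elif m := GROUP.match(line.strip()):
            groups[m.group(2)] = m.group(1)
    return statics, acls, groups


def octet_diff(a, b):
    """Count the dotted-quad positions in which two IPv4 addresses differ."""
    return sum(x != y for x, y in zip(a.split("."), b.split(".")))


def audit(config):
    """List published addresses that no inbound permit on their interface covers."""
    statics, acls, groups = parse(config)
    findings = []
    for mapped_if, ip, port in statics:
        permits = acls.get(groups.get(mapped_if), [])
        if any(h == ip and (port is None or p in (None, port)) for h, p in permits):
            continue
        # An ACL host one octet away from the published address is a likely typo.
        near = sorted(h for h, _ in permits if octet_diff(h, ip) == 1)
        findings.append({"published": ip, "port": port,
                         "interface": mapped_if, "near_misses": near})
    return findings
```

Running audit(SAMPLE) reports 80.2.100.85 port 80 on WAN as uncovered and names 82.2.100.85 as the near miss; with the first octet corrected in the ACL it returns an empty list.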
