Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Cant Get to Website!!

OK..

have a website which resides in 10.10.102.2

I can access it from the internal network. Yet from the WAN I cannot. Now the interesting part is that the routers on the WAN connection can succesfully ping that address.

The address it is trying to be accessed from is 10.10.10.3

I have added the following to the WAN router right under the standard ACL:

100 permit ip any host 10.10.102.2

110 permit tcp any host 10.10.102.2 eq www

120 permit tcp host 10.10.10.3 eq www host 10.10.102.2 eq www

130 permit tcp host 10.10.102.2 eq www host 10.10.10.3 eq www

140 permit tcp any host 10.10.10.3

150 permit tcp any any (3 matches)

It does go through a tunnel where the tunnel address is 192.168.122.101

this tunnen end at our internal side router and on that router we have:

Extended IP access list 101

10 permit tcp host 192.168.122.101 host 10.10.102.2 eq www

20 permit ip 10.10.10.0 0.0.0.255 host 10.10.102.2

30 permit tcp any host 10.10.102.2 eq www

40 permit tcp any host 10.10.10.3 eq www

50 permit ip any any

yet nothing.. ANY HELP WOULD BE GREAT!

  • WAN Routing and Switching
1 REPLY
Hall of Fame Super Silver

Cant Get to Website!!

I am having some difficulty in understanding the relationships. Perhaps some type of diagram would be helpful. And some more config details would be helpful as well.

Based on your comment about a tunnel I will make a guess that the problem you face may be related to MTU. When you have tunnels they encapsulate the traffic and the result is a packet that is longer than what the originating host sent. If the host sends a frame that is already 1500 and the router adds some bytes for encapsulation then the result is a frame that is too big and requires fragmentation, which may be a problem. So I would suggest configuring ip tcp adjust-mss on routers on both ends of the tunnel.

If that does not help then please supply some additional detail.

I will also point out that if you configure this

permit ip any host 10.10.102.2

that it makes these lines that follow it redundant. They will never get a match

permit tcp any host 10.10.102.2 eq www

permit tcp host 10.10.10.3 eq www host 10.10.102.2 eq www

permit tcp host 10.10.102.2 eq www host 10.10.10.3 eq www

it is also problematic to specify eq www on both the source port and the destination port.

HTH

Rick

85
Views
0
Helpful
1
Replies
This widget could not be displayed.