
New Member

Can't Get to Website!!


have a website which resides in

I can access it from the internal network. Yet from the WAN I cannot. Now the interesting part is that the routers on the WAN connection can successfully ping that address.

The address it is trying to be accessed from is

I have added the following to the WAN router right under the standard ACL:

100 permit ip any host

110 permit tcp any host eq www

120 permit tcp host eq www host eq www

130 permit tcp host eq www host eq www

140 permit tcp any host

150 permit tcp any any (3 matches)

It does go through a tunnel where the tunnel address is

This tunnel ends at our internal side router and on that router we have:

Extended IP access list 101

10 permit tcp host host eq www

20 permit ip host

30 permit tcp any host eq www

40 permit tcp any host eq www

50 permit ip any any

yet nothing.. ANY HELP WOULD BE GREAT!

Hall of Fame Super Silver

Can't Get to Website!!

I am having some difficulty in understanding the relationships. Perhaps some type of diagram would be helpful. And some more config details would be helpful as well.

Based on your comment about a tunnel I will make a guess that the problem you face may be related to MTU. When you have tunnels they encapsulate the traffic and the result is a packet that is longer than what the originating host sent. If the host sends a frame that is already 1500 and the router adds some bytes for encapsulation then the result is a frame that is too big and requires fragmentation, which may be a problem. So I would suggest configuring ip tcp adjust-mss on routers on both ends of the tunnel.

If that does not help then please supply some additional detail.

I will also point out that if you configure this

permit ip any host

that it makes these lines that follow it redundant. They will never get a match

permit tcp any host eq www

permit tcp host eq www host eq www

permit tcp host eq www host eq www

it is also problematic to specify eq www on both the source port and the destination port.
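The redundancy the reply points out (entries after a broader permit never match, because an ACL stops at the first matching entry) can be checked mechanically. This is an added example, not part of the thread: the addresses are constructed documentation addresses because the thread's own addresses are not shown, and `parse`, `covers`, `shadowed` and `both_ports` are hypothetical helper names.

```python
import ipaddress
from typing import NamedTuple, Optional

class Ace(NamedTuple):
    seq: int
    action: str
    proto: str
    src: ipaddress.IPv4Network
    sport: Optional[str]
    dst: ipaddress.IPv4Network
    dport: Optional[str]

def _addr(tok):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D wildcard' (contiguous wildcards only)."""
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1] + "/32"), tok[2:]
    return ipaddress.ip_network(f"{tok[0]}/{tok[1]}", strict=False), tok[2:]

def _port(tok):
    """Consume an optional 'eq <port>'; None means any port."""
    if tok[:1] == ["eq"]:
        return {"www": "80"}.get(tok[1], tok[1]), tok[2:]
    return None, tok

def parse(line):
    tok = line.split()
    src, rest = _addr(tok[3:])
    sport, rest = _port(rest)
    dst, rest = _addr(rest)
    dport, _ = _port(rest)
    return Ace(int(tok[0]), tok[1], tok[2], src, sport, dst, dport)

def covers(a, b):
    """True when every packet that matches entry b also matches entry a."""
    return (a.proto in ("ip", b.proto)
            and b.src.subnet_of(a.src) and b.dst.subnet_of(a.dst)
            and a.sport in (None, b.sport) and a.dport in (None, b.dport))

def shadowed(lines):
    """(seq, earlier seq) for each entry that can never match: first match wins."""
    aces = [parse(l) for l in lines]
    return [(b.seq, next(a.seq for a in aces[:i] if covers(a, b)))
            for i, b in enumerate(aces) if any(covers(a, b) for a in aces[:i])]

def both_ports(lines):
    """Sequence numbers of entries that pin both source and destination port."""
    return [a.seq for a in map(parse, lines) if a.sport and a.dport]

# Constructed sample shaped like the WAN router list; addresses are not from the thread.
SAMPLE = [
    "100 permit ip any host 192.0.2.10",
    "110 permit tcp any host 192.0.2.10 eq www",
    "120 permit tcp host 198.51.100.7 eq www host 192.0.2.10 eq www",
    "130 permit tcp host 198.51.100.8 eq www host 192.0.2.10 eq www",
    "140 permit tcp any host 198.51.100.7",
    "150 permit tcp any any",
]
print(shadowed(SAMPLE), both_ports(SAMPLE))
```

Entries 120 and 130 are flagged twice: they sit behind the broader entry 100, and they also require source port 80, which a browser's ephemeral source port will not satisfy.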


