topic Re: publish web site in Network Security

publish web site

jaimewalker — Mon, 11 Mar 2019 16:06:58 GMT

hi,

I am trying to publish a web site on 80.2.100.85/80 and access it from 78.109.177.183. when I try to access the server on port 80, I get the following log message: Deny tcp src WAN:78.109.177.183/64679 dst PRG_LAN:80.2.100.85/80 by access-group "PRG_WAN_access_in" but the config looks right to me. can anybody help?

config below:

global (WAN) 2 80.2.100.75-80.2.100.87 netmask 255.255.255.0

global (WAN) 1 interface

static (PRG_LAN,WAN) tcp 80.2.100.85 www 192.168.123.34 www netmask 255.255.255.255

access-list PRG_WAN_access_in extended permit tcp any host 82.2.100.74 eq ssh

access-list PRG_WAN_access_in extended permit tcp any host 82.2.100.84 eq www

access-list PRG_WAN_access_in extended permit tcp any host 82.2.100.85 eq www

access-group PRG_WAN_access_in in interface WAN

Re: publish web site

andrew.prince — Tue, 18 Aug 2009 09:18:55 GMT

issue on the cli "clear xlate" and try again, also put a line at the bottom of the acl:-

access-list PRG_WAN_access_in extended deny ip any any log

then check your logs.

HTH>

Re: publish web site

jaimewalker — Tue, 18 Aug 2009 10:08:05 GMT

hi,

unfortunatly clear xlate didn't help

and the log information is not showing me anything else.

Re: publish web site

andrew.prince — Tue, 18 Aug 2009 10:08:59 GMT

post the output from:-

show xlate

show access-list

Re: publish web site

jaimewalker — Tue, 18 Aug 2009 10:16:14 GMT

attachment added with output

Re: publish web site

andrew.prince — Tue, 18 Aug 2009 10:19:57 GMT

OK - my ovbservations:-

1) you did get a hit for the http acl for the web server - check your server is actaully listening on tcp port 80

2) You are getting alog of denies - are you trying to access the website via DNS or direct IP

3) Is by DNS check the IP address the url is resolving to is the same as the acl & static nat

4) Try changing the PAT to a NAT:-

remove

static (PRG_LAN,WAN) tcp 80.2.100.85 www 192.168.123.34 www netmask 255.255.255.255

replace

static (PRG_LAN,WAN) 80.2.100.85 192.168.123.34 netmask 255.255.255.255

And re-test.

Re: publish web site

jaimewalker — Tue, 18 Aug 2009 10:30:45 GMT

hi,

I can successfully telnet 192.168.123.34 80 so I believe the server is listening on port 80

My test is to telnet 80.2.100.85 80 rather than use DNS

I have done a NAT translation as advised but still no look

Re: publish web site

andrew.prince — Tue, 18 Aug 2009 10:50:43 GMT

Where are you testing from, the inside or the outside?

Check your NAT/ACL again

Re: publish web site

jaimewalker — Tue, 18 Aug 2009 10:59:12 GMT

I have tested it from inside and 2 x outside locations but still no luck. I will check the NAT/ACL again.

Thanks for your help

Re: publish web site

jaimewalker — Wed, 19 Aug 2009 06:44:42 GMT

wood for the trees....

the problem was a typo in the ACL. I was putting 82 instead of 80 in the first octet.

sorry

Re: publish web site

andrew.prince — Wed, 19 Aug 2009 07:42:31 GMT

np - glad to help.