Access Rules - Action - DROP

wynneitmgr
Level 3

I am new to managing Firewalls, so any help would be appreciated. We have a link on our website that goes to one of our internal servers that we have. However, nothing is happening when I click the link on our website. When I do a Packet Trace, it shows that it DROPs at the ACCESS-LIST. Any ideas what I can check? I have attached some screenshots. Thank you in advance.

[Attachments: firewall1.png, firewall2.png]


18 Replies

Jaderson Pessoa
VIP Alumni
Hello,

Check the logs and filter them for the specific address. According to your rules, all internal rules to internal and external addresses are allowed.

Have you checked whether the service on the server is enabled as well?
Jaderson Pessoa

Hi Jaderson,

Thank you for your feedback, I appreciate it as I am still learning Cisco Firewalls.

Which service should I check on the server? I am also not sure where to access the logs you are talking about. Please be patient, I am a novice. Appreciate your help!

Does the Global Implicit Rule that shows Deny, have anything to do with traffic being blocked from accessing the IP?

Hi,
Unfortunately it's not possible to determine the issue from the screenshot.

Are you referring to rule #2 inbound on the outside interface - http to WYNNEAPPS1?
Have you defined a static NAT for that server - mapping the public ip address to the real/private ip address?
Does the object WYNNEAPPS1 reference the real/private IP address of the server? The ACL needs to reference the real/private IP address rather than the public ip address.

If you provided your configuration we could probably easily determine the issue.

HTH

So WYNNEAPPS1 is the name of the server that the link on our website is trying to access. Here is the link from our website: https://63.147.191.67/Ships5Web/Application/. Thank you for your help!

Here is what I have under NAT Rules

[Attachment: firewall3.png]

Your link is for HTTPS but your ACL only permits HTTP, therefore any connection on https will be dropped by the implicit deny at the end of the ACL.

You need to amend the ACL rule to include HTTPS.

You need to look at the properties of the WYNNEAPPS1 object and determine what IP address is defined, hopefully it is the private IP address.
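For reference, the situation the reply above describes, written out as ASA 8.3+ CLI. This is an added illustration, not configuration posted in the thread: the object name, the private address 10.0.0.3 and the public address 63.147.191.67 come from the thread; the ACL name outside_access_in, the interface names inside/outside and the test source address 203.0.113.10 are assumptions.

```cisco
! Server object with its real (private) address; the static NAT maps it to
! the public IP. On ASA 8.3 and later the access rule must reference this
! real address, not the NAT-ed public address.
object network WYNNEAPPS1
 host 10.0.0.3
 nat (inside,outside) static 63.147.191.67
!
! BEFORE: only HTTP (tcp/80) is permitted inbound. The website link uses
! https://, so the tcp/443 SYN matches no permit and is dropped by the
! implicit deny at the end of the ACL (the DROP seen in the Packet Trace).
access-list outside_access_in extended permit tcp any object WYNNEAPPS1 eq www
access-group outside_access_in in interface outside
!
! AFTER: add a matching rule for HTTPS (tcp/443). Only the ports the
! application actually needs are opened; nothing else changes.
access-list outside_access_in extended permit tcp any object WYNNEAPPS1 eq https
!
! Verify from the CLI, as the original Packet Trace did from ASDM. From the
! outside interface the destination is the public (mapped) address.
! 203.0.113.10 is a placeholder for an Internet client (assumption).
packet-tracer input outside tcp 203.0.113.10 40000 63.147.191.67 80
packet-tracer input outside tcp 203.0.113.10 40000 63.147.191.67 443
! Both traces should now report the flow as allowed; before the change the
! 443 trace ended at the ACCESS-LIST phase with Action: drop.
```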

Thank you!

I changed the Access Rule to include HTTPS

[Attachment: firewall5.png]

The properties of WYNNEAPPS1 show the correct ip addresses

[Attachment: firewall4.png]

Ok, I can access your URL so I assume all is working and your issue is resolved?

HTH

Yes, I can access the link if I am outside of my network or on data on a cell phone. However, I still cannot access it from my computer at the office. Do I need another rule so I can access it from the office network? Thanks!

You should access the server directly, using its real/private IP address (10.0.0.3) - not via the firewall on the natted ip address.

So if I am on my office network and go to our website the link is not going to work. So I need to access it by using the local IP 10.0.0.3? I thought maybe if I had a rule in place, I would still be able to access it directly from our website. The reason being, all my users do not know the local IP 10.0.0.3, they would just go to our website and click the link. Any workaround for this?

Create a FQDN that when inside the network resolves to the private IP address, and when outside the network resolves to the NAT IP address. I suggest getting a valid public signed certificate for the site as well.

Where do I create the FQDN? Is that under Access or NAT Rules?

Sorry, I was referring to creating a DNS entry on your local DNS server which resolves to the private IP address and another entry with your external DNS provider resolving to the NAT ip address.