Solved: Re: Access Rules - Action - DROP

wynneitmgr · ‎02-07-2020

I am new to managing Firewalls, so any help would be appreciated. We have a link on our website that goes to one of our internal servers that we have. However, nothing is happening when I click the link on our website. When I do a Packet Trace, it shows that it DROPs at the ACCESS-LIST. Any ideas what I can check? I have attached some screenshots. Thank you in advance.

Rob Ingram · ‎02-07-2020

You link is for HTTPS but your ACL only permits HTTP, therefore any connection on https will be dropped by the implicit deny at the end of the ACL.

You need to amend the ACL rule to include HTTPS.

You need to look at the properties of the WYNEAPPS1 and determine what IP address is defined, hopefully it is the private IP address.

View solution in original post

Jaderson Pessoa · ‎02-07-2020

Hello,

Check on the logs and do a filter to check specific address. According to your rules, all internal rules to internal and external address are allowed.

Are you checked if the service under the server is enabled as well?

Jaderson Pessoa
*** Rate All Helpful Responses ***

wynneitmgr · ‎02-07-2020

Hi Jaderson,

Thank you for your feedback, I appreciate it as I am still learning Cisco Firewalls.

Which service should I check on the server? I am also not sure where to access the logs you are talking about. Please be patient, I am a novice. Appreciate your help!

wynneitmgr · ‎02-07-2020

Does the Global Implicit Rule that shows Deny, have anything to do with traffic being blocked from accessing the IP?

Rob Ingram · ‎02-07-2020

Hi,
Unfortunately it's possible to determine the issue from the screenshot.

Are you referring to rule #2 inbound on the outside interface - http to WYNNEAPPS1?
Have you defined a static NAT for that server - mapping the public ip address to the real/private ip address?
Does the object WYNNEAPPS1 reference the real/private IP address of the server? The ACL needs to reference the real/private IP address rather than the public ip address.

If you provided your configuration we could probably easily determine the issue

HTH

wynneitmgr · ‎02-07-2020

So WYNNEAPPS1 is the name of the server that the link on our website is trying to access. Here is the link from our website: https://63.147.191.67/Ships5Web/Application/. Thank you for your help!

Here is what I have under NAT Rules

Rob Ingram · ‎02-07-2020

You link is for HTTPS but your ACL only permits HTTP, therefore any connection on https will be dropped by the implicit deny at the end of the ACL.

You need to amend the ACL rule to include HTTPS.

You need to look at the properties of the WYNEAPPS1 and determine what IP address is defined, hopefully it is the private IP address.

wynneitmgr · ‎02-07-2020

Thank you!

I changed the Access Rule to include HTTPS

The properties of WYNNEAPPS1 show the correct ip addresses

Rob Ingram · ‎02-07-2020

Ok, I can access you URL so I assume all is working and your issue is resolved?

HTH

wynneitmgr · ‎02-07-2020

Yes, I can access the link if I am outside of my network or on data on a cell phone. However, I still cannot access it from my computer at the office. Do I need another rule so I can access it from office network? Thanks!

Rob Ingram · ‎02-07-2020

You should access the server directly, using it's real/private IP address (10.0.0.3) - not via the firewall on the natted ip address.

wynneitmgr · ‎02-07-2020

So if I am on my office network and go to our website the link is not going to work. So I need to access it by using the local IP 10.0.0.3? I thought maybe if I had a rule in place, I would still be able to access it directly from our website. The reason being, all my users do not know the local IP 10.0.0.3, they would just go to our website and click the link. Any workaround for this?

Rob Ingram · ‎02-07-2020

Create a FQDN that when inside the network resolves to the private IP address, and when outside the network resolves to the nat IP address. I suggest getting a valid public signed certificate for the site aswell.

wynneitmgr · ‎02-07-2020

Where do I create the FQDN? Is that under Access or NAT Rules?

Rob Ingram · ‎02-07-2020

Sorry, I was referring to creating a DNS entry on your local DNS server which resolves to the private IP address and another entry with your external DNS provider resolving to the NAT ip address.