Beginner

ACL to Publish my internal website help - please?

Hi Everyone,

 

I have scoured the web and have nearly mirrored the setup as outlined here:

https://community.cisco.com/t5/firepower/firepower-publish-internal-webserver/td-p/3672845

while following the guidelines for Cisco NAT rules.

 

NAT works as expected except I am hung up on the ACL Rules, and I have been now for the last week.

 

Here is what I have created:

 

I turned the default access rule to allow and then created the last rule to Block all traffic.

If I turn off the "Block all Traffic" rule, then NAT works as expected and everyone from the outside world can access my internal webserver by the IP specified.

 

What do I need to do with my ACL list to allow my "WebserverPublic" to correctly work?

Attachments: ACLCapture.PNG, NATCapture.PNG

VIP Advisor

Re: ACL to Publish my internal website help - please?

Hi,
Are you expecting the traffic to hit rule #1 - InternalServer1?

Amend your rule, the source should be "any" and the destination would be "WebServerPrivate", as you always specify the real IP address in the ACL not the public IP address.

HTH
Beginner

Re: ACL to Publish my internal website help - please?

Thank you for the advice RJI,

 

I did as you suggested and edited the rule as shown.

 

The trace comes back as follows.

 

However, unless I switch the default access control to allow, this does not work.

Attachment: EditedCapture.PNG

VIP Advisor (accepted solution)

Re: ACL to Publish my internal website help - please?

Remove the source port of HTTP

Beginner

Re: ACL to Publish my internal website help - please?

I had this working until I added an IPSEC tunnel.

 

Now outbound binding an IP address to the server works, but inbound external IP to the inbound server fails.

 

show nat has this:

show nat
Manual NAT Policies (Section 1)
1 (dmz) to (outside) source static |s2sAclSrcNwgV4|09582272-4783-11ea-9fed-71eba22fa0ae |s2sAclSrcNwgV4|09582272-4783-11ea-9fed-71eba22fa0ae  destination static |s2sAclDestNwgV4|09582272-4783-11ea-9fed-71eba22fa0ae |s2sAclDestNwgV4|09582272-4783-11ea-9fed-71eba22fa0ae no-proxy-arp route-lookup
    translate_hits = 280, untranslate_hits = 280
2 (inside) to (outside) source dynamic WebServerPrivate WebServerPublic 
    translate_hits = 47, untranslate_hits = 0
3 (inside) to (outside) source dynamic any-ipv4 interface 
    translate_hits = 26, untranslate_hits = 0
 
Auto NAT Policies (Section 2)
1 (inside) to (outside) source static WebServerPrivate WebServerPublic  service tcp www www 
    translate_hits = 0, untranslate_hits = 0
2 (nlp_int_tap) to (inside) source static nlp_server_0_http_intf3 interface  service tcp https https 
    translate_hits = 0, untranslate_hits = 288
3 (nlp_int_tap) to (outside) source dynamic nlp_client_0_intf2 interface 
    translate_hits = 1134, untranslate_hits = 0
4 (nlp_int_tap) to (inside) source dynamic nlp_client_0_intf3 interface 
    translate_hits = 0, untranslate_hits = 0
5 (nlp_int_tap) to (internal-devnet) source dynamic nlp_client_0_intf4 interface 
    translate_hits = 0, untranslate_hits = 0
6 (nlp_int_tap) to (dmz) source dynamic nlp_client_0_intf5 interface 
    translate_hits = 0, untranslate_hits = 0
7 (nlp_int_tap) to (diagnostic) source dynamic nlp_client_0_intf6 interface 
    translate_hits = 0, untranslate_hits = 0
8 (nlp_int_tap) to (outside) source dynamic nlp_client_0_ipv6_intf2 interface ipv6 
    translate_hits = 0, untranslate_hits = 0
9 (nlp_int_tap) to (inside) source dynamic nlp_client_0_ipv6_intf3 interface ipv6 
    translate_hits = 0, untranslate_hits = 0
10 (nlp_int_tap) to (internal-devnet) source dynamic nlp_client_0_ipv6_intf4 interface ipv6 
    translate_hits = 0, untranslate_hits = 0
11 (nlp_int_tap) to (dmz) source dynamic nlp_client_0_ipv6_intf5 interface ipv6 
    translate_hits = 0, untranslate_hits = 0
12 (nlp_int_tap) to (diagnostic) source dynamic nlp_client_0_ipv6_intf6 interface ipv6 
    translate_hits = 0, untranslate_hits = 0

Attachments: cisco-failed-inbound-nat.PNG, Simple-Nat-Rules.PNG

 

VIP Advisor

Re: ACL to Publish my internal website help - please?

Remove your first NAT rule (it's not needed if you have rule #3) and move the 2nd NAT rule to Manual NAT (Section 3) - ensure your WebServer rule is above your dynamic NAT rule.

If that doesn't work, run packet-tracer from the CLI and provide the output, e.g. "packet-tracer input outside tcp 8.8.8.8 3000 <your public ip> 80"
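As an added example (not code from the thread, from Cisco, or from the posters), here is a small Python script that parses text in the layout of the show nat listing posted above and reports any static rule that sits below a dynamic rule covering the same real object on the same interface pair, which is the ordering problem the reply above addresses. The sample output is constructed: the VPN object names stand in for the long auto-generated |s2sAcl...| names, and the hit counts are illustrative.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample laid out like the FTD/ASA "show nat" output quoted in the thread.
# Object names and hit counts are illustrative, not from a real device.
SAMPLE_SHOW_NAT = """\
Manual NAT Policies (Section 1)
1 (dmz) to (outside) source static VPN_LOCAL VPN_LOCAL  destination static VPN_REMOTE VPN_REMOTE no-proxy-arp route-lookup
    translate_hits = 280, untranslate_hits = 280
2 (inside) to (outside) source dynamic WebServerPrivate WebServerPublic
    translate_hits = 47, untranslate_hits = 0
3 (inside) to (outside) source dynamic any-ipv4 interface
    translate_hits = 26, untranslate_hits = 0

Auto NAT Policies (Section 2)
1 (inside) to (outside) source static WebServerPrivate WebServerPublic  service tcp www www
    translate_hits = 0, untranslate_hits = 0
"""


@dataclass
class NatRule:
    section: int            # 1 = manual (before auto), 2 = auto, 3 = manual (after auto)
    index: int              # position within the section, as displayed
    src_if: str
    dst_if: str
    kind: str               # "static" or "dynamic"
    real: str               # real (inside) object
    mapped: str             # mapped (translated) object
    service: Optional[str]  # e.g. "tcp www www" for a port-specific static rule
    translate_hits: int = 0
    untranslate_hits: int = 0


SECTION_RE = re.compile(r"^(?:Manual|Auto) NAT Policies \(Section (\d)\)")
RULE_RE = re.compile(
    r"^(\d+) \((\S+)\) to \((\S+)\) source (static|dynamic) (\S+) (\S+)(.*)$")
SERVICE_RE = re.compile(r"service (\S+ \S+ \S+)")
HITS_RE = re.compile(r"translate_hits = (\d+), untranslate_hits = (\d+)")


def parse_show_nat(text: str) -> List[NatRule]:
    """Parse each rule line plus its following hit-count line into a NatRule."""
    rules: List[NatRule] = []
    section = 0
    pending: Optional[NatRule] = None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            section = int(m.group(1))
            continue
        m = RULE_RE.match(line)
        if m:
            svc = SERVICE_RE.search(m.group(7))
            pending = NatRule(section, int(m.group(1)), m.group(2), m.group(3),
                              m.group(4), m.group(5), m.group(6),
                              svc.group(1) if svc else None)
            continue
        m = HITS_RE.search(line)
        if m and pending is not None:
            pending.translate_hits = int(m.group(1))
            pending.untranslate_hits = int(m.group(2))
            rules.append(pending)
            pending = None
    return rules


def shadowed_static_rules(rules: List[NatRule]) -> List[Tuple[NatRule, NatRule]]:
    """Find static rules that an earlier dynamic rule will match first.

    NAT is evaluated Section 1, then 2, then 3, in displayed order within a
    section, and the first match wins. A static rule for a real host that sits
    below a dynamic rule covering the same host on the same interface pair is
    never reached for that host's outbound traffic: the dynamic rule takes it,
    which is the pattern the hit counters in the thread show (47 vs 0).
    """
    order = sorted(rules, key=lambda r: (r.section, r.index))
    findings: List[Tuple[NatRule, NatRule]] = []
    for i, later in enumerate(order):
        if later.kind != "static":
            continue
        for earlier in order[:i]:
            if (earlier.kind == "dynamic"
                    and earlier.src_if == later.src_if
                    and earlier.dst_if == later.dst_if
                    and earlier.real in (later.real, "any", "any-ipv4")):
                findings.append((earlier, later))
                break
    return findings


def report(text: str) -> List[str]:
    """One human-readable line per shadowed static rule."""
    lines = []
    for earlier, later in shadowed_static_rules(parse_show_nat(text)):
        lines.append(
            f"static rule section {later.section} #{later.index} "
            f"({later.real} -> {later.mapped}, service {later.service}, "
            f"{later.translate_hits}/{later.untranslate_hits} hits) is below dynamic rule "
            f"section {earlier.section} #{earlier.index} ({earlier.real} -> {earlier.mapped}, "
            f"{earlier.translate_hits}/{earlier.untranslate_hits} hits); move the static rule above it")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_SHOW_NAT):
        print(line)
```

Paste the real show nat output into SAMPLE_SHOW_NAT (or read it from a file) to run it against your own device; on the sample it flags the auto NAT static web server rule as sitting below the manual dynamic rule for WebServerPrivate, which is exactly the reorder suggested above.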