ACL to Publish my internal website help - please?


Hi Everyone,


I have scoured the web and have nearly mirrored the setup as outlined here:


While following the guidelines for CISCO NAT rules.


NAT works as expected except I am hung up on the ACL Rules, and I have been now for the last week.


Here is what I have created:


I turned the default access rule to allow and then created the last rule to Block all traffic.

If I turn off the "Block all Traffic" rule, then NAT works as expected and everyone from the outside world can access my internal webserver by the IP specified.


What do I need to do with my ACL list to allow my "WebserverPublic" to correctly work?


Accepted Solution: Remove the source port of HTTP

5 Replies

Rob Ingram (VIP Master)
Are you expecting the traffic to hit rule #1 - InternalServer1?

Amend your rule, the source should be "any" and the destination would be "WebServerPrivate", as you always specify the real IP address in the ACL not the public IP address.


Thank you for the advice RJI,


I did as you suggested and edited the rule as shown.


The trace comes back as follows.


However, unless I switch the default access control to allow, this does not work.

Remove the source port of HTTP

I had this working until I added an IPSEC tunnel.


Now outbound binding an IP address to the server works, but inbound external IP to the internal server fails.


Show nat has this:



show nat 
Manual NAT Policies (Section 1)
1 (dmz) to (outside) source static |s2sAclSrcNwgV4|09582272-4783-11ea-9fed-71eba22fa0ae |s2sAclSrcNwgV4|09582272-4783-11ea-9fed-71eba22fa0ae  destination static |s2sAclDestNwgV4|09582272-4783-11ea-9fed-71eba22fa0ae |s2sAclDestNwgV4|09582272-4783-11ea-9fed-71eba22fa0ae no-proxy-arp route-lookup
    translate_hits = 280, untranslate_hits = 280
2 (inside) to (outside) source dynamic WebServerPrivate WebServerPublic 
    translate_hits = 47, untranslate_hits = 0
3 (inside) to (outside) source dynamic any-ipv4 interface 
    translate_hits = 26, untranslate_hits = 0
Auto NAT Policies (Section 2)
1 (inside) to (outside) source static WebServerPrivate WebServerPublic  service tcp www www 
    translate_hits = 0, untranslate_hits = 0
2 (nlp_int_tap) to (inside) source static nlp_server_0_http_intf3 interface  service tcp https https 
    translate_hits = 0, untranslate_hits = 288
3 (nlp_int_tap) to (outside) source dynamic nlp_client_0_intf2 interface 
    translate_hits = 1134, untranslate_hits = 0
4 (nlp_int_tap) to (inside) source dynamic nlp_client_0_intf3 interface 
    translate_hits = 0, untranslate_hits = 0
5 (nlp_int_tap) to (internal-devnet) source dynamic nlp_client_0_intf4 interface 
    translate_hits = 0, untranslate_hits = 0
6 (nlp_int_tap) to (dmz) source dynamic nlp_client_0_intf5 interface 
    translate_hits = 0, untranslate_hits = 0
7 (nlp_int_tap) to (diagnostic) source dynamic nlp_client_0_intf6 interface 
    translate_hits = 0, untranslate_hits = 0
8 (nlp_int_tap) to (outside) source dynamic nlp_client_0_ipv6_intf2 interface ipv6 
    translate_hits = 0, untranslate_hits = 0
9 (nlp_int_tap) to (inside) source dynamic nlp_client_0_ipv6_intf3 interface ipv6 
    translate_hits = 0, untranslate_hits = 0
10 (nlp_int_tap) to (internal-devnet) source dynamic nlp_client_0_ipv6_intf4 interface ipv6 
    translate_hits = 0, untranslate_hits = 0
11 (nlp_int_tap) to (dmz) source dynamic nlp_client_0_ipv6_intf5 interface ipv6 
    translate_hits = 0, untranslate_hits = 0
12 (nlp_int_tap) to (diagnostic) source dynamic nlp_client_0_ipv6_intf6 interface ipv6 
    translate_hits = 0, untranslate_hits = 0


Remove your first NAT rule (it's not needed if you have rule #3) and move the 2nd NAT rule to Manual NAT (Section 3); ensure your WebServer rule is above your dynamic NAT rule.

If that doesn't work, run packet-tracer from the CLI and provide the output, e.g. "packet-tracer input outside tcp 3000 <your public ip> 80".
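An added illustration (not the poster's configuration and not Cisco code) of why the advice in Rob Ingram's first reply and the accepted "remove the source port of HTTP" answer work: the firewall un-NATs the destination to the real IP before the access control policy is evaluated, and an outside client connects from an ephemeral source port, never from port 80. Addresses and object names are constructed placeholders.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed placeholders (RFC 5737 documentation ranges), not the poster's addresses.
WEBSERVER_PUBLIC = "203.0.113.10"    # the mapped (public) IP
WEBSERVER_PRIVATE = "192.168.10.20"  # the real (private) IP
STATIC_NAT = {WEBSERVER_PUBLIC: WEBSERVER_PRIVATE}  # mapped -> real

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

@dataclass
class Rule:
    name: str
    action: str                      # "allow" or "block"
    src: Optional[str] = None        # None means "any"
    dst: Optional[str] = None
    src_port: Optional[int] = None   # None means any port
    dst_port: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        checks = ((self.src, p.src_ip), (self.dst, p.dst_ip),
                  (self.src_port, p.src_port), (self.dst_port, p.dst_port))
        return all(want is None or want == have for want, have in checks)

def untranslate(p: Packet) -> Packet:
    """Destination un-NAT: mapped IP is rewritten to the real IP before the ACL sees it."""
    return Packet(p.src_ip, p.src_port, STATIC_NAT.get(p.dst_ip, p.dst_ip), p.dst_port)

def access_control(rules: List[Rule], p: Packet, default: str = "block") -> Tuple[str, str]:
    """First-match evaluation on the un-NATed packet; returns (action, matching rule)."""
    inner = untranslate(p)
    for r in rules:
        if r.matches(inner):
            return r.action, r.name
    return default, "default"

# Constructed outside client: ephemeral source port, public IP as destination (packet-tracer shape).
CLIENT = Packet("198.51.100.7", 3000, WEBSERVER_PUBLIC, 80)

# The thread's original rule: public IP as destination and HTTP as the *source* port.
ORIGINAL = [Rule("InternalServer1", "allow", dst=WEBSERVER_PUBLIC, src_port=80, dst_port=80),
            Rule("BlockAll", "block")]
# The corrected rule: source any, real IP as destination, no source port.
FIXED = [Rule("InternalServer1", "allow", dst=WEBSERVER_PRIVATE, dst_port=80),
         Rule("BlockAll", "block")]
```

Either mistake on its own (public IP as destination, or a source port of 80) is enough to make the allow rule never match, so the packet falls through to the block rule.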