03-27-2014 04:02 AM - edited 03-11-2019 09:00 PM
Hi guys,
As you can see in the attached file, I have a web server in the DMZ which has a real IP of 172.168.100.1 and a public IP of 192.168.200.1 (let's assume that this is a public IP address, for security reasons). All necessary configuration regarding NAT and access lists is in place.
From inside I can reach the web server and vice versa.
From the DMZ I can reach the internet. The weird thing is that if I try from a different internet line to ping 192.168.200.1 (the web server's public IP), I can ping it without a problem, but when I try to reach the web server via a browser I receive a timeout error.
If I change my access list entry "access-list OUTSIDE-IN extended permit tcp any host 192.168.200.1 eq 80" to the below
"access-list OUTSIDE-IN extended permit ip any any"
I am able to access the web server.
I've checked the real-time log viewer, and when I am using "access-list OUTSIDE-IN extended permit tcp any host 192.168.200.1 eq 80" I receive a deny tcp src outside ...by access-group OUTSIDE-IN.
What do you believe is blocking the connection?
Best Regards
Stelios
03-27-2014 07:21 AM
Stelios
From the looks of your static statement you are running 8.3 or later code.
So in your ACL you need to use the private IP of the server and not the public IP.
Jon
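Added example, not part of the original thread: the ACL change described in the answer above, written out as ASA 8.3+ configuration. The thread's static statement is only in the attachment, so the object name `WEB-SERVER`, the interface names `dmz` and `outside`, and the test source `203.0.113.10` with port `12345` are assumptions; the ACL name and server addresses are the ones quoted in the question.

```cisco
! Assumed object NAT for the web server (8.3+ syntax); object name and
! interface names are hypothetical, addresses are from the question.
object network WEB-SERVER
 host 172.168.100.1
 nat (dmz,outside) static 192.168.200.1

! Before: the entry matches the mapped (public) address. On 8.3 and later
! the interface ACL is evaluated against the real address, so inbound
! HTTP never matches this line and is denied by access-group OUTSIDE-IN.
! access-list OUTSIDE-IN extended permit tcp any host 192.168.200.1 eq 80

! After: remove the old entry and permit HTTP to the real (private) address.
no access-list OUTSIDE-IN extended permit tcp any host 192.168.200.1 eq 80
access-list OUTSIDE-IN extended permit tcp any host 172.168.100.1 eq 80

! Remove the troubleshooting entry if it is still present; it opens every
! protocol and port through the outside interface.
no access-list OUTSIDE-IN extended permit ip any any

! Verify from exec mode. The destination is still the public address,
! because that is what an Internet client sends to. Source address and
! port are constructed test values.
packet-tracer input outside tcp 203.0.113.10 12345 192.168.200.1 80
```

In the packet-tracer output, the UN-NAT phase should show 192.168.200.1 being translated to 172.168.100.1 and the ACCESS-LIST phase should show the new permit entry being matched.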
03-28-2014 03:14 AM
Thanks a lot, Jon, for helping me solve this problem.
The weird thing that I can't understand is that ICMP was working without a problem using the above-mentioned access list; however, accessing the web server using www wasn't working.
How do you explain that?