01-20-2013 11:45 AM - edited 03-11-2019 05:49 PM
Everything works fine internally, but I have a website on the 10.0.0.52 server with the external IP of 216.140.140.4. When I tried to access It from the internet It doesn't work. Please does anyone have any ideas on what might be the issue here? Though If I use the IP 216.140.140.4 i can access the website, even though I suspected it is a DNS issue, so I opened the Dns ports 53 for the 10.0.0.1 server still didnt work. It is an issue with the router because as soon as i replace with the proprietory firewall it works fine.
I also want to point out that below is the configuration from my outside zone to the inside zone which i configured to allow only ports that i want accessed from outside since the website uses the http port which is opened and the dns server 10.0.0.1 needs port 53 i opened it also but did not make any difference, , but I used CCP to configure my inside to outside zone which is supposed to allow all traffic from inside to outside.
Please would appreciate your advice.
ip name server 10.0.0.1
Zone security out-zone
zone security in-zone
zone security teleworker
interface gi0/1
Zone-member security out-zone
interface gi0/0
zone-member security in-zone
interface gi0/2
zone-member security teleworker
exit
ip port-map user-RDP port tcp 3389
zone-pair security OUT-IN source out-zone destination in-zone
zone-pair security OUT-TELEWORKER source out-zone destination teleworker
zone-pair security TELEWORKER-OUT source teleworker destination out-zone
ip access-list extended OUTSIDE-TO-INSIDE-WEB
permit tcp any host 10.0.0.23 eq 80
permit tcp any host 10.0.0.59 eq 80
permit tcp any host 10.0.0.61 eq 80
permit tcp any host 10.0.0.228 eq 80
permit tcp any host 10.0.0.16 eq 80
permit tcp any host 10.0.0.30 eq 80
class-map type inspect match-all OUTSIDE-TO-INSIDE-WEB-CLASS
match protocol http
match access-group name OUTSIDE-TO-INSIDE-WEB
ip access-list extended OUTSIDE-TO-INSIDE-FTP
permit tcp any host 10.0.0.52 eq 20:21
permit tcp any host 10.0.0.23 eq 20:21
permit tcp any host 10.0.0.59 eq 20:21
permit tcp any host 10.0.0.61 eq 20:21
permit tcp any host 10.0.0.228 eq 20:21
class-map type inspect match-all OUTSIDE-TO-INSIDE-FTP-CLASS
match protocol ftp
match access-group name OUTSIDE-TO-INSIDE-FTP
ip access-list extended OUTSIDE-TO-INSIDE-SMTP
permit tcp any host 10.0.0.52 eq 25
permit tcp any host 10.0.0.23 eq 25
permit tcp any host 10.0.0.59 eq 25
permit tcp any host 10.0.0.61 eq 25
permit tcp any host 10.0.0.228 eq 25
class-map type inspect match-all OUTSIDE-TO-INSIDE-SMTP-CLASS
match protocol smtp
match access-group name OUTSIDE-TO-INSIDE-SMTP
ip access-list extended OUTSIDE-TO-INSIDE-DNS
permit tcp any host 10.0.0.23 eq 53
permit udp any host 10.0.0.23 eq 53
permit tcp any host 10.0.0.59 eq 53
permit udp any host 10.0.0.59 eq 53
permit tcp any host 10.0.0.61 eq 53
permit udp any host 10.0.0.61 eq 53
permit tcp any host 10.0.0.228 eq 53
permit udp any host 10.0.0.228 eq 53
permit tcp any host 10.0.0.1 eq 53
permit udp any host 10.0.0.1 eq 53
class-map type inspect match-all OUTSIDE-TO-INSIDE-DNS-CLASS
match protocol dns
match access-group name OUTSIDE-TO-INSIDE-DNS
ip access-list extended OUTSIDE-TO-INSIDE-POP
permit tcp any host 10.0.0.52 eq 110
permit tcp any host 10.0.0.23 eq 110
permit tcp any host 10.0.0.59 eq 110
permit tcp any host 10.0.0.61 eq 110
permit tcp any host 10.0.0.228 eq 110
class-map type inspect match-all OUTSIDE-TO-INSIDE-POP-CLASS
match protocol pop
match access-group name OUTSIDE-TO-INSIDE-POP
ip access-list extended OUTSIDE-TO-INSIDE-IMAP
permit tcp any host 10.0.0.52 eq 143
permit tcp any host 10.0.0.23 eq 143
permit tcp any host 10.0.0.59 eq 143
permit tcp any host 10.0.0.61 eq 143
permit tcp any host 10.0.0.228 eq 143
class-map type inspect match-all OUTSIDE-TO-INSIDE-IMAP-CLASS
match protocol imap
match access-group name OUTSIDE-TO-INSIDE-IMAP
ip access-list extended OUTSIDE-TO-INSIDE-HTTPS
permit tcp any host 10.0.0.52 eq 443
permit tcp any host 10.0.0.23 eq 443
permit tcp any host 10.0.0.59 eq 443
permit tcp any host 10.0.0.61 eq 443
permit tcp any host 10.0.0.228 eq 443
class-map type inspect match-all OUTSIDE-TO-INSIDE-HTTPS-CLASS
match protocol https
match access-group name OUTSIDE-TO-INSIDE-HTTPS
ip access-list extended OUTSIDE-TO-INSIDE-RDP
permit tcp any host 10.0.0.52 eq 3389
permit tcp any host 10.0.0.23 eq 3389
permit tcp any host 10.0.0.59 eq 3389
permit tcp any host 10.0.0.61 eq 3389
permit tcp any host 10.0.0.228 eq 3389
permit tcp any host 10.0.0.58 eq 3389
permit tcp any host 10.0.0.33 eq 3389
permit tcp any host 10.0.0.25 eq 3389
permit tcp any host 10.0.0.44 eq 3389
permit tcp any host 10.0.0.251 eq 3389
permit tcp any host 10.0.0.21 eq 3389
permit tcp any host 10.0.0.22 eq 3389
ermit tcp any host 10.0.0.24 eq 3389
permit tcp any host 10.0.0.30 eq 3389
permit tcp any host 10.0.0.230 eq 3389
class-map type inspect match-all OUTSIDE-TO-INSIDE-RDP-CLASS
match protocol user-RDP
match access-group name OUTSIDE-TO-INSIDE-RDP
ip access-list extended TELEWORKER-TO-OUTSIDE
permit ip 10.0.3.254 any
class-map type inspect match-all TELEWORKER-TO-OUTSIDE-CLASS
match access-group name TELEWORKER-TO-OUTSIDE
ip access-list extended OUTSIDE-TO-TELEWORKER
permit ip any host 10.0.3.254
class-map type inspect match-all OUTSIDE-TO-TELEWORKER-CLASS
match access-group name OUTSIDE-TO-TELEWORKER
policy-map type inspect OUTSIDE-TO-INSIDE-POLICY
class type inspect OUTSIDE-TO-INSIDE-WEB-CLASS
inspect
class type inspect OUTSIDE-TO-INSIDE-FTP-CLASS
inspect
class type inspect OUTSIDE-TO-INSIDE-SMTP-CLASS
inspect
class type inspect OUTSIDE-TO-INSIDE-DNS-CLASS
inspect
class type inspect OUTSIDE-TO-INSIDE-POP-CLASS
inspect
class type inspect OUTSIDE-TO-INSIDE-IMAP-CLASS
inspect
class type inspect OUTSIDE-TO-INSIDE-HTTPS-CLASS
inspect
class type inspect OUTSIDE-TO-INSIDE-RDP-CLASS
inspect
policy-map type inspect TELEWORKER-TO-OUTSIDE-POLICY
class type inspect TELEWORKER-TO-OUTSIDE-CLASS
inspect
policy-map type inspect OUTSIDE-TO-TELEWORKER-POLICY
class type inspect OUTSIDE-TO-TELEWORKER-CLASS
inspect
zone-pair security OUT-IN source out-zone destination in-zone
service-policy type inspect OUTSIDE-TO-INSIDE-POLICY
zone-pair security OUT-TELEWORKER source out-zone destination teleworker
service-policy type inspect OUTSIDE-TO-TELEWORKER-POLICY
zone-pair security TELEWORKER-OUT source teleworker destination out-zone
service-policy type inspect TELEWORKER-TO-OUTSIDE-POLICY
01-20-2013 12:31 PM
Just out of interest, have you enabled and checked your nat configuration that a static nat translation exists for your server?
Sent from Cisco Technical Support iPhone App