06-30-2010 06:05 PM - edited 03-11-2019 11:05 AM
Hi,
I currently have a Static Nat for example ( web1-internal ) to ( web1-external ) - see Static Nat below !!!
Which allows external hosts to connect on a public address and then get translated to the internal address host !!
What I want to do now is permit http traffic from this internal host to outside but for some reason it is not working !!
I have tried adding a nat exempt rule using the inside host translated on the outbound interface with no luck.
And also adding an access-list to the inside interface of:
access-list inbound_inside permit tcp host web1 any eq www
The current Static Nat rule is :
static (inside,outside) web1-xlate web1 netmask 255.255.255.255 tcp 1000 500
Example IP Addresses
web1 : 172.16.34.208
web1-xlate : 203.14.59.50
Let me know if you need more info or config !!!
Thanks Simon
06-30-2010 06:42 PM
Simon,
The static NAT that you mention is bidirectional.
This means that it will work for allowing inbound traffic to the public IP and outbound traffic from the server.
To allow outbound traffic nothing needs to be done because it is permitted by default.
(if you already have an ACL applied to the inside interface, then the traffic should be specified to be permitted).
To allow inbound traffic, you should explicitly allow the traffic in the ACL applied to the outside interface.
Federico.
06-30-2010 07:04 PM
Hi Federico,
I already have an ACL on the outside interface:
access-list inbound_outside permit tcp any host web1-xlate eq www
This rule works fine !!
But going the other way, initiating the connection from the internal web1 ( 172.16.34.208 ) to the outside, doesn't work.
E.g. I want to http to outside from web1 internally but it doesn't work ???
Any more suggestions !!
Thanks for your prompt reply - much appreciated !!
SG
06-30-2010 07:10 PM
The internal 172.16.34.208 can't get out to the Internet?
But you said it is reachable from the Internet, correct?
Is there an ACL applied to the inside interface? You can check with "sh run access-group"
The other machines on the inside interface have Internet access as well?
Federico.
06-30-2010 07:19 PM
Hi Federico,
All sorted now, for some reason the guys that set up this internal server forgot to put the DNS Server in the IP addressing !!!
Http traffic from this internal server is now fine !!!
Thank you so much for your time, much appreciated.
SG
06-30-2010 07:21 PM
Glad to hear that :-)
Thank you,
Federico.