outside access

Liam Dwyer
Level 1

Hello,

I am having a beat-my-head-against-the-wall moment.  Trying to put in an access-list statement for an external IP to a DMZ IP address allowing only 80 and 443.  This is the statement:

access-list outside_access_in line 4 extended permit tcp host 12.133.197.99 eq www host 192.168.1.11 eq www

Here is the packet-tracer output:

Obviously getting dropped but where?!?!?!

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.1.0     255.255.255.0   dmz1

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: dmz1
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule


WOW! holy long drive for a short putt!

I am sorry that took so long.  And I thank you for bearing with my ignorance.

I did have the NAT in there as of last night, but I was using the tcp www https instead of the separate NATs.

thank you again!!

Great to hear it's working.

Just to add a bit. The NAT we configured is a Static PAT that is generally used when you only have a few public IP addresses to spare OR even just the public IP address configured on the external interface of the ASA.

It seems to me that you have quite a few public IP addresses available, judging by your above configuration.

So it might even be possible that you configure a single Static NAT for the DMZ server 192.168.1.11 to the IP address x.x.197.99.

In that case you would only need to allow the traffic for the ports you need and would not have to worry about separate NAT configurations for ports.

If you were to go with Static NAT you could remove the 2 Static PAT configurations and instead configure

object network SERVER
 host 192.168.1.11
 nat (dmz1,outside) static x.x.197.99

I leave it up to you to choose which one you prefer. If possible, I personally prefer doing Static NAT if I can spare the public IP addresses. It keeps the NAT setup simpler.

- Jouni
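An added worked example, not part of Jouni's reply or the original thread: the complete Static NAT variant on an ASA running 8.3 or later, where the inbound ACL must match the server's real (pre-translation) address rather than the public IP, together with the interface binding and a packet-tracer check for both a permitted and a non-permitted port. It assumes the interface names outside and dmz1 from the thread; x.x.197.99 is the masked public address from Jouni's reply (substitute the full address), and 203.0.113.10 is a constructed documentation-range client address.

```cisco
! Added example: assumes ASA 8.3+ and the interfaces named in the thread.
object network SERVER
 host 192.168.1.11
 description DMZ web server, published to the Internet as x.x.197.99
 nat (dmz1,outside) static x.x.197.99

! Since 8.3 the inbound ACL is evaluated against the real (untranslated)
! destination, so the permit lines reference the object, not the public IP.
! Only destination ports are restricted: client source ports are ephemeral,
! so a source-side "eq www" would never match real traffic.
access-list outside_access_in extended permit tcp any object SERVER eq www
access-list outside_access_in extended permit tcp any object SERVER eq https
! Everything else from outside falls through to the ACL's implicit deny.

! Bind the ACL inbound on the outside interface (without this, the
! packet-tracer shows "Implicit Rule" ... DROP, as in the original post).
access-group outside_access_in in interface outside

! Verify: simulate an Internet client (203.0.113.10, constructed) reaching the
! public IP on 443. Expect a NAT (UN-NAT) phase, ACCESS-LIST Result: ALLOW,
! and Action: allow at the end.
packet-tracer input outside tcp 203.0.113.10 40000 x.x.197.99 443

! Confirm a port that is not published is still dropped by the implicit rule.
packet-tracer input outside tcp 203.0.113.10 40000 x.x.197.99 22
```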
