Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
984
Views
3
Helpful
10
Replies

publish web site

jaimewalker
Level 1
Level 1

‎08-18-2009 01:56 AM - edited ‎03-11-2019 09:06 AM

hi,

I am trying to publish a web site on 80.2.100.85/80 and access it from 78.109.177.183. when I try to access the server on port 80, I get the following log message: Deny tcp src WAN:78.109.177.183/64679 dst PRG_LAN:80.2.100.85/80 by access-group "PRG_WAN_access_in" but the config looks right to me. can anybody help?

config below:

global (WAN) 2 80.2.100.75-80.2.100.87 netmask 255.255.255.0

global (WAN) 1 interface

static (PRG_LAN,WAN) tcp 80.2.100.85 www 192.168.123.34 www netmask 255.255.255.255

access-list PRG_WAN_access_in extended permit tcp any host 82.2.100.74 eq ssh

access-list PRG_WAN_access_in extended permit tcp any host 82.2.100.84 eq www

access-list PRG_WAN_access_in extended permit tcp any host 82.2.100.85 eq www

access-group PRG_WAN_access_in in interface WAN

Labels:
0 Helpful
10 Replies 10

andrew.prince
Level 10
Level 10

‎08-18-2009 02:18 AM

issue on the cli "clear xlate" and try again, also put a line at the bottom of the acl:-

access-list PRG_WAN_access_in extended deny ip any any log

then check your logs.

HTH>

0 Helpful

jaimewalker
Level 1
Level 1
In response to andrew.prince

‎08-18-2009 03:08 AM

hi,

unfortunatly clear xlate didn't help

and the log information is not showing me anything else.

0 Helpful

andrew.prince
Level 10
Level 10
In response to jaimewalker

‎08-18-2009 03:08 AM

post the output from:-

show xlate

show access-list

0 Helpful

jaimewalker
Level 1
Level 1
In response to andrew.prince

‎08-18-2009 03:16 AM

attachment added with output

Preview file
25 KB
0 Helpful

andrew.prince
Level 10
Level 10
In response to jaimewalker

‎08-18-2009 03:19 AM

OK - my ovbservations:-

1) you did get a hit for the http acl for the web server - check your server is actaully listening on tcp port 80

2) You are getting alog of denies - are you trying to access the website via DNS or direct IP

3) Is by DNS check the IP address the url is resolving to is the same as the acl & static nat

4) Try changing the PAT to a NAT:-

remove

static (PRG_LAN,WAN) tcp 80.2.100.85 www 192.168.123.34 www netmask 255.255.255.255

replace

static (PRG_LAN,WAN) 80.2.100.85 192.168.123.34 netmask 255.255.255.255

And re-test.

0 Helpful

jaimewalker
Level 1
Level 1
In response to andrew.prince

‎08-18-2009 03:30 AM

hi,

I can successfully telnet 192.168.123.34 80 so I believe the server is listening on port 80

My test is to telnet 80.2.100.85 80 rather than use DNS

I have done a NAT translation as advised but still no look

Preview file
26 KB
0 Helpful

andrew.prince
Level 10
Level 10
In response to jaimewalker

‎08-18-2009 03:50 AM

Where are you testing from, the inside or the outside?

Check your NAT/ACL again

jaimewalker
Level 1
Level 1
In response to andrew.prince

‎08-18-2009 03:59 AM

I have tested it from inside and 2 x outside locations but still no luck. I will check the NAT/ACL again.

Thanks for your help

0 Helpful

jaimewalker
Level 1
Level 1
In response to jaimewalker

‎08-18-2009 11:44 PM

wood for the trees....

the problem was a typo in the ACL. I was putting 82 instead of 80 in the first octet.

sorry

0 Helpful

andrew.prince
Level 10
Level 10
In response to jaimewalker

‎08-19-2009 12:42 AM

np - glad to help.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card