
publish web site

jaimewalker
Level 1

hi,

I am trying to publish a web site on 80.2.100.85/80 and access it from 78.109.177.183. When I try to access the server on port 80, I get the following log message: Deny tcp src WAN:78.109.177.183/64679 dst PRG_LAN:80.2.100.85/80 by access-group "PRG_WAN_access_in" but the config looks right to me. Can anybody help?

config below:

global (WAN) 2 80.2.100.75-80.2.100.87 netmask 255.255.255.0

global (WAN) 1 interface

static (PRG_LAN,WAN) tcp 80.2.100.85 www 192.168.123.34 www netmask 255.255.255.255

access-list PRG_WAN_access_in extended permit tcp any host 82.2.100.74 eq ssh

access-list PRG_WAN_access_in extended permit tcp any host 82.2.100.84 eq www

access-list PRG_WAN_access_in extended permit tcp any host 82.2.100.85 eq www

access-group PRG_WAN_access_in in interface WAN


andrew.prince
Level 10

Issue "clear xlate" on the CLI and try again, also put a line at the bottom of the ACL:-

access-list PRG_WAN_access_in extended deny ip any any log

then check your logs.

HTH

hi,

Unfortunately clear xlate didn't help

and the log information is not showing me anything else.

post the output from:-

show xlate

show access-list

attachment added with output

OK - my observations:-

1) You did get a hit for the http ACL for the web server - check your server is actually listening on tcp port 80

2) You are getting a lot of denies - are you trying to access the website via DNS or direct IP?

3) If by DNS, check the IP address the URL is resolving to is the same as the ACL & static NAT

4) Try changing the PAT to a NAT:-

remove

static (PRG_LAN,WAN) tcp 80.2.100.85 www 192.168.123.34 www netmask 255.255.255.255

replace

static (PRG_LAN,WAN) 80.2.100.85 192.168.123.34 netmask 255.255.255.255

And re-test.

hi,

I can successfully telnet 192.168.123.34 80 so I believe the server is listening on port 80

My test is to telnet 80.2.100.85 80 rather than use DNS

I have done a NAT translation as advised but still no luck

Where are you testing from, the inside or the outside?

Check your NAT/ACL again

I have tested it from inside and 2 x outside locations but still no luck. I will check the NAT/ACL again.

Thanks for your help

wood for the trees....

The problem was a typo in the ACL. I was putting 82 instead of 80 in the first octet.

Sorry

np - glad to help.
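
Added example, not part of the thread or any poster's code: a small Python lint that replays the posted lines and reports inbound ACL permits whose destination has no matching static mapped address on the bound interface, and statics that no permit covers. It assumes the pre-8.3 syntax shown in the thread, where the interface ACL matches the mapped (public) address; `audit` and the finding labels are hypothetical names.

```python
import re

# Lines as posted in the thread, typo included (pre-8.3 ASA/PIX syntax).
CONFIG = """\
global (WAN) 1 interface
static (PRG_LAN,WAN) tcp 80.2.100.85 www 192.168.123.34 www netmask 255.255.255.255
access-list PRG_WAN_access_in extended permit tcp any host 82.2.100.74 eq ssh
access-list PRG_WAN_access_in extended permit tcp any host 82.2.100.84 eq www
access-list PRG_WAN_access_in extended permit tcp any host 82.2.100.85 eq www
access-group PRG_WAN_access_in in interface WAN
"""

# static (real_if,mapped_if) [tcp|udp] mapped_ip [mapped_port] ...
STATIC_RE = re.compile(r"^static \((\S+?),(\S+?)\) (?:(tcp|udp) (\S+) (\S+) |(\S+) )")
ACL_RE = re.compile(r"^access-list (\S+) extended permit (tcp|udp) any host (\S+) eq (\S+)")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)")

def audit(config):
    """Return (finding, ip, port) tuples where ACL permits and statics disagree."""
    statics, permits, bound = [], [], {}
    for line in map(str.strip, config.splitlines()):
        if m := STATIC_RE.match(line):
            _, mapped_if, proto, ip, port, plain_ip = m.groups()
            statics.append((mapped_if, plain_ip or ip, proto, port))
        elif m := ACL_RE.match(line):
            permits.append(m.groups())          # (acl, proto, ip, port)
        elif m := GROUP_RE.match(line):
            bound[m.group(1)] = m.group(2)      # acl name -> interface

    def covers(static, permit):
        s_if, s_ip, s_proto, s_port = static
        acl, proto, ip, port = permit
        # A static without a port (plain NAT) covers any service on that address.
        same_service = s_port is None or (s_proto, s_port) == (proto, port)
        return bound.get(acl) == s_if and s_ip == ip and same_service

    findings = []
    for p in permits:
        if p[0] in bound and not any(covers(s, p) for s in statics):
            findings.append(("permit-without-static", p[2], p[3]))
    for s in statics:
        if not any(covers(s, p) for p in permits):
            findings.append(("static-without-permit", s[1], s[3]))
    return findings

if __name__ == "__main__":
    for finding in audit(CONFIG):
        print(*finding)
```

A permit without a matching static is only a heuristic warning, since the posted excerpt may omit other translations; the static with no permit is the finding that corresponds to the Deny log line in the first post.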
