11-25-2013 10:44 AM - edited 03-04-2019 09:40 PM
OK..
I have a website which resides on 10.10.102.2.
I can access it from the internal network, yet from the WAN I cannot. Now the interesting part is that the routers on the WAN connection can successfully ping that address.
The address it is being accessed from is 10.10.10.3.
I have added the following to the WAN router right under the standard ACL:
100 permit ip any host 10.10.102.2
110 permit tcp any host 10.10.102.2 eq www
120 permit tcp host 10.10.10.3 eq www host 10.10.102.2 eq www
130 permit tcp host 10.10.102.2 eq www host 10.10.10.3 eq www
140 permit tcp any host 10.10.10.3
150 permit tcp any any (3 matches)
It does go through a tunnel where the tunnel address is 192.168.122.101
This tunnel ends at our internal-side router, and on that router we have:
Extended IP access list 101
10 permit tcp host 192.168.122.101 host 10.10.102.2 eq www
20 permit ip 10.10.10.0 0.0.0.255 host 10.10.102.2
30 permit tcp any host 10.10.102.2 eq www
40 permit tcp any host 10.10.10.3 eq www
50 permit ip any any
Yet nothing. Any help would be great!
11-25-2013 11:36 AM
I am having some difficulty in understanding the relationships. Perhaps some type of diagram would be helpful. And some more config details would be helpful as well.
Based on your comment about a tunnel I will make a guess that the problem you face may be related to MTU. When you have tunnels they encapsulate the traffic and the result is a packet that is longer than what the originating host sent. If the host sends a frame that is already 1500 and the router adds some bytes for encapsulation then the result is a frame that is too big and requires fragmentation, which may be a problem. So I would suggest configuring ip tcp adjust-mss on routers on both ends of the tunnel.
If that does not help then please supply some additional detail.
I will also point out that if you configure this
permit ip any host 10.10.102.2
it makes the lines that follow it redundant. They will never get a match:
permit tcp any host 10.10.102.2 eq www
permit tcp host 10.10.10.3 eq www host 10.10.102.2 eq www
permit tcp host 10.10.102.2 eq www host 10.10.10.3 eq www
It is also problematic to specify eq www on both the source port and the destination port.
HTH
Rick
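To make the two ACL points in the reply above concrete, here is an added example (it is not from the thread or from Cisco IOS): a small first-match evaluator that models the WAN router's ACL from the question as data and walks a few constructed flows through it. Rule and flow representations, the helper names, and the sample port numbers are assumptions of the example. It shows that sequence 100 (permit ip any host 10.10.102.2) absorbs every packet to the server, so 110-130 never register a hit, and that a rule with eq www on both source and destination never matches a normal HTTP request, whose source port is ephemeral.

```python
"""First-match evaluation of a simplified Cisco-style extended ACL.

Added example, not code from the forum thread. It models the WAN ACL
quoted in the question and reports which entries can never match.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Rule:
    seq: int
    action: str               # "permit" or "deny"
    proto: str                # "ip" matches any protocol; otherwise "tcp", "udp", ...
    src: str                  # CIDR or "any"
    dst: str
    sport: Optional[int] = None   # None means any port (no "eq" keyword)
    dport: Optional[int] = None
    hits: int = 0             # hit counter, like "(3 matches)" in show access-lists


def _addr_match(spec: str, addr: str) -> bool:
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)


def _port_match(spec: Optional[int], port: Optional[int]) -> bool:
    return spec is None or spec == port


def matches(rule: Rule, proto: str, src: str, dst: str,
            sport: Optional[int], dport: Optional[int]) -> bool:
    if rule.proto != "ip" and rule.proto != proto:
        return False
    return (_addr_match(rule.src, src) and _addr_match(rule.dst, dst)
            and _port_match(rule.sport, sport) and _port_match(rule.dport, dport))


def evaluate(acl, proto, src, dst, sport=None, dport=None):
    """Return (action, seq) of the first matching entry; implicit deny at the end."""
    for rule in acl:
        if matches(rule, proto, src, dst, sport, dport):
            rule.hits += 1
            return rule.action, rule.seq
    return "deny", None


def wan_acl():
    """The WAN router entries from the question, transcribed (sequence 100-150)."""
    return [
        Rule(100, "permit", "ip", "any", "10.10.102.2/32"),
        Rule(110, "permit", "tcp", "any", "10.10.102.2/32", dport=80),
        Rule(120, "permit", "tcp", "10.10.10.3/32", "10.10.102.2/32", sport=80, dport=80),
        Rule(130, "permit", "tcp", "10.10.102.2/32", "10.10.10.3/32", sport=80, dport=80),
        Rule(140, "permit", "tcp", "any", "10.10.10.3/32"),
        Rule(150, "permit", "tcp", "any", "any"),
    ]


# Constructed sample flows: (proto, src, dst, sport, dport).
SAMPLE_FLOWS = [
    ("tcp", "10.10.10.3", "10.10.102.2", 51234, 80),     # client request, ephemeral source port
    ("tcp", "10.10.102.2", "10.10.10.3", 80, 51234),     # server reply
    ("icmp", "192.168.122.101", "10.10.102.2", None, None),  # the ping that works
    ("tcp", "10.10.10.3", "10.10.10.5", 40000, 22),      # unrelated flow, falls to 150
]


def shadowed_rules(acl, flows):
    """Run every flow through the ACL and return entries that never got a hit."""
    for flow in flows:
        evaluate(acl, *flow)
    return [r.seq for r in acl if r.hits == 0]


if __name__ == "__main__":
    acl = wan_acl()
    print("client request ->", evaluate(acl, "tcp", "10.10.10.3", "10.10.102.2", 51234, 80))
    print("never matched  ->", shadowed_rules(wan_acl(), SAMPLE_FLOWS))
    # With only entry 120 present, a real HTTP request is still denied: its
    # source port is not 80, so "eq www" on the source side can never match.
    only_120 = [r for r in wan_acl() if r.seq == 120]
    print("rule 120 alone ->", evaluate(only_120, "tcp", "10.10.10.3", "10.10.102.2", 51234, 80))
```

Because this ACL permits everything to the web server at sequence 100 and ends in permit tcp any any, the hit counters are the useful signal: entries that stay at zero are either shadowed or written so that real traffic cannot match them, which is the case for both points raised in the reply.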