Hi *,
I've a little problem with my 890SFP Router, which is configured behind a Virtual DMZ.
The 192.168.178.0/24 network is the DMZ and the 192.168.0.0/24 is my network with all my devices.
The router has NAT and the inside interface is 192.168.0.1, the outside interface is 192.168.178.253 (the other Router in the DMZ has .254).
I added (with Cisco Configuration Professional) a static NAT Rule with Original address 192.168.0.201:80 (my Webserver which needs to be accessible from outside) and translated address 192.168.178.253:8080.
When I open a Websession from outside and call the address http://my.real.outside.ip:8080 I get the HTTP Error 504.
Where can the problem be?
Hi,
First of all you need a public IP address on your router to be accessible from outside. Then you need to do a static NAT to forward to the server. HTTP 504 means the client sent a request for connection but the response never came back.
Hope it will help.
Hi,
the whole traffic from my real public IP Address is redirected to the IP Address 192.168.178.253 (Interface Gi9) without being filtered. I then added the NAT Rule:
ip nat inside source static tcp 192.168.0.201 80 interface Gi9 8080
BTW I used the auto-secure command at initial configuration of the router. So I have the acl autosec_firewall_acl activated on my router.
Is this only a NAT problem or can it be a wrong ACL from the firewall?
Hi,
Can you post your router's config and network topology? It is still unclear.
Sent from Cisco Technical Support iPhone App
Hi,
this is the running config:
-Removed-
And this is my topology:
Hi,
can you do this:
enable
config t
ip inspect log drop-pkt
logging con 6
ip access-list extended autosec_firewall_acl
5 permit tcp any host 192.168.178.253 eq 8080
Regards.
Alain
Don't forget to rate helpful posts.
Hi,
try to add this
ip access-list extended autosec_firewall_acl
remark CCP_ACL Category=17
permit udp any host 192.168.178.253 eq non500-isakmp
permit udp any host 192.168.178.253 eq isakmp
permit esp any host 192.168.178.253
permit ahp any host 192.168.178.253
permit tcp any host 192.168.178.253 eq 8080
Hope it will help.
Yessss, it works. Thank you very much guys.
I'm glad we helped you!
Sent from Cisco Technical Support iPhone App
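An added example, not part of the thread and not Cisco tooling: a Python check for the condition the accepted fix addressed, a static TCP port forward whose published port is not permitted by the inbound ACL on the outside interface. The sample config is constructed (the thread's own config was removed); the function name and the simplified entry matching (source `any`, numeric `eq` ports only) are assumptions.

```python
import re

# Constructed sample: addresses, ACL name and NAT rule are from the thread;
# the interface stanza and the ACL entries are assumed for illustration.
SAMPLE = """\
interface GigabitEthernet9
 ip address 192.168.178.253 255.255.255.0
 ip access-group autosec_firewall_acl in
 ip nat outside
!
ip nat inside source static tcp 192.168.0.201 80 interface GigabitEthernet9 8080
!
ip access-list extended autosec_firewall_acl
 permit udp any any eq bootpc
 deny ip any any
"""

def unpermitted_forwards(config):
    """Return (interface, ip, port, acl) for each static TCP port forward whose
    published port is denied by the interface's inbound extended ACL."""
    ifaces, acls, section = {}, {}, None
    for line in config.splitlines():
        if m := re.match(r"interface (\S+)", line):
            section = ifaces.setdefault(m[1], {})
        elif m := re.match(r"ip access-list extended (\S+)", line):
            section = acls.setdefault(m[1], [])
        elif not line.startswith(" "):
            section = None  # any other top-level line ends the stanza
        elif isinstance(section, dict):
            if m := re.match(r" ip address (\d\S+) ", line):
                section["ip"] = m[1]
            elif m := re.match(r" ip access-group (\S+) in$", line):
                section["acl"] = m[1]
        elif isinstance(section, list):
            section.append(line.strip())
    findings = []
    nat = r"ip nat inside source static tcp \S+ \d+ interface (\S+) (\d+)"
    for name, port in re.findall(nat, config):
        ip, acl = ifaces.get(name, {}).get("ip"), ifaces.get(name, {}).get("acl")
        if not ip or not acl:
            continue  # no inbound ACL or no static address: out of scope here
        # First matching entry decides; no match falls through to the implicit deny.
        ace = rf"(?:\d+ )?(permit|deny) (?:ip|tcp) any (?:any|host {re.escape(ip)})(?: eq {port})?$"
        verdict = next((m[1] for e in acls.get(acl, []) if (m := re.match(ace, e))), "deny")
        if verdict == "deny":
            findings.append((name, ip, int(port), acl))
    return findings
```

Run against the constructed sample it reports the 8080 forward; once the ACL carries `permit tcp any host 192.168.178.253 eq 8080` ahead of the deny, it reports nothing.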