12-23-2012 03:32 AM - edited 03-04-2019 06:29 PM
Hi *,
I've a little problem with my 890SFP Router, which is configured behind a Virtual DMZ.
The 192.168.178.0/24 network is the DMZ and the 192.168.0.0/24 is my network with all my devices.
The router has NAT and the inside interface is 192.168.0.1, the outside interface is 192.168.178.253 (the other Router in the DMZ has .254).
I added (with Cisco Configuration Professional) a static NAT Rule with Original address 192.168.0.201:80 (my Webserver which needs to be accessible from outside) and translated address 192.168.178.253:8080.
When I open a Websession from outside and call the address http://my.real.outside.ip:8080 I get the HTTP Error 504.
Where can the problem be?
12-23-2012 06:02 AM
Hi,
First of all you need a public IP address on your router to be accessible from outside. Then you need to do a static NAT to forward to the server. HTTP 504 means the client sends a request for connection but the response never comes back.
Hope it will help.
12-23-2012 06:30 AM
Hi,
the whole traffic from my real public IP Address is redirected to the IP Address 192.168.178.253 (Interface Gi9) without being filtered. I then added the NAT Rule:
ip nat inside source static tcp 192.168.0.201 80 interface Gi9 8080
BTW I used the auto-secure command at initial configuration of the router. So I have the acl autosec_firewall_acl activated on my router.
Is this only a NAT problem or can it be a wrong ACL from the firewall?
12-23-2012 06:38 AM
Hi,
Can you post your router's config and network topology? It is still unclear.
Sent from Cisco Technical Support iPhone App
12-23-2012 07:07 AM
Hi,
this is the running config:
-Removed-
And this is my topology:
12-23-2012 07:23 AM
Hi,
can you do this:
enable
config t
ip inspect log drop-pkt
logging con 6
ip access-list extended autosec_firewall_acl
5 permit tcp any host 192.168.178.253 eq 8080
Regards.
Alain
Don't forget to rate helpful posts.
12-23-2012 07:25 AM
Hi,
try to add this
ip access-list extended autosec_firewall_acl
remark CCP_ACL Category=17
permit udp any host 192.168.178.253 eq non500-isakmp
permit udp any host 192.168.178.253 eq isakmp
permit esp any host 192.168.178.253
permit ahp any host 192.168.178.253
permit tcp any host 192.168.178.253 eq 8080
Hope it will help.
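The check behind the two replies above, as an added example that is not part of any post in this thread: it reads a config, finds each static NAT port forward, and tests whether the named ACL permits the outside address and port. The sample config is constructed, the function names are hypothetical, and it assumes autosec_firewall_acl is applied inbound on the outside interface and parses only simple "any to any/host" entries.

```python
import re
from itertools import takewhile

# Constructed sample, modelled on the rules quoted in this thread.
# Assumption: autosec_firewall_acl is applied inbound on the outside interface.
SAMPLE = """\
interface GigabitEthernet9
 ip address 192.168.178.253 255.255.255.0
 ip access-group autosec_firewall_acl in
 ip nat outside
ip nat inside source static tcp 192.168.0.201 80 interface GigabitEthernet9 8080
ip access-list extended autosec_firewall_acl
 permit udp any host 192.168.178.253 eq isakmp
 deny ip any any log
"""
# The permit from the replies, placed ahead of the deny (one reply used sequence number 5).
FIXED = SAMPLE.replace(" deny ip", " permit tcp any host 192.168.178.253 eq 8080\n deny ip")

IF_RE = re.compile(r"^interface (\S+)\n(?: .*\n)*? ip address (\S+)", re.M)
NAT_RE = re.compile(r"^ip nat inside source static (tcp|udp) (\S+) (\d+) interface (\S+) (\d+)", re.M)
# Only "<action> <proto> any <any|host A> [eq P] [log]" entries are parsed; others are skipped.
ACE_RE = re.compile(r"^\s+(?:\d+ )?(permit|deny) (\S+) any (any|host \S+)(?: eq (\S+))?(?: log)?\s*$")

def acl_entries(config, name):
    """Parsed entries of one named extended ACL, in the order listed."""
    block = config.partition(f"ip access-list extended {name}\n")[2]
    lines = takewhile(lambda l: l.startswith(" "), block.splitlines())
    return [m.groups() for m in map(ACE_RE.match, lines) if m]

def acl_verdict(entries, proto, dst_ip, dst_port):
    """First matching entry wins; nothing matching means the implicit deny."""
    for action, ace_proto, dst, port in entries:
        if (ace_proto in (proto, "ip") and dst in ("any", f"host {dst_ip}")
                and port in (None, str(dst_port))):
            return action
    return "deny"

def blocked_forwards(config, acl_name):
    """Static NAT forwards whose outside address and port the ACL does not permit."""
    addrs, entries = dict(IF_RE.findall(config)), acl_entries(config, acl_name)
    blocked = []
    for proto, in_ip, in_port, ifname, out_port in NAT_RE.findall(config):
        # The inbound ACL sees the packet before NAT, so test the outside address/port.
        if acl_verdict(entries, proto, addrs.get(ifname), out_port) != "permit":
            blocked.append(f"{proto} {addrs.get(ifname)}:{out_port} -> {in_ip}:{in_port}")
    return blocked

if __name__ == "__main__":
    print(blocked_forwards(SAMPLE, "autosec_firewall_acl"), blocked_forwards(FIXED, "autosec_firewall_acl"))
```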
12-23-2012 09:32 AM
Yessss, it works. Thank you very much guys.
12-23-2012 09:38 AM
I'm glad we helped you!
Sent from Cisco Technical Support iPhone App