07-18-2011 07:36 AM - edited 03-04-2019 01:01 PM
Can anyone help please?
I need my web server to be accessible and I have used >>>
ip nat inside source static tcp 80 interface fa0/0 80 but the packets are still being blocked by the access-list maybe?
%SEC-6-IPACCESSLOGP: list 101 denied tcp 119.63.196.89(34388) -> 81.***.***.***(80)
First off, is it safe to post your security / access list on here?
Many thanks guys
07-18-2011 07:45 AM
Hello Garry,
A firewall requires 3 things to function properly:
1. An access-list to permit specific IPs/ports
2. NAT translations
3. Policy
For your scenario it would be better if you can describe it with fictitious IP addresses and, if possible, the traffic flow.
07-18-2011 08:00 AM
Hi there, and thanks for your reply.
Please find my sh startup-config below.
Phish#sh startup-config
Using 2656 out of 196600 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Phish
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$mUiL$Wp/m0Ciaigy4nQA77SeI0.
enable password ******
!
no aaa new-model
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1 192.168.1.30
!
ip dhcp pool insudeDHCP
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
!
!
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
!
!
!
!
!
!
!
!
interface FastEthernet0/0
description WAN$FW_OUTSIDE$
mac-address 0012.1742.1fe9
ip address dhcp
ip access-group 101 in
ip nat outside
ip inspect SDM_LOW out
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
description LAN$FW_INSIDE$
ip address 192.168.1.1 255.255.255.0
ip access-group 100 in
ip nat inside
ip virtual-reassembly
speed auto
full-duplex
no mop enabled
!
!
!
no ip http server
no ip http secure-server
ip nat inside source list 1 interface FastEthernet0/0 overload
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 deny ip 192.168.1.0 0.0.0.255 any
access-list 101 permit udp any eq bootps any eq bootpc
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip any any log
!
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line vty 0 4
password ******
login
---------------------------------------------------------------------------------
------------------------------------------------------------------------------------
Jul 18 15:14:33.803: %SEC-6-IPACCESSLOGP: list 101 denied tcp 74.125.230.156(80) -> 81.***.***.***(50117), 1 packet
*Jul 18 15:14:40.903: %SEC-6-IPACCESSLOGP: list 101 denied tcp 2.16.62.176(443) -> 81.***.***.***(50146), 1 packet
*Jul 18 15:14:43.515: %SEC-6-IPACCESSLOGP: list 101 denied tcp 209.85.143.100(80) -> 81.***.***.***(50127), 1 packet
Phish>
*Jul 18 15:16:02.419: %SEC-6-IPACCESSLOGP: list 101 denied tcp 209.85.146.101(80) -> 81.***.***.***(50154), 1 packet
*Jul 18 15:16:53.435: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 4 packets
*Jul 18 15:17:42.907: %SEC-6-IPACCESSLOGP: list 101 denied tcp 119.63.196.109(47414) -> 81.***.***.***(80), 1 packet
*Jul 18 15:17:53.435: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 9 packets
*Jul 18 15:18:43.055: %SEC-6-IPACCESSLOGP: list 101 denied tcp 84.53.164.170(443) ->81.***.***.***(50344), 1 packet
*Jul 18 15:18:53.435: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 9 packets
*Jul 18 15:19:01.863: %SEC-6-IPACCESSLOGP: list 101 denied tcp 2.16.62.176(443) -> 81.***.***.***(50285), 1 packet
*Jul 18 15:19:53.435: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 6 packets
*Jul 18 15:19:53.435: %SEC-6-IPACCESSLOGP: list 101 denied tcp 74.125.230.156(80) -> 81.***.***.***(50117), 7 packets
*Jul 18 15:19:53.435: %SEC-6-IPACCESSLOGP: list 101 denied tcp 74.125.230.156(80) -> 81.***.***.***(50114), 8 packets
*Jul 18 15:19:53.435: %SEC-6-IPACCESSLOGP: list 101 denied tcp 2.16.62.176(443) ->81.***.***.***(50145), 13 packets
*Jul 18 15:19:53.435: %SEC-6-IPACCESSLOGP: list 101 denied tcp 2.16.62.176(443) -> 81.***.***.***(50144), 13 packets
*Jul 18 15:19:53.435: %SEC-6-IPACCESSLOGP: list 101 denied tcp 2.16.62.176(443) -> 81.***.***.***(50139), 13 packets
*Jul 18 15:19:53.439: %SEC-6-IPACCESSLOGP: list 101 denied tcp 2.16.62.176(443) -> 81.***.***.***(50147), 10 packets
*Jul 18 15:19:53.439: %SEC-6-IPACCESSLOGP: list 101 denied tcp 209.85.143.100(80) -> 81.***.***.***(50126), 11 packets
*Jul 18 15:19:53.439: %SEC-6-IPACCESSLOGP: list 101 denied tcp 216.34.181.60(80) -> 81.***.***.***(50130), 7 packets
*Jul 18 15:19:53.439: %SEC-6-IPACCESSLOGP: list 101 denied tcp 72.163.5.80(443) -> 81.***.***.***(50151), 9 packets
_______________________________________________________________________________________________
Thanks again for looking
07-18-2011 11:54 AM
Hi Garry,
I don't see a NAT translation for your web server. You need a static translation to achieve what you need:
ip nat inside source static tcp "webserver" "public ip" extendable
The extendable keyword lets you map to the same inside global address multiple times.
Regards,
Paul
07-18-2011 01:36 PM
Hi pdriver,
Thanks for pointing this out. As I said in the 1st post, I used >>> ip nat inside source static 192.168.1.10 tcp 80 interface fa0/0 80 <<<
It seems like it has not worked, or I forgot to wr mem the darn thing.
Is there any other advice I need whilst you are on this?
Many thanks
07-18-2011 06:04 PM
Hi Garry,
Your ACL 101 applied on your WAN is blocking web traffic from outside.
Add a permit line:
permit tcp any host w.x.y.z eq 80
w.x.y.z is your web server IP
Sent from Cisco Technical Support iPhone App
07-18-2011 08:10 PM
Hi John,
Thanks for this. I will try it in a while when I get home, as I'm working nights.
All the best.
07-19-2011 12:31 AM
Hi again,
I can't get it to work?
I have tried access-list 101 permit tcp any host 192.168.1.10 eq 80
and tried using my external address too, but nothing.
Is there something I am missing?
Thanks again.
07-19-2011 12:35 AM
Hi,
I'm just going to try yours now.
Thanks
07-19-2011 12:48 AM
Hi,
Sorry, not working.
In the field where you have "webserver", is that the internal address? And where it says "public ip", is that my WAN IP?
If so, then no go, as all I get is "invalid input" with the marker on the first dot of my public address.
Thanks for your time
07-19-2011 03:49 AM
Hi Garry,
Just a few questions:
Were you provided with a public IP address from your ISP to be used for your webserver?
Are you able to ping and telnet to port 80 on the webserver from the router?
Router#telnet 192.168.1.10 80 /source-interface f0/1
Check your webserver IP settings. Are you able to ping the router from the webserver?
Lastly, reviewing your config again, I don't see a route going out. Kindly add:
ip route 0.0.0.0 0.0.0.0 f0/0
Sent from Cisco Technical Support iPhone App
07-19-2011 11:24 PM
Hi, sorry for the delay, it's been a few long nights.
I do not have a dedicated business line, if that is what you mean, but I do have a 10Mb broadband connection that hosted my server for 3+ years until I upgraded my router to an 1841.
I can ping anywhere, internal and external; I just can't use the internet at all. Plus, using Win7, I have to use a serial connection over a remote connection, which is working fine.
And yes, ping from server to router etc. works.
I will repost my configuration, as it is not the same now with a few things you and pdriver said to try, but as there is no internet on those machines now I will have to mess about to get it over to my phone to send to you, as I don't want to have to set up the old router. I will try the 0.0.0.0 route in a minute.
Thanks again. :)
07-19-2011 11:26 PM
Plus my servers are 2008R2, not that it matters, I don't think.
07-19-2011 11:52 PM
Hi Garry,
Thanks for your feedback. Kindly add the following config and try again:
access-list 101 permit tcp any host 192.168.1.10 eq 80
ip nat inside source static tcp 192.168.1.10 80 f0/0 80
ip route 0.0.0.0 0.0.0.0 f0/0
Also post the telnet 80 output suggested above as well.
Sent from Cisco Technical Support iPhone App
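An added example (not from the thread, and not Cisco's code) that models first-match evaluation of ACL 101 from the posted startup-config and feeds it the flows from the posted %SEC-6-IPACCESSLOGP lines. It shows two things to check before retyping the fix above. First, a numbered ACL appends new lines at the end, so `access-list 101 permit tcp ... eq 80` typed on its own lands after `deny ip any any log` and never matches; the permit has to sit before that final deny (rebuild the list, or use a named ACL with sequence numbers). Second, the inbound ACL on the WAN interface is evaluated before outside-to-inside NAT, so it must name the public (inside global) address, not 192.168.1.10; since the WAN address comes from DHCP, `permit tcp any any eq 80` avoids hard-coding it. The masked 81.***.***.*** is replaced by the placeholder 81.0.0.1 and 192.168.1.10 is the server address given in the thread; both are assumptions of this example. The logged denies with source port 80/443 and a high destination port are return traffic of sessions the LAN opened, which the ACL is not meant to permit: that is the job of `ip inspect` on the same interface.

```python
"""Model of IOS first-match ACL evaluation, fed with flows from the thread's log lines.

Assumptions (not from the thread): public WAN address 81.0.0.1 stands in for the
masked 81.***.***.***; ICMP rules carry the ICMP type name in the port field.
"""
import ipaddress
import re
from typing import NamedTuple, Optional, Union

PUBLIC_IP = "81.0.0.1"      # placeholder for the masked WAN address
WEB_SERVER = "192.168.1.10"  # inside address of the web server (from the thread)


class Rule(NamedTuple):
    action: str
    proto: str                          # "ip", "tcp", "udp" or "icmp"
    src: ipaddress.IPv4Network
    sport: Optional[Union[int, str]]
    dst: ipaddress.IPv4Network
    dport: Optional[Union[int, str]]    # port, or ICMP type name for icmp rules


class Flow(NamedTuple):
    proto: str
    src: str
    sport: Optional[Union[int, str]]
    dst: str
    dport: Optional[Union[int, str]]


def rule(action, proto, src="0.0.0.0/0", sport=None, dst="0.0.0.0/0", dport=None):
    return Rule(action, proto, ipaddress.ip_network(src), sport,
                ipaddress.ip_network(dst), dport)


# ACL 101 in the order it appears in the posted config; order is what matters.
ACL_101 = [
    rule("deny", "ip", src="192.168.1.0/24"),
    rule("permit", "udp", sport=67, dport=68),          # bootps -> bootpc
    rule("permit", "icmp", dport="echo-reply"),
    rule("permit", "icmp", dport="time-exceeded"),
    rule("permit", "icmp", dport="unreachable"),
    rule("deny", "ip", src="10.0.0.0/8"),
    rule("deny", "ip", src="172.16.0.0/12"),
    rule("deny", "ip", src="192.168.0.0/16"),
    rule("deny", "ip", src="127.0.0.0/8"),
    rule("deny", "ip", src="255.255.255.255/32"),
    rule("deny", "ip"),                                 # deny ip any any log
]


def matches(r: Rule, f: Flow) -> bool:
    if r.proto != "ip" and r.proto != f.proto:
        return False
    if ipaddress.ip_address(f.src) not in r.src or ipaddress.ip_address(f.dst) not in r.dst:
        return False
    if r.sport is not None and r.sport != f.sport:
        return False
    if r.dport is not None and r.dport != f.dport:
        return False
    return True


def evaluate(acl, f: Flow):
    """First matching line wins (1-based line index); unmatched traffic hits the implicit deny."""
    for i, r in enumerate(acl, start=1):
        if matches(r, f):
            return r.action, i
    return "deny", None


LOG_RE = re.compile(r"list \d+ denied (\w+) (\d+\.\d+\.\d+\.\d+)\((\d+)\) ->\s*(\d+\.\d+\.\d+\.\d+)\((\d+)\)")


def parse_log(text: str):
    """Extract Flow records from %SEC-6-IPACCESSLOGP lines; other lines (e.g. LOGRL) are skipped."""
    return [Flow(p, s, int(sp), d, int(dp)) for p, s, sp, d, dp in LOG_RE.findall(text)]


def classify(f: Flow) -> str:
    """Inbound hit on the published service vs. return traffic of a session the LAN opened."""
    if f.proto == "tcp" and f.dport == 80:
        return "inbound-to-web-server"
    if f.proto == "tcp" and f.sport in (80, 443) and f.dport >= 1024:
        return "return-traffic-of-outbound-session"
    return "other"


# Constructed sample: log lines from the thread with the masked address replaced.
SAMPLE_LOG = f"""\
*Jul 18 15:14:33.803: %SEC-6-IPACCESSLOGP: list 101 denied tcp 74.125.230.156(80) -> {PUBLIC_IP}(50117), 1 packet
*Jul 18 15:14:40.903: %SEC-6-IPACCESSLOGP: list 101 denied tcp 2.16.62.176(443) -> {PUBLIC_IP}(50146), 1 packet
*Jul 18 15:16:53.435: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 4 packets
*Jul 18 15:17:42.907: %SEC-6-IPACCESSLOGP: list 101 denied tcp 119.63.196.109(47414) -> {PUBLIC_IP}(80), 1 packet
"""

# The inbound ACL on fa0/0 runs before outside->inside NAT, so it sees the public address.
WEB_PERMIT = rule("permit", "tcp", dst=f"{PUBLIC_IP}/32", dport=80)
WRONG_PERMIT = rule("permit", "tcp", dst=f"{WEB_SERVER}/32", dport=80)

APPENDED = ACL_101 + [WEB_PERMIT]                   # what typing the line on its own produces
FIXED = ACL_101[:-1] + [WEB_PERMIT, ACL_101[-1]]    # permit placed before the final deny

if __name__ == "__main__":
    for flow in parse_log(SAMPLE_LOG):
        print(classify(flow), flow, "appended:", evaluate(APPENDED, flow), "fixed:", evaluate(FIXED, flow))
```

Running it shows the inbound hit on port 80 still denied by line 11 of the appended list and permitted by line 11 of the reordered one, while the two return-traffic flows stay denied in both, exactly as the posted log shows; on the router those are what `ip inspect SDM_LOW out` on fa0/0 should be admitting.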
07-20-2011 11:46 PM
Hi John,
Thanks again. I have removed a line that was supposed to point to my server and I have internet back? Don't know why, but I'm online now with it.
I'm going to try this setting in a mo and will feed back to you.
Thank you again