cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
4217
Views
0
Helpful
24
Replies

Possible firewall / acl issue ?

mcbosher71
Level 1
Level 1

Can anyone help please ?

I need my web server to be accessable and i have used >>>

ip nat inside source static tcp 80 interface fa0/0 80 but the packets are still being blocked by the access-list maybe ?

%SEC-6-IPACCESSLOGP: list 101 denied tcp 119.63.196.89(34388) -> 81.***.***.***(80)

First off .. is it safe to post your security / access list on here ?

Many thanks guys

24 Replies 24

CiscoIsInYou
Level 1
Level 1

Hello Garry,

A Firewall requires 3 things to function properly-

1-Access-list to permit specific IP/ports

2-NAT translations &

3-Policy

For your scenario better if you can mention with fictitious IP addresses & if possible the traffic flow.

Hi there and thanks for your reply,

please find my sh startup-config ..

Phish#sh startup-config

Using 2656 out of 196600 bytes

!

version 12.4

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname Phish

!

boot-start-marker

boot-end-marker

!

enable secret 5 $1$mUiL$Wp/m0Ciaigy4nQA77SeI0.

enable password ******

!

no aaa new-model

ip cef

!

!

no ip dhcp use vrf connected

ip dhcp excluded-address 192.168.1.1 192.168.1.30

!

ip dhcp pool insudeDHCP

   network 192.168.1.0 255.255.255.0

   default-router 192.168.1.1

!

!

ip inspect name SDM_LOW cuseeme

ip inspect name SDM_LOW dns

ip inspect name SDM_LOW ftp

ip inspect name SDM_LOW h323

ip inspect name SDM_LOW https

ip inspect name SDM_LOW icmp

ip inspect name SDM_LOW imap

ip inspect name SDM_LOW pop3

ip inspect name SDM_LOW netshow

ip inspect name SDM_LOW rcmd

ip inspect name SDM_LOW realaudio

ip inspect name SDM_LOW rtsp

ip inspect name SDM_LOW esmtp

ip inspect name SDM_LOW sqlnet

ip inspect name SDM_LOW streamworks

ip inspect name SDM_LOW tftp

ip inspect name SDM_LOW tcp

ip inspect name SDM_LOW udp

ip inspect name SDM_LOW vdolive

!

!

!

!

!

!

!

!

interface FastEthernet0/0

description WAN$FW_OUTSIDE$

mac-address 0012.1742.1fe9

ip address dhcp

ip access-group 101 in

ip nat outside

ip inspect SDM_LOW out

ip virtual-reassembly

duplex auto

speed auto

!

interface FastEthernet0/1

description LAN$FW_INSIDE$

ip address 192.168.1.1 255.255.255.0

ip access-group 100 in

ip nat inside

ip virtual-reassembly

speed auto

full-duplex

no mop enabled

!

!

!

no ip http server

no ip http secure-server

ip nat inside source list 1 interface FastEthernet0/0 overload

!

access-list 1 permit 192.168.1.0 0.0.0.255

access-list 100 remark auto generated by SDM firewall configuration

access-list 100 remark SDM_ACL Category=1

access-list 100 deny   ip host 255.255.255.255 any

access-list 100 deny   ip 127.0.0.0 0.255.255.255 any

access-list 100 permit ip any any

access-list 101 remark auto generated by SDM firewall configuration

access-list 101 remark SDM_ACL Category=1

access-list 101 deny   ip 192.168.1.0 0.0.0.255 any

access-list 101 permit udp any eq bootps any eq bootpc

access-list 101 permit icmp any any echo-reply

access-list 101 permit icmp any any time-exceeded

access-list 101 permit icmp any any unreachable

access-list 101 deny   ip 10.0.0.0 0.255.255.255 any

access-list 101 deny   ip 172.16.0.0 0.15.255.255 any

access-list 101 deny   ip 192.168.0.0 0.0.255.255 any

access-list 101 deny   ip 127.0.0.0 0.255.255.255 any

access-list 101 deny   ip host 255.255.255.255 any

access-list 101 deny   ip any any log

!

!

!

!

control-plane

!

!

!

line con 0

line aux 0

line vty 0 4

password ******

login

---------------------------------------------------------------------------------

------------------------------------------------------------------------------------

Jul 18 15:14:33.803: %SEC-6-IPACCESSLOGP: list 101 denied tcp 74.125.230.156(80) -> 81.***.***.***(50117), 1 packet

*Jul 18 15:14:40.903: %SEC-6-IPACCESSLOGP: list 101 denied tcp 2.16.62.176(443) -> 81.***.***.***(50146), 1 packet

*Jul 18 15:14:43.515: %SEC-6-IPACCESSLOGP: list 101 denied tcp 209.85.143.100(80) -> 81.***.***.***(50127), 1 packet

Phish>

*Jul 18 15:16:02.419: %SEC-6-IPACCESSLOGP: list 101 denied tcp 209.85.146.101(80) -> 81.***.***.***(50154), 1 packet

*Jul 18 15:16:53.435: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 4 packets

*Jul 18 15:17:42.907: %SEC-6-IPACCESSLOGP: list 101 denied tcp 119.63.196.109(47414) -> 81.***.***.***(80), 1 packet

*Jul 18 15:17:53.435: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 9 packets

*Jul 18 15:18:43.055: %SEC-6-IPACCESSLOGP: list 101 denied tcp 84.53.164.170(443) ->81.***.***.***(50344), 1 packet

*Jul 18 15:18:53.435: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 9 packets

*Jul 18 15:19:01.863: %SEC-6-IPACCESSLOGP: list 101 denied tcp 2.16.62.176(443) -> 81.***.***.***(50285), 1 packet

*Jul 18 15:19:53.435: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 6 packets

*Jul 18 15:19:53.435: %SEC-6-IPACCESSLOGP: list 101 denied tcp 74.125.230.156(80) -> 81.***.***.***(50117), 7 packets

*Jul 18 15:19:53.435: %SEC-6-IPACCESSLOGP: list 101 denied tcp 74.125.230.156(80) -> 81.***.***.***(50114), 8 packets

*Jul 18 15:19:53.435: %SEC-6-IPACCESSLOGP: list 101 denied tcp 2.16.62.176(443) ->81.***.***.***(50145), 13 packets

*Jul 18 15:19:53.435: %SEC-6-IPACCESSLOGP: list 101 denied tcp 2.16.62.176(443) -> 81.***.***.***(50144), 13 packets

*Jul 18 15:19:53.435: %SEC-6-IPACCESSLOGP: list 101 denied tcp 2.16.62.176(443) -> 81.***.***.***(50139), 13 packets

*Jul 18 15:19:53.439: %SEC-6-IPACCESSLOGP: list 101 denied tcp 2.16.62.176(443) -> 81.***.***.***(50147), 10 packets

*Jul 18 15:19:53.439: %SEC-6-IPACCESSLOGP: list 101 denied tcp 209.85.143.100(80) -> 81.***.***.***(50126), 11 packets

*Jul 18 15:19:53.439: %SEC-6-IPACCESSLOGP: list 101 denied tcp 216.34.181.60(80) -> 81.***.***.***(50130), 7 packets

*Jul 18 15:19:53.439: %SEC-6-IPACCESSLOGP: list 101 denied tcp 72.163.5.80(443) -> 81.***.***.***(50151), 9 packets

_______________________________________________________________________________________________

Thanks again for looking

Hi garry,

I dont see i nat translation for your web server?  - you need a static translation  to achive your need.

ip nat inside source static tcp "webserver" "public ip" extendable

the extendable  keyword lets you map to the same inside global address mutiple times

res

Paul


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Hi pdriver,

thanks for pointing this out ... as i said in the 1st post i used >>> ip nat inside source static 192.168.1.10 tcp 80 interface fa0/0 80 <<

it seems like it has not worked or i forgot to wr mem the darn thing ...

Is there any other advice i need whilst you are on this ??

many thanks

Hi Garry,

Your ACL 101 applied on your WAN is blocking web traffic from outside.

Add a permit line:

permit tcp any host w.x.y.z eq 80

w.x.y.z is your web server IP

Sent from Cisco Technical Support iPhone App

Hi john,

Thanks for this .. i will try it in a while when i get home as im working nights.

all the best ...

Hi again,

I can't get it to work ??

I have tried access-list 101 permit Tcp any host 192.168.1.10 eq 80

And tried using my external address too but nothing.

Is there something I am missing ??

Thanx again.

Hi,

I'm just going to try yours now....

Thanx

Hi

Sorry ... Not working ?

In the field where you have webserver ... is that the internal address ? And where it says public ip is my wan ip ?

If so then no go as all I get is invalid input with the marker on the first stop of my public address ?

Thanks for your time

Hi Garry,

Just had some few questions:

Were you provided wirh a public IP address from ISP to be used for your webserver?

Are you able to ping and telnet 80 to the webserver from the router?

Router#telnet 192.168.1.10 80 /source-interface f0/1

Check your webserver IP settings. You able to ping from websever to router?

Lastly, reviewing your config again I don't see a route going out. Kindly add:

ip route 0.0.0.0 0.0.0.0 f0/0

Sent from Cisco Technical Support iPhone App

Hi, sorry for delay it's been a few long nights...

I do not have a dedicated business line if that is what

You mean but I do have 10Mb bb conection that has hosted my server for 3+ years until

Upgraded my router to 1841.

I can ping anywhere internal and external I just cant use internet at all plus usin win7 I have to use serial connection over remote connection that is Working fine.

And yes ping from server to router etc

I will repost my configuration as it is not the sme now with a few thing you and driver said to try but as there is no Internet on those machines now I will have to mess to get it over to my phone to send you as I don't want to have to

Set up the old router. I will try the 000.000.000 in a min.

Thanks again. :)

Plus my servers are 2008R2 not that it matters I don't think.

Hi Garry,

Thanks for your feedback! Kindly add the following config and try again:

access-list 101 permit tcp any host 192.168.1.10 eq 80

ip nat inside source static tcp 192.168.1.10 80 f0/0 80

ip route 0.0.0.0 0.0.0.0 f0/0

Also post the telnet 80 output suggested above as well.

Sent from Cisco Technical Support iPhone App

hi john,

thanks again .. I have removed a line that was supposed to point to my server and i have internet back ? dont know why but im online now with it ?

Im going to try this setting im a mo and will feed back to you ..

thank you again

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Innovations in Cisco Full Stack Observability - A new webinar from Cisco