09-28-2006 03:39 PM - edited 03-03-2019 02:10 PM
We have an external address X.X.X.244 that gets NAT'd to an internal device 192.168.1.6. Traffic on port 80 is not coming in. I'm no Cisco guru, but I think there is a problem with one of the ACLs. Any help is appreciated.
description Servers
encapsulation dot1Q 11
ip address 10.10.11.1 255.255.255.0
ip nat inside
ip inspect STUFF in
ip virtual-reassembly
no snmp trap link-status
!
interface GigabitEthernet0/1
ip address X.X.X.242 255.255.255.248
ip access-group 199 in
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map STUFFMAP
!
interface Serial0/0/0:23
no ip address
isdn switch-type primary-5ess
isdn incoming-voice voice
isdn bind-l3 ccm-manager
no cdp enable
!
interface Serial0/0/1:0
description ***T1 to Sub-Office***
ip unnumbered GigabitEthernet0/0.1
ip nat inside
ip inspect STUFF in
ip virtual-reassembly
service-policy output voicepriority
!
router eigrp 100
network 1.1.0.0 0.0.255.255
network 10.10.0.0 0.0.255.255
network 192.168.0.0 0.0.255.255
auto-summary
!
access-list 100 deny ip 192.168.1.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 100 deny ip 192.168.2.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 100 deny ip 10.10.10.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 100 deny ip 10.10.20.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 100 deny ip 10.10.11.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 100 permit ip 192.168.2.0 0.0.0.255 any
access-list 100 permit ip 10.10.11.0 0.0.0.255 any
access-list 100 permit ip 10.10.10.0 0.0.0.255 any
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 101 permit ip 10.10.10.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 101 permit ip 10.10.20.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 101 permit ip 10.10.11.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 150 deny ip host 192.168.1.9 192.168.1.0 0.0.0.255
access-list 150 deny ip host 192.168.1.9 192.168.2.0 0.0.0.255
access-list 150 deny ip host 192.168.1.9 192.168.50.0 0.0.0.255
access-list 150 permit ip host 192.168.1.9 any
access-list 160 permit ip host 192.168.1.9 192.168.50.0 0.0.0.255
access-list 170 permit tcp host 192.168.1.6 any eq smtp
access-list 170 permit udp host 192.168.1.6 any eq domain
access-list 170 permit tcp host 192.168.1.6 any eq domain
access-list 170 permit tcp host 192.168.1.6 any eq 443
access-list 170 permit tcp host 192.168.1.6 any eq www
access-list 170 permit udp host 192.168.1.6 any eq ntp
access-list 170 deny ip host 192.168.1.6 any
access-list 170 permit ip any any
access-list 199 permit tcp any host X.X.X.243 eq smtp
access-list 199 permit esp any any
access-list 199 permit udp any any eq isakmp
access-list 199 permit udp any any eq non500-isakmp
access-list 199 permit tcp any host X.X.X.243 eq pop3
access-list 199 permit tcp any host X.X.X.243 eq www
access-list 199 permit tcp any host X.X.X.243 eq 443
access-list 199 permit tcp any host X.X.X.242 eq telnet
access-list 199 permit tcp any host X.X.X.244 eq 22
access-list 199 permit tcp any host X.X.X.244 eq www
access-list 199 permit tcp any host X.X.X.244 eq 443
access-list 199 permit icmp any X.X.X.240 0.0.0.7 echo-reply
access-list 199 permit icmp any X.X.X.240 0.0.0.7 traceroute
access-list 199 permit icmp any X.X.X.240 0.0.0.7 time-exceeded
access-list 199 permit icmp any X.X.X.240 0.0.0.7 unreachable
access-list 199 permit tcp any any eq 10000
access-list 199 permit ip 192.168.50.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 199 permit ip 192.168.50.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 199 permit ip 192.168.50.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 199 permit ip 192.168.50.0 0.0.0.255 10.10.20.0 0.0.0.255
access-list 199 permit ip 192.168.50.0 0.0.0.255 10.10.11.0 0.0.0.255
09-28-2006 04:14 PM
The first thing to do is add this line to your access list. You will then be able to see what packets are being dropped.
access-list 199 deny ip any any log
The most common mistake is reversing the source and destination ports. If the .244 is the server side, your access list is correct for an inbound access list:
access-list 199 permit tcp any host X.X.X.244 eq www
If .244 is the client side you need this:
access-list 199 permit tcp any eq www host X.X.X.244
Please rate helpful posts
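As an added example (mine, not from this thread or from IOS), here is a small Python evaluator for the extended-ACL syntax used in access-list 199 that reports which entry an inbound packet hits, so the two forms of the www entry above can be compared. It assumes 203.0.113.240/29 as a stand-in for the X.X.X.240/29 block and covers only the keyword forms that appear above (ip/tcp/udp/icmp, any, host, wildcard masks, eq, log).

```python
import ipaddress
# Service names used in the thread's ACL, mapped to port numbers.
PORT_NAMES = {"www": 80, "smtp": 25, "pop3": 110, "telnet": 23, "domain": 53, "ntp": 123}

def _addr(t, i):
    """Consume 'any' | 'host A' | 'A WILDCARD' at t[i]; return (network, next index)."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    mask = ipaddress.ip_address(0xFFFFFFFF ^ int(ipaddress.ip_address(t[i + 1])))  # wildcard -> netmask
    return ipaddress.ip_network(f"{t[i]}/{mask}", strict=False), i + 2

def _eq_port(t, i):
    # Optional 'eq <port>' after an address spec; None means any port.
    if i < len(t) and t[i] == "eq":
        return PORT_NAMES.get(t[i + 1]) or int(t[i + 1]), i + 2
    return None, i

def parse_ace(line):
    """Parse 'access-list N <action> <proto> src [eq p] dst [eq p] [icmp-type] [log]'."""
    t = line.split()
    src, i = _addr(t, 4)
    sport, i = _eq_port(t, i)
    dst, i = _addr(t, i)
    dport, i = _eq_port(t, i)
    return {"action": t[2], "proto": t[3], "src": src, "sport": sport,
            "dst": dst, "dport": dport, "log": "log" in t[i:], "text": line}

def matches(ace, pkt):
    return (ace["proto"] in ("ip", pkt["proto"])
            and ipaddress.ip_address(pkt["src"]) in ace["src"] and ace["sport"] in (None, pkt["sport"])
            and ipaddress.ip_address(pkt["dst"]) in ace["dst"] and ace["dport"] in (None, pkt["dport"]))

def evaluate(acl_text, pkt):
    """First matching entry wins, then the implicit deny, as on IOS. Returns (action, entry)."""
    for ace in (parse_ace(l) for l in acl_text.splitlines() if l.strip()):
        if matches(ace, pkt):
            return ace["action"], ace["text"]
    return "deny", "(implicit deny)"

# Constructed subset of access-list 199; 203.0.113.240/29 stands in for X.X.X.240/29.
ACL_OK = """
access-list 199 permit tcp any host 203.0.113.243 eq smtp
access-list 199 permit tcp any host 203.0.113.244 eq www
access-list 199 permit icmp any 203.0.113.240 0.0.0.7 echo-reply
access-list 199 deny ip any any log
"""
# Same list with the ports reversed on the www entry, the mistake described above.
ACL_REVERSED = ACL_OK.replace("host 203.0.113.244 eq www", "eq www host 203.0.113.244")
# Constructed inbound client SYN to the web server: ephemeral source port, destination port 80.
CLIENT_SYN = {"proto": "tcp", "src": "198.51.100.7", "sport": 51234, "dst": "203.0.113.244", "dport": 80}
```

With the correct entry the client SYN to .244:80 is permitted; with the ports reversed it falls through to the logged deny, which is exactly what the `deny ip any any log` line would surface.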