Traffic on port 80 not coming in?

phoeneous
Level 1

We have an external address X.X.X.244 that gets NAT'd to an internal device 192.168.1.6. Traffic on port 80 is not coming in. I'm no Cisco guru, but I think there is a problem with one of the ACLs. Any help is appreciated.

description Servers
encapsulation dot1Q 11
ip address 10.10.11.1 255.255.255.0
ip nat inside
ip inspect STUFF in
ip virtual-reassembly
no snmp trap link-status
!
interface GigabitEthernet0/1
ip address X.X.X.242 255.255.255.248
ip access-group 199 in
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map STUFFMAP
!
interface Serial0/0/0:23
no ip address
isdn switch-type primary-5ess
isdn incoming-voice voice
isdn bind-l3 ccm-manager
no cdp enable
!
interface Serial0/0/1:0
description ***T1 to Sub-Office***
ip unnumbered GigabitEthernet0/0.1
ip nat inside
ip inspect STUFF in
ip virtual-reassembly
service-policy output voicepriority
!
router eigrp 100
network 1.1.0.0 0.0.255.255
network 10.10.0.0 0.0.255.255
network 192.168.0.0 0.0.255.255
auto-summary
!
access-list 100 deny ip 192.168.1.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 100 deny ip 192.168.2.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 100 deny ip 10.10.10.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 100 deny ip 10.10.20.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 100 deny ip 10.10.11.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 100 permit ip 192.168.2.0 0.0.0.255 any
access-list 100 permit ip 10.10.11.0 0.0.0.255 any
access-list 100 permit ip 10.10.10.0 0.0.0.255 any
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 101 permit ip 10.10.10.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 101 permit ip 10.10.20.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 101 permit ip 10.10.11.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 150 deny ip host 192.168.1.9 192.168.1.0 0.0.0.255
access-list 150 deny ip host 192.168.1.9 192.168.2.0 0.0.0.255
access-list 150 deny ip host 192.168.1.9 192.168.50.0 0.0.0.255
access-list 150 permit ip host 192.168.1.9 any
access-list 160 permit ip host 192.168.1.9 192.168.50.0 0.0.0.255
access-list 170 permit tcp host 192.168.1.6 any eq smtp
access-list 170 permit udp host 192.168.1.6 any eq domain
access-list 170 permit tcp host 192.168.1.6 any eq domain
access-list 170 permit tcp host 192.168.1.6 any eq 443
access-list 170 permit tcp host 192.168.1.6 any eq www
access-list 170 permit udp host 192.168.1.6 any eq ntp
access-list 170 deny ip host 192.168.1.6 any
access-list 170 permit ip any any
access-list 199 permit tcp any host X.X.X.243 eq smtp
access-list 199 permit esp any any
access-list 199 permit udp any any eq isakmp
access-list 199 permit udp any any eq non500-isakmp
access-list 199 permit tcp any host X.X.X.243 eq pop3
access-list 199 permit tcp any host X.X.X.243 eq www
access-list 199 permit tcp any host X.X.X.243 eq 443
access-list 199 permit tcp any host X.X.X.242 eq telnet
access-list 199 permit tcp any host X.X.X.244 eq 22
access-list 199 permit tcp any host X.X.X.244 eq www
access-list 199 permit tcp any host X.X.X.244 eq 443
access-list 199 permit icmp any X.X.X.240 0.0.0.7 echo-reply
access-list 199 permit icmp any X.X.X.240 0.0.0.7 traceroute
access-list 199 permit icmp any X.X.X.240 0.0.0.7 time-exceeded
access-list 199 permit icmp any X.X.X.240 0.0.0.7 unreachable
access-list 199 permit tcp any any eq 10000
access-list 199 permit ip 192.168.50.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 199 permit ip 192.168.50.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 199 permit ip 192.168.50.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 199 permit ip 192.168.50.0 0.0.0.255 10.10.20.0 0.0.0.255
access-list 199 permit ip 192.168.50.0 0.0.0.255 10.10.11.0 0.0.0.255


dgahm
Level 8

The first thing to do is add this line to your access list. You will then be able to see what packets are being dropped.

access-list 199 deny ip any any log

The most common mistake is reversing the source and destination ports. If the .244 is the server side your access list is correct for an inbound access list:

access-list 199 permit tcp any host X.X.X.244 eq www

If .244 is the client side you need this:

access-list 199 permit tcp any eq www host X.X.X.244

Please rate helpful posts
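The two points in the reply above (an explicit `deny ip any any log` at the end so drops become visible, and the difference between `eq www` placed after the destination versus after the source) can be checked offline before touching the router. The following is an added example, not part of the thread and not Cisco's code: a small first-match evaluator for IOS numbered extended ACL lines. It assumes the subset of syntax used in the poster's ACL 199 (`any`, `host`, wildcard masks, `eq PORT`, ICMP type keywords, `log`) and stands in the TEST-NET-3 block 203.0.113.0/24 for the page's masked X.X.X.24x addresses. One caveat worth knowing: on IOS an inbound ACL on the outside interface is evaluated before outside-to-inside NAT translation, so the entry must reference the public .244 address, as the poster's does, not the inside 192.168.1.6 address.

```python
"""First-match evaluation of IOS numbered extended ACL lines.

Added example; not the poster's configuration and not Cisco code.
203.0.113.x addresses are constructed stand-ins for the page's X.X.X.24x.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Port keywords as IOS prints them (the subset that appears in ACL 199 above).
PORT_NAMES = {"www": 80, "smtp": 25, "domain": 53, "pop3": 110, "telnet": 23,
              "ntp": 123, "isakmp": 500, "non500-isakmp": 4500}


@dataclass
class Packet:
    proto: str                  # "tcp", "udp", "icmp", "esp", ...
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]
    icmp_type: Optional[str] = None


@dataclass
class Ace:
    action: str                 # "permit" or "deny"
    proto: str
    src: ipaddress.IPv4Network
    sport: Optional[int]        # None = any source port
    dst: ipaddress.IPv4Network
    dport: Optional[int]        # None = any destination port
    icmp_type: Optional[str]
    log: bool
    text: str


def _port(tok: str) -> int:
    return PORT_NAMES.get(tok) or int(tok)


def _addr(toks: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Consume 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD' at toks[i]."""
    if toks[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if toks[i] == "host":
        return ipaddress.ip_network(toks[i + 1] + "/32"), i + 2
    # ipaddress accepts an IOS-style wildcard (hostmask) as the tuple's second element.
    return ipaddress.ip_network((toks[i], toks[i + 1]), strict=False), i + 2


def parse_ace(line: str) -> Ace:
    toks = line.split()
    if toks[0] != "access-list":
        raise ValueError(f"not an access-list line: {line!r}")
    action, proto = toks[2], toks[3]
    src, i = _addr(toks, 4)
    sport = dport = None
    if i < len(toks) and toks[i] == "eq":      # 'eq PORT' right after the SOURCE
        sport, i = _port(toks[i + 1]), i + 2
    dst, i = _addr(toks, i)
    if i < len(toks) and toks[i] == "eq":      # 'eq PORT' right after the DESTINATION
        dport, i = _port(toks[i + 1]), i + 2
    rest = toks[i:]
    icmp_type = next((t for t in rest if t != "log"), None) if proto == "icmp" else None
    return Ace(action, proto, src, sport, dst, dport, icmp_type, "log" in rest, line)


def parse_acl(text: str) -> List[Ace]:
    return [parse_ace(ln.strip()) for ln in text.splitlines() if ln.strip()]


def matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if ipaddress.ip_address(pkt.src) not in ace.src:
        return False
    if ipaddress.ip_address(pkt.dst) not in ace.dst:
        return False
    if ace.sport is not None and ace.sport != pkt.sport:
        return False
    if ace.dport is not None and ace.dport != pkt.dport:
        return False
    if ace.icmp_type is not None and ace.icmp_type != pkt.icmp_type:
        return False
    return True


def evaluate(aces: List[Ace], pkt: Packet) -> Tuple[str, str]:
    """Return (action, matching line); unmatched traffic hits the implicit deny."""
    for ace in aces:
        if matches(ace, pkt):
            return ace.action, ace.text
    return "deny", "implicit deny (nothing logged without an explicit 'deny ip any any log')"


# Constructed excerpt of the poster's ACL 199 with the reply's logging line appended.
ACL_199 = """
access-list 199 permit tcp any host 203.0.113.243 eq smtp
access-list 199 permit esp any any
access-list 199 permit udp any any eq isakmp
access-list 199 permit tcp any host 203.0.113.244 eq 22
access-list 199 permit tcp any host 203.0.113.244 eq www
access-list 199 permit tcp any host 203.0.113.244 eq 443
access-list 199 permit icmp any 203.0.113.240 0.0.0.7 echo-reply
access-list 199 deny ip any any log
"""
# The "client side" form from the reply: 'eq www' now qualifies the SOURCE port.
CLIENT_SIDE_RULE = "access-list 199 permit tcp any eq www host 203.0.113.244"

# Constructed inbound HTTP request from an Internet client (ephemeral source port).
HTTP_REQUEST = Packet("tcp", "198.51.100.7", 51234, "203.0.113.244", 80)


def demo() -> dict:
    server_side = parse_acl(ACL_199)
    client_side = [parse_ace(CLIENT_SIDE_RULE)]
    return {
        "request_vs_server_side": evaluate(server_side, HTTP_REQUEST),
        "request_vs_client_side": evaluate(client_side, HTTP_REQUEST),
        "ping_reply_to_router": evaluate(server_side,
                                         Packet("icmp", "198.51.100.7", None,
                                                "203.0.113.242", None, "echo-reply")),
        "unlisted_port": evaluate(server_side,
                                  Packet("tcp", "198.51.100.7", 40000, "203.0.113.244", 8080)),
    }


if __name__ == "__main__":
    for name, (action, rule) in demo().items():
        print(f"{name:26s} {action:6s} <- {rule}")
```

Run it and the request to .244:80 is permitted by the `eq www` line written after the destination, while the same packet evaluated against the "client side" form falls through to the implicit deny, because that form only matches packets whose source port is 80. The last case shows why the reply recommends the explicit `deny ip any any log`: without it a dropped packet leaves no trace in the log at all.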
