
Problem with Web Browser and ACL

OwlKun
Community Member

Hello guys, I just made this simple topology with 3 routers, 3 switches, 3 PCs on 1 switch, 3 on another, and the last switch with a web server (internet) and a DNS server. I also activated RIP between all the routers and an ACL permit on the router connected to the internet, and an ACL on router 0 to block ping from the PCs on router 0 to the PCs on router 1 but not vice versa. Up to here all works good, and the ping to the web server works too, but when I try to access the web page from the internet it doesn't work at all, both with the IP and the DNS name. DNS and HTTP/HTTPS services are both activated, and the ACL doesn't block port 80 either. I don't know where the mistake is. Some help would be very useful; I link the .pkt file.

Accepted Solutions

Alright man, just wrapped up another long meeting and decided to spend a quick 3 minutes building this lab from scratch.

So, let me walk you through everything I've built here. This topology is now fully operational and meets all ur original requirements. I started completely from scratch, redesigned the IP scheme, implemented proper routing, and configured services exactly how you needed them. Here's the full breakdown of what we accomplished. And I used EIGRP instead of RIP (WHY? because, let it die, my friend. please just let it die Hahaha funny)

1. Network Design and Device Setup

I constructed a three-router topology with each router connecting to a dedicated switch. Router1 (R1) and Router2 (R2) each have two PCs attached to their respective switches, while Router3 (R3) hosts two servers, one acting as a public-facing "Internet" server and the other as a backup/DNS server.

All inter-router connections use GigabitEthernet (no slow Serial links here), and the LANs are set up with FastEthernet for end devices. This keeps things modern and efficient.

IP Addressing and Routing Architecture

For Router1 (R1):

  • LAN interface: 192.168.10.1/24 serving PCs at 192.168.10.10 and 192.168.10.20
  • Router links: 10.1.12.1/24 to R2 and 10.1.13.1/24 to R3

For Router2 (R2):

  • LAN interface: 192.168.20.1/24 serving PCs at 192.168.20.10 and 192.168.20.20
  • Router links: 10.1.12.2/24 to R1 and 10.1.23.2/24 to R3

For Router3 (R3):

  • Server LAN: 200.200.200.1/24
  • Servers: 200.200.200.2 (Web/DNS) and 200.200.200.3 (Backup)

I made the strategic decision to deploy EIGRP (AS 100) as our routing protocol rather than RIP.

As for the Public server configuration: 

The primary server at 200.200.200.2 has been configured to function as a true public resource, mimicking a real-world Internet server:

  • Assigned a dedicated public IP address (200.200.200.2) without any NAT translation
  • Full HTTP web service enabled and accessible via http://200.200.200.2
  • DNS service properly configured to resolve "ciscolab" to 200.200.200.2

So by all this, it means that:

  • Any device on the network can reliably ping, browse, and resolve the server
  • No NAT-related bottlenecks or complications
  • True end-to-end connectivity that matches real Internet behavior

 

As for ACL implementation, I've implemented precise access controls to meet your specific requirements:

So the ACL on R1 enforces ur one-way ping policy by actively blocking ICMP echo requests from R1's LAN (192.168.10.0/24) to R2's LAN (192.168.20.0/24), and by permitting all ping traffic in the reverse direction (R2 to R1).

And for sure I intentionally didn't apply an ACL on Router3 because the 200.200.200.2 server is meant to simulate a public Internet resource, which should remain openly accessible. Security is already handled by Router1's ACL, enforcing the required ping restriction. Adding filters on Router3 would add unnecessary complexity and go against the server's intended purpose.

Also I'd suggest using GNS3 or EVE-NG, my G, cause Packet Tracer has a lot of limitations. I even had to download it again just for you... it's been a long, long time since I last used it.... And if u wanna go deeper with this lab go ahead, I'm done for today LOOL.

Check the topology..... and hope it helps.

 

-Enes

 

 

more Cisco?!
more Gym?!

Enes Simnica
Level 1

I understand the issue u're facing man. Based on ur description, it seems like the problem could be due to missing static NAT or port forwarding rules. Let me quickly wrap up a meeting I'm in, and I'll test this in the lab right afterward to help troubleshoot further.


Enes Simnica
Level 1

Hello man. I finally got ur lab working after untangling a web of misconfigurations! Let me break down what was broken and how I fixed everything. This was one of those "nothing works but the errors don't explain why" scenarios LOOL, we've all been there!

The core issues:

The main problems stemmed from fundamental configuration gaps:

  • Default gateways were set to network addresses (like 10.10.10.0) instead of router interfaces
  • Servers were completely isolated with no gateways
  • The 60.60.60.0 "Internet" network didn't actually exist in the topology
  • NAT was pointing to phantom addresses
  • DHCP was enabled but not configured anywhere

The Fixes That Made It Work:

  1. Correct Addressing:

  • Set proper gateways everywhere (PCs now point to their local router interfaces)
  • Gave the web/DNS server (30.30.30.2) a gateway so it could actually communicate

  2. NAT Overhaul:

Replaced the imaginary 60.60.60.0 NAT with real mappings to Router 2's serial interface:

ip nat inside source static tcp 30.30.30.2 80 50.50.50.2 80
ip nat inside source static udp 30.30.30.2 53 50.50.50.2 53

  3. Routing Repairs:

ip route 20.0.0.0 255.0.0.0 50.50.50.1

Current Connectivity Status: From Network 20 (Router 1):

  • Can successfully access the Internet server
  • All devices are reachable
  • Web/DNS services work via both IP (50.50.50.2) and hostname (labserver.com)

But from network 10 (router 0): still isolated per the original design requirement...

ACL Fixes

  • The old ACL was blocking essential traffic like ICMP and HTTP... I added new rules there:

access-list 100 permit tcp any host 50.50.50.2 eq www
access-list 100 permit udp any host 50.50.50.2 eq domain

Also try http://50.50.50.2 (web browser) from PC2 on the 20 network (router 1); u will see the result: Welcome to the lab G!

So for the end: after implementing all the necessary fixes, the topology now functions exactly as intended. Devices in Network 20 behind Router 1 can successfully access the Internet server, with full connectivity to all other permitted devices. The web services are completely operational, responding correctly to both IP address requests (50.50.50.2) and hostname resolution (labserver.com). As designed, Network 10 behind Router 0 remains properly isolated from the other networks, maintaining the original security boundary. Every device in the topology now has correct IP configurations with proper default gateways, subnet masks, and routing information.

If any part of these configurations needs further explanation, I'd be happy to walk through the specific settings or troubleshooting steps in more detail. But overall, that is a good lab man!!

Keep going! and hope it helps G!

(check the LAB.zip)

-Enes


Hello man, thank you for the answers. I'm taking a look at your file and noticed one thing: what I wanted was that the web server was like the internet, so that everyone could reach it, but it looks like it got NAT, so it's not like a proper internet anymore but it's still inside the network. Also now the ACL doesn't allow me to ping from the PC connected to router 1 to the one on router 0, while before I wanted them to ping but not vice versa. My main goal in this topology is to make my server reachable by everyone on the topology like a proper internet server; that's where I'm getting so confused.

Thanks for clarifying man! I misunderstood ur original goal. All u have to do is first make the web server act as true internet; currently the server is NAT'ted behind Router 2 (50.50.50.2). To make it behave like real internet, u need to remove NAT entirely, after that place the server outside all private networks (logical DMZ) and assign it a unique IP address. The config should look something like this:

no ip nat inside source static tcp 30.30.30.2 80 50.50.50.2 80
int f0/1
ip add 200.200.200.1 255.255.255.0
no shut
After that add this:
ip route 200.200.200.0 255.255.255.0 f0/1

---

So change the web server IP addresses if u want..

 

2. Fix the ACL for ICMP (ping):

access-list 100 permit icmp 20.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255 echo-reply
access-list 100 deny icmp 10.0.0.0 0.255.255.255 20.0.0.0 0.255.255.255 echo
access-list 100 permit ip any any

----

So now we have the web server (200.200.200.2) reachable by all networks, which is like a real internet lol, and no NAT involved..

About the security part: the server is now logically outside ur private network, and u have clear separation between internal/external.

 

And regarding the solution I shared earlier, that is a really good approach, nothing wrong with that. But all u have to do now is to modify the network like u wanna have it; at the end of the day it is ur network topology LOL, u the boss!

Hope it helps, and ping me if something goes wrong..

 

-Enes

 

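The one-way ping policy in ACL 100 above, and the equivalent R1 rule in the accepted solution, rely on two things: first-match evaluation with an implicit deny at the end, and ICMP echo and echo-reply being distinct types. The following Python model is an added example, not code from the thread or from Cisco; it parses the thread's own ACL 100 lines (wildcard-mask and `any`/`host` forms only) and evaluates constructed packets to confirm that network 20 can ping network 10 while the reverse echo is dropped.

```python
import ipaddress

def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard mask: a 0 bit must match exactly, a 1 bit is 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) & 0xFFFFFFFF == (n & ~w) & 0xFFFFFFFF

def parse_ace(line: str) -> dict:
    """Parse 'access-list N {permit|deny} PROTO SRC DST [icmp-type]' where SRC/DST is
    'NET WILDCARD', 'host ADDR' or 'any'. Port operators (eq www) are not modelled."""
    tok = line.split()
    action, proto, i = tok[2], tok[3], 4
    def addr():
        nonlocal i
        if tok[i] == "any":
            i += 1
            return ("0.0.0.0", "255.255.255.255")
        if tok[i] == "host":
            i += 2
            return (tok[i - 1], "0.0.0.0")
        i += 2
        return (tok[i - 2], tok[i - 1])
    src, dst = addr(), addr()
    icmp_type = tok[i] if i < len(tok) else None
    return {"action": action, "proto": proto, "src": src, "dst": dst, "type": icmp_type}

def evaluate(acl_lines, src: str, dst: str, proto: str, icmp_type=None) -> str:
    """First matching entry wins; anything unmatched hits the implicit deny."""
    for ace in map(parse_ace, acl_lines):
        if ace["proto"] not in ("ip", proto):
            continue
        if not (wildcard_match(src, *ace["src"]) and wildcard_match(dst, *ace["dst"])):
            continue
        if ace["type"] is not None and ace["type"] != icmp_type:
            continue
        return ace["action"]
    return "deny"

# The ACL posted in the thread (stray slashes removed).
ACL_100 = [
    "access-list 100 permit icmp 20.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255 echo-reply",
    "access-list 100 deny icmp 10.0.0.0 0.255.255.255 20.0.0.0 0.255.255.255 echo",
    "access-list 100 permit ip any any",
]

def one_way_ping_ok(acl=ACL_100) -> bool:
    """True when network 20 can ping network 10 (echo out, reply back) but 10 cannot ping 20.
    Host addresses are constructed sample values."""
    fwd = (evaluate(acl, "20.0.0.2", "10.0.0.2", "icmp", "echo") == "permit"
           and evaluate(acl, "10.0.0.2", "20.0.0.2", "icmp", "echo-reply") == "permit")
    rev = evaluate(acl, "10.0.0.2", "20.0.0.2", "icmp", "echo") == "permit"
    return fwd and not rev
```

Run the check against a variant without the deny line to see why the reply-only permit is not enough on its own: the reverse echo then falls through to `permit ip any any`.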

I probably don't understand, but I tried to make the changes like you told me and still it doesn't work, both the ping and the internet thing. I really don't know what I'm doing wrong, to be honest. I relink the project again with the changed IP and ACL so you can see where I made the mistake and finally find a solution...

Alright man, I made some more changes: I added a new server and set it up from 0 instead of using the other one, I used a public address and all, and also set up the DNS, and it works now. All PCs can now connect straight to the internet, no NAT in between, only the NAT that translates the private addresses of the PCs into a public address. The ACL ping is back working and also the ACL to block the server from pinging the PCs. I link the final version now to see if it's all right for you too.
