ACL to Publish my internal website help - please?

twhitney (Level 1)

Hi Everyone,

 

I have scoured the web and have nearly mirrored the setup as outlined here:

https://community.cisco.com/t5/firepower/firepower-publish-internal-webserver/td-p/3672845

 

While following the guidelines for CISCO NAT rules.

 

NAT works as expected except I am hung up on the ACL Rules, and I have been now for the last week.

 

Here is what I have created:

 

I turned the default access rule to allow and then created the last rule to Block all traffic.

If I turn off the "Block all Traffic" rule, then NAT works as expected and everyone from the outside world can access my internal webserver by the IP specified.

 

What do I need to do with my ACL list to allow my "WebserverPublic" to correctly work?

[Attachments: ACLCapture.PNG, NATCapture.PNG]


Hi,
Are you expecting the traffic to hit rule #1 - InternalServer1?

Amend your rule, the source should be "any" and the destination would be "WebServerPrivate", as you always specify the real IP address in the ACL not the public IP address.

HTH

Thank you for the advice RJI,

 

I did as you suggested and edited the rule as shown.

 

The trace comes back as follows.

 

However, unless I switch the default access control to allow, this does not work.

[Attachment: EditedCapture.PNG]

Remove the source port of HTTP

I had this working until I added an IPSEC tunnel.

 

Now Outbound binding an IP address to the server works but inbound External IP to the inbound server fails.

 

Show nat has this:

show nat
Manual NAT Policies (Section 1)
1 (dmz) to (outside) source static |s2sAclSrcNwgV4|09582272-4783-11ea-9fed-71eba22fa0ae |s2sAclSrcNwgV4|09582272-4783-11ea-9fed-71eba22fa0ae  destination static |s2sAclDestNwgV4|09582272-4783-11ea-9fed-71eba22fa0ae |s2sAclDestNwgV4|09582272-4783-11ea-9fed-71eba22fa0ae no-proxy-arp route-lookup
    translate_hits = 280, untranslate_hits = 280
2 (inside) to (outside) source dynamic WebServerPrivate WebServerPublic
    translate_hits = 47, untranslate_hits = 0
3 (inside) to (outside) source dynamic any-ipv4 interface
    translate_hits = 26, untranslate_hits = 0

Auto NAT Policies (Section 2)
1 (inside) to (outside) source static WebServerPrivate WebServerPublic  service tcp www www
    translate_hits = 0, untranslate_hits = 0
2 (nlp_int_tap) to (inside) source static nlp_server_0_http_intf3 interface  service tcp https https
    translate_hits = 0, untranslate_hits = 288
3 (nlp_int_tap) to (outside) source dynamic nlp_client_0_intf2 interface
    translate_hits = 1134, untranslate_hits = 0
4 (nlp_int_tap) to (inside) source dynamic nlp_client_0_intf3 interface
    translate_hits = 0, untranslate_hits = 0
5 (nlp_int_tap) to (internal-devnet) source dynamic nlp_client_0_intf4 interface
    translate_hits = 0, untranslate_hits = 0
6 (nlp_int_tap) to (dmz) source dynamic nlp_client_0_intf5 interface
    translate_hits = 0, untranslate_hits = 0
7 (nlp_int_tap) to (diagnostic) source dynamic nlp_client_0_intf6 interface
    translate_hits = 0, untranslate_hits = 0
8 (nlp_int_tap) to (outside) source dynamic nlp_client_0_ipv6_intf2 interface ipv6
    translate_hits = 0, untranslate_hits = 0
9 (nlp_int_tap) to (inside) source dynamic nlp_client_0_ipv6_intf3 interface ipv6
    translate_hits = 0, untranslate_hits = 0
10 (nlp_int_tap) to (internal-devnet) source dynamic nlp_client_0_ipv6_intf4 interface ipv6
    translate_hits = 0, untranslate_hits = 0
11 (nlp_int_tap) to (dmz) source dynamic nlp_client_0_ipv6_intf5 interface ipv6
    translate_hits = 0, untranslate_hits = 0
12 (nlp_int_tap) to (diagnostic) source dynamic nlp_client_0_ipv6_intf6 interface ipv6
    translate_hits = 0, untranslate_hits = 0

[Attachments: cisco-failed-inbound-nat.PNG, Simple-Nat-Rules.PNG]

Remove your first NAT rule (it's not needed if you have rule #3) and move the 2nd NAT rule to Manual NAT (Section 3) - ensure your WebServer rule is above your dynamic NAT rule.

If that doesn't work, run packet-tracer from the CLI and provide the output, e.g. "packet-tracer input outside tcp 8.8.8.8 3000 <your public ip> 80"
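A way to check the ordering problem described in the reply above from the "show nat" text alone, as an added example that is not part of this thread and is not Cisco tooling: a small Python parser turns the listing into rule records in the order the firewall evaluates them (Section 1, then 2, then 3) and flags a static rule whose real or mapped object is already claimed by an earlier dynamic rule on the same interface pair, plus any static rule that has never matched in either direction. The embedded sample is the listing posted above, trimmed to the rules that matter; the audit compares object names and interface pairs only and cannot resolve what objects such as any-ipv4 or WebServerPublic actually contain, which is an assumption to keep in mind when reading its output.

```python
"""Audit an ASA/FTD 'show nat' listing for a static port-forward that an earlier
dynamic rule shadows. Example code, not Cisco tooling: it compares object names and
interface pairs only and does not resolve object contents (assumption)."""
import re
from dataclasses import dataclass

SECTION_RE = re.compile(r"^(Manual|Auto) NAT Policies \(Section (\d)\)")
RULE_RE = re.compile(
    r"^(\d+) \((\S+)\) to \((\S+)\) source (static|dynamic) (\S+) (\S+)(.*)$")
HITS_RE = re.compile(r"translate_hits = (\d+), untranslate_hits = (\d+)")


@dataclass
class NatRule:
    section: int           # 1 = manual before auto, 2 = auto, 3 = manual after auto
    index: int             # rule number within its section
    src_if: str
    dst_if: str
    kind: str              # "static" or "dynamic"
    real: str              # real (inside) object
    mapped: str            # mapped (outside) object, or "interface"
    translate_hits: int    # real -> mapped (outbound) matches
    untranslate_hits: int  # mapped -> real (inbound) matches

    def label(self):
        return f"section {self.section} rule {self.index}"


def parse_show_nat(text):
    """Turn 'show nat' output into NatRule records, ordered as the box evaluates them."""
    rules, section, pending = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := SECTION_RE.match(line):
            section = int(m.group(2))
        elif (m := RULE_RE.match(line)) and section is not None:
            pending = (section, int(m.group(1)), m.group(2), m.group(3),
                       m.group(4), m.group(5), m.group(6))
        elif (m := HITS_RE.search(line)) and pending:
            rules.append(NatRule(*pending, int(m.group(1)), int(m.group(2))))
            pending = None
    return sorted(rules, key=lambda r: (r.section, r.index))


def audit(rules):
    """Flag static rules shadowed by an earlier dynamic rule on the same interface
    pair (same real or same mapped object), and static rules with no hits at all."""
    findings = []
    for i, rule in enumerate(rules):
        if rule.kind != "static":
            continue
        for earlier in rules[:i]:
            same_pair = (earlier.src_if, earlier.dst_if) == (rule.src_if, rule.dst_if)
            overlap = earlier.real == rule.real or earlier.mapped == rule.mapped
            if earlier.kind == "dynamic" and same_pair and overlap:
                findings.append(
                    f"{rule.label()} (static {rule.real} -> {rule.mapped}) is shadowed by "
                    f"dynamic {earlier.label()} ({earlier.real} -> {earlier.mapped}); "
                    "inbound connections to the mapped address match the dynamic rule "
                    "first, so move the static rule above it or the dynamic rule to section 3")
        if rule.translate_hits == 0 and rule.untranslate_hits == 0:
            findings.append(f"{rule.label()} has never matched in either direction")
    return findings


# Listing from the thread above, trimmed to the rules that matter for the audit.
SHOW_NAT = """
Manual NAT Policies (Section 1)
1 (dmz) to (outside) source static |s2sAclSrcNwgV4|09582272-4783-11ea-9fed-71eba22fa0ae |s2sAclSrcNwgV4|09582272-4783-11ea-9fed-71eba22fa0ae  destination static |s2sAclDestNwgV4|09582272-4783-11ea-9fed-71eba22fa0ae |s2sAclDestNwgV4|09582272-4783-11ea-9fed-71eba22fa0ae no-proxy-arp route-lookup
    translate_hits = 280, untranslate_hits = 280
2 (inside) to (outside) source dynamic WebServerPrivate WebServerPublic
    translate_hits = 47, untranslate_hits = 0
3 (inside) to (outside) source dynamic any-ipv4 interface
    translate_hits = 26, untranslate_hits = 0

Auto NAT Policies (Section 2)
1 (inside) to (outside) source static WebServerPrivate WebServerPublic  service tcp www www
    translate_hits = 0, untranslate_hits = 0
2 (nlp_int_tap) to (inside) source static nlp_server_0_http_intf3 interface  service tcp https https
    translate_hits = 0, untranslate_hits = 288
3 (nlp_int_tap) to (outside) source dynamic nlp_client_0_intf2 interface
    translate_hits = 1134, untranslate_hits = 0
"""

if __name__ == "__main__":
    for finding in audit(parse_show_nat(SHOW_NAT)):
        print(finding)
```

Run against the posted listing it reports that the auto static rule (section 2 rule 1) for WebServerPrivate/WebServerPublic sits behind the manual dynamic rule (section 1 rule 2) for the same objects, and that the static rule has zero hits, which is the same diagnosis the reply gives; the untranslate_hits counter is the quickest confirmation that inbound traffic is never reaching the port-forward.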