Cannot open website from outside

Status
Not open for further replies.

marslove

IS-IT--Management
Apr 18, 2007
US
Cannot open website from outside.

access-list 122 permit tcp any eq domain any
access-list 122 permit udp any eq domain any
access-list 122 permit icmp any any
access-list 122 permit tcp any host 192.168.x.x eq
access-list 122 permit tcp any any established
access-list 122 permit udp any any range 10000 20000
access-list 122 permit udp any any eq 5060
access-list 122 permit tcp any any eq 5060
access-list 122 permit tcp any any eq 3389
access-list 122 permit tcp any any eq 7000
access-list 122 permit tcp any eq ftp any established
access-list 122 permit tcp any gt 1024 any established
access-list 122 permit tcp any any eq 22
access-list 122 deny ip any any

This line should permit www
access-list 122 permit tcp any host 192.168.x.x eq
If I remove access-group from inbound interface it works

Thanks
 
The established part says to only allow them if there has been a connection started from INSIDE already ...
You have to remove that if you are allowing incoming.


We must go always forward, not backward
always up, not down and always twirling twirling towards infinity.
 
I tried that by removing established.
Still does not work.

Thanks
 
I concur with 'imbadatthis'. After removing the 'established' keyword, what IP are you trying to reach? 192.168.x.x is non-routable on the internet. Do you have static 'nat' configured on the router for this server? If so, allow the ACL to access the public IP.

Hth
MS
 
Of course I am trying the external IP. 192.168.x.x is internal IP address of And it's NATed. Like so:

"ip nat inside source static tcp 192.168.x.x 80 interface fa0/0 80"

I said when I remove access-group from the interface it works fine, that when I apply it, it stops working.

Thanks
 
You need to remove the host address in the ACE. When you remove the ACL from outside you are permitting all traffic inbound so when someone tries to get at your web server they will not have any issues. When you apply the ACL things are restricted. The specific ACE you are referring to will permit return traffic to 192.168.x.x which is not what you want. Remove the host entry from the ACE and re-apply the ACL. You should consider upgrading your IOS to the security image so you can run CBAC/ZBF so you have a stateful firewall.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
I removed host part and it worked

Thanks
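
Added example, not part of the thread or any poster's configuration: a simplified first-match model of the posted ACL, showing that an inbound ACL on the outside interface is evaluated before the static NAT rewrites the destination, so an ACE written against the inside address is never hit. The addresses 192.168.1.10 (standing in for the masked 192.168.x.x) and 203.0.113.5 (standing in for the public address of fa0/0) are assumptions, and only a subset of the thread's ACEs is modelled.

```python
# Simplified model of inbound ACL evaluation followed by static NAT.
# Constructed addresses (assumptions, not from the thread):
INSIDE_SERVER = "192.168.1.10"   # stands in for the masked 192.168.x.x
PUBLIC_ADDR = "203.0.113.5"      # stands in for the public address of fa0/0

def ace(action, proto, dst="any", dport=None, established=False):
    return {"action": action, "proto": proto, "dst": dst,
            "dport": dport, "established": established}

def matches(entry, pkt):
    if entry["proto"] not in ("ip", pkt["proto"]):
        return False
    if entry["dst"] != "any" and entry["dst"] != pkt["dst"]:
        return False
    if entry["dport"] is not None and entry["dport"] != pkt["dport"]:
        return False
    # "established" matches only TCP segments with ACK or RST set,
    # so the first SYN of a new inbound connection never matches it.
    if entry["established"] and not (pkt["flags"] & {"ACK", "RST"}):
        return False
    return True

def inbound(acl, pkt, nat):
    """Check the ACL first (first match wins), then apply static NAT."""
    for index, entry in enumerate(acl):
        if matches(entry, pkt):
            if entry["action"] == "deny":
                return "dropped", index
            dst = nat.get((pkt["dst"], pkt["dport"]), pkt["dst"])
            return "forwarded to " + dst, index
    return "dropped", None  # implicit deny at the end of every ACL

TAIL = [ace("permit", "tcp", established=True),
        ace("permit", "tcp", dport=22),
        ace("deny", "ip")]
# ACE written against the inside address, as in the original post.
AS_POSTED = [ace("permit", "tcp", dst=INSIDE_SERVER, dport=80)] + TAIL
# Host part removed, which is what fixed it in the thread.
HOST_REMOVED = [ace("permit", "tcp", dport=80)] + TAIL
# Narrower alternative: match the public address the packet arrives with.
PUBLIC_HOST = [ace("permit", "tcp", dst=PUBLIC_ADDR, dport=80)] + TAIL

NAT = {(PUBLIC_ADDR, 80): INSIDE_SERVER}  # ip nat inside source static tcp ... 80
SYN = {"proto": "tcp", "dst": PUBLIC_ADDR, "dport": 80, "flags": {"SYN"}}

if __name__ == "__main__":
    for name, acl in [("as posted", AS_POSTED), ("host removed", HOST_REMOVED),
                      ("public host", PUBLIC_HOST)]:
        print(name, inbound(acl, SYN, NAT))
```

The returned index is the position of the ACE that decided the packet, which corresponds to the entry whose match counter would increase in `show access-lists`.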
 