
HTTP Access to DMZ server

Status
Not open for further replies.

rasoft

MIS
Jul 1, 2005
6
GB
Hi,

I have added a web server to DMZ interface 172.100.3.1. Web server address is 172.100.3.2.

I have added static nat from 172.100.3.2 to external ip, lets say 99.99.99.99

I have created an access list giving outside (any) to DMZ http access to the host.

access-list outside_access_in; 1 elements
access-list outside_access_in line 1 permit tcp any eq OWA eq
When I try to connect I get denied by "access-group outside_access_in".

I have this bound to outside interface

"access-group outside_access_in in interface outside"

When I allow IP any on the access list it works.

Where am I going wrong?

Default gateway of the web server is set to DMZ interface - is this correct?

(Note I have set up NAT from internal-DMZ and this works fine).
 
NOTE:

If I change the source port on the access-list rule to any and destination http it works.

Would that create a security problem?
 
NOTE - called Cisco TAC.

Documentation on p14 of Quick Start Guide is incorrect.

You need to allow any source to http destination.

The documentation shows it the other way around, which will never work because the source port is always random.
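To make the source-port versus destination-port point concrete, here is an added example (not from the thread or from Cisco) that models the PIX access-list evaluation in a few lines of Python: first match wins, implicit deny at the end. It compares the three rule shapes the thread mentions (source port eq http, destination port eq http, and ip any) against a batch of constructed client connections that use random ephemeral source ports, and then checks what else each rule would let through to the web server. The addresses 99.99.99.99, 203.0.113.5 and 198.51.100.9, the rule/flow classes and the probe port list are all constructed for illustration.

```python
"""Added example, not part of the Tek-Tips thread: a minimal model of
PIX access-list matching that shows why a rule keyed on the *source*
port never permits a normal HTTP client, while a rule keyed on the
*destination* port does, and how "permit ip any" over-permits."""
import random
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Flow:
    proto: str      # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class Rule:
    action: str               # "permit" or "deny"
    proto: str                # "tcp", "udp", or "ip" (matches any protocol)
    src_port: Optional[int]   # None means "any"
    dst_port: Optional[int]   # None means "any"


def rule_matches(rule: Rule, flow: Flow) -> bool:
    """A rule matches only if protocol and every specified port agree."""
    if rule.proto != "ip" and rule.proto != flow.proto:
        return False
    if rule.src_port is not None and rule.src_port != flow.src_port:
        return False
    if rule.dst_port is not None and rule.dst_port != flow.dst_port:
        return False
    return True


def evaluate(acl: List[Rule], flow: Flow) -> str:
    """First-match semantics with an implicit deny at the end, as on a PIX."""
    for rule in acl:
        if rule_matches(rule, flow):
            return rule.action
    return "deny"


WEB_SERVER = "99.99.99.99"   # the translated (outside) address from the thread
HTTP = 80

# The three rule shapes discussed in the thread (constructed, first-match lists):
ACL_SRC_PORT = [Rule("permit", "tcp", src_port=HTTP, dst_port=None)]   # as the guide showed
ACL_DST_PORT = [Rule("permit", "tcp", src_port=None, dst_port=HTTP)]   # as TAC advised
ACL_IP_ANY = [Rule("permit", "ip", src_port=None, dst_port=None)]      # "allow IP any"


def client_flows(n: int = 200, seed: int = 1) -> List[Flow]:
    """Constructed sample: browsers pick a random ephemeral source port
    (1024-65535 here) and always target destination port 80."""
    rng = random.Random(seed)
    return [Flow("tcp", "203.0.113.5", rng.randint(1024, 65535), WEB_SERVER, HTTP)
            for _ in range(n)]


def permitted_fraction(acl: List[Rule], flows: List[Flow]) -> float:
    """Share of the sample connections the ACL would permit."""
    return sum(evaluate(acl, f) == "permit" for f in flows) / len(flows)


def exposure(acl: List[Rule]) -> List[int]:
    """Non-HTTP destination ports on the web server the ACL also admits.
    The probe list is a constructed set of commonly restricted ports."""
    probe_ports = [22, 23, 135, 445, 3389]
    return [p for p in probe_ports
            if evaluate(acl, Flow("tcp", "198.51.100.9", 40000, WEB_SERVER, p)) == "permit"]


if __name__ == "__main__":
    sample = client_flows()
    for name, acl in (("source port eq 80", ACL_SRC_PORT),
                      ("destination port eq 80", ACL_DST_PORT),
                      ("permit ip any", ACL_IP_ANY)):
        print(f"{name:24s} permits {permitted_fraction(acl, sample):.0%} of HTTP clients, "
              f"also exposes ports {exposure(acl)}")
```

The run makes the thread's conclusion visible: the source-port rule permits none of the sample clients because an ephemeral source port is never 80, the destination-port rule permits all of them and nothing else on the probe list, and "permit ip any" also works for HTTP but additionally admits every probed port. That comparison is the answer to the "would that create a security problem" question: restricting on the destination port is the intended shape of the rule, and it is the blanket ip permit that should be avoided.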
 