• Status: Solved

web access from outside into dmz- PIX 515E

I need to set up our PIX firewall to grant access into the DMZ for web and 8080 access. Currently the server in the DMZ can access the web and users internally can access the DMZ via web. For the life of me I cannot figure out why web access isn't enabled the other way through.
Below is our current PIX Config...


PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50

access-list outside_access_in permit tcp any host eq www
access-list outside_access_in permit tcp any host eq 8080
pager lines 24
logging on
icmp permit inside
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside
ip address inside
ip address dmz
ip audit info action alarm
ip audit attack action alarm

arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0 0
nat (dmz) 1 0 0
static (dmz,outside) netmask 0 0
static (inside,dmz) netmask 25 5
access-group outside_access_in in interface outside
route outside 1
http server enable
http inside
http inside
http inside

1 Solution
Have you entered the command :-

fixup protocol http port 8080

This command essentially tells the PIX that HTTP can run on 8080, as by default the PIX will not recognise this.

billfry (Author) Commented:
Initially, I want to make sure that 80 will work coming from the outside. That is my major hurdle now. Once that is in place, then I can worry about 8080.

Did you try rebooting the PIX?

Are you absolutely sure port 80 is not blocked by your ISP or a device sitting in front of your PIX?

billfry (Author) Commented:
Yup, our ISP doesn't block anything.

Longshot - but since I am assuming this has not worked before, can you confirm with the ISP that the address is available as one of your public addresses?

billfry (Author) Commented:
It is available, I had to get a Cisco engineer to help me with this problem. Please close.

Can you maybe elaborate on the solution?
