• Status: Solved

Web access from outside into DMZ - PIX 515E

I need to set up our PIX firewall to grant access into the DMZ for web and 8080 access. Currently the server in the DMZ can access the web and users internally can access the DMZ via web. For the life of me I cannot figure out why web access isn't enabled the other way through.
Below is our current PIX Config...

Thanks,

PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50


access-list outside_access_in permit tcp any host 209.209.209.236 eq www
access-list outside_access_in permit tcp any host 209.209.209.236 eq 8080
pager lines 24
logging on
icmp permit 10.101.1.0 255.255.255.0 inside
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside 209.209.209.238 255.255.255.248
ip address inside 10.101.1.254 255.255.255.0
ip address dmz 10.101.10.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm

arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 1 0.0.0.0 0.0.0.0 0 0
static (dmz,outside) 209.209.209.236 10.101.10.1 netmask 255.255.255.255 0 0
static (inside,dmz) 10.101.1.0 10.101.1.0 netmask 255.255.255.0 25 5
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 209.209.209.233 1
http server enable
http 10.101.1.245 255.255.255.255 inside
http 10.101.1.0 255.255.255.255 inside
http 10.101.1.120 255.255.255.255 inside

Asked by: billfry

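An added example, not part of the original thread: a Python check of the three things PIX 6.3 needs before an outside host can reach a statically translated DMZ server, namely a `static` mapping, an ACL entry permitting the port to the translated (public) address, and an `access-group` binding that ACL inbound on the outside interface. The helper names `first` and `audit_inbound` are this example's own; the embedded lines are copied from the configuration posted above.

```python
import ipaddress
import re

# Lines copied from the configuration in the post above (only those this check reads).
PIX_CONFIG = """\
access-list outside_access_in permit tcp any host 209.209.209.236 eq www
access-list outside_access_in permit tcp any host 209.209.209.236 eq 8080
ip address outside 209.209.209.238 255.255.255.248
static (dmz,outside) 209.209.209.236 10.101.10.1 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
"""

PORT_NAMES = {"www": 80, "https": 443}  # PIX port keywords this example understands


def first(pattern, lines):
    """Return the first regex match among the config lines, or None."""
    return next((m for l in lines if (m := re.match(pattern, l))), None)


def audit_inbound(config, ports=(80, 8080)):
    """Hypothetical helper: list prerequisites for outside access to each static host."""
    lines = [l.strip() for l in config.splitlines()]
    # Name of the ACL applied inbound on the outside interface, if any.
    grp = first(r"access-group (\S+) in interface outside$", lines)
    bound = grp.group(1) if grp else None
    # Outside interface network, to tell whether the public address is on-link.
    addr = first(r"ip address outside (\S+) (\S+)$", lines)
    net = ipaddress.ip_network(f"{addr.group(1)}/{addr.group(2)}", strict=False) if addr else None
    # Collect (acl, destination host, port) for "permit tcp any host X eq P" entries.
    permits = set()
    for l in lines:
        m = re.match(r"access-list (\S+) permit tcp any host (\S+) eq (\S+)$", l)
        if m:
            p = m.group(3)
            port = PORT_NAMES.get(p) or (int(p) if p.isdigit() else None)
            permits.add((m.group(1), m.group(2), port))
    report = []
    for l in lines:
        m = re.match(r"static \(\w+,outside\) (\S+) (\S+) netmask 255\.255\.255\.255", l)
        if not m:
            continue
        public, real = m.groups()
        for port in ports:
            report.append({"public": public, "real": real, "port": port,
                           "acl_bound": bound is not None,
                           "acl_permits": (bound, public, port) in permits,
                           "public_in_outside_subnet": net is not None
                           and ipaddress.ip_address(public) in net})
    return report
```

On the lines above, every field comes back True for both ports, so these prerequisites are already present in the posted configuration.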
graemeboro Commented:
Have you entered the command :-

fixup protocol http port 8080

This command essentially tells the PIX that HTTP can run on 8080, as by default the PIX will not recognise this.

Graeme
 
billfry (Author) Commented:
Initially, I want to make sure that 80 will work coming from the outside. That is my major hurdle now. Once that is in place, then I can worry about 8080.
 
martap Commented:

Did you try rebooting the PIX?

Are you absolutely sure port 80 is not blocked by your ISP or a device sitting in front of your PIX?
 
billfry (Author) Commented:
Yup, our ISP doesn't block anything.
 
nodisco Commented:
Long shot - but since I am assuming this has not worked before, can you confirm with the ISP that the 209.209.209.236 address is available as one of your public addresses?
 
billfry (Author) Commented:
It is available. I had to get a Cisco engineer to help me with this problem. Please close.
 
martap Commented:

Can you maybe elaborate on the solution?