Web access from outside into DMZ - PIX 515E

Posted on 2005-04-17
Last Modified: 2013-11-16
I need to set up our PIX firewall to grant access into the DMZ for web and 8080 access. Currently the server in the DMZ can access the web and users internally can access the DMZ via web. For the life of me I cannot figure out why web access isn't enabled the other way through.
Below is our current PIX Config...


PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50

access-list outside_access_in permit tcp any host eq www
access-list outside_access_in permit tcp any host eq 8080
pager lines 24
logging on
icmp permit inside
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside
ip address inside
ip address dmz
ip audit info action alarm
ip audit attack action alarm

arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0 0
nat (dmz) 1 0 0
static (dmz,outside) netmask 0 0
static (inside,dmz) netmask 25 5
access-group outside_access_in in interface outside
route outside 1
http server enable
http inside
http inside
http inside

Question by:billfry
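
An added example, not part of the original question or the poster's configuration: a small Python check that the three statements inbound access depends on in a PIX 6.3 config (the `access-list` permit, the `static` translation and the `access-group` binding) refer to the same address. The addresses in the sample are constructed documentation-range values, and the function name `check_inbound` is hypothetical.

```python
import re

# Constructed sample in PIX 6.3 syntax; addresses are documentation ranges,
# not values from the posted config (which has its addresses stripped).
SAMPLE = """\
access-list outside_access_in permit tcp any host 198.51.100.10 eq www
access-list outside_access_in permit tcp any host 198.51.100.11 eq 8080
static (dmz,outside) 198.51.100.10 192.0.2.10 netmask 255.255.255.255 0 0
static (inside,dmz) 10.0.0.0 10.0.0.0 netmask 255.255.255.0 0 0
access-group outside_access_in in interface outside
"""

# Handles one-to-one host statics only; port-redirect and range statics are out of scope.
ACL = re.compile(r"^access-list (\S+) permit tcp any host (\S+) eq (\S+)")
STATIC = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+) netmask (\S+)")
GROUP = re.compile(r"^access-group (\S+) in interface (\S+)")

def check_inbound(config, iface="outside"):
    """Return findings for inbound permits on `iface` that cannot match a translation."""
    permits, mapped, bound = [], {}, set()
    for line in config.splitlines():
        line = line.strip()
        if m := ACL.match(line):
            permits.append(m.groups())            # (acl name, destination host, port)
        elif m := STATIC.match(line):
            real_if, mapped_if, mapped_ip, real_ip, _ = m.groups()
            if mapped_if == iface:                # translation visible on iface
                mapped[mapped_ip] = (real_if, real_ip)
        elif m := GROUP.match(line):
            if m.group(2) == iface:
                bound.add(m.group(1))
    findings = []
    # In PIX 6.3 the ACL on the outside interface matches the translated (global) address.
    for acl, dest, port in permits:
        if acl not in bound:
            findings.append(f"{acl}: not applied to {iface} with access-group")
        elif dest not in mapped:
            findings.append(f"{acl}: permit to {dest} port {port} has no static to {iface}")
    permitted = {dest for acl, dest, _ in permits if acl in bound}
    for ip, (real_if, real_ip) in mapped.items():
        if ip not in permitted:
            findings.append(f"static {real_if} {real_ip} -> {ip}: no permit in a bound ACL")
    return findings

if __name__ == "__main__":
    for finding in check_inbound(SAMPLE):
        print(finding)
```
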
    LVL 4

    Expert Comment

    Have you entered the command :-

    fixup protocol http port 8080

    This command essentially tells the PIX that HTTP can run on 8080, as by default the PIX will not recognise this.


    Author Comment

    Initially, I want to make sure that 80 will work coming from the outside. That is my major hurdle now. Once that is in place, then I can worry about 8080.
    LVL 5

    Expert Comment


    Did you try rebooting the PIX?

    Are you absolutely sure port 80 is not blocked by your ISP or a device sitting in front of your PIX?

    Author Comment

    Yup, our ISP doesn't block anything.
    LVL 19

    Accepted Solution

    Longshot - but since I am assuming this has not worked before, can you confirm with the ISP that the address is available as one of your public addresses?

    Author Comment

    It is available. I had to get a Cisco engineer to help me with this problem. Please close.
    LVL 5

    Expert Comment


    Can you maybe elaborate on the solution?
