Solved

Can't access website through Cisco PIX 506E firewall

Posted on 2008-06-26
Last Modified: 2010-04-21
I have developed a website on our LAN that I am able to access internally using the server's name/IP address (192.168.0.3). However, I am not able to access the website externally from other locations. I am convinced that I have something wrong in the Cisco PIX 506E firewall but am unable to figure out what it is. I don't have any Cisco credentials and only know how to change the settings using the PDM console.
Under "Access Rules" I have created a rule to Allow, Source: Any, Destination: 192.168.0.3, Interface: outside, Service: http/tcp.
Under "Translation Rules" I have created a rule: (Original) Interface: inside,  Address 192.168.0.3 Port 80/TCP, (Translated) Interface: Outside, Address: Interface IP Port 80/TCP.
Both of these rules are set up identically (other than port numbers) to the rules I successfully set up for FTP and for Remote Desktop forwarding, so I really can't understand why this isn't working.
I can open the website internally by entering: http://192.168.0.3/homepage.html
I cannot open the website externally by entering: http://<external IP address>/homepage.html. I get the standard error message "Internet Explorer cannot display the webpage" in my browser window.
I have tried Firefox as well to eliminate the possibility of it being a browser issue.
I'm not worried or concerned about DNS, I'm simply using the static external IP address.

Thanks in advance for your suggestions,
Marty
Question by:mgerman
2 Comments
 

Accepted Solution

by:
mabutterfield earned 500 total points
ID: 21875995
Your ACL should have the external IP of the device.

Log into the device via SSH, or through a console cable and a program such as HyperTerminal.

Do a 'show run' to list the running config. Compare the access-list lines to the one below.

access list outside_access_in extended permit tcp any host <outsideIP> eq 80

The NAT translation should look like this:

static (inside, outside) <outsideIP> 192.168.0.3 netmask 255.255.255.255

If they are wrong, type
'configure terminal'
'no' <copy and paste the wrong line>
paste the correct line (as listed above, with the correct IP addresses)

When finished, type
'end'

Test it out; if it works, type

'write'

 

Author Closing Comment

by:mgerman
ID: 31471023
Thank you!! I was able to use your suggestion to make this work. In the PDM I found an option to show the running configuration. Using that, I found the lines you indicated. Then I found an option to manually enter commands and entered "no" with the wrong commands as you said. Then I tried entering your commands (with my addresses). I did get errors with them so I took existing (working) commands from the running config and copied them, modified the ports & IP addresses, pasted them into the command line tool. End result, it works! FYI, the running commands that worked for me are:
access-list outside_access_in permit tcp any interface outside eq www
and:
static (inside,outside) tcp interface www 192.168.0.3 www netmask 255.255.255.255 0 0
Thank you!!
Marty
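
Added example, not part of the thread and not Cisco tooling: a small Python check that pairs each static port-forward line in a saved running config with the access-list entry that should permit it, and flags the mismatch described in the question (the rule naming the inside host 192.168.0.3 instead of the external address). The function name audit and the regular expressions are assumptions covering only the command forms quoted in this thread; the BEFORE access-list line is constructed from the question's description of the PDM rule.

```python
import re

# Constructed samples. AFTER uses the two working commands quoted in the
# closing comment; BEFORE swaps in an ACL that names the inside host.
BEFORE = """\
access-list outside_access_in permit tcp any host 192.168.0.3 eq www
static (inside,outside) tcp interface www 192.168.0.3 www netmask 255.255.255.255 0 0
"""
AFTER = """\
access-list outside_access_in permit tcp any interface outside eq www
static (inside,outside) tcp interface www 192.168.0.3 www netmask 255.255.255.255 0 0
"""

STATIC_RE = re.compile(
    r"^static \((\w+),\s*(\w+)\) (tcp|udp) (interface|\S+) (\S+) (\S+) (\S+)")
ACL_RE = re.compile(
    r"^access-list (\S+) permit (tcp|udp) any (interface \w+|host \S+) eq (\S+)")

def audit(config):
    """Return one finding string per static port-forward line in the config."""
    statics, acls = [], []
    for line in config.splitlines():
        line = line.strip()
        if m := STATIC_RE.match(line):
            statics.append(m.groups())
        elif m := ACL_RE.match(line):
            acls.append(m.groups())
    findings = []
    for real_if, mapped_if, proto, mapped, mport, real_ip, rport in statics:
        # The accepted answer's point: the ACL must name the external
        # (translated) address, not the inside host. Ports compared literally.
        want = f"interface {mapped_if}" if mapped == "interface" else f"host {mapped}"
        ok = [a for a in acls if a[1:] == (proto, want, mport)]
        wrong = [a for a in acls if a[1:] == (proto, f"host {real_ip}", rport)]
        if ok:
            findings.append(f"OK {proto}/{mport}: permitted to {want}")
        elif wrong:
            findings.append(f"MISMATCH {proto}/{mport}: ACL {wrong[0][0]} names "
                            f"inside host {real_ip}; expected {want}")
        else:
            findings.append(f"NO-ACL {proto}/{mport}: nothing permits {want}")
    return findings

if __name__ == "__main__":
    for name, cfg in (("before", BEFORE), ("after", AFTER)):
        print(name, audit(cfg))
```

Run against a pasted 'show run' output, the same check also lists every forwarded port that has no matching permit entry, which is useful when reviewing what a firewall exposes to the outside.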