Internal website through PIX 515E

Unanswered Question

I recently became the network administrator for a small local government entity. I have been thrust into the world of CISCO which is fine but I have a lot to learn. I have a CISCO PIX 515E firewall and I need to configure it so that when a link on the website(hosted outside the company) is clicked, it will point to a GIS server running apache inside our network. I have absolutely no idea how to do this in the CLI. I'm sorry if I'm asking too much here but any help would be appreciated. The apache server works internally so at least that much is set up correctly. I just need the general public to be able to access it from the outside.

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (2 ratings)
andrewdykes Tue, 05/29/2007 - 14:01

Is the apache server publicly addressable or does it have a private IP?

acomiskey Wed, 05/30/2007 - 05:56

All you need is a static and an access-list statement.

public ip =

private ip =

static (inside,outside) netmask

access-list permit tcp any host eq 80

access-group in interface outside

If is also the outside address of your pix then you can do this

static (inside,outside) interface netmask

or port forward

static (inside,outside) tcp interface 80 80 netmask

As far as dns goes, the solution for that depends on where your dns server is. If it is outside then you can do dns doctoring, if it is inside and is returning the outside address you can do hairpinning on the inside interface with pix 7.

The dns is handled by the server(this is a single server situation). I have entered in those commands before(i.e. the static, access-list, and access-group commands) and had no luck. If I go to a browser and type in the IP address of the computer hosting this apache server, it comes up just as it should. But, should it work the same way if I come from an outside ip address such as...I go to my house, open a browser and type in "" will it route to the apache server on the internal address and come up properly? If there is any other information that you need please ask and I will provide what I can.

And thank you to all who are trying to help my poor cisco ignorant self.

acomiskey Wed, 05/30/2007 - 07:54

Yes, the pix would make the translation between the public address, and the private one. Could you possibly post your pix config? Remove passwords etc. Give us the inside address of the server and the address you are attempting to hit from the outside, and is this address the same as your outside interface on pix?

There was a tcp interface forwarded to I removed it because it was conflicting with the forward I was trying to do to Not to mention that there is no within my network. That may have been leftover from before they moved when they still hosted their own website. The outside IP address I would rather not give out. the outside address of the PIX is our one and only public IP address. So yes it is the same. Modified config attached...

acomiskey Wed, 05/30/2007 - 09:08

Access-list is wrong, this would only allow a source of to a destination of Change it to this...

no access-list outside_access_in permit tcp host host eq www

access-list outside_access_in permit tcp any host eq www

access-group outside_access_in in interface outside

This can be removed...

static (inside,outside) tcp www www netmask 255.255

.255.255 0 0

and if you don't have a 100.11 you can remove these too...

static (inside,outside) tcp interface smtp smtp netmask 255.255.2

55.255 0 0

static (inside,outside) tcp interface 32000 32000 netmask 255.255

.255.255 0 0

static (inside,outside) tcp interface 32001 32001 netmask 255.255

.255.255 0 0

static (inside,outside) udp interface 32000 32000 netmask 255.255

.255.255 0 0

static (inside,outside) udp interface 32001 32001 netmask 255.255

.255.255 0 0

static (inside,outside) tcp interface pop3 pop3 netmask 255.255.2

55.255 0 0

acomiskey Wed, 05/30/2007 - 11:36

Sorry, I'm pretty much out of ideas. It should work fine. You might as well get rid of access-lists 140, smtp.1, and smtp.2 as they are not being used.

When trying from the outside you aren't coming across the vpn tunnel you have configured are you?

Definitely not coming across the vpn. It needs to be accessible to the general public. Thanks again for all your time and effort. I'll sit here and ponder it some more. The guy who was here before me didn't set this up. He called in another company to do it for him so there are some entries in there that probably don't need to be. The only ip addresses that I changed in the config other than the pulic to were changed to x's. Anything that is in there as 0's or the 10.211 which is a separate IP pool that connects to the same server are all the exact IP addresses. Don't know if that makes a difference.

acomiskey Wed, 05/30/2007 - 11:40

Have you tried write mem and rebooting?

Post a thread over in the Firewall forum with your config, that may help.

acomiskey Wed, 05/30/2007 - 12:41

Ha, I think a rating is deserved after all that. Anyway, let me know if you want to work out the other problem. Enjoy.

other problem? I could care less if they can't hit the external IP from inside the network. It's for the public to be able to access the most updated maps of our area through our 911 service. Unless there's another issue that I'm forgetting, everyone can just hit the local IP from inside the network if they want to see it.

Thanks again.

scottmac Tue, 05/29/2007 - 14:57

This would not be a PIX thing; it would be a DNS thing.

You need an internal DNS with the domain names resolving to your internal addresses. This has to be configured as the first DNS on the client.

The links/URLs on your website must be domain names, not IP addresses ... or if you're using a dynamic web, the script language should query the client's environment and determine if it's inside or outside and send the appropriate address.

So, from the inside, when the client browser asks for ... the local DNS serves up the internal address ... when someone outside requests that URL, it is given teh correct Outside address to access your site.

I believe the Pix can only "hairpin" from VPN tunnel to VPN tunnel (and only with recent code i.e., > 6.3{something}).

Good Luck



This Discussion