PIX 515 w/WEB Server config

Aug 8th, 2007


I have a PIX 515 with two interfaces, inside ( and outside (

The web server ip is I have a static translation to

My access list is wide open...

permit tcp any any

permit udp any any

permit icmp any any

I can access the web server console, SSH, and FTP from the outside, but I can't reach the app hosted on the web server.

Is it safe to assume that if I can reach the web server console, that I should be able to reach the app too? It's the same IP and port.

Do I need a global pool and NAT if I have statics?

The app works fine when accessed from the subnet. I'm wondering if the developers are using hard-coded IPs in the code.

Jon Marshall Thu, 08/09/2007 - 00:01


You don't need a global pool and NAT for allowing machines outside your firewall to access your web server.

If you can access the web server on all other ports but the app does not work, I would go back to the app guys, as you say, and ask them.

It could be related to DNS lookups.



dmcdowall Thu, 08/09/2007 - 02:57

Thanks! This is being done in a lab environment now. We don't have a DNS server. The clients are going through two routers prior to the PIX. When I take the PIX out it works fine. The problem seems to occur once the address translation takes place.

Jon Marshall Thu, 08/09/2007 - 03:10

If you think it is the NAT that is breaking it, have a word with your apps guys.

Are they doing any authentication based on the IP address?


dmcdowall Thu, 08/09/2007 - 03:15

Is there any way to set this up and still use as the destination? I didn't think that would be possible since it's a private address?

dmcdowall Thu, 08/09/2007 - 12:50

Thanks Jon! The developers found a problem with their code. I've been pulling my hair out for nothing.

