Publishing Web Server

kashifashraf
Level 1

I have a PIX 515e. My company wants to launch a web site which will serve Internet users as well as internal users. My web server has two network cards. My firewall has 3 network interfaces: one is inside, the other is the outside network, and the third one I want to configure as a DMZ in which the webserver will reside. How should I configure my firewall to publish the webserver? Should I connect the DMZ to one network card of the webserver for Internet users and the other network card to my local network for internal users?


16 Replies

husycisco
Level 7

Hi Kashif

I would recommend using only 1 NIC with the webserver; place it into the DMZ, then create the following static rule

static (dmz,outside) publicip webserverip netmask 255.255.255.255 dns

access-list outside_access_in permit tcp any host publicip eq www

static (dmz,inside) webserverip webserverip netmask 255.255.255.255

If your domain is the same as your external domain, create a host record for www in DNS and point it to webserverip, not the publicip.

Regards

Hi Huseyin

Thanks for your reply. I need to know why I should use this command

static (dmz,outside) publicip webserverip netmask 255.255.255.255 dns

because I just want to publish the webserver, so why should we mention dns in this?

Another thing I want to ask: shouldn't I use

conduit permit tcp host webserverip eq www any

instead of an access-list, because it is mentioned on the Cisco website that for lower security level to higher security level we should use the conduit command, and to allow access for my internal users to the website I should use nat & global commands.

Regards

The "dns" switch at the end enables DNS doctoring for that specific entry. If you don't do DNS doctoring, whenever an inside user tries to reach www.yourwebsite.com, your public address will be returned and this will create U-turn traffic which will result in a drop. In DNS doctoring, if the specified traffic is met (an inside host tries to reach www.yourwebsite.com), that static with the DNS command will re-write the DNS query by putting the private IP of the web server in the DMZ instead of the public IP, and you will reach the webserver directly. But if you have a DNS server locally that all clients point to, and you can create a host record for www in the yourwebsite.com domain, DNS doctoring won't be needed at all, but just in case, I put it there.

The conduit statement is deprecated; it was used before 6.3 IOS and is no longer supported. You have to use ACLs instead. You have an IOS greater than 6.3 on the PIX 515E, correct?

And for your clients located on the inside interface to be able to connect to the DMZ, the second static command is necessary. It will make the webserver located in the DMZ not be translated by NAT and be reached directly. You won't need further NAT & global commands.

Regards
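Added example (mine, not part of the thread): a Python simulation of what the dns keyword on the static does to a DNS reply, so the inside-to-DMZ U-turn described above never happens. An A record answering the public address is rewritten to the DMZ address before the reply reaches the inside client. The addresses 203.0.113.10 (standing in for publicip) and 172.16.4.20 (standing in for webserverip), the name www.example.com and the reply bytes are all constructed placeholders built inline, so it runs offline.

```python
import struct
import ipaddress

# Constructed placeholders (not values from the thread): the public address of
# the static and the real address of the web server in the DMZ.
PUBLIC_IP = "203.0.113.10"      # stands in for "publicip"
WEBSERVER_IP = "172.16.4.20"    # stands in for "webserverip"


def encode_name(name):
    """Encode a dotted hostname as DNS labels (length byte + label, 0 terminator)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_a_response(qname, addresses, txid=0x1234):
    """Build a minimal DNS response: one A question, one A answer per address.
    Constructed test input standing in for what the public DNS server returns
    to an inside client."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(addresses), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    answers = b""
    for ip in addresses:
        # 0xC00C is a compression pointer back to the question name at offset 12.
        answers += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)
        answers += ipaddress.IPv4Address(ip).packed
    return header + question + answers


def skip_name(msg, off):
    """Return the offset just past the name starting at off (labels or pointer)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:       # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length


def a_record_rdata_offsets(msg):
    """Yield the offset of the 4-byte RDATA of every IN A record in the answer section."""
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    off = 12
    for _ in range(qdcount):
        off = skip_name(msg, off) + 4   # skip QTYPE and QCLASS
    for _ in range(ancount):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            yield off
        off += rdlen


def dns_doctor(msg, public_ip, private_ip):
    """Rewrite every A record answering public_ip so it answers private_ip,
    the way the firewall rewrites a reply crossing the interfaces named in
    'static (dmz,outside) publicip webserverip ... dns'. Returns (new_msg, rewritten)."""
    pub = ipaddress.IPv4Address(public_ip).packed
    priv = ipaddress.IPv4Address(private_ip).packed
    out = bytearray(msg)
    rewritten = 0
    for off in a_record_rdata_offsets(msg):
        if msg[off:off + 4] == pub:
            out[off:off + 4] = priv
            rewritten += 1
    return bytes(out), rewritten


def answered_ips(msg):
    """List the A-record addresses in a response, in order."""
    return [str(ipaddress.IPv4Address(msg[off:off + 4]))
            for off in a_record_rdata_offsets(msg)]


if __name__ == "__main__":
    reply = build_a_response("www.example.com", [PUBLIC_IP, "198.51.100.5"])
    doctored, n = dns_doctor(reply, PUBLIC_IP, WEBSERVER_IP)
    print("before:", answered_ips(reply))
    print("after: ", answered_ips(doctored), f"({n} record rewritten)")
```

Only the address inside the record changes; the message length, TTL and the second, unrelated answer are left alone. The alternative Huseyin mentions, a host record for www on the internal DNS server, gets the same result without any rewriting on the firewall, and the `static (dmz,inside)` entry still has to exist so the inside client can reach the DMZ address it is handed.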

Thanks very much, I will try this scenario and I will inform you. Also, yes, my PIX 515e software version is 6.3(4).

Thanks

You are welcome Kashif, looking forward to hearing from you about the progress. I suggest you upgrade your IOS to at least 6.3(5), and my recommendation is 7.2(3).

Regards

Dear husycisco

I have configured my firewall for inbound access but in my log it shows

deny tcp src outside:ipaddress dst dmz:ipaddress/80 by access-group "inbound"

I have attached my config file.

Can you please help me and tell me what mistake I am making?

thanks

Hi Kashif,

I assume your code 6.3(4) is still running with conduits. Please add the following

no access-list inbound permit tcp any host 91.140.255.220 eq www

no access-group inbound in interface outside

conduit permit tcp host 91.140.255.220 eq www any

Regards

Hi

I tried these commands also but it's still not working.

Also in syslog I didn't get any error message. I rechecked the connectivity of my firewall to the Internet and it's ok; I can use a VPN connection from my home.

But still I can't access the website.

Kashif,

Run "clear arp" and "clear xlate".

Make sure web server's default gateway is 172.16.4.1

Make sure there is no software firewall or HIPS running on the web server. If running, then modify the exceptions scope to accept www traffic from any.

Please post your latest config with conduit added.

Dear husycisco

Thank you very much for your advice. After putting in the default gateway I can access my website from the Internet.

Another thing I want to ask you: how can I publish the website for internal users? Before, you suggested I use the static command with an access-list, but my firewall IOS version is 6.3 so I can use the conduit command.

So how can I publish my website for internal users?

Thank you very very much for your help.

dear husycisco

I have changed my configuration from the conduit command to access-list and it is working fine also.

I think before I didn't succeed because the gateway was not configured on the web server.

Now I want to give internal users access to the web site, so what should I configure?

Also, to manage the website I want to give access to developers on the internal network so they can connect through remote desktop to the web server.

thanks

Kashif,

You are welcome :) Add the following

static (dmz,inside) webserver webserver netmask 255.255.255.255

access-list hadi line 2 permit 200.200.200.0 255.255.255.0 host webserver eq 80

access-list hadi line 3 permit developersnetwork developersnetmask host webserver eq 3389

Dear husycisco

The static command was accepted by the firewall but I wasn't able to access the website from an internal user; I tried to access it with the IP address.

Both access-list commands were not accepted by the firewall and I couldn't configure them.

It seems like some parameter was missing.

Hmm, try this

access-list hadi line 2 permit tcp 200.200.200.0 255.255.255.0 host webserver eq 80

access-list hadi line 3 permit tcp developersnetwork developersnetmask host webserver eq 3389
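Added example (mine, not part of the thread): a small Python checker for the two syntax rules the access-list lines in this thread trip over. The lines Kashif reports as rejected have no protocol keyword between permit and the source address, and a port operator such as `eq 80` is only valid when that protocol is tcp or udp, not ip. The checker does not emulate the PIX parser; it encodes just those rules, and the placeholder names webserver, developersnetwork and developersnetmask from the thread are passed through without address validation.

```python
# Constructed checker for extended access-list entries. It implements only the
# two rules discussed in the thread: a protocol keyword is mandatory, and the
# 'eq' port operator is accepted only with tcp or udp.
PROTOCOLS = {"ip", "tcp", "udp", "icmp"}
PORT_PROTOCOLS = {"tcp", "udp"}
# A few well-known port names accepted after 'eq'; numeric ports are accepted too.
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "domain": 53, "ssh": 22, "smtp": 25}


def parse_address(tokens, i):
    """Consume 'any', 'host X' or 'X MASK' at tokens[i]. Returns ((addr, mask), next_i)."""
    if tokens[i] == "any":
        return ("0.0.0.0", "0.0.0.0"), i + 1
    if tokens[i] == "host":
        return (tokens[i + 1], "255.255.255.255"), i + 2
    return (tokens[i], tokens[i + 1]), i + 2


def check_ace(line):
    """Return (accepted, message) for one access-list entry.

    accepted is False with a reason when the entry would be rejected, or True
    with a one-line description of what the entry matches."""
    tokens = line.split()
    try:
        if len(tokens) < 2 or tokens[0] != "access-list":
            return False, "not an access-list entry"
        i = 2
        if tokens[i] == "line":             # optional 'line N' insertion position
            int(tokens[i + 1])
            i += 2
        action = tokens[i]
        if action not in ("permit", "deny"):
            return False, f"expected permit or deny, got {action!r}"
        proto = tokens[i + 1]
        if proto not in PROTOCOLS:
            return False, (f"missing or unknown protocol keyword {proto!r}; "
                           f"expected one of {sorted(PROTOCOLS)}")
        src, i = parse_address(tokens, i + 2)
        dst, i = parse_address(tokens, i)
        rest = tokens[i:]
        port = None
        if rest:
            if rest[0] != "eq" or len(rest) != 2:
                return False, f"unexpected trailing tokens {' '.join(rest)!r}"
            if proto not in PORT_PROTOCOLS:
                return False, f"'eq' port operator needs tcp or udp, not {proto}"
            port = PORT_NAMES.get(rest[1])
            if port is None:
                if not rest[1].isdigit() or not 0 < int(rest[1]) < 65536:
                    return False, f"unknown port {rest[1]!r}"
                port = int(rest[1])
    except (IndexError, ValueError):
        return False, "incomplete or malformed entry"
    desc = f"{action} {proto} {src[0]}/{src[1]} -> {dst[0]}/{dst[1]}"
    return True, desc + (f" port {port}" if port is not None else "")


if __name__ == "__main__":
    # The three variants of the same entry that appear in the thread.
    for ace in [
        "access-list hadi line 2 permit 200.200.200.0 255.255.255.0 host webserver eq 80",
        "access-list hadi line 2 permit ip 200.200.200.0 255.255.255.0 host webserver eq 80",
        "access-list hadi line 2 permit tcp 200.200.200.0 255.255.255.0 host webserver eq 80",
        "access-list outside_access_in permit tcp any host publicip eq www",
    ]:
        ok, msg = check_ace(ace)
        print("OK  " if ok else "FAIL", ace, "->", msg)
```

Run it as-is and the first two variants are flagged (no protocol, then `eq` with `ip`) while the tcp form and the original `outside_access_in` entry pass. The same rule is why the RDP entry for the developers has to say `tcp` before `eq 3389`.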
