FWSM:Allowing HTTP on another port:Inspection

Unanswered Question
May 4th, 2009
User Badges:


Internet ---- FWSM (ver 3.2(8)) ---Serverfarm

we have a server which has an application that listens on port 55005.The way the appliction is accessed is by http://public-ip:55005. I have opened port 55005 on the fwsm and the static and access-lists are as follows

static (dmzSERVER,OUTSIDE) public-ip private-ip netmask

access-list FR_OUTSIDE extended permit tcp any host public-ip eq 55005

access-group FR_OUTSIDE in int OUTSIDE

The issue is that i get the login page.As soon as enter the username and password and hit enter it says page cannot be displayed. On logging the FWSM i cannot find anything being dropped.

I also tried application inspection for http using the following configuration.

class-map HTTP

match port tcp eq 55005

policy-map HTTP

class HTTP

inspect http

service-policy HTTP interface OUTSIDE

Now when the outside user tries http://public-ip:55005 i can see that there are hits for the above inspection and that nothing is dropped.But still after supplying the username and password we still get page cannot be displayed. I havent tried with an HTTp map though.

I believe this has got something to do with http traffic going on port 55005. locally everything works OK.

if any one has some ideas regarding this please help



  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
sadbulali Fri, 05/08/2009 - 05:35
User Badges:
  • Bronze, 100 points or more

Check the security level of the interfaces. Traffic does not go through the FWSM from a higher security interface to a lower security interface. You did not apply an access list to the higher security interface to allow traffic through. Unlike the PIX firewall, the FWSM does not automatically allow traffic to pass between interfaces.

Apply an access list to the source interface to allow traffic through.


This Discussion