Pix515E and DMZ access to web server

Unanswered Question
Oct 16th, 2006
I have a web server living on my DMZ, but for the life of me I cannot access it from the outside (Internet). Here is my current config; another pair of eyes checking the config would be helpful. My public address for the web server is xxx.xx.30.110 and in the DMZ it is 192.168.254.110.


Thanks



a.kiprawih Mon, 10/16/2006 - 16:26

Hi,


In the firewall, you can do the following:


1. Map the server's IP (in the DMZ) to the public IP of xxx.xx.30.110

static (dmz,outside) .....


2. Create an ACL on the outside interface, or add to the existing ACL. Make sure you do not put the entry after the 'access-list deny ip any any' statement. This ACL should permit TCP-www access to the server.



3. For testing purposes, allow ICMP to the server so that you can verify it is reachable from the Internet.

Remove this once the ping test is successful, or allow only a trusted host to ping it.


4. Optional: make sure the route to the Internet/Internet router is defined correctly

route outside 0.0.0.0 0.0.0.0


Example:


access-list outside permit tcp any host xxx.xx.30.110 eq www

access-list outside permit icmp any host xxx.xx.30.110

access-list outside deny ip any any


static (dmz,outside) xxx.xx.30.110 192.168.254.110


access-group outside in interface outside


route outside 0.0.0.0 0.0.0.0 xxx.xx.30.y (xxx.xx.30.y = internet router)



HTH

AK
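
The ordering rule from step 2 of the answer above, as an added example that is not part of the original thread: a small Python check that applies first-match ACL evaluation to a pasted config and reports on the four steps. The function names, the simplified parser and the 203.0.113.x sample addresses (standing in for the masked public addresses) are assumptions made for this illustration.

```python
import re

# Simplified parser: handles only the ACE forms used in this thread
# (source "any", destination "any" or "host <ip>", optional "eq <port>").
ACE = re.compile(r"access-list (\S+) (permit|deny) (\S+) any (?:any|host (\S+))(?: eq (\S+))?$")
GROUP = re.compile(r"access-group (\S+) in interface outside$")
PORTS = {"www": "80"}

def first_match(entries, proto, dst, port=None):
    """PIX ACLs are evaluated top-down; the first matching entry decides."""
    for action, e_proto, e_dst, e_port in entries:
        if (e_proto in ("ip", proto) and e_dst in ("any", dst)
                and (e_port is None or e_port == port)):
            return action
    return "deny"  # implicit deny at the end of every ACL

def audit(config, public_ip, real_ip):
    """Return findings for the four steps in the answer (empty list = all good)."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    findings = []
    if not any(l.split()[:4] == ["static", "(dmz,outside)", public_ip, real_ip] for l in lines):
        findings.append("no static (dmz,outside) mapping for the server")
    bound = [m.group(1) for l in lines if (m := GROUP.match(l))]
    entries = []
    for l in lines:
        m = ACE.match(l)
        if m and bound and m.group(1) == bound[0]:
            port = PORTS.get(m.group(5), m.group(5))
            entries.append((m.group(2), m.group(3), m.group(4) or "any", port))
    if not bound:
        findings.append("no ACL applied inbound on the outside interface")
    if first_match(entries, "tcp", public_ip, "80") != "permit":
        findings.append("tcp/80 to the server is denied (permit missing or shadowed)")
    if first_match(entries, "icmp", public_ip) == "permit":
        findings.append("icmp from any is still permitted (test-only rule)")
    if not any(len(t := l.split()) >= 5 and t[:4] == ["route", "outside", "0.0.0.0", "0.0.0.0"] for l in lines):
        findings.append("no default route on outside")
    return findings

# Constructed sample: the answer's example with documentation addresses.
GOOD = """
access-list outside permit tcp any host 203.0.113.110 eq www
access-list outside permit icmp any host 203.0.113.110
access-list outside deny ip any any
static (dmz,outside) 203.0.113.110 192.168.254.110
access-group outside in interface outside
route outside 0.0.0.0 0.0.0.0 203.0.113.1
"""
BAD = "access-list outside deny ip any any\n" + GOOD  # deny placed first
```

Running `audit(BAD, "203.0.113.110", "192.168.254.110")` reports the web permit as shadowed, while `GOOD` only flags the test ICMP rule that the answer says to remove or restrict.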
