
Pix515E and DMZ access to web server

nyanglers
Level 1

I have a web server living on my DMZ, but for the life of me I cannot access it from the outside (Internet). Here is my current config; another pair of eyes checking the config would be helpful. My public address for the web server is xxx.xx.30.110 and in the DMZ it is 192.168.254.110.

Thanks

1 Reply

a.kiprawih
Level 7

Hi,

In the firewall, you can do the following:

1. Map the server's IP (in the DMZ) to the public IP of xxx.xx.30.110

static (dmz,outside) .....

2. Create an ACL on the outside interface, or add to the existing ACL. Make sure you do not put the entry after the 'access-list deny ip any any' statement. This ACL should permit TCP-www access to the server.

3. For testing purposes, allow ICMP to the server so that you can verify it is reachable from the Internet.

Remove this once the ping test is successful, or allow only trusted hosts to ping it.

4. Optional: make sure the route to the Internet/Internet router is defined correctly

route outside 0.0.0.0 0.0.0.0

Example:

access-list outside permit tcp any host xxx.xx.30.110 eq www

access-list outside permit icmp any host xxx.xx.30.110

access-list outside deny ip any any

static (dmz,outside) xxx.xx.30.110 192.168.254.110

access-group outside in interface outside

route outside 0.0.0.0 0.0.0.0 xxx.xx.30.y (xxx.xx.30.y = internet router)

HTH

AK
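
The ordering point in step 2 of the reply above can be checked offline before a config is loaded. The following is an added example, not part of the original reply or any Cisco tool: a small first-match evaluator for PIX-style access-list lines. It assumes only the `any` and `host <ip>` address forms and `eq <port>`; `203.0.113.110` and `198.51.100.7` are constructed stand-ins for the masked public IP and an Internet client.

```python
# Added example: first-match evaluation of a PIX-style access-list.
# Handles only the "any" and "host <ip>" address forms and "eq <port>".
PORTS = {"www": 80, "https": 443}  # subset of PIX port keywords

def take_addr(tok):
    """Consume one address spec; return (address, remaining tokens)."""
    if tok and tok[0] == "any":
        return "any", tok[1:]
    if len(tok) >= 2 and tok[0] == "host":
        return tok[1], tok[2:]
    raise ValueError("unsupported address form: " + " ".join(tok))

def parse_acl(config, name):
    """Return the entries of access-list <name> in configuration order."""
    entries = []
    for line in config.splitlines():
        tok = line.split()
        if len(tok) < 5 or tok[:2] != ["access-list", name]:
            continue
        src, rest = take_addr(tok[4:])
        dst, rest = take_addr(rest)
        port = None
        if len(rest) == 2 and rest[0] == "eq":
            port = PORTS[rest[1]] if rest[1] in PORTS else int(rest[1])
        entries.append((tok[2], tok[3], src, dst, port, line.strip()))
    return entries

def first_match(config, name, proto, src, dst, port=None):
    """Return (action, line) of the first entry matching the packet."""
    for action, e_proto, e_src, e_dst, e_port, line in parse_acl(config, name):
        if (e_proto in ("ip", proto) and e_src in ("any", src)
                and e_dst in ("any", dst) and e_port in (None, port)):
            return action, line
    return "deny", "(implicit deny at end of list)"

SERVER = "203.0.113.110"  # constructed stand-in for the masked public IP
GOOD = f"""
access-list outside permit tcp any host {SERVER} eq www
access-list outside permit icmp any host {SERVER}
access-list outside deny ip any any
"""
BAD = f"""
access-list outside deny ip any any
access-list outside permit tcp any host {SERVER} eq www
"""

if __name__ == "__main__":
    for label, cfg in (("good", GOOD), ("bad", BAD)):
        print(label, first_match(cfg, "outside", "tcp", "198.51.100.7", SERVER, 80))
```

With the `BAD` ordering, the returned line is the `deny ip any any` entry, which shows that the later `permit` for www is never reached.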
