Cisco Support Community

New Member

FWSM:Allowing HTTP on another port:Inspection


Internet ---- FWSM (ver 3.2(8)) ---Serverfarm

We have a server which has an application that listens on port 55005. The way the application is accessed is by http://public-ip:55005. I have opened port 55005 on the FWSM, and the static and access-lists are as follows:

static (dmzSERVER,OUTSIDE) public-ip private-ip netmask

access-list FR_OUTSIDE extended permit tcp any host public-ip eq 55005

access-group FR_OUTSIDE in int OUTSIDE

The issue is that I get the login page. As soon as I enter the username and password and hit enter, it says page cannot be displayed. On logging the FWSM I cannot find anything being dropped.

I also tried application inspection for http using the following configuration.

class-map HTTP
 match port tcp eq 55005

policy-map HTTP
 class HTTP
  inspect http

service-policy HTTP interface OUTSIDE

Now when the outside user tries http://public-ip:55005 I can see that there are hits for the above inspection and that nothing is dropped. But still, after supplying the username and password, we still get page cannot be displayed. I haven't tried with an HTTP map though.

I believe this has got something to do with HTTP traffic going on port 55005. Locally everything works OK.

If anyone has some ideas regarding this, please help.



New Member

Re: FWSM:Allowing HTTP on another port:Inspection

Check the security level of the interfaces. Traffic does not go through the FWSM from a higher security interface to a lower security interface. You did not apply an access list to the higher security interface to allow traffic through. Unlike the PIX firewall, the FWSM does not automatically allow traffic to pass between interfaces.

Apply an access list to the source interface to allow traffic through.