Community Member

PIX 515 w/WEB Server config

Hi,

I have a PIX 515 with two interfaces, inside (10.0.0.1) and outside (200.200.201.2).

The web server IP is 10.0.0.237. I have a static translation to 200.200.201.237.

My access list is wide open...

permit tcp any any

permit udp any any

permit icmp any any

I can access the web server console, ssh, ftp, from the outside but I can't reach the app hosted on the webserver.

Is it safe to assume that if I can reach the web server console, that I should be able to reach the app too? It's the same IP and port.

Do I need a global pool and NAT if I have statics?

The app works fine when accessed from the 10.0.0.0 subnet. I'm wondering if the developers are using hard-coded IPs in the code.

6 REPLIES
Hall of Fame Super Blue

Re: PIX 515 w/WEB Server config

Hi

You don't need a global pool and NAT for allowing machines outside your firewall to access your web server.

If you can access the web server on all other ports but the app does not work, I would go back to the app guys, as you say, and ask them.

It could be related to DNS lookups.

HTH

Jon

Community Member

Re: PIX 515 w/WEB Server config

Thanks! This is being done in a lab environment now. We don't have a DNS server. The clients are going through two routers prior to the PIX. When I take the PIX out it works fine. The problem seems to occur once the address translation takes place.

Hall of Fame Super Blue

Re: PIX 515 w/WEB Server config

If you think it is the NAT that is breaking it, have a word with your apps guys.

Are they doing any authentication based on the IP address?

Jon

Community Member

Re: PIX 515 w/WEB Server config

Is there any way to set this up and still use 10.0.0.237 as the destination? I didn't think that would be possible since it's a private address?

Hall of Fame Super Blue

Re: PIX 515 w/WEB Server config

Unfortunately not, if you need to route this across the Internet, no.

Community Member

Re: PIX 515 w/WEB Server config

Thanks Jon! The developers found a problem with their code. I've been pulling my hair out for nothing.
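
Added example, not part of the original thread: one way to test the suspicion raised in the question (hard-coded inside addresses in the application) is to fetch a page through the translated address and scan the raw response for absolute URLs pointing at RFC 1918 hosts. The sample response below is constructed for illustration, and the function names are this example's own.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# RFC 1918 ranges: not reachable by a client on the outside of the NAT device.
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
URL_RE = re.compile(r"""https?://[^\s"'<>]+""", re.IGNORECASE)

def private_host(url):
    """Return the host of url if it is an RFC 1918 IPv4 literal, else None."""
    try:
        host = urlsplit(url).hostname
        addr = ipaddress.IPv4Address(host)
    except ValueError:  # malformed URL, hostname, or non-IPv4 host
        return None
    return host if any(addr in net for net in PRIVATE_NETS) else None

def find_internal_refs(raw_response):
    """Scan raw HTTP response text (headers and body) line by line.
    Returns (line_number, url, host) for each URL with a private host."""
    findings = []
    for lineno, line in enumerate(raw_response.splitlines(), start=1):
        for url in URL_RE.findall(line):
            host = private_host(url)
            if host:
                findings.append((lineno, url, host))
    return findings

# Constructed sample: what an outside client might receive via 200.200.201.237
# if the application builds links and redirects from its inside address.
SAMPLE = """HTTP/1.1 302 Found
Location: http://10.0.0.237/app/login
Content-Type: text/html

<html><body>
<a href="http://10.0.0.237/app/login">Continue</a>
<img src="/static/logo.png">
<a href="http://200.200.201.237/help">Help</a>
</body></html>
"""

if __name__ == "__main__":
    for lineno, url, host in find_internal_refs(SAMPLE):
        print(f"line {lineno}: {url} (inside address {host})")
```

Any hit in a Location header or link means the outside client is being sent to an address it cannot route to, which matches the symptom of the console loading while the app does not.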
