Cisco Support Community
Community Member

Can't Seem To Connect To Webserver From Outside


I tried to search for a similar topic and have tried different suggestions noted here, and I can't seem to fix this problem.

I have a PIX 506E and I'm trying to assign one of my assigned IPs from my ISP to my web server, which also has a static internal IP.

The following is my configuration settings:

PIX Version 6.3(5)

interface ethernet0 auto

interface ethernet1 auto

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password xxxx

passwd xxx

hostname pixfirewall


fixup protocol dns maximum-length 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69


access-list 101 permit tcp host xx.xx.xx.53 host xx.xx.xx.53 eq www log

pager lines 24

mtu outside 1500

mtu inside 1500

ip address outside xx.xx.xx.50

ip address inside

ip audit info action alarm

ip audit attack action alarm

pdm location inside

pdm location xx.xx.xx.53 outside

pdm logging informational 100

pdm history enable

arp timeout 14400

global (outside) 10 xx.xx.xx.54-xx.xx.xx.62 netmask

global (inside) 1

nat (inside) 10 0 0

static (inside,outside) xx.xx.xx.53 netmask 0 0

access-group 101 in interface outside

route outside xx.xx.xx.49 1

timeout xlate 0:05:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout sip-disconnect 0:02:00 sip-invite 0:03:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ max-failed-attempts 3

aaa-server TACACS+ deadtime 10

aaa-server RADIUS protocol radius

aaa-server RADIUS max-failed-attempts 3

aaa-server RADIUS deadtime 10

aaa-server LOCAL protocol local

http server enable

http inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd address inside

dhcpd lease 3600

dhcpd ping_timeout 750

dhcpd auto_config outside

terminal width 80

Basically I'm trying to connect my outside IP of xx.xx.xx.53 to my internal IP. I have a feeling I did something wrong, but I'm just not experienced enough to figure it out.

I also want to note that all the internal systems including the webserver can go out without issues.


Community Member

Re: Can't Seem To Connect To Webserver From Outside


The problem is with ACL 101.

Change the line to

access-list test permit tcp any host xx.xx.xx.53 eq www log

access-group test in interface outside

This new ACL will allow connections from any external IP. Once it works, you can restrict access again to the allowed external IP addresses.

You can check your connections with

show conn

Hope this helps... rate if it helps!

Community Member

Re: Can't Seem To Connect To Webserver From Outside

It worked! Thank you for the help. Do you have any recommendations to try to keep the webserver (and the rest of the servers behind the firewall) as secure as possible?

Community Member

Re: Can't Seem To Connect To Webserver From Outside

Great! It worked!

There are a couple of lines I don't understand, and in my opinion you should erase them.

1.- The configuration has some DHCP config; if you are not planning to use dynamic IP allocation, do

conf term

clear dhcpd

2.- In my opinion this line, global (inside) 1, is wrong

conf term

no global (inside) 1

3.- Change this line

nat (inside) 10 0 0


nat (inside) 10

This will allow outbound services only to IP addresses on the inside IP range.

4.- Enable ip verify on all interfaces as a security precaution.

conf term

ip verify reverse-path interface inside

ip verify reverse-path interface outside

Post a message if in doubt!

Bye!
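An added example, not part of the thread and not Cisco tooling: a small Python check that scans a PIX 6.3-style config for the points raised in the two replies above (the ACL entry whose source and destination are the same host, global (inside), nat (inside) 10 0 0, leftover dhcpd lines, and interfaces without ip verify reverse-path). The sample config is constructed, with documentation addresses standing in for the masked ones, and the rule names are made up for illustration.

```python
import re

# Constructed sample: a trimmed copy of the posted config, with documentation
# addresses (203.0.113.0/24, 192.168.1.0/24) standing in for the masked ones.
SAMPLE_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list 101 permit tcp host 203.0.113.53 host 203.0.113.53 eq www log
global (outside) 10 203.0.113.54-203.0.113.62 netmask 255.255.255.240
global (inside) 1
nat (inside) 10 0 0
static (inside,outside) 203.0.113.53 192.168.1.10 netmask 255.255.255.255 0 0
access-group 101 in interface outside
dhcpd lease 3600
"""

def audit_pix_config(text):
    """Return (rule, detail) findings for the issues raised in this thread."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    findings = []
    interfaces = [m.group(1) for ln in lines
                  if (m := re.match(r"nameif \S+ (\S+) security\d+$", ln))]
    # ACL names that are actually applied inbound on an interface.
    bound = {m.group(1): m.group(2) for ln in lines
             if (m := re.match(r"access-group (\S+) in interface (\S+)$", ln))}
    for ln in lines:
        m = re.match(r"access-list (\S+) permit \S+ host (\S+) host (\S+)", ln)
        if m and m.group(1) in bound and m.group(2) == m.group(3):
            # Source equals destination: no real inbound packet can match.
            findings.append(("acl-src-equals-dst", ln))
        if re.match(r"global \(inside\)", ln):
            findings.append(("global-on-inside", ln))
        if re.match(r"nat \(inside\) \d+ 0 0$", ln):
            findings.append(("nat-any-source", ln))
    if any(ln.startswith("dhcpd ") for ln in lines):
        findings.append(("dhcpd-configured", "review if DHCP is not in use"))
    for ifname in interfaces:
        if f"ip verify reverse-path interface {ifname}" not in lines:
            findings.append(("no-reverse-path-check", ifname))
    return findings

if __name__ == "__main__":
    for rule, detail in audit_pix_config(SAMPLE_CONFIG):
        print(f"{rule}: {detail}")
```
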

Community Member

Re: Can't Seem To Connect To Webserver From Outside


1.- Every time you modify a static command line you have to send a clear xlate, so any previous change will take effect.

Do a

config term

clear local

clear xlate

This will interrupt all connections for a brief moment.

2.- Check the web application from inside , from an internal workstation type

3.- From an external workstation, browse by IP address, not by domain name: at your browser type http://xx.xx.xx.53. If this works, it will indicate a DNS resolution problem.

4.-Check the route table at your web server ( it should have a default route pointing to your internal PIX IP (

5.- Enable log

This will send all log information to your PIX serial console, PIX buffer, and telnet/ssh terminal.

conf term

logg mon 6

logg buff 6

logg mon 6

logg on

term mon

Check the log at the moment you try to connect from an outside IP to correlate events.

Hope this helps! Post any result.
