Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

From Firewall to Web Server

My situation is like this: The firewall has a static public IP address (, and a Web Server is connect to the firewall in the DMZ, the Application Server and the Database Server are connected to the firewall from the inside interface. All the IP addresses of the Web, Application, and the Database Servers are private IPs such as 192.168.2.x (where x = 2, 3, 4). Some web applications are deployed to this system (on Application Server such as

This will be what I expected: a user launches the web browser and types in, trying to access the web application. The DNS server will direct the request to the firewall ( Once the firewall receives the request, it will forward the request to the web server. The web server’s HTTP server will pass through the firewall and send the request to the application server, which in turn queries the database.

My questions are:

1) Can the firewall (which has a public static IP) direct the request to the web server (which has a private IP) in the DMZ? If so, how does it do it? Do I need to configure the firewall?

2) How does the HTTP server (installed on the web server) send the request passing through the firewall? Any special configuration? Or by default.

3) If the firewall comes with the VPN capability, can I remotely access the web server, the application server and the database server via this firewall?

4) Can I have the same web server to carry out both the caching and HTTP functions?

Thanks to help.



Re: From Firewall to Web Server

What Firewall are you using ? I suppose a PIX ?

1.) Yes you can for example for a PIX Firewall foward a port 80 or port 443 in TCP to a DMZ host which is your Web Server.

2.) Then to to allow your web server to connect to the Database server on the inside, for that you need to create an access-list that allows your server to do so on the DMZ interface.

Usually you disable Network address translation between the DMZ and Inside network.

3.) Yes, you can install a web server and the Proxy server on the same server.

Example config:

# The first two lines permit all http and https traffic from the Internet to the outside interface IP which is then forwarded to your Web Server.

access-list outside permit tcp any interface outside eq 80

access-list outside permit tcp any interface outside eq 443

access-group outside in interface outside

# NAT Port forwarding of port 80 and 443 to dmz WWW server

static (dmz,outside)tcp interface 80 WWW-DMZ-IP 80 netmask

static (dmz,outside)tcp interface 443 WWW-DMZ-IP 443 netmask

# Disable NAT between inside and DMZ interface

static (inside,dmz) Inside-Network Inside-Network netmask

# Create an access-list that permits DMZ WWW Server to communicate with inside Database server.

access-list dmz permit tcp host WWW-DMZ-IP host INSIDE-DB eq XX

access-list dmz permit tcp host WWW-DMZ-IP host INSIDE-DB eq XY

access-list dmz permit udp host WWW-DMZ-IP any eq 53

# Allow Web traffic

access-list dmz permit tcp host WWW-DMZ-IP any eq 80

access-list dmz permit tcp host WWW-DMZ-IP any eq 443

access-list dmz permit tcp host WWW-DMZ-IP any eq 21

# Proxy server 8080 Port

access-list dmz permit tcp host WWW-DMZ-IP any eq 8080

access-group dmz in interface dmz

# Reset NAT Translation table

clear xlate



New Member

Re: From Firewall to Web Server

Thanks for the response. The question posted was quite bit lengthy.

I have further question that the statement in the response looks like the Command Line. Is there a companion web-based (GUI) configuration? If so, does the GUI configuration comes with the PIX (506) or I have to download it?


Re: From Firewall to Web Server

Yes it is possible to do the configuration also in the PDM - PIX device manager. Which is the GUI interface. But you will not find any examples for the PDM setup of your rule set.

Connect to PDM GUI:


See documentation of PDM:

I recommend you to start using the command line, which you can access with CLI - command line interface on the Serial port 9600/8N1 or ssh or telnet.