Cisco Support Community


web server at inside

I have a PIX515e and need to configure a web server on the inside interface (NOT on the dmz interface!!).

I'm an absolute beginner in this firewall stuff and need a simple explanation of what rules I need to make it accessible from outside. I've already read the other posts about this topic, but they didn't help me because they don't match my configuration.

important IPs:

webserver inside:

router: x.x.x.1

DNS: from ISP

config file:

PIX Version 6.1(4)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security10
enable password xxxx encrypted
passwd xxxx encrypted
hostname firewall
domain-name xxxx
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
name cem-sbs01
name cem-sbs03
name x.x.x.8 out_interface
access-list outside_access_in permit tcp any host out_interface
pager lines 24
logging on
logging buffered debugging
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
icmp deny any echo outside
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside out_interface
ip address inside
ip address dmz
ip audit info action alarm
ip audit attack action alarm
pdm location cem-sbs01 inside
pdm location inside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0 0
access-group outside_access_in in interface outside
route outside x.x.x.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http cem-sbs01 inside
http inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet timeout 5
ssh timeout 5
terminal width 80
: end


Thank you


Re: web server at inside

Hi -

Have a read of the following document and see if this helps your situation. The document explains how to configure a mail server on the inside network via the PIX, but you can look at this as configuring access to a web server on the inside. Basically you'll require an ACL and a static for your situation.

Hope this is of help:

Let me know if you need further help - Thanks, Jay


Re: web server at inside

1. You need to set up a static for the server.

2. You need to edit the access-list outside_access_in to allow HTTP access to the IP address that you use in the static.

How many legitimate IP addresses do you have to work with?

If you have only one, for your static, you can forward just a port:

static (inside, outside) tcp interface www www netmask

You would then need to "clear xlate" (this will break all connections), and you should be good to go: your access list allows all TCP connections to the IP address of your outside interface. You might want to edit that to only allow HTTP.


Re: web server at inside

Thank you very much!

It's now working fine.


Re: web server at inside

Hi -

Here's an example:

> pix(config)# global (outside) 1
> pix(config)# nat (inside) 1 0 0
> pix(config)# static (inside,outside)
> pix(config)# access-list PERMIT_IN permit tcp any host eq 80
> pix(config)# access-group PERMIT_IN in interface outside

Where IP (outside interface) is an outside address connecting to port 80 on the inside IP.

Remember to save the config with command 'write memory' and also execute command 'clear xlate' to activate the new translations.

Hope this helps - Jay.
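Putting the two replies together, here is a complete configuration fragment for the original poster's case (a single public address, web server on the inside interface). This is an added example, not commands from either poster. Assumed values: the inside web server is 10.1.1.10 (hypothetical); out_interface is the x.x.x.8 name already defined in the posted config; the posted global/nat lines are kept as they are. It also does what the second reply only suggests: the catch-all `permit tcp any host out_interface` rule is removed and replaced with a rule that permits port 80 only.

```text
: Added example (not from the thread). Assumed values:
:   10.1.1.10     = web server on the inside interface (hypothetical)
:   out_interface = x.x.x.8, the outside interface address, as named in the posted config
: The posted config already contains:  global (outside) 1 interface  /  nat (inside) 1 0 0

: 1. Port-redirection static: TCP/80 arriving at the outside interface address
:    is translated to TCP/80 on the inside web server (PIX 6.0 and later syntax).
static (inside,outside) tcp interface www 10.1.1.10 www netmask 255.255.255.255 0 0

: 2. Drop the catch-all rule (it permits every TCP port to the outside address)
:    and permit only HTTP to it.
no access-list outside_access_in permit tcp any host out_interface
access-list outside_access_in permit tcp any host out_interface eq www

: 3. The access-group binding is already in the posted config; repeated here so
:    the fragment is complete on its own.
access-group outside_access_in in interface outside

: 4. Activate the translation (this drops all existing connections) and save.
clear xlate
write memory

: Verification from the PIX:
show static
show access-list outside_access_in
show xlate
```

After `clear xlate`, `show xlate` should list the port-80 mapping from out_interface to 10.1.1.10, and a connection from outside to port 80 on x.x.x.8 should increment the hit count shown by `show access-list outside_access_in`. One caveat the thread does not spell out: with the server on the inside interface, a compromise of the web server lands the attacker directly on the inside network; that exposure is what the dmz interface (security10) in the posted config exists to contain.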