I have a Cisco PIX 506 (v6.3) on a very simple, small office network. I've managed to get the email server to work fine behind the PIX, and even got VPN to work, as well as NAT for inside workstations to access the internet. For now I have a web server in front of the PIX, and it can successfully connect to a SQL server behind the PIX. Obviously, I really need to get this webserver behind the PIX, but I can't find what's wrong. Any help would be greatly appreciated. Here is a fragment of our config (prefix IPs omitted):

interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any unreachable
access-list 100 permit tcp any host X.Y.78.211 eq smtp
access-list 100 permit tcp any host X.Y.78.211 eq pop3
access-list 100 permit tcp any host X.Y.78.212 eq 1433
access-list 100 permit tcp any host X.Y.78.210 eq www
access-list 101 permit ip 10.10.2.0 255.255.255.0 172.16.1.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside X.Y.78.221 255.255.255.128
ip address inside 10.10.2.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool ippool 172.16.1.1-172.16.1.254
pdm history enable
arp timeout 14400
global (outside) 1 X.Y.78.222
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) X.Y.78.211 10.10.2.3 netmask 255.255.255.255 0 0
static (inside,outside) X.Y.78.212 10.10.2.4 netmask 255.255.255.255 0 0
static (inside,outside) X.Y.78.210 10.10.2.5 netmask 255.255.255.255 0 0
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 X.Y.78.129 1

So basically, the X.Y.78.210 is our public webserver ip, and inside it should be 10.10.2.5. But, for some reason the webserver has no internet access when inside. It has access to the LAN, but nothing on the outside. And so naturally, nothing to point to it from the outside. The domain registrar has the domain properly pointing to that public ip, and if I place the web server outside from the PIX, it works great.
Any ideas? Comments? I'd really appreciate any input, thanks!
-J