static routes on pix 506e

should be:

access-list outside_access_in permit tcp any host x.x.x.x eq www

Where x.x.x.x is the IP address of the outside interface of the PIX.

HTH.

hi, ive added the access-list and reapplied the group but still no luck

heres my new config

PIX Version 6.3(5) interface ethernet0 auto interface ethernet1 auto nameif ethernet0 outside security0 nameif ethernet1 inside security100 enable password passwd domain-name dh2 clock timezone GMT/BST 0 clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct

2:00 fixup protocol dns maximum-length 1024 no fixup protocol ftp 21 fixup protocol h323 h225 1720 fixup protocol h323 ras 1718-1719 fixup protocol http 80 fixup protocol rsh 514 fixup protocol rtsp 554 fixup protocol sip 5060 fixup protocol sip udp 5060 fixup protocol skinny 2000 no fixup protocol smtp 25 fixup protocol sqlnet 1521 fixup protocol tftp 69 names object-group service ftpservice tcp port-object eq ftp-data port-object eq ftp access-list outside_access_in permit tcp any any eq smtp access-list outside_access_in permit udp host *******host ********* eq isakmp access-list outside_access_in permit tcp any eq domain any eq domain access-list outside_access_in permit tcp any eq www interface outside eq www access-list outside_access_in permit tcp any host ********* eq www access-list inside_outbound_nat0_acl permit ip 10.35.104.0 255.255.255.0 192.168 .1.0 255.255.255.0 access-list inside_outbound_nat0_acl permit ip any 10.35.104.176 255.255.255.240

access-list outside_cryptomap_20 permit ip 10.35.104.0 255.255.255.0

192.168.1.0 255.255.255.0 access-list outside_cryptomap_20 permit ip 192.168.1.0 255.255.255.0 10.35.104.0 255.255.255.0 access-list outside_cryptomap_20 permit icmp 10.35.104.0 255.255.255.0 192.168.1 .0 255.255.255.0 access-list outside_cryptomap_dyn_20 permit ip any 10.35.104.176 255.255.255.240

access-list dh2remote_splitTunnelAcl permit ip 10.35.104.0

255.255.255.0 any access-list test_splitTunnelAcl permit ip any any access-list inside_cryptomap_dyn_20 permit ip any 10.35.104.176 255.255.255.240 access-list outside_cryptomap_dyn_40 permit ip any 10.35.104.176 255.255.255.240

pager lines 24 logging on logging timestamp logging buffered debugging logging trap debugging logging host inside 10.35.104.162 mtu outside 1500 mtu inside 1500 ip address outside ********** 255.255.255.240 ip address inside 10.35.104.100 255.255.255.0 ip verify reverse-path interface outside ip verify reverse-path interface inside ip audit info action alarm drop reset ip audit attack action alarm drop reset ip local pool remote 10.35.104.180-10.35.104.184 pdm location 192.168.1.0 255.255.255.0 outside pdm location 10.35.104.162 255.255.255.255 inside pdm location 10.35.104.0 255.255.255.0 outside pdm location ********** 255.255.255.255 outside pdm location 10.35.104.106 255.255.255.255 inside pdm location 0.0.0.0 255.255.255.255 outside pdm location 10.35.104.193 255.255.255.255 inside pdm location ********** 255.255.255.255 outside pdm logging informational 100 pdm history enable arp timeout 14400 global (outside) 1 interface nat (inside) 0 access-list inside_outbound_nat0_acl nat (inside) 1 0.0.0.0 0.0.0.0 0 0 static (inside,outside) tcp interface smtp 10.35.104.106 smtp netmask

255.255.25 5.255 0 0 static (inside,outside) tcp interface www 10.35.104.106 www netmask 255.255.255. 255 0 0 access-group outside_access_in in interface outside route outside 0.0.0.0 0.0.0.0 ************ 1 timeout xlate 0:05:00 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00 timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00 timeout sip-disconnect 0:02:00 sip-invite 0:03:00 timeout uauth 0:05:00 absolute aaa-server TACACS+ protocol tacacs+ aaa-server TACACS+ max-failed-attempts 3 aaa-server TACACS+ deadtime 10 aaa-server RADIUS protocol radius aaa-server RADIUS max-failed-attempts 3 aaa-server RADIUS deadtime 10 aaa-server LOCAL protocol local http server enable http 10.35.104.0 255.255.255.0 inside snmp-server location crayford snmp-server contact daboss snmp-server community read no snmp-server enable traps floodguard enable sysopt connection permit-ipsec crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20 crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5 crypto dynamic-map outside_dyn_map 40 match address outside_cryptomap_dyn_40 crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-MD5 crypto dynamic-map inside_dyn_map 20 match address inside_cryptomap_dyn_20 crypto dynamic-map inside_dyn_map 20 set transform-set ESP-3DES-MD5 crypto map outside_map 20 ipsec-isakmp crypto map outside_map 20 match address outside_cryptomap_20 crypto map outside_map 20 set peer ********* crypto map outside_map 20 set transform-set ESP-3DES-MD5 crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map crypto map outside_map interface outside crypto map inside_map 65535 ipsec-isakmp dynamic inside_dyn_map crypto map inside_map interface inside isakmp enable outside isakmp key ******** address *************** netmask 255.255.255.255 no- xauth no-co nfig-mode isakmp identity address isakmp nat-traversal 3600 isakmp policy 20 authentication pre-share isakmp policy 20 encryption 3des isakmp policy 20 hash md5 isakmp policy 20 group 2 isakmp policy 20 lifetime 86400 vpngroup dh2remote address-pool remote vpngroup dh2remote dns-server 194.72.6.57 10.35.104.106 vpngroup dh2remote wins-server 10.35.104.106 vpngroup dh2remote default-domain vpngroup dh2remote split-tunnel dh2remote_splitTunnelAcl vpngroup dh2remote idle-time 1800 vpngroup dh2remote password ******** vpngroup test address-pool remote vpngroup test dns-server 10.35.104.106 vpngroup test wins-server 10.35.104.106 vpngroup test default-domain vpngroup test split-tunnel test_splitTunnelAcl vpngroup test idle-time 1800 vpngroup test password ******** vpngroup accounts address-pool remote vpngroup accounts dns-server 10.35.104.106 vpngroup accounts wins-server 10.35.104.106 vpngroup accounts default-domain vpngroup accounts idle-time 1800 vpngroup accounts password ******** telnet 10.35.104.193 255.255.255.255 inside telnet timeout 5 ssh timeout 5 console timeout 10 dhcpd address 10.35.104.170-10.35.104.185 inside dhcpd dns 10.35.104.106 194.72.6.57 dhcpd lease 3600 dhcpd ping_timeout 750 dhcpd auto_config outside dhcpd enable inside terminal width 80 banner login unauthorized user beware all actions are audited and logged

thanks

Alex

That is still not going to work, if you read the ACL you are permitting any IP address coming from port 80 connecting to your outside interface on port 80, this is not correct you need to have the ACl read, any IP from any port to the outside interface equal to port 80.

access-list outside_access_in permit tcp any host x.x.x.x eq www

That ACL will allow any client on the internet to come in on any port number as long as they are requesting port 80 on x.x.x.x which is your outside IP.

hi, the acl was correct the problem is that i was trying to access the url from inside the firewall. Is there a way i can allow the firewall to let me access the webpage from the inside ?

thanks for the help

Alex

Yes. What you would have to do is install PIX 7.2 on your PIX 506E. The configuration will be *completely* unsupported, but the word in the newsgroups is that you can get it to work, if you have a sufficiently small configuration and not a lot of activity on the firewall. And there's no certainty that you'd be able to back down to PIX 6 after making the attempt at PIX 7. You might have to install 7.0 as an intermediate step to get to PIX 7.2.

Personally, I wouldn't do it, but you didn't ask for recommendations, only to know whether it could be done or not. In case the above hasn't been sufficiently clear: there is no hope of doing it in PIX 6.5.

Or just install a DNS server on your local LAN, create a zone file for domain example.com, inside the zone file create an A record for

and point it to the internal IP address.

That does not satisfy the conditions set out by the original poster. The original poster did not ask how it would be possible to get access to the web site from the inside: the original poster asked how to "allow the firewall to let me access the webpage from the inside". Hence, in order for whatever solution is presented to be valid, the connection attempt most travel from the inside to the the firewall first, which would not happen with your solution.