Website not available from inside PIX

I have a PIX 501 with 2 servers in its internal network; one runs Windows 2003 Terminal Server and FTP, and the other is an Apache 2.2 HTTP server. All of these services map to the same external IP address.

The website is fine from outside the network, but I cannot view it from the terminal server even though DNS is resolving properly to the external IP, and the TS's routing table is in order (all other websites can be viewed from the TS). Tracert on the TS times out for every hop.

Does anyone know why this might be happening, and what I might do to fix it?

Relevant information: HTTP server 192.168.2.3: Apache runs on port 81 internally, mapped to external port 80/www (another service runs on port 80).

TS/FTP 192.168.2.2: The terminal server runs on nonstandard port 3390.

Here is the relevant portion of my PIX's config:

PIX Version 6.3(5)
access-list outside_in permit icmp any interface outside echo-reply
access-list outside_in permit tcp any interface outside eq 3390
access-list outside_in permit tcp any interface outside eq ftp
access-list outside_in permit tcp any interface outside eq www
mtu outside 1500
mtu inside 1500
ip address outside 64.xxx.xxx.218 255.255.255.248
ip address inside 192.168.2.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 3390 192.168.2.2 3390 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface ftp 192.168.2.2 ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www 192.168.2.3 81 netmask 255.255.255.255 0 0
access-group outside_in in interface outside
conduit permit icmp any any
route outside 0.0.0.0 0.0.0.0 64.xxx.xxx.217 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
Reply to
robert.waters

If you are trying to fetch the external IP address from inside the PIX, it will not work. You will need to address this via your internal DNS to return the internal IP address for the web server. Other than that, you can address this by placing the 'dns' keyword in the static statements in your config.

This should help; it is for the ASA as well, but applies to the PIX.


Reply to
Smokey

On the inside you need to hit the server's inside address. Change your internal DNS to point to the inside address 192.168.2.3 and you should be fine. This will not affect the outside connectivity. You can't hit a server on the inside on its outside address through a firewall. The firewall won't send traffic back through the interface it was sent from.

Reply to
jason.polce
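As an added example (not code from the thread, from Cisco, or from either reply above), the following Python script parses the interface and static lines of a PIX 6.x config like the one posted and works out where a client on the inside network must connect, since the PIX will not hairpin a connection aimed at the outside address. It also shows two things a practitioner checks before changing the internal DNS: the web server must be reached on port 81 from the inside, not 80, because the static only rewrites the port for traffic arriving on the outside interface; and the same outside address fronts both 192.168.2.2 (ftp, 3390) and 192.168.2.3 (www), so one internal A record cannot cover every service if a single hostname is used for all of them. The outside address 203.0.113.218 is a documentation-range stand-in for the masked 64.xxx.xxx.218 in the post; the statics and inside addresses are copied from the posted config; the function names are this example's own.

```python
"""Where must an inside client connect when public DNS returns the PIX's
outside address?  Added example; assumes the constructed config below."""
import ipaddress
import re

# PIX service keywords that appear in the posted config, resolved to ports.
SERVICE_PORTS = {"www": 80, "http": 80, "ftp": 21}

# Constructed sample: interface and static lines from the thread's config,
# with 203.0.113.218 standing in for the masked outside address.
PIX_CONFIG = """\
ip address outside 203.0.113.218 255.255.255.248
ip address inside 192.168.2.1 255.255.255.0
static (inside,outside) tcp interface 3390 192.168.2.2 3390 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface ftp 192.168.2.2 ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www 192.168.2.3 81 netmask 255.255.255.255 0 0
"""

STATIC_RE = re.compile(r"static \((\w+),(\w+)\) (tcp|udp) (\S+) (\S+) (\S+) (\S+)")
IP_RE = re.compile(r"ip address (\w+) (\S+) (\S+)$")


def port_number(token):
    """'www' -> 80, '3390' -> 3390."""
    return SERVICE_PORTS[token] if token in SERVICE_PORTS else int(token)


def parse_pix(config):
    """Return (interfaces, statics).  interfaces maps name -> IPv4Interface;
    statics is a list of dicts with the 'interface' keyword already resolved
    to the mapped interface's own address."""
    interfaces, statics = {}, []
    for line in config.splitlines():
        line = line.strip()
        m = IP_RE.match(line)
        if m:
            name, ip, mask = m.groups()
            interfaces[name] = ipaddress.IPv4Interface(f"{ip}/{mask}")
            continue
        m = STATIC_RE.match(line)
        if m:
            real_ifc, mapped_ifc, proto, mip, mport, rip, rport = m.groups()
            statics.append({
                "real_ifc": real_ifc, "mapped_ifc": mapped_ifc, "proto": proto,
                "mapped_ip": mip, "mapped_port": port_number(mport),
                "real_ip": rip, "real_port": port_number(rport),
            })
    for s in statics:
        if s["mapped_ip"] == "interface":
            s["mapped_ip"] = str(interfaces[s["mapped_ifc"]].ip)
    return interfaces, statics


def inside_target(interfaces, statics, client_ip, proto, dst_ip, dst_port):
    """Address an inside client should really connect to.

    Returns (ip, port) rewritten through the matching static, the original
    destination when no hairpin is involved, or None when the client sits on
    the static's real side and aims at another interface's address with no
    static for that port (the case that just times out on the PIX)."""
    client = ipaddress.IPv4Address(client_ip)
    for s in statics:
        on_real_side = client in interfaces[s["real_ifc"]].network
        if (on_real_side and s["proto"] == proto
                and s["mapped_ip"] == dst_ip and s["mapped_port"] == dst_port):
            return (s["real_ip"], s["real_port"])
    client_ifc = next((n for n, i in interfaces.items() if client in i.network), None)
    for name, ifc in interfaces.items():
        if name != client_ifc and str(ifc.ip) == dst_ip:
            return None
    return (dst_ip, dst_port)


def internal_dns_candidates(statics, outside_ip):
    """Inside hosts fronted by one outside address.  More than one entry means
    a single internal A record for that name cannot cover every service."""
    return sorted({s["real_ip"] for s in statics if s["mapped_ip"] == outside_ip})


if __name__ == "__main__":
    ifcs, sts = parse_pix(PIX_CONFIG)
    ts = "192.168.2.2"  # the terminal server in the post
    print("web site from the TS:", inside_target(ifcs, sts, ts, "tcp", "203.0.113.218", 80))
    print("hosts behind the outside address:", internal_dns_candidates(sts, "203.0.113.218"))
```

Run as-is, the script reports that the terminal server must open 192.168.2.3:81 for the web site, and that two inside hosts sit behind the one outside address, so the internal DNS change only works if the web site name, and not also the FTP or terminal-server name, is pointed at 192.168.2.3 (a hosts-file entry on the TS does the same for a single machine). Port 81 still has to appear in the URL from the inside.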

Thank you.

Reply to
robert.waters

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.