Website not available from inside PIX

I have a PIX 501 with 2 servers in it's internal network; one runs Windows 2003 Terminal Server and FTP, and the other is an Apache2.2 http server. All of these services map to the same external IP address.

The website is fine from outside the network, but I cannot view it from the terminal server even though DNS is resolving properly to the external IP, and the TS's routing table is in order (all other websites can be viewed from the TS). Tracert on the TS times out for every hop.

Does anyone know why this might be happening, and what I might do to fix it?

Relevant information: Http server Apache runs on port 81 internally, mapped to external port 80/www (another service runs on port 80).

TS/FTP The terminal server runs on nonstandard port 3390.

Here is the relevant portion of my PIX's config: PIX Version 6.3(5) access-list outside_in permit icmp any interface outside echo-reply access-list outside_in permit tcp any interface outside eq 3390 access-list outside_in permit tcp any interface outside eq ftp access-list outside_in permit tcp any interface outside eq www mtu outside 1500 mtu inside 1500 ip address outside ip address inside ip audit info action alarm ip audit attack action alarm arp timeout 14400 global (outside) 1 interface nat (inside) 1 0 0 static (inside,outside) tcp interface 3390 3390 netmask 0 0 static (inside,outside) tcp interface ftp ftp netmask 0 0 static (inside,outside) tcp interface www 81 netmask 0 0 access-group outside_in in interface outside conduit permit icmp any any route outside 1 timeout xlate 0:05:00 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00 timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00 timeout sip-disconnect 0:02:00 sip-invite 0:03:00 timeout uauth 0:05:00 absolute aaa-server TACACS+ protocol tacacs+ aaa-server TACACS+ max-failed-attempts 3 aaa-server TACACS+ deadtime 10 aaa-server RADIUS protocol radius aaa-server RADIUS max-failed-attempts 3 aaa-server RADIUS deadtime 10 aaa-server LOCAL protocol local http server enable http inside no snmp-server location no snmp-server contact snmp-server community public no snmp-server enable traps floodguard enable
Reply to
Loading thread data ...

If you are trying to fetch the external IP address from inside the PIX it will not work. You will need to address this via your internal DNS to return the internal IP address for the web server. Other than that you can address this by placing the 'dns' keyword in the static statements in your config.

This should help, it is for the ASA as well, but applies to the pix.

formatting link

Reply to

On the inside you need to hit the server's inside address. Change your internal DNS to point to the Inside address and you should be fine. This will not affect the outside connectivity. You cant hit a server on the inside, on its outside address through a firewall. The firewall wont send traffic back through an interface it was sent from.

Reply to

Thank you.

Reply to
robert.waters Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.