I have a PIX 501 with 2 servers in it's internal network; one runs Windows 2003 Terminal Server and FTP, and the other is an Apache2.2 http server. All of these services map to the same external IP address.
The website is fine from outside the network, but I cannot view it from the terminal server even though DNS is resolving properly to the external IP, and the TS's routing table is in order (all other websites can be viewed from the TS). Tracert on the TS times out for every hop.
Does anyone know why this might be happening, and what I might do to fix it?
Relevant information: Http server 192.168.2.3: Apache runs on port 81 internally, mapped to external port 80/www (another service runs on port 80).
TS/FTP 192.168.2.2: The terminal server runs on nonstandard port 3390.
Here is the relevant portion of my PIX's config: PIX Version 6.3(5) access-list outside_in permit icmp any interface outside echo-reply access-list outside_in permit tcp any interface outside eq 3390 access-list outside_in permit tcp any interface outside eq ftp access-list outside_in permit tcp any interface outside eq www mtu outside 1500 mtu inside 1500 ip address outside 64.xxx.xxx.218 255.255.255.248 ip address inside 192.168.2.1 255.255.255.0 ip audit info action alarm ip audit attack action alarm arp timeout 14400 global (outside) 1 interface nat (inside) 1 0.0.0.0 0.0.0.0 0 0 static (inside,outside) tcp interface 3390 192.168.2.2 3390 netmask
255.255.255.255 0 0 static (inside,outside) tcp interface ftp 192.168.2.2 ftp netmask 255.255.255.255 0 0 static (inside,outside) tcp interface www 192.168.2.3 81 netmask 255.255.255.255 0 0 access-group outside_in in interface outside conduit permit icmp any any route outside 0.0.0.0 0.0.0.0 64.xxx.xxx.217 1 timeout xlate 0:05:00 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00 timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00 timeout sip-disconnect 0:02:00 sip-invite 0:03:00 timeout uauth 0:05:00 absolute aaa-server TACACS+ protocol tacacs+ aaa-server TACACS+ max-failed-attempts 3 aaa-server TACACS+ deadtime 10 aaa-server RADIUS protocol radius aaa-server RADIUS max-failed-attempts 3 aaa-server RADIUS deadtime 10 aaa-server LOCAL protocol local http server enable http 192.168.2.0 255.255.255.0 inside no snmp-server location no snmp-server contact snmp-server community public no snmp-server enable traps floodguard enable