Access Blocked on 501

[MJNSBF]

I have a pix 501 protecting my webserver and email server. Access to these servers work great....IF the user is either a)behind the firewall or b) connected to our LAN outside the firewall. No one outside our "domain" gains access. My logs show the following:

deny tcp src outside:a.b.c.d/4495 dst inside:172.110.107.20/80 by access-group "outside_access_in"

But the way I interpret my rules, I am allowing "any" network to reach through on that server. Any help would be appreciated.


PIX Version 6.1(3)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
domain-name mydomain.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
name 192.168.10.2 NAMO
name 192.168.10.80 MASTER
name 192.168.10.20 WEBSERVER
access-list outside_access_in permit tcp any host MASTER eq smtp
access-list outside_access_in permit tcp any host MASTER eq 366
access-list outside_access_in permit tcp any host MASTER eq pop3
access-list outside_access_in permit tcp any host MASTER eq 465
access-list outside_access_in permit tcp any host MASTER eq 995
access-list outside_access_in permit tcp any host MASTER eq 143
access-list outside_access_in permit tcp any host MASTER eq 993
access-list outside_access_in permit tcp any host MASTER eq 32000
access-list outside_access_in permit tcp any host MASTER eq 32001
access-list outside_access_in permit tcp any host WEBSERVER eq www
pager lines 24
logging on
logging buffered warnings
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside 172.110.107.250 255.255.255.0
ip address inside 192.168.10.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location NAMO 255.255.255.255 inside
pdm location MASTER 255.255.255.255 inside
pdm location WEBSERVER 255.255.255.255 inside
pdm logging warnings 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.10.0 255.255.255.0 0 0
static (inside,outside) 172.110.107.80 MASTER netmask 255.255.255.255 0 0
static (inside,outside) 172.110.107.20 WEBSERVER netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 192.149.107.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http 172.110.107.0 255.255.255.0 outside
http NAMO 255.255.255.255 inside
http 192.168.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet timeout 5
ssh timeout 5
terminal width 80

 

[MJNSBF]

I'm sorry....I typed the log message incorrectly....I am having double vision today. The message was for a diff destination address/port, which should be blocked. The logs show nothing with regards to the .20 webserver, and blocking any access.

 

[MJNSBF]

ok - I had my webserver connected directly to the pix (the 4 port integrated switch). When I placed a switch between the pix and the webserver (connecting the webserver to the new switch), things started working. Any ideas why? I thought the Pix switch should work. Now, I tried to connect my mail server to the switch, and it didn't work. Ah yet another troubleshooting day...........