• Status: Solved

Multiple web sites with one router

I have two machines with private addresses hosting web sites behind one public IP address. One is a company site (IIS4 port 80) and the other experimental (IIS5 port 81) that crashes 3-4 times a day, so I don't want to move either site to the other machine and let IIS read a header. The experimental machine is being run on port 81 and this is a problem, as some clients' IT depts won't allow access.

1. Is there a single router that will allow multiple-NAT translation so both machines can run on port 80 through one router? (I.e., will the Cisco 806 do this??)

-or-

2. Would assigning a second public address help (we have 4 according to our ISP)? I know both would not run behind the router/firewall (current problem), only the corporate site. So would that mean Internet-Switch-Router/firewall-server for the corporate and Internet-Switch-Server for the experimental (port 81) skipping the firewall?

3. How quickly do you think hackers will trash the thing if just sitting on a direct address to the internet? It is IIS.

Regards,
Mike
pjknibbs Commented:
We do run multiple web sites on a single IP address at my office, but we do it on a single IIS server--basically the IIS server looks at the HTTP header to see which site is being accessed to determine which pages to serve. I don't think this would work across two PCs, though, and I've never heard of ANY device which would translate a single IP address into two internal IP addresses--how would it know which machine the packet was intended for, for a start?

I would go for the second external IP address. What makes you think you can't run two external IP addresses to two internal machines via a firewall/router combo, out of interest? On our system we have at least four different machines on the internal network which are presented as four different external IP addresses, all handled by the firewall.

As for hackers and IIS--most IIS exploits rely on the standard HTTP port 80 anyway, and since that has to be open to the world for IIS to work it's not likely to get hacked any faster when directly attached PROVIDED you close down all ports other than 80. This would mean not having any Windows shares open on the machine, which might cause you problems with your development.
 
reden Commented:
It is more logical to assign another public IP address to the router and have it translated for the private IP address of the server.
 
Zook Commented:
1.

I never tried it, but as I understand "Squid" Proxy can do this. It uses the URL transmitted by the browser to distinguish transparently.

Keyword "accelerator proxy"

Check out http://www.squid-cache.org/.

Squid is often run on Linux, but they seem to have a Windows version.

2.
Sorry, I don't get the question :-(

3. If you run a Linux Box as a Firewall and as the squid proxy, this might improve your protection quite a bit.

cu
Zook
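
The host-based selection that an accelerator (reverse) proxy performs, as an added example that is not part of any post in this thread: the proxy owns the single public address and picks the internal server from the HTTP `Host` header, refusing requests it cannot route unambiguously. The host name `lab.abc.com` and the private addresses are assumptions made for illustration.

```python
# Added example: choosing an internal server from the HTTP Host header.
# Host names and private addresses are assumed for illustration.
BACKENDS = {
    "www.abc.com": ("192.168.1.10", 80),  # company site
    "lab.abc.com": ("192.168.1.11", 80),  # experimental site (hypothetical name)
}


def host_headers(raw: bytes):
    """Return every Host header value found in the request head."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    values = []
    for line in head.split(b"\r\n")[1:]:       # skip the request line
        name, sep, value = line.partition(b":")
        if sep and name.lower() == b"host":     # header names are case-insensitive
            values.append(value.strip())
    return values


def route(raw: bytes):
    """Return ("forward", (ip, port)) or ("reject", reason)."""
    hosts = host_headers(raw)
    if len(hosts) != 1:
        # Missing Host: nothing to route on. Duplicate Host: proxy and
        # origin server could disagree about which one counts, so refuse.
        return ("reject", "need exactly one Host header")
    host = hosts[0].decode("ascii", "replace").lower()
    host = host.partition(":")[0].rstrip(".")   # drop ":port" and trailing dot
    backend = BACKENDS.get(host)
    if backend is None:
        return ("reject", "unknown host")       # default deny, no fallback site
    return ("forward", backend)


# Constructed sample requests.
REQ_COMPANY = b"GET / HTTP/1.1\r\nHost: www.abc.com\r\n\r\n"
REQ_LAB = b"GET / HTTP/1.1\r\nhost: LAB.abc.com:80\r\n\r\n"
REQ_NO_HOST = b"GET / HTTP/1.0\r\n\r\n"
REQ_TWO_HOSTS = b"GET / HTTP/1.1\r\nHost: www.abc.com\r\nHost: lab.abc.com\r\n\r\n"
REQ_UNKNOWN = b"GET / HTTP/1.1\r\nHost: 203.0.113.5\r\n\r\n"

if __name__ == "__main__":
    for req in (REQ_COMPANY, REQ_LAB, REQ_NO_HOST, REQ_TWO_HOSTS, REQ_UNKNOWN):
        print(req.split(b"\r\n")[0].decode(), "->", route(req))
```

A plain NAT router cannot make this decision because it only sees addresses and ports; the host name is visible only to a device that terminates the TCP connection and reads the request.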
 
scraig84 Commented:
First off, many NAT routers will allow translations for multiple external addresses, so your box would not necessarily have to sit outside with a real address.  This just depends on the router doing the translations.

However, if you were to stick with a single address, why not run the server on a different well known port that most IT organizations do allow?  As long as you are not also running those services on the same machine, it should be fine.  For example, most organizations allow ports 21 and 443.  As long as you don't run an FTP server or SSL web site on that machine you could use one of those.  

Also, if you know your way around IIS pretty well, you can set up some "dummy" sites on the current box that simply redirect users to the other port.  This way, people won't have to type anything different in their browser.  For example, if your site is www.abc.com, you could set up a site on your current "live" box and rather than giving it a home directory, you tell it to redirect to http://www.abc.com:21.  This way the user types in a generic URL and gets redirected automatically.  Remember also when you host a site on a different port you often have to include the port in links on your site.

Hope that helps a bit.
 
MDOwens (Author) Commented:
"pjknibbs - What makes you think you can't run two external IP addresses to two internal machines via a firewall/router combo"
-We apparently have a low-end router/firewall that only provides a NAT for one machine. I talked with the company and that is a limitation.

"scraig84 - most organizations allow ports 21 and 443"
-I like the idea of running the site on one of these ports. I'll give this a try this morning. Don't know if I can get a response from our clients immediately or not.

"Zook - If you run a Linux Box as a Firewall and as the squid proxy"
-I've only been able to spend 2 days on a Linux box trying to get Samba to be seen on the network and had no luck. I love the idea of running a Linux box for this purpose, but I have little to no knowledge about it.


With the idea of the router translating multiple public IP addresses, can anyone suggest a particular product or what to look for in a router with this capability?

Regards,
Mike
 
scraig84 Commented:
A router typically won't do it.  However, a proxy often will.  Even Microsoft's Proxy 2.0 or ISA server should be able to do this in a reverse proxy scenario.  However, although I know those products well, I am not a big supporter of them.
 
scraig84 Commented:
I apologize - I misunderstood your question.  I was thinking that you were referring to a router that could forward based on the host-header name.  Linksys makes some decent low end routers and I believe they allow for multiple external IP addresses.  Also, the Cisco 800 series will definitely do it and is their lowest-end model with that capability.