Solved

Multiple web sites with one router

Posted on 2002-06-18
Last Modified: 2012-06-21
I have two machines with private addresses hosting web sites behind one public IP address. One is a company site (IIS4, port 80) and the other experimental (IIS5, port 81) that crashes 3-4 times a day, so I don't want to move either site to the other machine and let IIS read a header. The experimental machine is being run on port 81, and this is a problem because some clients' IT depts won't allow access.

1. Is there a single router that will allow multiple-NAT translation so both machines can run on port 80 through one router? (I.e., will the Cisco 806 do this??)

-or-

2. Would assigning a second public address help (we have 4 according to our ISP)? I know both would not run behind the router/firewall (current problem), only the corporate site. So would that mean Internet-Switch-Router/firewall-server for the corporate and Internet-Switch-Server for the experimental (port 81), skipping the firewall?

3. How quickly do you think hackers will trash the thing if just sitting on a direct address to the internet? It is IIS.

Regards,
Mike
Question by:MDOwens

Expert Comment

by:pjknibbs
We do run multiple web sites on a single IP address at my office, but we do it on a single IIS server--basically the IIS server looks at the HTTP header to see which site is being accessed to determine which pages to serve. I don't think this would work across two PCs, though, and I've never heard of ANY device which would translate a single IP address into two internal IP addresses--how would it know which machine the packet was intended for, for a start?

I would go for the second external IP address. What makes you think you can't run two external IP addresses to two internal machines via a firewall/router combo, out of interest? On our system we have at least four different machines on the internal network which are presented as four different external IP addresses, all handled by the firewall.

As for hackers and IIS--most IIS exploits rely on the standard HTTP port 80 anyway, and since that has to be open to the world for IIS to work it's not likely to get hacked any faster when directly attached PROVIDED you close down all ports other than 80. This would mean not having any Windows shares open on the machine, which might cause you problems with your development.

Expert Comment

by:reden
It is more logical to assign another public IP address to the router and have it translated for the private IP address of the server.

Expert Comment

by:Zook
1.

I never tried it, but as I understand "Squid" Proxy can do this. It uses the URL transmitted by the browser to distinguish transparently.

Keyword "accelerator proxy"

Check out http://www.squid-cache.org/.

Squid is often run on Linux, but they seem to have a Windows version.

2.
Sorry, I don't get the question :-(

3. If you run a Linux Box as a Firewall and as the squid proxy, this might improve your protection quite a bit.

cu
Zook
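
The routing decision Zook describes, and the answer to pjknibbs' "how would it know which machine the packet was intended for", as an added example that is not part of the original thread: a reverse proxy reads the HTTP `Host` header and picks the internal server from it. The name `lab.abc.com` and the private and public addresses are constructed for illustration.

```python
# Added example: Host-header routing as a reverse ("accelerator") proxy does it.
# Hostnames and addresses below are constructed for illustration.
BACKENDS = {
    "www.abc.com": ("192.168.1.10", 80),   # company site (IIS4)
    "lab.abc.com": ("192.168.1.11", 80),   # experimental site (IIS5), hypothetical name
}


def parse_host(raw_request: bytes):
    """Return the lower-cased Host header value without port, or None."""
    head = raw_request.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    hosts = []
    for line in lines[1:]:                      # skip the request line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "host":
            hosts.append(value.strip())
    if len(hosts) != 1 or not hosts[0]:         # missing or duplicated Host: ambiguous
        return None
    host = hosts[0].lower()
    if host.startswith("["):                    # IPv6 literal, never one of our names
        return None
    return host.rsplit(":", 1)[0] if ":" in host else host


def select_backend(raw_request: bytes):
    """Map a request to (ip, port), or None if it must be refused.

    A NAT router sees only the destination IP and port, which are identical
    for both sites; the proxy can choose because it reads the HTTP header.
    Unknown names are refused rather than sent to a default server, so
    requests addressed to the bare IP never reach either IIS box.
    """
    host = parse_host(raw_request)
    return BACKENDS.get(host.rstrip(".")) if host else None


# Constructed sample requests, all arriving on the one public IP, port 80.
SAMPLES = [
    b"GET / HTTP/1.1\r\nHost: www.abc.com\r\n\r\n",
    b"GET /test HTTP/1.1\r\nhost: LAB.abc.com:80\r\n\r\n",
    b"GET / HTTP/1.1\r\nHost: 203.0.113.5\r\n\r\n",
    b"GET / HTTP/1.0\r\n\r\n",
]

if __name__ == "__main__":
    for req in SAMPLES:
        print(req.split(b"\r\n")[0].decode(), "->", select_backend(req))
```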

Accepted Solution

by:
scraig84 earned 100 total points
First off, many NAT routers will allow translations for multiple external addresses, so your box would not necessarily have to sit outside with a real address.  This just depends on the router doing the translations.

However, if you were to stick with a single address, why not run the server on a different well known port that most IT organizations do allow?  As long as you are not also running those services on the same machine, it should be fine.  For example, most organizations allow ports 21 and 443.  As long as you don't run an FTP server or SSL web site on that machine you could use one of those.  

Also, if you know your way around IIS pretty well, you can set up some "dummy" sites on the current box that simply redirect users to the other port. This way, people won't have to type anything different in their browser. For example, if your site is www.abc.com, you could set up a site on your current "live" box and rather than giving it a home directory, you tell it to redirect to http://www.abc.com:21. This way the user types in a generic URL and gets redirected automatically. Remember also when you host a site on a different port you often have to include the port in links on your site.

Hope that helps a bit.

Author Comment

by:MDOwens
"pjknibbs - What makes you think you can't run two external IP addresses to two internal machines via a firewall/router combo"
-We apparently have a low-end router/firewall that only provides a NAT for one machine. I talked with the company and that is a limitation.

"scraig84 - most organizations allow ports 21 and 443"
-I like the idea of running the site on one of these ports. I'll give this a try this morning. Don't know if I can get a response from our clients immediately or not.

"Zook - If you run a Linux Box as a Firewall and as the squid proxy"
-I've only been able to spend 2 days on a Linux box trying to get Samba to be seen on the network and had no luck. I love the idea of running a Linux box for this purpose, but I have little to no knowledge about it.


With the idea of the router translating multiple public IP addresses, can anyone suggest a particular product or what to look for in a router with this capability?

Regards,
Mike

Expert Comment

by:scraig84
A router typically won't do it. However, a proxy often will. Even Microsoft's Proxy 2.0 or ISA server should be able to do this in a reverse proxy scenario. However, although I know those products well, I am not a big supporter of them.

Expert Comment

by:scraig84
I apologize - I misunderstood your question.  I was thinking that you were referring to a router that could forward based on the host-header name.  Linksys makes some decent low end routers and I believe they allow for multiple external IP addresses.  Also, the Cisco 800 series will definitely do it and is their lowest-end model with that capability.