Public/Private IP # DNS and Webserver on a DMZ

Posted on 2003-03-13
Medium Priority
Last Modified: 2010-03-19

One of those questions that's probably dead straightforward. But I can't picture it in my mind.

I am considering the below setup:
Cisco 2600 Router
Cisco 515E UR PIX 4fe
Cobalt Webserver [] - (on DMZ2)
RedHat 8.0 BIND DNS server [] - (on DMZ2)
Redhat 8.0 SendMail server [] - (on DMZ1)

Outside interface of - Security 0
dmz1 interface of - Security 40
dmz2 interface of - Security 60
Inside interface of - Security 100

I am unsure as to how to get all DNS requests to go to the DNS server, and then to forward those requests to the appropriate location. Is it just a simple task of creating a policy rule permitting DNS traffic from the Internet to the DNS server on the DMZ2, telling all web requests on domains in the DNS to go to the Cobalt server in DMZ2, and then letting the Cobalt server sort out which domain traffic goes to which virtual site?

I would be prepared to allocate Public IP # on DMZ2 if you think it would be a better idea, and then just send all DNS requests to the DNS server's public IP on DMZ2. But where would you point the domains to? If you pointed them to the Cobalt, how does the Cobalt know what to do with the request and what domain it's for? Does it need to be running a secondary DNS server? It's confusing.

I'm sure a million people must have done this before, so you must have plenty of tips/suggestions on how to do it.

I have not got any of the equipment as of yet, so I'm looking at it from a theoretical perspective. I also need to know how many Public IP # to order, and how best to allocate them within my network.

I want to host multiple websites and my own DNS on my DMZ2 interface. I want it to work as if it was directly connected to the Internet. But without a decent helping of knowledge with regards to DNS and Cisco PIX it's not easy. (This is more a learning experience on this side of networking.)

Hope someone can help

Question by: aphix
LVL 16

Accepted Solution

JammyPak earned 500 total points
ID: 8131448
Step one: You need to have the public IP address of the DNS server registered with your parent domain. Usually you can get your ISP to do this for you. Let's suppose you're domain1.com - you need to tell the .com domain that you exist, and that the DNS (NS) server for that domain is at public address a.b.c.d.

Step 2: You need to permit DNS traffic (TCP 53) into DMZ2 and NAT requests from a.b.c.d to This now means that when someone tries to get www.domain1.com they will not only get the correct DNS server address, but also the firewall will let their request in and NAT it to the DNS server.

Step 3: On your DNS server, there must be a forward lookup zone for domain1.com. Inside that you need to create an 'A' host record for the website, with the public IP address of the Cobalt webserver. This means that when someone queries your DNS server for your webserver, the DNS server will respond with the correct address.

Step 4: Config the PIX to allow incoming TCP port 80 (HTTP) to the webserver, and configure NAT to redirect port 80 traffic destined to the public address of your webserver to go to

You need to do a similar NAT setup for any other website you want to host. You'll also need to set the PIX to allow incoming SMTP (TCP port 25) and set up NAT to pass the port 25 traffic to your sendmail server.

Re. the PIX, cisco.com has loads and loads of documentation.



Author Comment

ID: 8132822

So you're saying that I should have a Public IP # for the Webserver, with the A records in the DNS pointing to the public address on for the Cobalt?

I host more than one site on the same Cobalt. So in the DNS should I do the below ( could be the public IP of the Cobalt server)

www.domain1.com (A) - PIX NAT's to
www.domain2.com (A) - PIX NAT's to

In the virtual sites on the Cobalt I define the sites' IP #

www.domain1.com -
www.domain2.com -

If someone requests www.domain2.com in their browser, it will query the DNS, the DNS will send the request to the public IP # of the Cobalt server. The Cobalt then directs them to domain2.com's site.

Does it work like that, or will I need to assign each virtual site a public IP # and then define that domain's A record as that public IP, and NAT that through the firewall? (The latter sounds wrong and messy.)

Thanks for your first advice though, it was kind of what i wanted to hear, and was half expecting it :)

LVL 16

Expert Comment

ID: 8136235
This can be done a couple of ways.

You could assign separate public IPs for each website, and then NAT each of them to separate private IPs. This is probably the cleaner and/or safer method, since each site has its own distinct public and private IP address (they can still be on the same webserver of course).

Some webservers support 'host headers' - I don't know if Cobalt does. This allows you to send all web requests to the same webserver, and the webserver looks at the domain that the user is requesting to figure out which website to show them. This is what you have configured your PIX for above (all web sites NAT to the same address - so it's up to the webserver to figure out if they want www.domain1.com or www.domain2.com). This may or may not work - I've never used Cobalt.

If you have the public addresses to spare, you could change the DNS so that each website has an address, and then change the NAT so that each public address is NAT'ed to a different private address.

