Public/Private IP # DNS and Webserver on a DMZ


One of those questions that's probably dead straightforward, but I can't picture it in my mind.

I am considering the below setup:
Cisco 2600 Router
Cisco 515E UR PIX 4fe
Cobalt Webserver [] - (on DMZ2)
RedHat 8.0 BIND DNS server [] - (on DMZ2)
Redhat 8.0 SendMail server [] - (on DMZ1)

Outside interface - security 0
dmz1 interface - security 40
dmz2 interface - security 60
Inside interface - security 100

I am unsure as to how to get all DNS requests to go to the DNS server, and then to forward those requests to the appropriate location. Is it just a simple task of creating a policy rule permitting DNS traffic from the Internet to the DNS server on DMZ2, telling all web requests on domains in the DNS to go to the Cobalt server in DMZ2, and then letting the Cobalt server sort out which domain's traffic goes to which virtual site?

I would be prepared to allocate public IP #s on DMZ2 if you think it would be a better idea, and then just send all DNS requests to the DNS server's public IP on DMZ2. But where would you point the domains to? If you pointed them to the Cobalt, how does the Cobalt know what to do with the request and what domain it's for? Does it need to be running a secondary DNS server? It's confusing.

I'm sure a million people must have done this before, so you must have plenty of tips/suggestions on how to do it.

I have not got any of the equipment as of yet, so I'm looking at it from a theoretical perspective. I also need to know how many public IP #s to order, and how best to allocate them within my network.

I want to host multiple websites and my own DNS on my DMZ2 interface. I want it to work as if it was directly connected to the Internet. But without a decent helping of knowledge with regards to DNS and Cisco PIX it's not easy. (This is more a learning experience on this side of networking.)

Hope someone can help

1 Solution
Step one: You need to have the public IP address of the DNS server registered with your parent domain. Usually you can get your ISP to do this for you. Let's suppose you're domain1.com - you need to tell the .com domain that you exist, and that the DNS (NS) server for that domain is at public address a.b.c.d.

Step 2: you need to permit DNS traffic (tcp 53) into DMZ2 and NAT requests from a.b.c.d to . This now means that when someone tries to get www.domain1.com they will not only get the correct DNS server address, but the firewall will also let their request in and NAT it to the DNS server.

Step 3: on your DNS server, there must be a forward lookup zone for domain1.com. Inside that you need to create an 'A' host record for the website, with the public IP address of the Cobalt webserver. This means that when someone queries your DNS server for your webserver, the DNS server will respond with the correct address.

Step 4: configure the PIX to allow incoming tcp port 80 (http) to the webserver, and configure NAT to redirect port 80 traffic destined for the public address of your webserver to go to

You need to do a similar NAT setup for any other website you want to host. You'll also need to set the PIX to allow incoming SMTP (tcp port 25) and set up NAT to pass the port 25 traffic to your sendmail server.

Re. the PIX, cisco.com has loads and loads of documentation.
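An added example of steps 1 and 3, not taken from the answer above: a BIND forward zone file for domain1.com as it could sit on the Red Hat DNS server on DMZ2. Every address is a constructed placeholder from the 203.0.113.0/24 documentation range, standing in for the public IPs the PIX translates; ns2.isp.example is an assumed ISP-hosted secondary, since registries generally will not delegate a domain to a single name server.

```zone
; Added example: /var/named/domain1.com.zone on the DMZ2 BIND server.
; 203.0.113.x are placeholders for the public addresses the PIX translates.
$TTL 86400
$ORIGIN domain1.com.
@       IN  SOA  ns1.domain1.com. hostmaster.domain1.com. (
                 2003010101   ; serial, bump on every change (YYYYMMDDnn)
                 3600         ; refresh
                 900          ; retry
                 604800       ; expire
                 3600 )       ; negative-cache TTL

; Name servers: ns1 is this box; ns2 is an assumed secondary hosted by the ISP.
        IN  NS   ns1.domain1.com.
        IN  NS   ns2.isp.example.

; Mail for the domain goes to the sendmail server on DMZ1, via its public address.
        IN  MX   10 mail.domain1.com.

; Step 3: A records carry the PUBLIC addresses, never the 192.168.x ones,
; because these answers are handed to clients on the Internet.
ns1     IN  A    203.0.113.3      ; the a.b.c.d registered with the parent (glue)
www     IN  A    203.0.113.4      ; Cobalt, public side of its PIX static
mail    IN  A    203.0.113.6      ; sendmail, public side of its PIX static
```

The ns1 address is the one registered with the .com registry in step 1, and the registry needs it as a glue A record because ns1 lies inside the zone it serves. A second zone file for domain2.com holds that domain's own www record: with name-based hosting it carries the same address as domain1's, with one public IP per site it carries that site's own. Because the server answers to the whole Internet, set `recursion no;` and limit `allow-transfer` to the secondary in named.conf, so the box only answers for its own zones and does not hand the full zone to anyone who asks. Inside clients that query this server will also receive the public addresses and then try to reach the Cobalt through the outside interface; the PIX 6.x `alias` command exists to rewrite those answers for the inside.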


aphix (Author) commented:

So you're saying that I should have a public IP # for the webserver, with the A records in the DNS pointing to the public address for the Cobalt?

I host more than one site on the same Cobalt. So in the DNS should I do the below ( could be the public IP of the Cobalt server)

www.domain1.com (A) - PIX NAT's to
www.domain2.com (A) - PIX NAT's to

In the virtual sites on the Cobalt I define the sites' IP #

www.domain1.com -
www.domain2.com -

If someone requests www.domain2.com in their browser, it will query the DNS, the DNS will send the request to the public IP # of the Cobalt server, and the Cobalt then directs them to domain2.com's site.

Does it work like that, or will I need to assign each virtual site a public IP # and then define that domain's A record as that public IP, and NAT that through the firewall? (The latter sounds wrong and messy.)

Thanks for your first advice though; it was kind of what I wanted to hear, and I was half expecting it :)

This can be done a couple of ways.

You could assign separate public IPs for each website, and then NAT each of them to separate private IPs. This is probably the cleaner and/or safer method, since each site has its own distinct public and private IP address (they can still be on the same webserver of course).

Some webservers support 'host headers' - I don't know if Cobalt does. This allows you to send all web requests to the same webserver, and the webserver looks at the domain that the user is requesting to figure out which website to show them. This is what you have configured your PIX for above (all web sites NAT to the same address, so it's up to the webserver to figure out if they want www.domain1.com or www.domain2.com). This may or may not work - I've never used Cobalt.

If you have the public addresses to spare, you could change the DNS so that each website has an address, and then change the NAT so that each public IP is NATed to a different private address.
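An added example, not from either answer, of the PIX side of steps 2 and 4 and of the "separate public IP per website" option just described, in PIX 6.x syntax. All numbers are assumptions: the outside link is a /29 from the 203.0.113.0/24 documentation range, DMZ1 and DMZ2 use RFC 1918 space, and the Cobalt carries two private addresses (192.168.2.11 for domain1, 192.168.2.12 for domain2), because a plain one-to-one static maps each DMZ address to exactly one public address. The `!` lines are annotations for the reader, not configuration.

```cisco
! Added example in PIX 6.x syntax; every address is assumed.
! Interfaces and security levels as listed in the question.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz1 security40
nameif ethernet3 dmz2 security60
ip address outside 203.0.113.2 255.255.255.248
ip address inside 10.0.0.1 255.255.255.0
ip address dmz1 192.168.1.1 255.255.255.0
ip address dmz2 192.168.2.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1

! Outbound: hosts without a static share the outside address (PAT).
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz1) 1 0.0.0.0 0.0.0.0
nat (dmz2) 1 0.0.0.0 0.0.0.0

! Inbound: one-to-one statics, public address first, DMZ address second.
! One public and one private address per website, both on the same Cobalt.
static (dmz2,outside) 203.0.113.3 192.168.2.10 netmask 255.255.255.255
static (dmz2,outside) 203.0.113.4 192.168.2.11 netmask 255.255.255.255
static (dmz2,outside) 203.0.113.5 192.168.2.12 netmask 255.255.255.255
static (dmz1,outside) 203.0.113.6 192.168.1.10 netmask 255.255.255.255

! A static only creates the translation; an access-list must also permit the
! traffic, and in PIX 6.x the list names the public (translated) address.
! Step 2: DNS. Queries are UDP; TCP 53 carries zone transfers to the
! secondary and answers too large for a UDP packet.
access-list outside_in permit udp any host 203.0.113.3 eq domain
access-list outside_in permit tcp any host 203.0.113.3 eq domain
! Step 4: HTTP to each site's own public address.
access-list outside_in permit tcp any host 203.0.113.4 eq www
access-list outside_in permit tcp any host 203.0.113.5 eq www
! SMTP to the sendmail box on DMZ1.
access-list outside_in permit tcp any host 203.0.113.6 eq smtp
! Everything else arriving from the Internet hits the implicit deny.
access-group outside_in in interface outside

! DMZ2 (60) may open connections to DMZ1 (40) and the Internet by default.
! Restrict it so a compromised DMZ host is not a launch point: the name
! server may speak DNS outward, nothing else leaves DMZ2 unsolicited.
access-list dmz2_out permit udp host 192.168.2.10 any eq domain
access-list dmz2_out permit tcp host 192.168.2.10 any eq domain
access-list dmz2_out deny ip any any
access-group dmz2_out in interface dmz2
```

With this layout the question of how many public addresses to order answers itself: the /29 gives six usable addresses, of which the router takes one, the PIX outside interface one, and the statics four (name server, two websites, mail), so adding a third site with its own address means a larger block. Run `clear xlate` after adding or changing a static so old translations do not linger. Note that the sendmail host on DMZ1 (40) cannot reach the DNS server on DMZ2 (60) without an identity static between those interfaces and an access-list on dmz1; until that is added, point its resolver at an external server, which it can reach since dmz1 to outside is higher to lower.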

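The host-header alternative, as an added example rather than anything from the answer: name-based virtual hosting in Apache 1.3 syntax, assuming the Cobalt's web server is Apache (the RaQ line shipped with it; the Cobalt admin interface normally writes its own equivalent entries, so read this as what that configuration needs to express rather than something to paste over it). 192.168.2.11 is the assumed single DMZ2 address of the Cobalt, matched by one static on the PIX and by a www A record in every domain's zone that points at that one public address.

```apache
# Added example, Apache 1.3 syntax, for the host-header option.
# 192.168.2.11 is the assumed single DMZ2 address of the Cobalt; the PIX holds
# one static for it and every site's www record points at that one public IP.
NameVirtualHost 192.168.2.11:80

# The first VirtualHost for an address is the default: it answers requests whose
# Host: header is missing (HTTP/1.0 clients, scanners hitting the bare IP) or
# matches no ServerName. Make that an explicit, empty default so domain1 does
# not quietly become the catch-all for every stray request.
<VirtualHost 192.168.2.11:80>
    ServerName   default.invalid
    DocumentRoot /home/sites/default/web
</VirtualHost>

<VirtualHost 192.168.2.11:80>
    ServerName   www.domain1.com
    ServerAlias  domain1.com
    DocumentRoot /home/sites/domain1/web
    ErrorLog     /home/sites/domain1/logs/error_log
    CustomLog    /home/sites/domain1/logs/access_log combined
</VirtualHost>

<VirtualHost 192.168.2.11:80>
    ServerName   www.domain2.com
    ServerAlias  domain2.com
    DocumentRoot /home/sites/domain2/web
    ErrorLog     /home/sites/domain2/logs/error_log
    CustomLog    /home/sites/domain2/logs/access_log combined
</VirtualHost>
```

Apache picks the site by comparing the request's Host: header against each ServerName and ServerAlias, which is why the answer above says the webserver, not the PIX, has to tell domain1 and domain2 apart. The header is supplied by the client and can hold any value, so it is fit for choosing a document root but not for building redirects or links without validation. One real reason to prefer the one-address-per-site option instead is HTTPS: an SSL certificate is bound to the connection before any Host header is seen, so each SSL-protected site needs its own address and its own static on the PIX.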
