Setting up a webserver - Router>PIX>LAN>Webserver

I've just had broadband with a static IP installed and want to set up webserver/ftp/vpn access. However, when I type the static IP address in my browser, it always points to the broadband router's login. Is there a way where the webserver can pick up the http requests? I have read that NAT/PAT or routing might have something to do with this, but I'm having difficulty setting this up.

My LAN setup is the following,

INTERNET >> BROADBAND ROUTER >> CISCO PIX >> LAN >> WEBSERVER WITH CITRIX NFUSE

I'm a newbie on networking so any help is appreciated :)
0
m0ley
Asked:
m0ley
 
stevenlewisCommented:
You will need to forward the correct ports to the server.
> BROADBAND ROUTER
What make and model?
You will also have to open those ports on the Cisco, and forward the ports there.
0
 
m0leyAuthor Commented:
The modem is an Etec USB ADSL Modem Router - Integrated 4 Port Fast Ethernet Hub. Specs can be viewed from the link below.

http://myahead.com/go/look/product.show_product?v_id=2893
0
 
stevenlewisCommented:
OK, I'm not familiar with that make/model, so you will have to read the manual on how to forward the ports.
I suggest using a static internal IP for the server (makes forwarding the ports easier).
You will need to forward port 80 (http) and 21 (ftp) and the vpn ports (depending on which vpn solution you use).
See here:
http://www.techimo.com/forum/t24181.html
0
 
lrmooreCommented:
> I suggest using a static internal ip for the server (makes forwarding the ports easier)
Don't forget he's got the PIX in the middle.
My suggestion would be to set the IP address of the PIX as the "DMZ host", and do all the static translations/port forwarding on the PIX. Also suggest turning off the NAT function of the router and let the PIX do that, too. I hope you got a book with the router, or at least a web site to find the manual.

Assuming that your static IP address is assigned to the WAN port of the router:
What is the router's inside IP address? <public, or private address/>
What is the PIX's outside IP address? <must have router's inside address as default gateway>
What is the PIX's inside IP address? <must be different from outside>
What is your default gateway on your PC? <should be PIX inside>



0
 
m0leyAuthor Commented:
lrmoore,

Thank you for the advice. I will set the IP address of the PIX as the "DMZ host" and disable the NAT function of the router. How do I turn NAT on using the PIX? At the moment it is set as "NAT 0.0.0.0 0.0.0.0 0 0".

What is the router's inside IP address?
<private address>

What is the PIX's outside IP address?
<private dhcp from router>

What is the PIX's inside IP address?
<private and different from outside(Router)>

What is your default gateway on your PC?
<private dhcp from PIX>

0
 
lrmooreCommented:
On the PIX, to set up NAT:

global (outside) 1 interface
nat (inside) 1 0 0 0

While testing, you will need to explicitly permit ICMP back in:

access-list 101 permit icmp any any

access-group 101 in interface outside

Everything else looks good..
0
 
lrmooreCommented:
That was for outbound NAT. Assuming that you want to permit access to NFuse, and that you are using https:

static (inside,outside) tcp interface 443 <inside ip> 443

Now that I think about it, since the only "real" IP address is on the router, you'll have to keep the NAT on that router, and also use NAT on the PIX. In effect, you're double-natting. Unless you can set an explicit route on the DSL router for the internal private network..

0
 
m0leyAuthor Commented:
lrmoore,

I didn't have any luck with setting the PIX as DMZ Server. Instead I've forwarded ports 80 & 443 to the PIX. However, I'm getting no ports open when running a port scanner. If I remove the PIX, it works fine. I believe the next stage is to configure the firewall and forward ports 80 & 443 to the Citrix server.

I have tried manually configuring the static route but am having no luck. I'd appreciate it if you could shed some light on this issue.
0
 
m0leyAuthor Commented:
So far to date, I have managed to forward ports 80 & 443 from the ADSL router to the Citrix server. The Citrix webserver works well but without protection. Afterwards I changed the TCP ports to be forwarded to the PIX 501. After plugging in the PIX, I am having difficulty forwarding ports 80 & 443 to the Citrix server.

I cannot get ports 80 & 443 opened on the PIX 501. I am in desperate need of help and have therefore increased the points. I am willing to increase the points to 1000 on successfully opening the ports.
0
 
m0leyAuthor Commented:
OK, I've managed to sort this out now. I'm gonna transfer the points to lrmoore as he guided me in the right direction.

lrmoore,

Is it advisable to use the following command to open up a port?

access-list 101 permit tcp any any eq www

Many thanks
0
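An added example, not part of the thread or any poster's configuration: a small Python check over PIX-style lines of the kinds posted above. It reports ports that are forwarded with `static` but not permitted by the ACL bound to the outside interface, permits with no forward behind them, and `any any` permits whose destination matches every address. The sample config and the inside address 192.168.1.10 are constructed.

```python
import re

# Port keywords the PIX shows in place of numbers (subset used here).
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "ftp": 21}

# Constructed sample: 443 is forwarded, but only www is permitted inbound.
SAMPLE = """\
global (outside) 1 interface
nat (inside) 1 0 0 0
static (inside,outside) tcp interface 443 192.168.1.10 443
access-list 101 permit icmp any any
access-list 101 permit tcp any any eq www
access-group 101 in interface outside
"""

STATIC = re.compile(r"static\s*\(inside,outside\)\s+tcp\s+interface\s+(\S+)\s+\S+\s+\S+")
PERMIT = re.compile(r"access-list\s+(\S+)\s+permit\s+tcp\s+(.+?)\s+eq\s+(\S+)$")
GROUP = re.compile(r"access-group\s+(\S+)\s+in\s+interface\s+outside")

def port(tok):
    """Turn a port keyword or number into an int."""
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)

def audit(config):
    """Return (forwarded_not_permitted, permitted_not_forwarded, any_any_permits)."""
    forwards, permits, bound = set(), {}, set()
    for raw in config.splitlines():
        line = raw.strip()
        if m := STATIC.match(line):
            forwards.add(port(m.group(1)))      # outside port being redirected
        elif m := PERMIT.match(line):
            permits.setdefault(m.group(1), []).append((m.group(2), port(m.group(3))))
        elif m := GROUP.match(line):
            bound.add(m.group(1))               # ACL applied inbound on outside
    # Only ACLs actually bound to the outside interface open anything.
    active = [entry for acl in bound for entry in permits.get(acl, [])]
    opened = {p for _, p in active}
    broad = sorted(p for addrs, p in active if addrs == "any any")
    return sorted(forwards - opened), sorted(opened - forwards), broad

if __name__ == "__main__":
    missing, unused, broad = audit(SAMPLE)
    print("forwarded but not permitted:", missing)
    print("permitted but not forwarded:", unused)
    print("permits with any/any addresses:", broad)
```

A port in the first list is redirected but still filtered, which looks the same from outside as a closed port; a port in the third list is worth narrowing to the address that is actually forwarded.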