Solved

How to expose multiple web sites on same internal host behind a PIX 501 firewall?

Posted on 2004-04-28
Last Modified: 2010-04-11
I'm having trouble exposing five web sites hosted on the same internal web server
with the following address mappings:

   209.xxx.xxx.250 -> 192.168.1.50
   209.xxx.xxx.251 -> 192.168.1.51
   209.xxx.xxx.252 -> 192.168.1.52
   209.xxx.xxx.253 -> 192.168.1.53
   209.xxx.xxx.254 -> 192.168.1.54

My PIX configuration appears at the bottom of this message.  I tested it by browsing the webserver (named staff) from another internal host (named bosung).

Here are the symptoms:

+  I can surf the Internet from bosung from inside my PIX 501 firewall.
+  I can ping each of the five 192.168.1.5x sites on staff from bosung.
+  I can see all five home pages by entering 192.168.1.5x into a web browser from bosung.

I pointed bosung's NIC at my internal DNS on staff for internal domain name resolution.
+  The DNS was able to resolve my primary domain name and I could web browse it.
-   I could not browse any of my other URLs, probably because they are not represented
    in my internal DNS.

Question #1:  What kind of DNS record(s) must be added to represent the other URLs internally?

Using www.fifi.org/services/ping, I tested the five web sites from an outside host.
+  The first two responded to ping via their URL or IP address.
-   The latter three failed to respond to ping.

Question #2:  What do I have to do to get the latter three sites to respond to external pings the way the first two do?


DSL Connection
------------------
My PIX 501 is connected to the Internet via a DSL modem.  My ISP has assigned me:

5 static IP addresses: 209.xxx.xxx.250-209.xxx.xxx.254
subnet mask: 255.255.255.248
default gateway: 209.xxx.xxx.249
Primary DNS: 206.13.28.12
Secondary DNS: 206.13.31.12


PIX Configuration
--------------------
Below is my entire configuration with debugging turned on:

PIX Version 6.3(3)
interface ethernet0 10full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname pixfirewall
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.1.1 pix_inside
name 209.xxx.xxx.250 pix_outside
name 192.168.1.10 staff
name 192.168.1.100 kathy
name 192.168.1.105 ups
name 192.168.1.200 una
name 192.168.1.210 bosung
name 206.13.28.12 DNS
name 209.xxx.xxx.249 gateway
access-list acl_out permit icmp any any
access-list acl_out permit ip any any
access-list acl_out permit tcp any host pix_outside eq www
access-list acl_out permit tcp any host 209.xxx.xxx.251 eq www
access-list acl_out permit tcp any host 209.xxx.xxx.252 eq www
access-list acl_out permit tcp any host 209.xxx.xxx.253 eq www
access-list acl_out permit tcp any host 209.xxx.xxx.251 eq domain
access-list acl_out permit udp any host 209.xxx.xxx.251 eq domain
access-list acl_out permit tcp any host 209.xxx.xxx.254 eq www
access-list acl_in permit ip any any
pager lines 24
logging buffered debugging
mtu outside 1500
mtu inside 1500
ip address outside pix_outside 255.255.255.248
ip address inside pix_inside 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 209.xxx.xxx.251-209.xxx.xxx.254 netmask 255.255.255.248
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (outside,inside) pix_outside 192.168.1.50 netmask 255.255.255.255 0 0
static (outside,inside) 209.xxx.xxx.251 192.168.1.51 netmask 255.255.255.255 0 0
static (outside,inside) 209.xxx.xxx.252 192.168.1.52 netmask 255.255.255.255 0 0
static (outside,inside) 209.xxx.xxx.253 192.168.1.53 netmask 255.255.255.255 0 0
static (outside,inside) 209.xxx.xxx.254 192.168.1.54 netmask 255.255.255.255 0 0
access-group acl_out in interface outside
access-group acl_in in interface inside
route outside 0.0.0.0 0.0.0.0 gateway 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:c395149b89a27c917f124883eb4fc8ee
: end
[OK]
Question by:carlkelley
LVL 8

Expert Comment

by:RLGSC
ID: 10937320
carlkelley,

If you are able to ping and browse the "external" addresses, then all you need do is add the A records to your DNS for the other aliases. Note that since you have opted for each of the home pages to have a different IP address, this requires that each of the externally visible addresses have an A record in the DNS mapping the desired name to the specified address.

So, you need do two things:

- Create the A records on your DNS server for domain names corresponding to the 209.xxx.xxx.251 through 209.xxx.xxx.254 addresses (you will probably create WWW.domainname.COM; save a lot of grief and also create domainname.COM so things will still work when people omit the WWW).
- Ensure the updated DNS server is at the front of your search path.
- After testing, update the DNS server(s) pointed to by the domains' registration records.

I hope that the above is helpful.

- Bob (aka RLGSC)

Author Comment

by:carlkelley
ID: 10940946
Bob,

I will try your advice as soon as I can figure out how to implement it in my Windows 2000 DNS.   Currently, it only has one Forward Lookup Zone and one Reverse Lookup Zone.  The Forward Lookup Zone bears my primary domain name, the domainname.COM mapped externally to 209.xxx.xxx.251.  When I try to add a host record for another domain name inside of this zone or its "_sites" sub-folder, the form will not allow me to enter any names with embedded periods.  This suggests that I have to create a new Forward Lookup Zone for each additional domainname.COM and then add the appropriate host A record for 192.168.1.5x therein.  But, before I do so, I need to remove the 192.168.1.5x host(A) record from the primary Forward Lookup Zone so there is no confusion.

Does it sound like I'm on the right track?
LVL 25

Expert Comment

by:mikeleebrla
ID: 10943219
Why do you have 5 public IPs for one server?? Are all 5 IPs mapped to different NICs, or is one NIC "listening" on 5 IPs??? You can host more than one website publicly using only 1 IP using host headers, which are pretty easy to set up... all the setup would be done on the server side and not on the firewall side, which makes it a lot easier to manage.

Author Comment

by:carlkelley
ID: 10943550
One NIC is "listening" on 5 IPs.  I agree with your assessment of host headers for ease of administration when supporting multiple web sites on the same server.  Unfortunately, search engines get riled if you submit two different domain names that have the same IP address.  They punish you for trying to fool them.
LVL 8

Accepted Solution

by: RLGSC (earned 500 total points)
ID: 10948225
carlkelley,

I don't have access to my Win 2K server box at this instant, but you are essentially correct. A Zone can only have one level.
You will need a forward lookup zone for each domain name if I remember the menus correctly. On the DNS side of the house, there is no requirement that there be a single name associated with an IP address (or for that matter, a single IP address associated with a name).

The addresses in the DNS (which, if I recall correctly, is outside the firewall) should be the 209.xxx.xxx.yyy series of addresses, not the intranet (192.168.a.b).

As to search engines penalizing single IPs, that would be somewhat discriminatory. Many hosting providers use virtual serving with a single IP address servicing many domains. Discounting a site's cross-links solely on that premise would penalize firms for hosting on outside services and unwittingly being on the same server. For that matter, if two companies used the same www designer, who resold hosting services, the same problem would occur.

I hope that I have been helpful.

- Bob (aka RLGSC)

Author Comment

by:carlkelley
ID: 10951149
A buddy of mine just suggested that my static commands appear to have their interfaces reversed.  Instead of:

static (outside,inside) pix_outside 192.168.1.50 netmask 255.255.255.255 0 0
static (outside,inside) 209.xxx.xxx.251 192.168.1.51 netmask 255.255.255.255 0 0
static (outside,inside) 209.xxx.xxx.252 192.168.1.52 netmask 255.255.255.255 0 0
static (outside,inside) 209.xxx.xxx.253 192.168.1.53 netmask 255.255.255.255 0 0
static (outside,inside) 209.xxx.xxx.254 192.168.1.54 netmask 255.255.255.255 0 0

they should be:

static (inside, outside) pix_outside 192.168.1.50 netmask 255.255.255.255 0 0
static (inside, outside) 209.xxx.xxx.251 192.168.1.51 netmask 255.255.255.255 0 0
static (inside, outside) 209.xxx.xxx.252 192.168.1.52 netmask 255.255.255.255 0 0
static (inside, outside) 209.xxx.xxx.253 192.168.1.53 netmask 255.255.255.255 0 0
static (inside, outside) 209.xxx.xxx.254 192.168.1.54 netmask 255.255.255.255 0 0

As a PIX newbie, my intuition about static command syntax appears to be wrong.  The PIX command reference says:

[no] static [(internal_if_name, external_if_name)] {global_ip | interface} local_ip [dns] [netmask mask] [max_conns [emb_limit [norandomseq]]]
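As an added example that is not part of this thread or of any Cisco tool: a small Python audit of an excerpt of the PIX 6.3 configuration posted in the question (the `pix_outside` name expanded to its address, "xxx" kept as posted). It flags the two issues the thread touches on: `static` statements whose interface pair is reversed relative to the `nameif` security levels (the syntax point in the last comment), and an access-list whose `permit ip any any` admits all traffic and makes the per-host `www` entries after it redundant, which is worth catching before the statics are fixed and the hosts actually become reachable.

```python
import re

# Constructed excerpt of the PIX 6.3 config posted in the question; the
# "pix_outside" name is expanded to its address and "xxx" kept as posted.
PIX_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list acl_out permit icmp any any
access-list acl_out permit ip any any
access-list acl_out permit tcp any host 209.xxx.xxx.250 eq www
access-list acl_out permit tcp any host 209.xxx.xxx.251 eq www
static (outside,inside) 209.xxx.xxx.250 192.168.1.50 netmask 255.255.255.255 0 0
static (outside,inside) 209.xxx.xxx.251 192.168.1.51 netmask 255.255.255.255 0 0
static (inside,outside) 209.xxx.xxx.252 192.168.1.52 netmask 255.255.255.255 0 0
"""

def audit(config):
    """Return findings (strings) about reversed statics and over-broad ACLs."""
    findings = []
    level = {}   # interface name -> security level from nameif
    acl = {}     # access-list name -> its entries, in order
    for line in config.splitlines():
        m = re.match(r"nameif \S+ (\S+) security(\d+)$", line)
        if m:
            level[m.group(1)] = int(m.group(2))
            continue
        m = re.match(r"access-list (\S+) (.+)$", line)
        if m:
            acl.setdefault(m.group(1), []).append(m.group(2))
            continue
        m = re.match(r"static \((\S+),\s*(\S+)\) (\S+) (\S+)", line)
        if m:
            local_if, global_if, global_ip, local_ip = m.groups()
            # static (local_if, global_if): the real host sits on the
            # higher-security side, so local_if must outrank global_if.
            if level.get(local_if, -1) < level.get(global_if, -1):
                findings.append(f"static {global_ip}->{local_ip}: interfaces "
                                f"reversed, should be ({global_if},{local_if})")
    for name, entries in acl.items():
        for i, entry in enumerate(entries):
            if entry.startswith("permit ip any any"):
                later = len(entries) - i - 1
                findings.append(f"{name}: 'permit ip any any' admits all traffic "
                                f"and makes the {later} later entries redundant")
    return findings
```

Running `audit(PIX_CONFIG)` reports the two reversed statics and the over-broad entry in acl_out; the corrected statics from the last comment produce no static finding.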