How to expose multiple web sites on same internal host behind a PIX 501 firewall?

Posted on 2004-04-28
Medium Priority
Last Modified: 2010-04-11
I'm having trouble exposing five web sites hosted on the same internal web server
with the following address mappings:

   209.xxx.xxx.250 ->
   209.xxx.xxx.251 ->
   209.xxx.xxx.252 ->
   209.xxx.xxx.253 ->
   209.xxx.xxx.254 ->

My PIX configuration appears at the bottom of this message.  I tested it by browsing the webserver (named staff) from another internal host (named bosung).

Here are the symptoms:

+  I can surf the Internet from bosung from inside my PIX 501 firewall.
+  I can ping each of the five sites on staff from bosung.
+  I can see all five home pages by entering into a web browser from bosung.

I pointed bosung's NIC at my internal DNS on staff for internal domain name resolution.
+  The DNS was able to resolve my primary domain name and I could web browse it.
-   I could not browse any of my other URLs, probably because they are not represented
    in my internal DNS.

Question #1:  What kind of DNS record(s) must be added to represent the other URLs internally?

Using www.fifi.org/services/ping, I tested the five web sites from an outside host.
+  The first two responded to ping via their URL or IP address.
-   The latter three failed to respond to ping.

Question #2:  What do I have to do to get the latter three sites to respond to external pings the way the first two do?

DSL Connection
My PIX 501 is connected to the Internet via a DSL modem.  My ISP has assigned me:

5 static IP addresses: 209.xxx.xxx.250-209.xxx.xxx.254
subnet mask:
default gateway: 209.xxx.xxx.249
Primary DNS:
Secondary DNS:

PIX Configuration
Below is my entire configuration with debugging turned on:

PIX Version 6.3(3)
interface ethernet0 10full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname pixfirewall
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
name pix_inside
name 209.xxx.xxx.250 pix_outside
name staff
name kathy
name ups
name una
name bosung
name DNS
name 209.xxx.xxx.249 gateway
access-list acl_out permit icmp any any
access-list acl_out permit ip any any
access-list acl_out permit tcp any host pix_outside eq www
access-list acl_out permit tcp any host 209.xxx.xxx.251 eq www
access-list acl_out permit tcp any host 209.xxx.xxx.252 eq www
access-list acl_out permit tcp any host 209.xxx.xxx.253 eq www
access-list acl_out permit tcp any host 209.xxx.xxx.251 eq domain
access-list acl_out permit udp any host 209.xxx.xxx.251 eq domain
access-list acl_out permit tcp any host 209.xxx.xxx.254 eq www
access-list acl_in permit ip any any
pager lines 24
logging buffered debugging
mtu outside 1500
mtu inside 1500
ip address outside pix_outside
ip address inside pix_inside
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 209.xxx.xxx.251-209.xxx.xxx.254 netmask
global (outside) 1 interface
nat (inside) 1 0 0
static (outside,inside) pix_outside netmask 0 0
static (outside,inside) 209.xxx.xxx.251 netmask 0 0
static (outside,inside) 209.xxx.xxx.252 netmask 0 0
static (outside,inside) 209.xxx.xxx.253 netmask 0 0
static (outside,inside) 209.xxx.xxx.254 netmask 0 0

access-group acl_out in interface outside
access-group acl_in in interface inside
route outside gateway 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
: end
Question by:carlkelley

Expert Comment

ID: 10937320

If you are able to ping and browse the "external" addresses, then all you need do is add the A records to your DNS for the other aliases. Note that since you have opted for each of the home pages to have a different IP address, this requires that each of the externally visible addresses have an A record in the DNS mapping the desired name to the specified address.

So, you need do two things:

- Create the A records on your DNS server for domain names corresponding to the 209.xxx.xxx.251 through 209.xxx.xxx.254 addresses (you will probably create WWW.domainname.COM; save a lot of grief and also create domainname.COM so things will still work when people omit the WWW).
- Ensure the updated DNS server is at the front of your search path.
- After testing, update the DNS server(s) pointed to by the domains' registration records.

I hope that the above is helpful.

- Bob (aka RLGSC)

Author Comment

ID: 10940946

I will try your advice as soon as I can figure out how to implement it in my Windows 2000 DNS.  Currently, it only has one Forward Lookup Zone and one Reverse Lookup Zone.  The Forward Lookup Zone bears my primary domain name, the domainname.COM mapped externally to 209.xxx.xxx.251.  When I try to add a host record for another domain name inside of this zone or its "_sites" sub-folder, the form will not allow me to enter any names with embedded periods.  This suggests that I have to create a new Forward Lookup Zone for each additional domainname.COM and then add the appropriate host (A) record therein.  But, before I do so, I need to remove the host (A) record from the primary Forward Lookup Zone so there is no confusion.

Does it sound like I'm on the right track?

Expert Comment

ID: 10943219
Why do you have 5 public IPs for one server?  Are all 5 IPs mapped to different NICs, or is one NIC "listening" on 5 IPs?  You can host more than one website publicly using only 1 IP using host headers, which are pretty easy to set up.  All the setup would be done on the server side and not on the firewall side, which makes it a lot easier to manage.

Author Comment

ID: 10943550
One NIC is "listening" on 5 IPs.  I agree with your assessment host headers for ease of administration for supporting multiple web sites on the same server.  Unfortunately, search engines get riled if you submit two different domain names that have the same IP address.  They punish you for trying to fool them.

Accepted Solution

RLGSC earned 1500 total points
ID: 10948225

I don't have access to my Win 2K server box at this instant, but you are essentially correct. A Zone can only have one level.
You will need a forward lookup zone for each domain name if I remember the menus correctly. On the DNS side of the house, there is no requirement that there be a single name associated with an IP address (or for that matter, a single IP address associated with a name).

The addresses in the DNS (which,  if I recall correctly, is outside the firewall) should be the 209.xxx.xxx.yyy series of addresses, not the intranet (192.168.a.b).

As to search engines penalizing single IPs, that would be somewhat discriminatory. Many hosting providers use virtual serving with a single IP address servicing many domains. Discounting a site's cross-links solely on that premise would penalize firms for hosting on outside services and unwittingly being on the same server. For that matter, if two companies used the same www designer, who resold hosting services, the same problem would occur.

I hope that I have been helpful.

- Bob (aka RLGSC)
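The accepted answer boils down to three requirements for the externally published DNS: one forward zone per domain, an A record for both the apex name and www in each, and public addresses rather than intranet ones. The following script is an added example (not from the thread or from Windows DNS) that checks a set of zone files against exactly those requirements. The zone text, the domain names and the addresses are constructed; it assumes zones exported in the BIND-style text that Windows DNS writes to its .dns files, and only looks at A records.

```python
"""Check per-domain forward zones for the layout the accepted answer describes (added example)."""
import ipaddress

# Constructed zone data in BIND-style text; domains and addresses are
# documentation values, not the poster's real ones.
ZONES = {
    "site-one.example": "@    IN A 203.0.113.251\nwww  IN A 203.0.113.251\n",
    "site-two.example": "www  IN A 203.0.113.252\n",
    "site-three.example": "@    IN A 192.168.1.10\nwww  IN A 192.168.1.10\n",
}

# What each registrar-facing zone should publish: one public address per site.
EXPECTED = {
    "site-one.example": "203.0.113.251",
    "site-two.example": "203.0.113.252",
    "site-three.example": "203.0.113.253",
}

# The intranet ranges the answer warns against publishing (RFC 1918).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_zone(text):
    """Collect owner -> [address] for the A records in a zone; other record types are ignored."""
    records = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[1:3] == ["IN", "A"]:
            records.setdefault(parts[0], []).append(parts[3])
    return records


def check_zone(domain, text, expected):
    """Return the problems with one domain's zone: missing apex/www, intranet or wrong address."""
    recs = parse_zone(text)
    problems = []
    for owner in ("@", "www"):          # both forms must resolve, as the answer advises
        if owner not in recs:
            problems.append(f"{domain}: no A record for {owner}")
    for owner, addrs in recs.items():
        for addr in addrs:
            ip = ipaddress.ip_address(addr)
            if any(ip in net for net in RFC1918):
                problems.append(f"{domain}: {owner} -> {addr} is an intranet address; publish the public one")
            elif addr != expected:
                problems.append(f"{domain}: {owner} -> {addr}, expected {expected}")
    return problems


def check_all(zones, expected):
    """Run check_zone over every domain and return {domain: [problems]}."""
    return {d: check_zone(d, text, expected[d]) for d, text in zones.items()}


if __name__ == "__main__":
    for domain, problems in check_all(ZONES, EXPECTED).items():
        print(domain, "OK" if not problems else "")
        for p in problems:
            print("  ", p)
```

The RFC 1918 test is done against explicit networks rather than Python's `is_private`, because `is_private` also flags the 203.0.113.0/24 documentation range used for the sample public addresses.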

Author Comment

ID: 10951149
A buddy of mine just suggested that my static commands appear to have their interfaces reversed.  Instead of:

static (outside,inside) pix_outside netmask 0 0
static (outside,inside) 209.xxx.xxx.251 netmask 0 0
static (outside,inside) 209.xxx.xxx.252 netmask 0 0
static (outside,inside) 209.xxx.xxx.253 netmask 0 0
static (outside,inside) 209.xxx.xxx.254 netmask 0 0

they should be:

static (inside, outside) pix_outside netmask 0 0
static (inside, outside) 209.xxx.xxx.251 netmask 0 0
static (inside, outside) 209.xxx.xxx.252 netmask 0 0
static (inside, outside) 209.xxx.xxx.253 netmask 0 0
static (inside, outside) 209.xxx.xxx.254 netmask 0 0

As a PIX newbie, my intuition about static command syntax appears to be wrong.  The PIX command reference says:

[no] static [(internal_if_name, external_if_name)] {global_ip | interface} local_ip [dns] [netmask mask] [max_conns [emb_limit [norandomseq]]]
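The command reference quoted above puts the internal interface first, so the posted statics have their interfaces reversed, as the buddy said. Two other things stand out in the posted configuration: `access-list acl_out permit ip any any` is applied inbound on the outside interface, which admits every protocol and port to every static and makes the narrower `eq www` and `eq domain` lines redundant; and the dynamic pool `global (outside) 1 209.xxx.xxx.251-209.xxx.xxx.254` covers the same four addresses that the statics claim. The script below is an added example, not part of the thread or of Cisco's tooling, that reads a PIX 6.x-style configuration and reports all three conditions. Its sample configuration is constructed to mirror the posted one with documentation addresses and placeholder inside hosts (`staff` at 10.0.0.10); it parses only the `nameif`, `name`, `access-list`, `access-group`, `global` and `static` statements it needs.

```python
"""Static-NAT sanity checks for a PIX 6.x configuration (added example)."""
import ipaddress
import re

# Constructed sample modelled on the configuration in the question; the
# addresses are documentation ranges and the inside host is a placeholder.
SAMPLE_CONFIG = """
nameif ethernet0 outside security0
nameif ethernet1 inside security100
name 203.0.113.250 pix_outside
name 10.0.0.10 staff
access-list acl_out permit icmp any any
access-list acl_out permit ip any any
access-list acl_out permit tcp any host pix_outside eq www
access-list acl_out permit tcp any host 203.0.113.251 eq www
access-list acl_out permit tcp any host 203.0.113.252 eq www
global (outside) 1 203.0.113.251-203.0.113.254 netmask 255.255.255.248
global (outside) 1 interface
nat (inside) 1 0 0
static (outside,inside) pix_outside staff netmask 255.255.255.255 0 0
static (outside,inside) 203.0.113.251 staff netmask 255.255.255.255 0 0
static (inside,outside) 203.0.113.252 staff netmask 255.255.255.255 0 0
static (inside,outside) 203.0.113.253 staff netmask 255.255.255.255 0 0
access-group acl_out in interface outside
"""

STATIC_RE = re.compile(r"static \((\w+),\s*(\w+)\) (\S+) (\S+)")


def parse_config(text):
    """Pull out the handful of statements the checks below reason about."""
    cfg = {"security": {}, "names": {}, "statics": [], "acls": {}, "groups": {}, "pools": []}
    for raw in text.splitlines():
        line = raw.strip()
        parts = line.split()
        if not parts:
            continue
        cmd = parts[0]
        if cmd == "nameif" and len(parts) == 4:          # nameif ethX <name> securityN
            cfg["security"][parts[2]] = int(parts[3][len("security"):])
        elif cmd == "name" and len(parts) == 3:          # name <ip> <alias>
            cfg["names"][parts[2]] = parts[1]
        elif cmd == "static":                            # static (a,b) global local ...
            m = STATIC_RE.match(line)
            if m:
                cfg["statics"].append({"first": m[1], "second": m[2],
                                       "global": m[3], "local": m[4], "line": line})
        elif cmd == "access-list" and len(parts) >= 4:   # access-list <name> <entry...>
            cfg["acls"].setdefault(parts[1], []).append(parts[2:])
        elif cmd == "access-group" and len(parts) == 5:  # access-group <acl> in interface <if>
            cfg["groups"][parts[4]] = parts[1]
        elif cmd == "global" and len(parts) >= 4 and parts[3] != "interface":
            lo, _, hi = parts[3].partition("-")          # global (if) id lo[-hi] netmask ...
            cfg["pools"].append((ipaddress.ip_address(lo), ipaddress.ip_address(hi or lo)))
    return cfg


def resolve(cfg, token):
    """Map a 'name' alias back to its address; plain addresses pass through."""
    return cfg["names"].get(token, token)


def check_static_direction(cfg):
    """A static exposing an inside host must name the higher-security interface first."""
    findings = []
    sec = cfg["security"]
    for s in cfg["statics"]:
        if sec.get(s["first"], 0) < sec.get(s["second"], 0):
            findings.append(f"{s['line']}: interface order reversed for an inside host; "
                            f"expected ({s['second']},{s['first']})")
    return findings


def check_acl_coverage(cfg):
    """Each static needs an explicit permit; 'permit ip any any' opens them all."""
    findings = []
    acl_name = cfg["groups"].get("outside")
    permitted = set()
    for e in cfg["acls"].get(acl_name, []):
        if e[:4] == ["permit", "ip", "any", "any"]:
            findings.append(f"{acl_name}: 'permit ip any any' on the outside interface exposes "
                            f"every static on every port; the per-host www rules are redundant")
        elif len(e) >= 5 and e[0] == "permit" and e[3] == "host":
            permitted.add(resolve(cfg, e[4]))
    for s in cfg["statics"]:
        g = resolve(cfg, s["global"])
        if g not in permitted:
            findings.append(f"{acl_name}: no explicit permit for static address {g}")
    return findings


def check_pool_overlap(cfg):
    """A statically mapped address must not also sit inside a dynamic global pool."""
    findings = []
    for s in cfg["statics"]:
        try:
            g = ipaddress.ip_address(resolve(cfg, s["global"]))
        except ValueError:      # alias with no 'name' line; nothing to compare against
            continue
        for lo, hi in cfg["pools"]:
            if lo <= g <= hi:
                findings.append(f"{g} is both a static and part of global pool {lo}-{hi}")
    return findings


def run_checks(text):
    """All findings for one configuration text, in check order."""
    cfg = parse_config(text)
    return check_static_direction(cfg) + check_acl_coverage(cfg) + check_pool_overlap(cfg)


if __name__ == "__main__":
    for finding in run_checks(SAMPLE_CONFIG):
        print(finding)
```

On the sample this reports the two `(outside,inside)` statics, the `permit ip any any` entry, the one static (203.0.113.253) with no per-host permit, and the three static addresses that fall inside the dynamic pool. The pool overlap is worth fixing first: once the statics are the only owners of .251 through .254, `global (outside) 1 interface` alone is enough for outbound PAT, and the outside ACL can then be trimmed to the per-host `eq www` and `eq domain` lines.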
