carlkelley

asked on
How to expose multiple web sites on same internal host behind a PIX 501 firewall?

I'm having trouble exposing five web sites hosted on the same internal web server
with the following address mappings:

   209.xxx.xxx.250 -> 192.168.1.50
   209.xxx.xxx.251 -> 192.168.1.51
   209.xxx.xxx.252 -> 192.168.1.52
   209.xxx.xxx.253 -> 192.168.1.53
   209.xxx.xxx.254 -> 192.168.1.54

My PIX configuration appears at the bottom of this message.  I tested it by browsing the webserver (named staff) from another internal host (named bosung).

Here are the symptoms:

+  I can surf the Internet from bosung from inside my PIX 501 firewall.
+  I can ping each of the five 192.168.1.5x sites on staff from bosung.
+  I can see all five home pages by entering 192.168.1.5x into a web browser from bosung.

I pointed bosung's NIC at my internal DNS on staff for internal domain name resolution.
+  The DNS was able to resolve my primary domain name and I could web browse it.
-   I could not browse any of my other URLs, probably because they are not represented in my internal DNS.

Question #1:  What kind of DNS record(s) must be added to represent the other URLs internally?

Using www.fifi.org/services/ping, I tested the five web sites from an outside host.
+  The first two responded to ping via their URL or IP address.
-   The latter three failed to respond to ping.

Question #2:  What do I have to do to get the latter three sites to respond to external pings the way the first two do?


DSL Connection
------------------
My PIX 501 is connected to the Internet via a DSL modem.  My ISP has assigned me:

5 static IP addresses: 209.xxx.xxx.250-209.xxx.xxx.254
subnet mask: 255.255.255.248
default gateway: 209.xxx.xxx.249
Primary DNS: 206.13.28.12
Secondary DNS: 206.13.31.12


PIX Configuration
--------------------
Below is my entire configuration with debugging turned on:

PIX Version 6.3(3)
interface ethernet0 10full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname pixfirewall
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.1.1 pix_inside
name 209.xxx.xxx.250 pix_outside
name 192.168.1.10 staff
name 192.168.1.100 kathy
name 192.168.1.105 ups
name 192.168.1.200 una
name 192.168.1.210 bosung
name 206.13.28.12 DNS
name 209.xxx.xxx.249 gateway
access-list acl_out permit icmp any any
access-list acl_out permit ip any any
access-list acl_out permit tcp any host pix_outside eq www
access-list acl_out permit tcp any host 209.xxx.xxx.251 eq www
access-list acl_out permit tcp any host 209.xxx.xxx.252 eq www
access-list acl_out permit tcp any host 209.xxx.xxx.253 eq www
access-list acl_out permit tcp any host 209.xxx.xxx.251 eq domain
access-list acl_out permit udp any host 209.xxx.xxx.251 eq domain
access-list acl_out permit tcp any host 209.xxx.xxx.254 eq www
access-list acl_in permit ip any any
pager lines 24
logging buffered debugging
mtu outside 1500
mtu inside 1500
ip address outside pix_outside 255.255.255.248
ip address inside pix_inside 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 209.xxx.xxx.251-209.xxx.xxx.254 netmask 255.255.255.248
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (outside,inside) pix_outside 192.168.1.50 netmask 255.255.255.255 0 0
static (outside,inside) 209.xxx.xxx.251 192.168.1.51 netmask 255.255.255.255 0 0
static (outside,inside) 209.xxx.xxx.252 192.168.1.52 netmask 255.255.255.255 0 0
static (outside,inside) 209.xxx.xxx.253 192.168.1.53 netmask 255.255.255.255 0 0
static (outside,inside) 209.xxx.xxx.254 192.168.1.54 netmask 255.255.255.255 0 0
access-group acl_out in interface outside
access-group acl_in in interface inside
route outside 0.0.0.0 0.0.0.0 gateway 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:c395149b89a27c917f124883eb4fc8ee
: end
[OK]
RLGSC

carlkelley,

If you are able to ping and browse the "external" addresses, then all you need do is add the A records to your DNS for the other aliases. Note that since you have opted for each of the home pages to have a different IP address, this requires that each of the externally visible addresses have an A record in the DNS mapping the desired name to the specified address.

So, you need to do two things:

- Create the A records on your DNS server for domain names corresponding to the 209.xxx.xxx.251 through 209.xxx.xxx.254 addresses (you will probably create WWW.domainname.COM; save a lot of grief and also create domainname.COM so things will still work when people omit the WWW).
- Ensure the updated DNS server is at the front of your search path.
- After testing, update the DNS server(s) pointed to by the domains' registration records.

I hope that the above is helpful.

- Bob (aka RLGSC)
carlkelley (ASKER)

Bob,

I will try your advice as soon as I can figure out how to implement it in my Windows 2000 DNS.  Currently, it only has one Forward Lookup Zone and one Reverse Lookup Zone.  The Forward Lookup Zone bears my primary domain name, the domainname.COM mapped externally to 209.xxx.xxx.251.  When I try to add a host record for another domain name inside of this zone or its "_sites" sub-folder, the form will not allow me to enter any names with embedded periods.  This suggests that I have to create a new Forward Lookup Zone for each additional domainname.COM and then add the appropriate host (A) record for 192.168.1.5x therein.  But, before I do so, I need to remove the 192.168.1.5x host (A) record from the primary Forward Lookup Zone so there is no confusion.

Does it sound like I'm on the right track?
Why do you have 5 public IPs for one server? Are all 5 IPs mapped to different NICs, or is one NIC "listening" on 5 IPs? You can host more than one website publicly using only 1 IP by using host headers, which are pretty easy to set up. All the setup would be done on the server side and not on the firewall side, which makes it a lot easier to manage.
One NIC is "listening" on 5 IPs.  I agree with your assessment of host headers for ease of administration when supporting multiple web sites on the same server.  Unfortunately, search engines get riled if you submit two different domain names that have the same IP address.  They punish you for trying to fool them.
ASKER CERTIFIED SOLUTION
RLGSC

A buddy of mine just suggested that my static commands appear to have their interfaces reversed.  Instead of:

static (outside,inside) pix_outside 192.168.1.50 netmask 255.255.255.255 0 0
static (outside,inside) 209.xxx.xxx.251 192.168.1.51 netmask 255.255.255.255 0 0
static (outside,inside) 209.xxx.xxx.252 192.168.1.52 netmask 255.255.255.255 0 0
static (outside,inside) 209.xxx.xxx.253 192.168.1.53 netmask 255.255.255.255 0 0
static (outside,inside) 209.xxx.xxx.254 192.168.1.54 netmask 255.255.255.255 0 0

they should be:

static (inside, outside) pix_outside 192.168.1.50 netmask 255.255.255.255 0 0
static (inside, outside) 209.xxx.xxx.251 192.168.1.51 netmask 255.255.255.255 0 0
static (inside, outside) 209.xxx.xxx.252 192.168.1.52 netmask 255.255.255.255 0 0
static (inside, outside) 209.xxx.xxx.253 192.168.1.53 netmask 255.255.255.255 0 0
static (inside, outside) 209.xxx.xxx.254 192.168.1.54 netmask 255.255.255.255 0 0

As a PIX newbie, my intuition about static command syntax appears to be wrong.  The PIX command reference says:

[no] static [(internal_if_name, external_if_name)] {global_ip | interface} local_ip [dns] [netmask mask] [max_conns [emb_limit [norandomseq]]]
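As an added example (my own, not code from this thread or from Cisco), here is a small Python checker that parses the name, ip address and static lines of a PIX 6.3 config and applies the command-reference order quoted above: the first interface in the pair is where local_ip lives and the second is where global_ip lives, so a static whose addresses only fit when the pair is swapped is reported as reversed. The sample config is constructed, with the documentation prefix 203.0.113.248/29 standing in for the redacted 209.xxx.xxx block.

```python
import re
import ipaddress

# Constructed sample: the relevant lines of the question's PIX 6.3 config, with
# 203.0.113.248/29 standing in for the redacted 209.xxx.xxx.248/29 block.
SAMPLE_CONFIG = """\
name 192.168.1.1 pix_inside
name 203.0.113.250 pix_outside
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside pix_outside 255.255.255.248
ip address inside pix_inside 255.255.255.0
static (outside,inside) pix_outside 192.168.1.50 netmask 255.255.255.255 0 0
static (outside,inside) 203.0.113.251 192.168.1.51 netmask 255.255.255.255 0 0
static (inside,outside) 203.0.113.252 192.168.1.52 netmask 255.255.255.255 0 0
"""

NAME = re.compile(r"^name\s+(\S+)\s+(\S+)")
IPADDR = re.compile(r"^ip address\s+(\S+)\s+(\S+)\s+(\S+)")
STATIC = re.compile(r"^static\s+\((\w+),\s*(\w+)\)\s+(\S+)\s+(\S+)")


def check_statics(config):
    """Map each suspect 'static' line to a diagnosis; an empty dict means all fit."""
    names, subnets = {}, {}
    for line in config.splitlines():
        if m := NAME.match(line):
            names[m.group(2)] = m.group(1)  # symbolic name -> address
        elif m := IPADDR.match(line):
            iface, addr, mask = m.groups()
            subnets[iface] = ipaddress.ip_network(f"{names.get(addr, addr)}/{mask}", strict=False)

    def fits(addr, iface):  # does this (possibly named) address lie on iface's subnet?
        return ipaddress.ip_address(names.get(addr, addr)) in subnets[iface]

    problems = {}
    for line in config.splitlines():
        m = STATIC.match(line)
        if not m:
            continue
        # Command reference: static (internal_if, external_if) global_ip local_ip,
        # so global_ip belongs to the second interface and local_ip to the first.
        int_if, ext_if, global_ip, local_ip = m.groups()
        if fits(global_ip, ext_if) and fits(local_ip, int_if):
            continue
        if fits(global_ip, int_if) and fits(local_ip, ext_if):
            problems[line] = f"interfaces reversed: use ({ext_if},{int_if})"
        else:
            problems[line] = "addresses match neither interface subnet"
    return problems
```

Run it against a pasted "write terminal" dump: the two (outside,inside) statics in the sample are reported as reversed, and the (inside,outside) one passes.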