How to expose multiple web sites on same internal host behind a PIX 501 firewall?

Posted on 2004-04-28
Last Modified: 2010-04-11
I'm having trouble exposing five web sites hosted on the same internal web server
with the following address mappings:

   209.xxx.xxx.250 -> 192.168.1.50
   209.xxx.xxx.251 -> 192.168.1.51
   209.xxx.xxx.252 -> 192.168.1.52
   209.xxx.xxx.253 -> 192.168.1.53
   209.xxx.xxx.254 -> 192.168.1.54

My PIX configuration appears at the bottom of this message.  I tested it by browsing the webserver (named staff) from another internal host (named bosung).

Here are the symptoms:

+  I can surf the Internet from bosung from inside my PIX 501 firewall.
+  I can ping each of the five 192.168.1.5x sites on staff from bosung.
+  I can see all five home pages by entering 192.168.1.5x into a web browser from bosung.

I pointed bosung's NIC at my internal DNS on staff for internal domain name resolution.
+  The DNS was able to resolve my primary domain name and I could web browse it.
-   I could not browse any of my other URLs, probably because they are not represented
    in my internal DNS.

Question #1:  What kind of DNS record(s) must be added to represent the other URL's internally?

Using www.fifi.org/services/ping, I tested the five web sites from an outside host.
+  The first two responded to ping via their URL or IP address.
-   The latter three failed to respond to ping.

Question #2:  What do I have to do to get the latter three sites to respond to external pings the way the first two do?


DSL Connection
------------------
My PIX 501 is connected to the Internet via a DSL modem.  My ISP has assigned me:

5 static IP addresses: 209.xxx.xxx.250-209.xxx.xxx.254
subnet mask: 255.255.255.248
default gateway: 209.xxx.xxx.249
Primary DNS: 206.13.28.12
Secondary DNS: 206.13.31.12


PIX Configuration
--------------------
Below is my entire configuration with debugging turned on:

PIX Version 6.3(3)
interface ethernet0 10full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname pixfirewall
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.1.1 pix_inside
name 209.xxx.xxx.250 pix_outside
name 192.168.1.10 staff
name 192.168.1.100 kathy
name 192.168.1.105 ups
name 192.168.1.200 una
name 192.168.1.210 bosung
name 206.13.28.12 DNS
name 209.xxx.xxx.249 gateway
access-list acl_out permit icmp any any
access-list acl_out permit ip any any
access-list acl_out permit tcp any host pix_outside eq www
access-list acl_out permit tcp any host 209.xxx.xxx.251 eq www
access-list acl_out permit tcp any host 209.xxx.xxx.252 eq www
access-list acl_out permit tcp any host 209.xxx.xxx.253 eq www
access-list acl_out permit tcp any host 209.xxx.xxx.251 eq domain
access-list acl_out permit udp any host 209.xxx.xxx.251 eq domain
access-list acl_out permit tcp any host 209.xxx.xxx.254 eq www
access-list acl_in permit ip any any
pager lines 24
logging buffered debugging
mtu outside 1500
mtu inside 1500
ip address outside pix_outside 255.255.255.248
ip address inside pix_inside 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 209.xxx.xxx.251-209.xxx.xxx.254 netmask 255.255.255.248
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (outside,inside) pix_outside 192.168.1.50 netmask 255.255.255.255 0 0
static (outside,inside) 209.xxx.xxx.251 192.168.1.51 netmask 255.255.255.255 0 0
static (outside,inside) 209.xxx.xxx.252 192.168.1.52 netmask 255.255.255.255 0 0
static (outside,inside) 209.xxx.xxx.253 192.168.1.53 netmask 255.255.255.255 0 0
static (outside,inside) 209.xxx.xxx.254 192.168.1.54 netmask 255.255.255.255 0 0

access-group acl_out in interface outside
access-group acl_in in interface inside
route outside 0.0.0.0 0.0.0.0 gateway 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:c395149b89a27c917f124883eb4fc8ee
: end
Question by: carlkelley
 
Expert Comment

by:RLGSC
ID: 10937320
carlkelley,

If you are able to ping and browse the "external" addresses, then all you need do is add the A records to your DNS for the other aliases. Note that since you have opted for each of the home pages to have a different IP address, this requires that each of the externally visible addresses have an A record in the DNS mapping the desired name to the specified address.

So, you need do two things:

- Create the A records on your DNS server for domain names corresponding to the 209.xxx.xxx.251 through 209.xxx.xxx.254 addresses (you will probably create WWW.domainname.COM; save a lot of grief and also create domainname.COM so things will still work when people omit the WWW).
- Ensure the updated DNS server is at the front of your search path.
- After testing, update the DNS server(s) pointed to by the domains' registration records.

I hope that the above is helpful.

- Bob (aka RLGSC)
 

Author Comment

by:carlkelley
ID: 10940946
Bob,

I will try your advice as soon as I can figure out how to implement it in my Windows 2000 DNS.   Currently, it only has one Forward Lookup Zone and one Reverse Lookup Zone.  The Forward Lookup Zone bears my primary domain name, the domainname.COM mapped externally to 209.xxx.xxx.251.  When I try to add a host record for another domain name inside of this zone or its "_sites" sub-folder, the form will not allow me to enter any names with embedded periods.  This suggests that I have to create a new Forward Lookup Zone for each additional domainname.COM and then add the appropriate host A record for 192.168.1.5x therein.  But, before I do so, I need to remove the 192.168.1.5x host(A) record from the primary Forward Lookup Zone so there is no confusion.

Does it sound like I'm on the right track?
 

Expert Comment

by:mikeleebrla
ID: 10943219
Why do you have 5 public IPs for one server? Are all 5 IPs mapped to different NICs, or is one NIC "listening" on 5 IPs? You can host more than one website publicly using only 1 IP using host headers, which are pretty easy to set up. All the setup would be done on the server side and not on the firewall side, which makes it a lot easier to manage.

Author Comment

by:carlkelley
ID: 10943550
One NIC is "listening" on 5 IPs.  I agree with your assessment of host headers for ease of administration when supporting multiple web sites on the same server.  Unfortunately, search engines get riled if you submit two different domain names that have the same IP address.  They punish you for trying to fool them.
 

Accepted Solution

by:RLGSC (earned 500 total points)
ID: 10948225
carlkelley,

I don't have access to my Win 2K server box at this instant, but you are essentially correct. A Zone can only have one level.
You will need a forward lookup zone for each domain name if I remember the menus correctly. On the DNS side of the house, there is no requirement that there be a single name associated with an IP address (or for that matter, a single IP address associated with a name).

The addresses in the DNS (which, if I recall correctly, is outside the firewall) should be the 209.xxx.xxx.yyy series of addresses, not the intranet (192.168.a.b).

As to search engines penalizing single IPs, that would be somewhat discriminatory. Many hosting providers use virtual serving with a single IP address servicing many domains. Discounting a site's cross-links solely on that premise would penalize firms for hosting on outside services and unwittingly being on the same server. For that matter, if two companies used the same www designer, who resold hosting services, the same problem would occur.

I hope that I have been helpful.

- Bob (aka RLGSC)
 

Author Comment

by:carlkelley
ID: 10951149
A buddy of mine just suggested that my static commands appear to have their interfaces reversed.  Instead of:

static (outside,inside) pix_outside 192.168.1.50 netmask 255.255.255.255 0 0
static (outside,inside) 209.xxx.xxx.251 192.168.1.51 netmask 255.255.255.255 0 0
static (outside,inside) 209.xxx.xxx.252 192.168.1.52 netmask 255.255.255.255 0 0
static (outside,inside) 209.xxx.xxx.253 192.168.1.53 netmask 255.255.255.255 0 0
static (outside,inside) 209.xxx.xxx.254 192.168.1.54 netmask 255.255.255.255 0 0

they should be:

static (inside, outside) pix_outside 192.168.1.50 netmask 255.255.255.255 0 0
static (inside, outside) 209.xxx.xxx.251 192.168.1.51 netmask 255.255.255.255 0 0
static (inside, outside) 209.xxx.xxx.252 192.168.1.52 netmask 255.255.255.255 0 0
static (inside, outside) 209.xxx.xxx.253 192.168.1.53 netmask 255.255.255.255 0 0
static (inside, outside) 209.xxx.xxx.254 192.168.1.54 netmask 255.255.255.255 0 0

As a PIX newbie, my intuition about static command syntax appears to be wrong.  The PIX command reference says:

[no] static [(internal_if_name, external_if_name)] {global_ip | interface} local_ip [dns] [netmask mask] [max_conns [emb_limit [norandomseq]]]
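Editor's added example, not part of the original thread: the corrected statics written out as a complete PIX 6.3 fragment, together with the two other changes a practitioner would make to the posted configuration at the same time. The interface order in the syntax quoted above is (internal_if_name, external_if_name), so `static (outside,inside) global local` publishes an outside address on the inside network, the wrong direction for this setup; with the original lines none of the 192.168.1.5x hosts was reachable from the Internet. The two addresses that did answer external pings do not show otherwise: 209.xxx.xxx.250 is the firewall's own outside interface address, which the PIX answers itself, and 209.xxx.xxx.251 is also the first address of the dynamic NAT pool in `global (outside) 1`. The fragment assumes three things that the thread does not state: that 192.168.1.50 is published on the interface address with a port static for HTTP only (a one-to-one static cannot use the interface's own IP); that the dynamic pool 209.xxx.xxx.251-254 is dropped, since those four addresses are now consumed by the statics and PAT on the interface already covers outbound traffic; and that `access-list acl_out permit ip any any` is removed, because it lets any outside host reach every statically published inside host on every port and makes the per-port entries after it meaningless. The `!` lines are annotations; strip them before pasting. The internal DNS zones keep the 192.168.1.5x addresses (which is how the primary domain already works from bosung), while the zones on the public DNS carry the 209.xxx.xxx.25x addresses, as the accepted answer says.

```cisco
! PIX 6.3 fragment (added example). Interface order is (internal_if, external_if):
! global_ip is the address seen on the outside, local_ip is the inside host.

! 1. Remove the reversed statics and the dynamic pool that overlaps them.
no static (outside,inside) pix_outside 192.168.1.50 netmask 255.255.255.255 0 0
no static (outside,inside) 209.xxx.xxx.251 192.168.1.51 netmask 255.255.255.255 0 0
no static (outside,inside) 209.xxx.xxx.252 192.168.1.52 netmask 255.255.255.255 0 0
no static (outside,inside) 209.xxx.xxx.253 192.168.1.53 netmask 255.255.255.255 0 0
no static (outside,inside) 209.xxx.xxx.254 192.168.1.54 netmask 255.255.255.255 0 0
no global (outside) 1 209.xxx.xxx.251-209.xxx.xxx.254 netmask 255.255.255.248
! Outbound traffic from the inside keeps using PAT on the outside interface address.
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

! 2. Publish the web hosts. 209.xxx.xxx.250 is the outside interface address itself,
!    so 192.168.1.50 gets a port static on "interface" (assumption: HTTP only).
static (inside,outside) tcp interface www 192.168.1.50 www netmask 255.255.255.255 0 0
static (inside,outside) 209.xxx.xxx.251 192.168.1.51 netmask 255.255.255.255 0 0
static (inside,outside) 209.xxx.xxx.252 192.168.1.52 netmask 255.255.255.255 0 0
static (inside,outside) 209.xxx.xxx.253 192.168.1.53 netmask 255.255.255.255 0 0
static (inside,outside) 209.xxx.xxx.254 192.168.1.54 netmask 255.255.255.255 0 0

! 3. Rebuild acl_out without "permit ip any any": only the published services,
!    plus ICMP echo so the external ping test still works, and the ICMP error
!    types that outbound connections need back.
no access-list acl_out
access-list acl_out permit icmp any any echo
access-list acl_out permit icmp any any unreachable
access-list acl_out permit icmp any any time-exceeded
access-list acl_out permit tcp any host pix_outside eq www
access-list acl_out permit tcp any host 209.xxx.xxx.251 eq www
access-list acl_out permit tcp any host 209.xxx.xxx.251 eq domain
access-list acl_out permit udp any host 209.xxx.xxx.251 eq domain
access-list acl_out permit tcp any host 209.xxx.xxx.252 eq www
access-list acl_out permit tcp any host 209.xxx.xxx.253 eq www
access-list acl_out permit tcp any host 209.xxx.xxx.254 eq www
access-group acl_out in interface outside

! 4. Flush old translations and verify: every static should appear in the xlate
!    table, and the hit counters on acl_out should increase when the outside
!    ping and HTTP tests are repeated.
clear xlate
show static
show xlate
show access-list acl_out
write memory
```

Two things to watch when applying this. The outbound `permit ip any any` in acl_in is the usual "inside may go anywhere" policy and is left alone here; if the web server should not be able to open connections to the Internet, that is the list to tighten next. And because `acl_out` is rebuilt from scratch, the moment `no access-list acl_out` is entered there is no inbound policy on the outside interface until `access-group` is re-applied, so enter the block from the console or in one paste rather than line by line over the network.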