How to expose multiple web sites on same internal host behind a PIX 501 firewall?

Posted on 2004-04-28
Last Modified: 2010-04-11
I'm having trouble exposing five web sites hosted on the same internal web server
with the following address mappings: -> -> -> -> ->

My PIX configuration appears at the bottom of this message.  I tested it by browsing the webserver (named staff) from another internal host (named bosung).

Here are the symptoms:

+  I can surf the Internet from bosung from inside my PIX 501 firewall.
+  I can ping each of the five sites on staff from bosung.
+  I can see all five home pages by entering into a web browser from bosung.

I pointed bosung's NIC at my internal DNS on staff for internal domain name resolution.
+  The DNS was able to resolve my primary domain name and I could web browse it.
-   I could not browse any of my other URLs, probably because they are not represented
    in my internal DNS.

Question #1:  What kind of DNS record(s) must be added to represent the other URL's internally?

Using, I tested the five web sites from an outside host.
+  The first two responded to ping via their URL or IP address.
-   The latter three failed to respond to ping.

Question #2:  What do I have to do to get the latter three sites to respond
           to external pings the way the first two do?

DSL Connection
My PIX 501 is connected to the Internet via a DSL modem.  My ISP has assigned me:

5 static IP addresses:
subnet mask:
default gateway:
Primary DNS:
Secondary DNS:

PIX Configuration
Below is my entire configuration with debugging turned on:

PIX Version 6.3(3)
interface ethernet0 10full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname pixfirewall
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
name pix_inside
name pix_outside
name staff
name kathy
name ups
name una
name bosung
name DNS
name gateway
access-list acl_out permit icmp any any
access-list acl_out permit ip any any
access-list acl_out permit tcp any host pix_outside eq www
access-list acl_out permit tcp any host eq www
access-list acl_out permit tcp any host eq www
access-list acl_out permit tcp any host eq www
access-list acl_out permit tcp any host eq domain
access-list acl_out permit udp any host eq domain
access-list acl_out permit tcp any host eq www
access-list acl_in permit ip any any
pager lines 24
logging buffered debugging
mtu outside 1500
mtu inside 1500
ip address outside pix_outside
ip address inside pix_inside
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 netmask
global (outside) 1 interface
nat (inside) 1 0 0
static (outside,inside) pix_outside netmask 0 0
static (outside,inside) netmask 0 0
static (outside,inside) netmask 0 0
static (outside,inside) netmask 0 0
static (outside,inside) netmask 0 0

access-group acl_out in interface outside
access-group acl_in in interface inside
route outside gateway 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
: end
Question by:carlkelley

Expert Comment

ID: 10937320

If you are able to ping and browse the "external" addresses, then all you need do is add the A records to your DNS for the other aliases. Note that since you have opted for each of the home pages to have a different IP address, this requires that each of the externally visible addresses have an A record in the DNS mapping the desired name to the specified address.

So, you need to do two things:

- Create the A records on your DNS server for domain names corresponding to the through addresses (you will probably create WWW.domainname.COM; save a lot of grief and also create domainname.COM so things will still work when people omit the WWW).
- Ensure the updated DNS server is at the front of your search path.
- After testing, update the DNS server(s) pointed to by the domains' registration records.

I hope that the above is helpful.

- Bob (aka RLGSC)

Author Comment

ID: 10940946

I will try your advice as soon as I can figure out how to implement it in my Windows 2000 DNS.   Currently, it only has one Forward Lookup Zone and one Reverse Lookup Zone.  The Forward Lookup Zone bears my primary domain name, the domainname.COM mapped externally to  When I try to add a host record for another domain name inside of this zone or its "_sites" sub-folder, the form will not allow me to enter any names with embedded periods.  This suggests that I have to create a new Forward Lookup Zone for each additional domainname.COM and then add the appropriate host A record for therein.  But, before I do so, I need to remove the host(A) record from the primary Forward Lookup Zone so there is no confusion.

Does it sound like I'm on the right track?

Expert Comment

ID: 10943219
Why do you have 5 public IPs for one server? Are all 5 IPs mapped to different NICs, or is one NIC "listening" on 5 IPs? You can host more than one website publicly using only 1 IP using host headers, which are pretty easy to set up. All the setup would be done on the server side and not on the firewall side, which makes it a lot easier to manage.

Author Comment

ID: 10943550
One NIC is "listening" on 5 IPs.  I agree with your assessment of host headers for ease of administration for supporting multiple web sites on the same server.  Unfortunately, search engines get riled if you submit two different domain names that have the same IP address.  They punish you for trying to fool them.

Accepted Solution

RLGSC earned 500 total points
ID: 10948225

I don't have access to my Win 2K server box at this instant, but you are essentially correct. A Zone can only have one level.
You will need a forward lookup zone for each domain name if I remember the menus correctly. On the DNS side of the house, there is no requirement that there be a single name associated with an IP address (or for that matter, a single IP address associated with a name).

The addresses in the DNS (which,  if I recall correctly, is outside the firewall) should be the series of addresses, not the intranet (192.168.a.b).

As to search engines penalizing single IPs, that would be somewhat discriminatory. Many hosting providers use virtual serving with a single IP address servicing many domains. Discounting a site's cross-links solely on that premise would penalize firms for hosting on outside services and unwittingly being on the same server. For that matter, if two companies used the same www designer, who resold hosting services, the same problem would occur.

I hope that I have been helpful.

- Bob (aka RLGSC)
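To make the zone layout Bob describes concrete, here is an added example (my own code, not from the thread or from Microsoft). It builds one forward lookup zone per domain, each with an apex and a www A record carrying that domain's public address, resolves names against that zone set the way a resolver walks zones (which is why a second domain gets no answer until it has a zone of its own), and emits the equivalent dnscmd lines. The domain names, the ISP block and the addresses are constructed placeholders (RFC 2606 names, RFC 5737 addresses), not the asker's; the dnscmd syntax is my recollection of the Windows 2000 Support Tools command and should be checked against `dnscmd /?` before use.

```python
# Added example (not from the thread or from Microsoft): model the DNS layout
# the accepted answer describes and show why a name from a second domain does
# not resolve until that domain has a forward lookup zone of its own.
# Names and addresses are constructed placeholders (RFC 2606 / RFC 5737).
from ipaddress import ip_address, ip_network

# Assumed: the ISP's statics live in this block; the asker's real block is elided.
ISP_BLOCK = ip_network("203.0.113.8/29")

# Constructed mapping of domain -> the public address used as global_ip in its static.
SITES = {
    "example.com": "203.0.113.10",
    "example.net": "203.0.113.11",
    "example.org": "203.0.113.12",
}

RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def build_zones(sites, public_block):
    """One forward lookup zone per domain, each holding an apex (@) and a www
    A record.  Refuses intranet addresses: the records must carry the public
    (static NAT) address, not the 192.168.x.x address of the host itself."""
    zones = {}
    for domain, addr in sites.items():
        ip = ip_address(addr)
        if any(ip in net for net in RFC1918):
            raise ValueError(f"{domain}: {addr} is an RFC 1918 address; use the public static")
        if ip not in public_block:
            raise ValueError(f"{domain}: {addr} is not in the ISP block {public_block}")
        zones[domain.lower()] = [("@", "A", addr), ("www", "A", addr)]
    return zones


def resolve(zones, fqdn):
    """Look a name up the way a resolver walks authoritative zones: pick the
    longest zone that is a suffix of the name, then find the relative label in
    it.  Returns the address, or None when no zone covers the name (the failure
    the asker saw for domains that existed only as names inside another zone)."""
    fqdn = fqdn.rstrip(".").lower()
    covering = [z for z in zones if fqdn == z or fqdn.endswith("." + z)]
    if not covering:
        return None
    zone = max(covering, key=len)
    label = "@" if fqdn == zone else fqdn[: -len(zone) - 1]
    for name, rtype, data in zones[zone]:
        if name == label and rtype == "A":
            return data
    return None


def to_dnscmd(zones):
    """Emit equivalent dnscmd lines (Windows 2000 Support Tools).  The syntax is
    my recollection, not taken from the thread; check it against 'dnscmd /?'."""
    lines = []
    for zone, records in sorted(zones.items()):
        lines.append(f"dnscmd /ZoneAdd {zone} /Primary /file {zone}.dns")
        for name, rtype, data in records:
            lines.append(f"dnscmd /RecordAdd {zone} {name} {rtype} {data}")
    return lines


if __name__ == "__main__":
    zones = build_zones(SITES, ISP_BLOCK)
    for fqdn in ("www.example.com", "example.net", "www.example.org", "www.example.edu"):
        print(f"{fqdn:20s} -> {resolve(zones, fqdn)}")
    print("\n".join(to_dnscmd(zones)))
```

The apex and www records are created together on purpose, per Bob's advice that people omit the WWW; the RFC 1918 check enforces his point that the records should hold the public series of addresses rather than the intranet ones.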

Author Comment

ID: 10951149
A buddy of mine just suggested that my static commands appear to have their interfaces reversed.  Instead of:

static (outside,inside) pix_outside netmask 0 0
static (outside,inside) netmask 0 0
static (outside,inside) netmask 0 0
static (outside,inside) netmask 0 0
static (outside,inside) netmask 0 0

they should be:

static (inside, outside) pix_outside netmask 0 0
static (inside, outside) netmask 0 0
static (inside, outside) netmask 0 0
static (inside, outside) netmask 0 0
static (inside, outside) netmask 0 0

As a PIX newbie, my intuition about static command syntax appears to be wrong.  The PIX command reference says:

[no] static [(internal_if_name, external_if_name)] {global_ip | interface} local_ip [dns] [netmask mask] [max_conns [emb_limit [norandomseq]]]
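The interface-order rule quoted above generalizes: the first interface named in a static is the one the real host sits on, which is the higher-security interface, so for an inside host exposed on the outside it is always (inside,outside). Here is an added example (my own code, not from the thread or from Cisco) that reads a PIX 6.x-style config and reports the static/ACL problems visible in the posted one: statics whose first interface has the lower security level, the blanket `permit ip any any` and `permit icmp any any` on the outside ACL that expose every static-mapped host on every port, exposed hosts that have no permit of their own once that blanket rule goes, and the default `public` SNMP community. The sample config is constructed in the style of the posted one; its addresses are placeholders (RFC 5737 / RFC 1918), not the asker's.

```python
# Added example (not from the thread or from Cisco): a small lint for the
# static/ACL mistakes discussed here.  The config below is constructed in the
# style of the posted one; its addresses are placeholders, not the asker's.
import re

SAMPLE_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list acl_out permit icmp any any
access-list acl_out permit ip any any
access-list acl_out permit tcp any host 203.0.113.10 eq www
access-list acl_out permit tcp any host 203.0.113.11 eq www
access-list acl_in permit ip any any
static (outside,inside) 203.0.113.10 192.168.1.10 netmask 255.255.255.255 0 0
static (inside,outside) 203.0.113.11 192.168.1.10 netmask 255.255.255.255 0 0
static (inside,outside) 203.0.113.12 192.168.1.10 netmask 255.255.255.255 0 0
access-group acl_out in interface outside
access-group acl_in in interface inside
snmp-server community public
"""

STATIC_RE = re.compile(r"^static\s+\(\s*(\w+)\s*,\s*(\w+)\s*\)\s+(\S+)\s+(\S+)")


def _take_addr(tokens):
    """Consume one ACL address spec: 'any', 'host A.B.C.D' or 'A.B.C.D MASK'."""
    if tokens[0] == "any":
        return "any", tokens[1:]
    if tokens[0] == "host":
        return tokens[1], tokens[2:]
    return tokens[0] + " " + tokens[1], tokens[2:]


def parse_config(text):
    cfg = {"security": {}, "acls": {}, "groups": {}, "statics": [], "snmp": []}
    for raw in text.splitlines():
        line = raw.strip()
        t = line.split()
        if not t:
            continue
        if t[0] == "nameif" and len(t) >= 4 and t[3].startswith("security"):
            cfg["security"][t[2]] = int(t[3][len("security"):])  # name -> level
        elif t[0] == "access-list" and len(t) >= 6:
            src, rest = _take_addr(t[4:])
            dst, rest = _take_addr(rest)
            cfg["acls"].setdefault(t[1], []).append(
                {"action": t[2], "proto": t[3], "src": src, "dst": dst,
                 "port": " ".join(rest), "line": line})
        elif t[0] == "access-group" and len(t) >= 5:
            cfg["groups"][t[4]] = t[1]  # interface -> ACL applied to it
        elif t[0] == "static":
            m = STATIC_RE.match(line)
            if m:
                cfg["statics"].append({"first": m.group(1), "second": m.group(2),
                                       "global": m.group(3), "local": m.group(4),
                                       "line": line})
        elif t[0] == "snmp-server" and len(t) >= 3 and t[1] == "community":
            cfg["snmp"].append(t[2])
    return cfg


def lint(text):
    """Return a list of (code, detail) findings for the config text."""
    cfg = parse_config(text)
    sec = cfg["security"]
    outside_acl = cfg["acls"].get(cfg["groups"].get("outside", ""), [])
    findings = []

    # 1. static (internal_if, external_if) global_ip local_ip: the real host
    #    sits on the first, higher-security interface.  A static whose first
    #    interface is the lower-security one is the reversed form from the thread.
    for s in cfg["statics"]:
        if sec.get(s["first"], 0) < sec.get(s["second"], 0):
            findings.append(("STATIC_REVERSED", "%s -> static (%s,%s) %s %s" % (
                s["line"], s["second"], s["first"], s["global"], s["local"])))

    # 2. A blanket permit on the outside ACL exposes every static-mapped host
    #    on every port; the per-host 'eq www' lines add nothing beside it.
    for e in outside_acl:
        if e["action"] == "permit" and e["src"] == "any" and e["dst"] == "any":
            findings.append(("OUTSIDE_ANY_ANY", e["line"]))

    # 3. Each host exposed on the outside needs its own inbound permit, or it
    #    stops answering as soon as the blanket rule above is removed.
    named_hosts = {e["dst"] for e in outside_acl if e["action"] == "permit"} - {"any"}
    for s in cfg["statics"]:
        if s["second"] == "outside" and s["global"] not in named_hosts:
            findings.append(("NO_SPECIFIC_PERMIT", s["global"]))

    # 4. Default SNMP community strings.
    for c in cfg["snmp"]:
        if c.lower() in ("public", "private"):
            findings.append(("DEFAULT_SNMP_COMMUNITY", c))
    return findings


if __name__ == "__main__":
    for code, detail in lint(SAMPLE_CONFIG):
        print(f"{code:24s} {detail}")
```

Run against the sample it reports the reversed static for 203.0.113.10 with its corrected form, both blanket permits, the missing host permit for 203.0.113.12, and the `public` community. Once the statics read (inside,outside), the intended end state is one `permit tcp any host <global_ip> eq www` per exposed address and no `permit ip any any` on the outside ACL.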

Question has a verified solution.
