IIS - Want to test connectivity from web server instance in DMZ to internal network over HTTP

How does one test connectivity from an IIS web server instance in the DMZ to another web server on the internal network? The connection needs to take place over HTTP, but I'd also like to be able to ping as well.

As it stands, we can see the underlying server OS IP address trying to get through the Cisco ASA (5540), but that gets denied (obviously). What we want to do is connect over HTTP (or ping) from the IP address bound to an instance of the IIS web server.

(Forgive me if it's not called an "instance". I'm just talking about how you can bind a different IP address to different "websites" running under IIS.)

Any ideas how we can test connectivity under the alias of the website IP address on the IIS box? As if we were the website itself? I'd think it'd be doable.

Thanks in advance...
ArchiTech89 (IT Security Engineer) Asked:
Phil Davidson Commented:
You want one Windows server in the DMZ to have connectivity via HTTP and ICMP (ping) to a server inside the firewall (on the internal network)?  Is that correct?  HTTP uses port 80.  Ping uses port 135.  You could write a PowerShell script that tests if ports are open.  You could run it on the Windows server in the DMZ and on the client server inside the firewall.  If you have a server on the network that is running Unix or Linux, you could install the nmap utility.  This command makes it easy to test ports.  You could also install Fiddler on a Windows server and use PuTTY to test ports.
ArchiTech89 (IT Security Engineer) Author Commented:
Well, what I really want to know is...

How can I get traffic to source from the website IP address (under IIS)?

So for example, the Server OS address is on perhaps one subnet, but the websites created under the IIS role on that server are on another subnet, or even on different subnets from one another. So the question becomes, how do I source test traffic from one of the websites on the server, and not the server OS IP itself? Does that make sense?

It seems to me that there's got to be an easy answer for this, but I'm not an IIS guy. But if the website sitting on the IIS server can receive destination traffic on a different IP, it seems like it should also be able to source traffic from that IP to somewhere else. That's all...
zulazen Commented:
If the server you are testing from is running server 2012 R2, you can use test-netconnection in powershell.  This will essentially allow you to "ping a port".

https://technet.microsoft.com/en-us/library/dn372891(v=wps.630).aspx
kevinhsieh Commented:
What exactly are you trying to test, because normally Windows will send traffic from its main IP, or whichever interface has the best route. It would help if you describe what you expect the server to be doing, because I suspect that you think it will do things that it won't. For example, if you connect to a web site on a certain IP, and the web server needs to connect to another server for some reason, say a Windows share to serve a file, the connection that the web server makes to the Windows share has nothing to do with which web site/IP received the original request.

That said, you can route ALL traffic to a specific host through a specific interface by adding a static route.
http://serverfault.com/questions/155947/telnet-source-ip
Dan McFadden (Systems Engineer) Commented:
A simple test is to use the PING command.  You can tell ping.exe what source address to use:


C:\test>ping /?

Usage: ping [-t] [-a] [-n count] [-l size] [-f] [-i TTL] [-v TOS]
            [-r count] [-s count] [[-j host-list] | [-k host-list]]
            [-w timeout] [-R] [-S srcaddr] [-4] [-6] target_name

Options:
    -t             Ping the specified host until stopped.
                   To see statistics and continue - type Control-Break;
                   To stop - type Control-C.
    -a             Resolve addresses to hostnames.
    -n count       Number of echo requests to send.
    -l size        Send buffer size.
    -f             Set Don't Fragment flag in packet (IPv4-only).
    -i TTL         Time To Live.
    -v TOS         Type Of Service (IPv4-only. This setting has been deprecated
                   and has no effect on the type of service field in the IP Header).
    -r count       Record route for count hops (IPv4-only).
    -s count       Timestamp for count hops (IPv4-only).
    -j host-list   Loose source route along host-list (IPv4-only).
    -k host-list   Strict source route along host-list (IPv4-only).
    -w timeout     Timeout in milliseconds to wait for each reply.
    -R             Use routing header to test reverse route also (IPv6-only).
    -S srcaddr     Source address to use.
    -4             Force using IPv4.
    -6             Force using IPv6.

So, if your server had the following IP config:

NIC1 = 10.1.11.11/24
NIC2 = 10.2.12.12/24, 10.3.13.13/24, 10.4.14.14/24

To ping a destination IP of 10.100.101.101, the command would be:

ping -S 10.2.12.12 10.100.101.101 -n 100

Where the "-n" option is the number of pings to send.

Reference Link:  https://technet.microsoft.com/en-us/library/cc773052(v=ws.10).aspx

Dan
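The same source-address idea applied to a TCP port (the HTTP test the question asks for), as an added example that is not part of Dan's answer or of any Microsoft tool. It binds the socket's local endpoint to the site's IP before connecting, so the ASA sees that address as the source; all addresses reuse the hypothetical IP plan above.

```powershell
# Added example (not from the original thread): test TCP reachability of an
# internal web server while forcing the socket's local (source) address, the
# TCP/port equivalent of "ping -S <srcaddr>". Addresses are hypothetical and
# follow the sample IP plan in the answer above.
param(
    [string]$SourceAddress = "10.2.12.12",      # IP bound to the IIS site on NIC2
    [string]$Target        = "10.100.101.101",  # internal web server
    [int]   $Port          = 80,
    [int]   $TimeoutMs     = 3000
)

function Test-TcpFromSource {
    param([string]$SourceAddress, [string]$Target, [int]$Port, [int]$TimeoutMs)

    # Binding the local endpoint (port 0 = any ephemeral port) is what makes the
    # firewall see the site's IP rather than the server's primary IP as the source.
    $localIp = [System.Net.IPAddress]::Parse($SourceAddress)
    $local   = New-Object System.Net.IPEndPoint($localIp, 0)
    $client  = New-Object System.Net.Sockets.TcpClient($local)
    $result  = [ordered]@{ Source = $SourceAddress; Target = $Target; Port = $Port }
    try {
        # Asynchronous connect so a silently dropped SYN reports "Timeout"
        # instead of hanging for the OS default.
        $async = $client.BeginConnect($Target, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) {
            $result.Result = "Timeout (no SYN/ACK; likely filtered by the firewall)"
        } else {
            $client.EndConnect($async)
            # Report the address the OS actually used, to confirm the bind took.
            $result.Source = $client.Client.LocalEndPoint.Address.ToString()
            $result.Result = "Connected"
        }
    } catch {
        # e.g. "connection refused" = host reachable but nothing listening
        $result.Result = $_.Exception.GetBaseException().Message
    } finally {
        $client.Close()
    }
    return New-Object psobject -Property $result
}

Test-TcpFromSource -SourceAddress $SourceAddress -Target $Target -Port $Port -TimeoutMs $TimeoutMs |
    Format-Table -AutoSize
```

A "Connected" result proves the ASA rule works for that source address; it does not change how IIS itself behaves, since, as kevinhsieh notes below, an application's outbound connections use whatever source address the Windows routing table picks, not the site binding.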
Dan McFadden (Systems Engineer) Commented:
I would also check out nping, which is a utility that comes as part of the nmap tools.

Link:  nping -  http://nmap.org/nping/
Link: nmap - http://nmap.org/

nping provides very fine-grained control over how you send packets.

Dan
ArchiTech89 (IT Security Engineer) Author Commented:
Kevin,

It's a valid point. I'm thinking that you're right -- that I "think it will do things that it won't."

Here's the description, hopefully clearer this time:
There are applications on websites in the DMZ (the websites being on the IIS) which need to
1) further query DBs on the inside network over HTTP, and
2) log files to servers on the inside network over HTTP (not sure how that works, but...).

I'm working on the Cisco ASA (5540) firewall. I was tasked with punching the hole for the website IP addresses themselves (there are multiple websites per IIS), but it's looking like what I really need to do is punch the hole for the underlying Windows Server OS IP address and that will take care of the rest.

On the other hand, it seems like it would be part of IIS to allow the websites themselves to source IP traffic from their respective interfaces. But it doesn't sound like that's the case...
kevinhsieh Commented:
I'm working on the Cisco ASA (5540) firewall. I was tasked with punching the hole for the website IP addresses themselves (there are multiple websites per IIS), but it's looking like what I really need to do is punch the hole for the underlying Windows Server OS IP address and that will take care of the rest.

Yeah, you just need to punch the hole for the main IP address of the OS.

ArchiTech89 (IT Security Engineer) Author Commented:
I sure wish I could nail down an answer as to whether the IIS can source traffic from specific website IP addresses. From my perspective it would of necessity need to do so. But what I got here is at least an answer for my needs. Thanks!
ArchiTech89 (IT Security Engineer) Author Commented:
Dan,

I just wanted to thank you as well. (I had started a comment, but didn't finish it).

It helped me during the process to be able to use ping with a particular source IP address. Too bad I couldn't do both that and specify a target port. But then, with nping I'm thinking that will be possible. But at least I could see that the traffic through the firewall was actually being sourced from the IP address as I expected. It was a good test for me to be able to see. Thanks!