topic Re: Publidhing Web Server in Network Security

Publidhing Web Server

kashifashraf — Mon, 11 Mar 2019 12:49:10 GMT

I have a PIX 515e. My company wants to launch the web site which will serve Internet users as well as internal users. In my web server i have two network cards. My firewall has 3 network interface one is inside, other is outside network and the third one i want to configure as a dmz in which the webserver will reside. how should i configure my firewall to publish webserver. should i connect dmz with one network card of webserver for internet users and the other network card to connect to my local netwrok for internal users.

Re: Publidhing Web Server

Alan Huseyin Kayahan — Fri, 23 May 2008 16:38:09 GMT

Hi Kashif

I would recommend using only 1 NIC with webserver, place it into DMZ. then create the following static rule

static (dmz,outside) publicip webserverip netmask 255.255.255.255 dns

access-list outside_access_in permit tcp any host publicip eq www

static (dmz,inside) webserverip webserverip netmask 255.255.255.255

If your domain is same with your external domain, create a host record with www in DNS and point it to webserverip not the publicip

Regards

Re: Publidhing Web Server

kashifashraf — Sat, 24 May 2008 07:23:45 GMT

Hi Huseyin

Thanks for your reply. Need to know that why

i should use this command

static (dmz,outside) publicip webserverip netmask 255.255.255.255 dns

because i just want to publish webserver so y in this we should mention dns.

other thing i want to ask shouldn't i use

conduit permit tcp host webserverip eq www any

instead of access-list because it is mentioned in cisco website that for lower security level to higher security level we should use conduit command. and to allow access for my internal user to website i should use nat & global commands.

Regards

Re: Publidhing Web Server

Alan Huseyin Kayahan — Sat, 24 May 2008 13:10:48 GMT

"dns" switch at the end enables dns doctoring for that specific entry. If you dont do dns doctoring, whenever an inside user tries to reach www.youwebsite.com, your Public address will be returned and this will create a U turn traffic which will result with a drop. In DNS doctoring, If the specified traffic is met (an inside host tries to reach www.yourwebsite.com, ) that static with DNS command will re-write the DNS query by putting the private ip of Web server in DMZ instead public IP and you will reach webserver directly. But If you have a DNS server locally that all clients pointed to that and you can create a host record for www in yourwebsite.com domain, dns doctoring wont be needed at all, but just in case, I put it there.

conduit statement is depreceated, it was used before 6.3 IOS it is no longer supported. You have to use ACLs instead. You have an IOS greater than 6.3 in PIX 515E correct ?

and for your clients located in inside interface to be able to connect dmz, second static command is necessary. It will make the webserver located in DMZ not to be translated in NAT and reached directly. You wont need further NAT&Global commands.

Regards

Re: Publidhing Web Server

kashifashraf — Sun, 25 May 2008 12:55:11 GMT

Thanks Very Much i will try this scenerio and i will inform u. Also yes my Pix515e software version is 6.3(4).

Thanks

Re: Publidhing Web Server

Alan Huseyin Kayahan — Sun, 25 May 2008 14:02:54 GMT

You are welcome kashif, looking forward to hear from you about the progress. I suggest you to upgrade your IOS to at least 6.3(5), and my recommendation is 7.2(3)

Regards

Re: Publidhing Web Server

kashifashraf — Fri, 30 May 2008 09:40:25 GMT

Dear husycisco

I have cnfigure my firewall for inbound access but in my log it shows

deny tcp src outside:ipaddress dst dmz:ipaddress/80 by access-group "inbound"

i have attached my config file.

can u please help me and tell me what mistake i am doing.

thanks

Re: Publidhing Web Server

Alan Huseyin Kayahan — Fri, 30 May 2008 10:31:40 GMT

Hi Kashif,

I assume your code 6.3(4) is still running with conduits. Please add the following

no access-list inbound permit tcp any host 91.140.255.220 eq www

no access-group inbound in interface outside

conduit permit tcp host 91.140.255.220 eq www any

Regards

Re: Publidhing Web Server

kashifashraf — Sat, 31 May 2008 14:12:27 GMT

I tried these commands also but its not working still.

Also in syslog i didnt get any error message i rechecked the conectivity of my firewall to internet and its ok. i can use vpn connection from my home.

but still i cant access the website.

Re: Publidhing Web Server

Alan Huseyin Kayahan — Sat, 31 May 2008 16:03:21 GMT

Kashif,

Run "clear arp" and "clear xlate".

Make sure web server's default gateway is 172.16.4.1

Make sure there is no software firewall or HIPS runnin on web server. If running, then modify the exceptions scope to accept www traffic from any.

Please post your latest config with conduit added.

Re: Publidhing Web Server

kashifashraf — Mon, 02 Jun 2008 11:27:34 GMT

Dear husycisco

Thank you very much for your advise . after putting the default gateway i can access my website from internet.

other thing i want to ask u how i can publish the website for internal users. before u suggest me to use static command with access-list now but my firewall ios version is 6.3 so i can use cnduit command.

so how i can publish my website for internal users.

thank u very very much for your help.

Re: Publidhing Web Server

kashifashraf — Mon, 02 Jun 2008 15:02:28 GMT

dear husycisco

i have change my configuration from conduit command to access-list and it is working fine also.

i think before i didnt succed becz the gateway was not configured to web server.

now i want to give access to internal users to the web site so what should i configure.

also to manage the webiste i want to give access to developers internal network so they can connect through remote desktop to web server.

thanks

Re: Publidhing Web Server

Alan Huseyin Kayahan — Mon, 02 Jun 2008 16:21:18 GMT

Kashif,

You are welcome 🙂 Add the following

static (dmz,inside) webserver webserver netmask 255.255.255.255

access-list hadi line 2 permit 200.200.200.0 255.255.255.0 host webserver eq 80

access-list hadi line 3 permit developersnetwork developersnetmask host webserver eq 3389

Re: Publidhing Web Server

kashifashraf — Mon, 02 Jun 2008 16:58:26 GMT

Dear husycisco

the static command was accecepted by the firewall but i wasnt able to access the website from internal user, i tried to access with the ip address.

both access-list command was not accepted by the firewall and i couldn configure it.

it seems like some parameter was missing.

Re: Publidhing Web Server

Alan Huseyin Kayahan — Mon, 02 Jun 2008 17:19:50 GMT

Hmm, try this

access-list hadi line 2 permit ip 200.200.200.0 255.255.255.0 host webserver eq 80

access-list hadi line 3 permit ip developersnetwork developersnetmask host webserver eq 3389

Re: Publidhing Web Server

kashifashraf — Mon, 02 Jun 2008 19:34:00 GMT

I tried this also but firewall still not accepting this command.

i tried to use "any" instead of host, firewall accepted the command but i wasnt able to connect to webserver.

also i configured

static (dmz,inside) webserver webserver netmask 255.255.255.255

but still my internal users were not able to access website i check in syslog i got this error message

regular translation creation failed for tcp src inside ***ipaddress*** dst dmz webserver

Re: Publidhing Web Server

Alan Huseyin Kayahan — Tue, 03 Jun 2008 00:45:11 GMT

I advise BS like that when I dont get enough sleep sorry for that 🙂 nothing exists like

access-list hadi line 2 permit ip 200.200.200.0 255.255.255.0 host webserver eq 80

access-list hadi line 3 permit ip developersnetwork developersnetmask host webserver eq 3389

should be

access-list hadi line 2 permit tcp 200.200.200.0 255.255.255.0 host webserver eq 80

access-list hadi line 3 permit tcp developersnetwork developersnetmask host webserver eq 3389

The point here is, above ACEs should be placed before the deny any any statement you provided. Or simply remove deny statement, add above ACEs without line command then place dny any any in the end.

also try the following static

static (inside,dmz) 200.200.200.0 200.200.200.0 netmask 255.255.255.0

after entering the static command, run clear xlate that should handle regular trans crea fail. If all still the same, post your latest config and the regular translation creation failed syslog exactly with IP addresses