Web Server behind PIX

stevem
Level 1

We are looking at bringing our web hosting in-house and will be putting our site on our win2k server that is protected by a 506E. A couple of questions come to mind. Oh, if it helps, our running config is on a 6.2(2) with all standard fixup protocol ports open. We do have vpn groups set up for external access.

1. Should we put the site behind the PIX or give it a public IP and have a 2nd NIC from the server connect to our router? Are there any routing conflicts if it's behind the firewall and our internal clients attempt to reach it since they'd be coming back & forth through the same interface?

2. If we put the server behind the PIX, would it be better to just apply an ACL to it, tag an internal IP address to it and just have the PIX announce its outside interface address, OR should we give it a separate public IP address? We have a /29 with a few open addresses, so it can be an option for us.

Any insight or experience is again greatly appreciated.


gfullage
Cisco Employee

1. Definitely put the server behind the PIX, that's what it's designed for. There can be issues with your internal clients trying to get to it if they use its name and the name resolves to the public IP address rather than the actual internal IP address, but the PIX has a "dns" option on the static command just to get around that: See http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/cmdref/s.htm#1026694 for details.

2. Not sure what you mean by the first section, but you'd give the server an internal IP address and then set up a static translation in the PIX. People would then connect to the public address you specified in the PIX, and the PIX will forward it through.

Something like the following is all you should need:

> static (inside,outside) 200.1.1.1 10.1.1.1 dns netmask 255.255.255.255
> access-list inbound permit tcp any host 200.1.1.1 eq 80
> access-list inbound permit tcp any host 200.1.1.1 eq 443 (if necessary)
> access-group inbound in interface outside

where 200.1.1.1 is the public IP address you assign to the server, and 10.1.1.1 is its actual internal IP address. People would connect to the 200.1.1.1 public address and the PIX will send this through to 10.1.1.1.
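As an added illustration, not part of gfullage's reply and not PIX code, the following Python model walks through what those four lines make the PIX do: the inbound access-list on the outside interface is matched against the public (global) address 200.1.1.1, a matching permit is then translated by the static to 10.1.1.1, everything else falls to the implicit deny at the end of the list, and the "dns" keyword rewrites A-record answers carrying 200.1.1.1 to 10.1.1.1 on their way to an inside client so internal users reach the server by name without hairpinning. The addresses are the ones used in the reply; the packet and DNS samples are constructed for the demonstration.

```python
"""Model of a PIX 6.x one-to-one static with the "dns" keyword plus an inbound
access-list on the outside interface (added example, not PIX firmware or the
thread's own code). Addresses follow the reply above: 200.1.1.1 public,
10.1.1.1 inside. Sample packets and DNS answers below are constructed."""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Static:
    global_ip: str          # address seen on the outside interface
    local_ip: str           # real address on the inside
    dns: bool = False       # "dns" keyword: doctor A records that match global_ip


@dataclass(frozen=True)
class Ace:
    action: str             # "permit" or "deny"
    proto: str              # "tcp", "udp" or "ip" (ip matches any protocol)
    src: str                # "any" or a host address
    dst: str                # "any" or a host address (global address, pre-8.3 style)
    port: Optional[int]     # destination port; None means any port


# static (inside,outside) 200.1.1.1 10.1.1.1 dns netmask 255.255.255.255
STATICS = [Static("200.1.1.1", "10.1.1.1", dns=True)]

# access-list inbound permit tcp any host 200.1.1.1 eq 80 / eq 443
# access-group inbound in interface outside
INBOUND = [
    Ace("permit", "tcp", "any", "200.1.1.1", 80),
    Ace("permit", "tcp", "any", "200.1.1.1", 443),
]


def ace_matches(ace: Ace, proto: str, src: str, dst: str, dport: int) -> bool:
    """Field-by-field match of one access-list entry against a packet."""
    if ace.proto != "ip" and ace.proto != proto:
        return False
    if ace.src != "any" and ace.src != src:
        return False
    if ace.dst != "any" and ace.dst != dst:
        return False
    if ace.port is not None and ace.port != dport:
        return False
    return True


def inbound(proto: str, src: str, dst: str, dport: int) -> Tuple[str, Optional[str]]:
    """Evaluate a packet arriving on the outside interface.

    Returns (verdict, translated_destination). The list is walked top to bottom,
    first match wins, and an unmatched packet hits the implicit deny. A permitted
    packet still needs a static to be translated; with none it is dropped too.
    """
    verdict = "deny"
    for ace in INBOUND:
        if ace_matches(ace, proto, src, dst, dport):
            verdict = ace.action
            break
    if verdict != "permit":
        return ("deny", None)
    for s in STATICS:
        if s.global_ip == dst:
            return ("permit", s.local_ip)
    return ("deny", None)


def doctor_dns_answer(answer_ip: str, client_on_inside: bool = True) -> str:
    """Emulate the "dns" keyword: an A record carrying the global address that is
    delivered to an inside client is rewritten to the local address, so internal
    users talk to 10.1.1.1 directly instead of bouncing off the outside interface.
    Answers going to outside clients are left alone."""
    if not client_on_inside:
        return answer_ip
    for s in STATICS:
        if s.dns and s.global_ip == answer_ip:
            return s.local_ip
    return answer_ip


if __name__ == "__main__":
    # Constructed sample traffic from an arbitrary Internet host.
    samples = [("tcp", "198.51.100.7", "200.1.1.1", 80),
               ("tcp", "198.51.100.7", "200.1.1.1", 443),
               ("tcp", "198.51.100.7", "200.1.1.1", 3389),
               ("udp", "198.51.100.7", "200.1.1.1", 80)]
    for pkt in samples:
        print(pkt, "->", inbound(*pkt))
    print("inside client resolves www ->", doctor_dns_answer("200.1.1.1"))
    print("outside client resolves www ->", doctor_dns_answer("200.1.1.1", False))
```

The model shows why the access-list names 200.1.1.1 rather than 10.1.1.1: on PIX 6.x the outside access-list is evaluated before the static is applied, so it sees the public address. It also shows that the static alone opens nothing; without the access-group, every inbound packet still lands on the implicit deny.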

Ahhhh, ok.

Since my outside interface on the PIX is 207.XXX.xxx.177 /29

I can give the web server 207.xxx.xxx.179 and it won't affect my acl re a vpn group coming in on .177? On top of that, then I should keep my FTP and terminal services traffic coming in on a different IP as well, since I applied a static command to the web IP?
