12-22-2003 12:21 PM - edited 02-21-2020 12:58 PM
On my DMZ there are two servers. One services the WWW requests; the other terminates Microsoft's native VPN clients (GRE and PPTP). I have only one public address on a PIX506E (6.3.3) and there are no more! How could I manage to have the WWW server published on this only public address and also make the other server visible to the VPN clients on the Internet?
12-22-2003 12:28 PM
How is the GRE/PPTP being forwarded to the server? Is there a static statement for an IP? Is that IP the IP used by the outside interface?
12-22-2003 12:29 PM
Hi,
Unfortunately, this is not going to be possible. We are able to share global addresses by creating translations based on the destination port. Since PPTP uses TCP as well as GRE, we cannot use this option. GRE is a separate IP protocol that does not use "port" (layer 4) information. So therefore, if you need to translate an address for PPTP traffic, you will need to dedicate an address for this server. Can we use the address assigned to your outside interface on the PIX for the WWW server? We can overload on this address if possible in your scenario. Hope this makes sense.
Scott
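An added example (not part of the original post) illustrating the reply above: a port-keyed forwarding lookup run over constructed packets, showing that the TCP flows can be matched by destination port while the GRE packet offers no port to match on. The table, addresses and function names are assumptions made for illustration; this is not PIX configuration or PIX behaviour.

```python
import struct

TCP, UDP, GRE = 6, 17, 47  # IANA IP protocol numbers

# Hypothetical forwarding table for ONE shared public address,
# keyed on (IP protocol, destination port). Addresses are constructed.
PORT_FORWARDS = {
    (TCP, 80): "192.168.1.10",    # WWW server
    (TCP, 1723): "192.168.1.20",  # PPTP control channel
}

def ipv4_packet(proto, payload):
    """Build a minimal 20-byte IPv4 header (checksum left at 0) plus payload."""
    src, dst = bytes([198, 51, 100, 7]), bytes([203, 0, 113, 1])
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload),
                         0, 0, 64, proto, 0, src, dst)
    return header + payload

def tcp_segment(dst_port):
    """Source port, destination port, then 16 zero bytes for the rest of the header."""
    return struct.pack("!HH", 40000, dst_port) + bytes(16)

def pptp_gre():
    """Enhanced GRE header as used by PPTP: flags/version, protocol type
    0x880B, payload length, call ID. There is no port field anywhere in it."""
    return struct.pack("!HHHH", 0x2001, 0x880B, 0, 1)

def forward_target(packet):
    """Return the inside host for a packet, or None if no port-based
    entry can apply to it."""
    ihl = (packet[0] & 0x0F) * 4   # IPv4 header length in bytes
    proto = packet[9]              # IP protocol field
    if proto not in (TCP, UDP):
        return None                # no layer-4 ports to key a translation on
    dst_port = struct.unpack("!H", packet[ihl + 2:ihl + 4])[0]
    return PORT_FORWARDS.get((proto, dst_port))

if __name__ == "__main__":
    samples = [("HTTP", ipv4_packet(TCP, tcp_segment(80))),
               ("PPTP control", ipv4_packet(TCP, tcp_segment(1723))),
               ("PPTP data (GRE)", ipv4_packet(GRE, pptp_gre()))]
    for name, pkt in samples:
        print(f"{name:16} -> {forward_target(pkt)}")
```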
12-22-2003 12:48 PM
Yes, this was my opinion too, but I would have liked to resolve this without a new address propagation at the ISP's DNS. At the moment we have only one registered public IP address but we have got a /29 subnet from the ISP. So I will require a new DNS record and will serve the WWW and VPN requests on different IP addresses.
thanx,
Gabor