PIX 501 web server help

homeboarder8
Level 1

So I'm going to be running a PIX 501 with two web servers. In order to make it as secure as possible I'm doing port forwarding (from a router), through the PIX, to the web server. Now here is where I need help... Do I have to create ACLs for each and every port to make it secure? What is the best way to go about doing this, because I don't want to open up too much.

Thanks

3 Replies

hoogen_82
Level 4

I am not sure why you need to do it twice. Let's just say if your web server is in the Inside zone with an IP address of 192.168.1.10 and the public IP is 200.200.200.1, this is what you need to do.

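! Static PAT: forward TCP www on the public IP to the inside web server
static (inside,outside) tcp 200.200.200.1 www 192.168.1.10 www netmask 255.255.255.255
! Permit only inbound www traffic to the public IP
access-list outside_in extended permit tcp any host 200.200.200.1 eq www
! Apply the ACL to traffic arriving on the outside interface
access-group outside_in in interface outside
!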

This should help you out. Do the same for the second server.

-Hoogen
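An added example, not part of Hoogen's reply: a small Python audit that cross-checks the `static` port forwards in a PIX config against the permits in the ACL bound inbound to the outside interface, so that only forwarded ports are open. The second server (192.168.1.11 on public port 8080), the 3389 and `any any` lines, and all function names are constructed for illustration.

```python
import re

# Constructed sample: the three lines from the reply above, plus a constructed
# second server (192.168.1.11 on public port 8080) and two constructed mistakes.
SAMPLE_CONFIG = """\
static (inside,outside) tcp 200.200.200.1 www 192.168.1.10 www netmask 255.255.255.255
static (inside,outside) tcp 200.200.200.1 8080 192.168.1.11 www netmask 255.255.255.255
access-list outside_in extended permit tcp any host 200.200.200.1 eq www
access-list outside_in extended permit tcp any host 200.200.200.1 eq 3389
access-list outside_in extended permit ip any any
access-group outside_in in interface outside
"""

STATIC_RE = re.compile(r"static \(\w+,outside\) (tcp|udp) (\S+) (\S+) ")
ACL_RE = re.compile(r"access-list (\S+) (?:extended )?permit (\S+) any (?:host (\S+) eq (\S+)|any)")
GROUP_RE = re.compile(r"access-group (\S+) in interface outside")
PORT_NAMES = {"www": "80", "https": "443"}  # keyword-to-number aliases

def port(p):
    return PORT_NAMES.get(p, p)

def audit(config):
    """Return findings for outside-facing permits and static port forwards."""
    statics, permits, bound = set(), [], set()
    for line in map(str.strip, config.splitlines()):
        if m := STATIC_RE.match(line):
            statics.add((m[1], m[2], port(m[3])))
        elif m := ACL_RE.match(line):
            permits.append(m.groups())
        elif m := GROUP_RE.match(line):
            bound.add(m[1])
    findings, used = [], set()
    for name, proto, host, dport in permits:
        if name not in bound:
            continue  # ACL is not applied inbound on the outside interface
        if host is None:
            findings.append(f"BROAD: {name} permits {proto} any any")
        elif (proto, host, port(dport)) in statics:
            used.add((proto, host, port(dport)))
        else:
            findings.append(f"NO-STATIC: {name} permits {proto} to {host} port {dport}")
    # A static with no permit is unreachable: the ACL ends in an implicit deny.
    for proto, host, dport in sorted(statics - used):
        findings.append(f"NO-PERMIT: static {proto} {host} port {dport}")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run against the three lines from the reply alone, the audit returns no findings: one permit per forwarded port is enough, and everything else is dropped by the implicit deny.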

purohit_810
Level 5

See, one way you can implement security on the web server:

1) You must PATCH the server before you take it live.

2) You must do hardening of the server. (See web server hardening procedure.)

3) You must have password of mean .. web admin.

4) After that you need an access-list. Use the FIXUP command to change the port no. to other than the default.

Regards,

Dharmesh Purohit
