Publishing Web Server

Answered Question
May 23rd, 2008

I have a PIX 515E. My company wants to launch a web site which will serve Internet users as well as internal users. My web server has two network cards. My firewall has three network interfaces: one is inside, the other is outside, and the third one I want to configure as a DMZ in which the web server will reside. How should I configure my firewall to publish the web server? Should I connect the DMZ to one network card of the web server for Internet users, and the other network card to my local network for internal users?

husycisco Fri, 05/23/2008 - 09:38

Hi Kashif

I would recommend using only one NIC on the web server, placed in the DMZ. Then create the following rules:


static (dmz,outside) publicip webserverip netmask 255.255.255.255 dns

access-list outside_access_in permit tcp any host publicip eq www

static (dmz,inside) webserverip webserverip netmask 255.255.255.255


If your internal domain is the same as your external domain, create a host record for www in your DNS and point it to webserverip, not publicip.


Regards

kashifashraf Sat, 05/24/2008 - 00:23

Hi Huseyin


Thanks for your reply. I need to know why

I should use this command

static (dmz,outside) publicip webserverip netmask 255.255.255.255 dns

because I just want to publish the web server, so why should we mention dns in this?

The other thing I want to ask: shouldn't I use

conduit permit tcp host webserverip eq www any

instead of an access-list, because it is mentioned on the Cisco website that for lower security level to higher security level we should use the conduit command? And to allow access for my internal users to the website I should use the nat & global commands.


Regards

husycisco Sat, 05/24/2008 - 06:10

The "dns" switch at the end enables DNS doctoring for that specific entry. If you don't do DNS doctoring, whenever an inside user tries to reach www.yourwebsite.com, your public address will be returned, and this will create U-turn traffic which will result in a drop. With DNS doctoring, if the specified traffic is matched (an inside host tries to reach www.yourwebsite.com), that static with the dns keyword will rewrite the DNS query by putting the private IP of the web server in the DMZ in place of the public IP, and you will reach the web server directly. But if you have a local DNS server that all clients point to, and you can create a host record for www in the yourwebsite.com domain, DNS doctoring won't be needed at all; just in case, I put it there.


The conduit statement is deprecated; it was used before 6.3 IOS and is no longer supported. You have to use ACLs instead. You have an IOS greater than 6.3 on the PIX 515E, correct?


And for your clients located on the inside interface to be able to connect to the DMZ, the second static command is necessary. It will make the web server located in the DMZ not be translated by NAT and be reached directly. You won't need further nat & global commands.


Regards

kashifashraf Sun, 05/25/2008 - 05:55

Thanks very much, I will try this scenario and I will inform you. Also, yes, my PIX 515E software version is 6.3(4).


Thanks

husycisco Sun, 05/25/2008 - 07:02

You are welcome Kashif, looking forward to hearing from you about the progress. I suggest you upgrade your IOS to at least 6.3(5), and my recommendation is 7.2(3).


Regards

kashifashraf Fri, 05/30/2008 - 02:40

Dear husycisco


I have configured my firewall for inbound access but in my log it shows


deny tcp src outside:ipaddress dst dmz:ipaddress/80 by access-group "inbound"


I have attached my config file.


Can you please help me and tell me what mistake I am making?


thanks
husycisco Fri, 05/30/2008 - 03:31

Hi Kashif,

I assume your 6.3(4) code is still running with conduits. Please add the following:


no access-list inbound permit tcp any host 91.140.255.220 eq www

no access-group inbound in interface outside

conduit permit tcp host 91.140.255.220 eq www any


Regards

kashifashraf Sat, 05/31/2008 - 07:12

Hi

I tried these commands also but it is still not working.


Also in the syslog I didn't get any error message. I rechecked the connectivity of my firewall to the Internet and it's OK; I can use a VPN connection from my home.


But still I can't access the website.


Correct Answer
husycisco Sat, 05/31/2008 - 09:03

Kashif,

Run "clear arp" and "clear xlate".

Make sure the web server's default gateway is 172.16.4.1

Make sure there is no software firewall or HIPS running on the web server. If one is running, then modify the exceptions scope to accept www traffic from any.

Please post your latest config with conduit added.



kashifashraf Mon, 06/02/2008 - 04:27

Dear husycisco


Thank you very much for your advice. After putting in the default gateway I can access my website from the Internet.


The other thing I want to ask you is how I can publish the website for internal users. Before, you suggested I use the static command with an access-list, but my firewall IOS version is 6.3 so I can use the conduit command.


So how can I publish my website for internal users?


Thank you very, very much for your help.


kashifashraf Mon, 06/02/2008 - 08:02

Dear husycisco


I have changed my configuration from the conduit command to access-list and it is working fine as well.

I think before I didn't succeed because the gateway was not configured on the web server.


Now I want to give internal users access to the website, so what should I configure?


Also, to manage the website I want to give the developers on the internal network access so they can connect through Remote Desktop to the web server.


thanks


husycisco Mon, 06/02/2008 - 09:21

Kashif,

You are welcome :) Add the following:

static (dmz,inside) webserver webserver netmask 255.255.255.255

access-list hadi line 2 permit 200.200.200.0 255.255.255.0 host webserver eq 80

access-list hadi line 3 permit developersnetwork developersnetmask host webserver eq 3389


kashifashraf Mon, 06/02/2008 - 09:58

Dear husycisco


The static command was accepted by the firewall, but I wasn't able to access the website from an internal user; I tried to access it with the IP address.


Both access-list commands were not accepted by the firewall and I couldn't configure them.


It seems like some parameter was missing.



husycisco Mon, 06/02/2008 - 10:19

Hmm, try this:

access-list hadi line 2 permit ip 200.200.200.0 255.255.255.0 host webserver eq 80

access-list hadi line 3 permit ip developersnetwork developersnetmask host webserver eq 3389


kashifashraf Mon, 06/02/2008 - 12:34

I tried this also but the firewall is still not accepting this command.


I tried to use "any" instead of host; the firewall accepted the command but I wasn't able to connect to the web server.


Also I configured

static (dmz,inside) webserver webserver netmask 255.255.255.255

but still my internal users were not able to access the website. I checked in the syslog and got this error message:


regular translation creation failed for tcp src inside ***ipaddress*** dst dmz webserver



husycisco Mon, 06/02/2008 - 17:45

I advise BS like that when I don't get enough sleep, sorry for that :) Nothing exists like


access-list hadi line 2 permit ip 200.200.200.0 255.255.255.0 host webserver eq 80

access-list hadi line 3 permit ip developersnetwork developersnetmask host webserver eq 3389



should be


access-list hadi line 2 permit tcp 200.200.200.0 255.255.255.0 host webserver eq 80

access-list hadi line 3 permit tcp developersnetwork developersnetmask host webserver eq 3389


The point here is, the above ACEs should be placed before the deny any any statement you provided. Or simply remove the deny statement, add the above ACEs without the line keyword, then place deny any any at the end.


Also try the following static:

static (inside,dmz) 200.200.200.0 200.200.200.0 netmask 255.255.255.0


After entering the static command, run clear xlate; that should handle the regular translation creation failed. If all is still the same, post your latest config and the regular translation creation failed syslog exactly, with the IP addresses.
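Added example, written by the editor and not taken from any post in this thread: a PIX 6.3 configuration fragment that puts together what the replies above propose for a single-NIC web server in the DMZ, and adds the pieces the posts leave implicit. It shows the access-group bindings without which an access-list does nothing, the specific ACEs placed ahead of the explicit deny, the (inside,dmz) identity static that stops the "regular translation creation failed" syslog for inside-to-DMZ flows, a deny that keeps inside users off every DMZ port they were not granted, and an egress ACL on the dmz interface so a compromised web server cannot freely reach the inside network or the Internet. Addresses taken from the thread: 91.140.255.220 (public), 172.16.4.1 (DMZ interface and the web server's default gateway), 200.200.200.0/24 (inside), and the ACL names inbound and hadi. Assumed for illustration: the web server at 172.16.4.10, a developer subnet 10.10.20.0/24, an internal DNS server at 200.200.200.5, the DMZ on ethernet2, an existing nat/global pair for outbound Internet access, and the 6.3 command syntax that places the dns keyword before netmask (7.x expects it after netmask).

```text
: PIX 6.3 fragment (added example; see lead-in for which addresses are assumed)
: Third interface becomes the DMZ; 172.16.4.1 is the gateway the web server must use.
nameif ethernet2 dmz security50
ip address dmz 172.16.4.1 255.255.255.0
:
: Publish the web server (assumed 172.16.4.10) on the public address from the thread.
: "dns" rewrites A-record answers carrying 91.140.255.220 into 172.16.4.10 for
: replies that traverse this static, so inside clients do not hairpin via the outside.
: In 6.3 the dns keyword precedes netmask; in 7.x it follows it.
static (dmz,outside) 91.140.255.220 172.16.4.10 dns netmask 255.255.255.255
access-list inbound permit tcp any host 91.140.255.220 eq www
access-group inbound in interface outside
:
: Identity statics so inside hosts appear on the dmz interface with their own
: addresses. Without these, inside->dmz connections fail at translation time and
: the PIX logs "regular translation creation failed" even if the ACL permits them.
static (inside,dmz) 200.200.200.0 200.200.200.0 netmask 255.255.255.0
static (inside,dmz) 10.10.20.0 10.10.20.0 netmask 255.255.255.0
:
: Inside ACL. Order matters: specific permits first, then a deny for everything
: else aimed at the DMZ, then the general outbound permit. Binding an ACL to the
: inside interface replaces the implicit "higher to lower is allowed" behaviour,
: so the general permit is required to keep ordinary Internet access working.
access-list hadi permit tcp 200.200.200.0 255.255.255.0 host 172.16.4.10 eq www
access-list hadi permit tcp 10.10.20.0 255.255.255.0 host 172.16.4.10 eq 3389
access-list hadi deny ip any 172.16.4.0 255.255.255.0
access-list hadi permit ip 200.200.200.0 255.255.255.0 any
access-list hadi permit ip 10.10.20.0 255.255.255.0 any
access-list hadi deny ip any any
access-group hadi in interface inside
:
: DMZ egress ACL. With no ACL on dmz the PIX blocks dmz->inside (higher security)
: but allows dmz->outside unrestricted. Limiting the web server to what it needs
: (here: outbound web for updates and DNS to an assumed internal resolver) bounds
: what an attacker who compromises the web server can reach from it.
access-list dmz_out permit tcp host 172.16.4.10 any eq www
access-list dmz_out permit tcp host 172.16.4.10 any eq 443
access-list dmz_out permit udp host 172.16.4.10 host 200.200.200.5 eq domain
access-list dmz_out deny ip any any
access-group dmz_out in interface dmz
:
: Exec-mode commands (not part of the saved config) to run after changing statics:
:   clear xlate
:   clear arp
```

Two checks after applying this: from an outside host, a TCP connection to 91.140.255.220:80 should produce a 302013 built-connection syslog rather than a 106023 deny from access-group "inbound"; from an inside host, a connection to 172.16.4.10:80 should likewise build a connection with no 305006 translation-failure message. If internal clients use a local DNS zone for the external domain, a host record for www pointing at 172.16.4.10 makes the dns keyword on the static unnecessary, but the keyword is harmless when the record exists.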


