05-23-2008 08:38 AM - edited 03-11-2019 05:49 AM
I have a PIX 515e. My company wants to launch a web site which will serve Internet users as well as internal users. In my web server I have two network cards. My firewall has 3 network interfaces: one is inside, the other is the outside network, and the third one I want to configure as a DMZ in which the web server will reside. How should I configure my firewall to publish the web server? Should I connect the DMZ to one network card of the web server for Internet users and the other network card to my local network for internal users?
05-23-2008 09:38 AM
Hi Kashif
I would recommend using only 1 NIC with the web server; place it into the DMZ. Then create the following static rules
static (dmz,outside) publicip webserverip netmask 255.255.255.255 dns
access-list outside_access_in permit tcp any host publicip eq www
static (dmz,inside) webserverip webserverip netmask 255.255.255.255
If your domain is the same as your external domain, create a host record for www in DNS and point it to webserverip, not the publicip.
Regards
05-24-2008 12:23 AM
Hi Huseyin
Thanks for your reply. I need to know why
I should use this command
static (dmz,outside) publicip webserverip netmask 255.255.255.255 dns
because I just want to publish the web server, so why should we mention dns in this?
The other thing I want to ask is: shouldn't I use
conduit permit tcp host webserverip eq www any
instead of access-list, because it is mentioned on the Cisco website that for lower security level to higher security level we should use the conduit command. And to allow access for my internal users to the website I should use the nat & global commands.
Regards
05-24-2008 06:10 AM
The "dns" switch at the end enables DNS doctoring for that specific entry. If you don't do DNS doctoring, whenever an inside user tries to reach www.yourwebsite.com, your public address will be returned and this will create U-turn traffic which will result in a drop. In DNS doctoring, if the specified traffic is met (an inside host tries to reach www.yourwebsite.com), that static with the dns keyword will rewrite the DNS query by putting the private IP of the web server in the DMZ instead of the public IP, and you will reach the web server directly. But if you have a DNS server locally that all clients point to, and you can create a host record for www in the yourwebsite.com domain, DNS doctoring won't be needed at all; but just in case, I put it there.
The conduit statement is deprecated; it was used before 6.3 IOS and it is no longer supported. You have to use ACLs instead. You have an IOS greater than 6.3 on the PIX 515E, correct?
And for your clients located on the inside interface to be able to connect to the DMZ, the second static command is necessary. It will make the web server located in the DMZ not be translated in NAT and be reached directly. You won't need further NAT & global commands.
Regards
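The DNS doctoring described above, as an added illustration that is not part of this thread: the firewall watches DNS replies matched by the static and swaps the public A-record address for the DMZ address. The mapping and the hostname are constructed placeholders, not the poster's real network, and the reply builder is only there to produce test input.

```python
import struct

# Constructed sample mapping that stands in for the thread's
#   static (dmz,outside) publicip webserverip netmask 255.255.255.255 dns
# (placeholder addresses, not the poster's real network).
STATIC_DNS = {"203.0.113.10": "172.16.4.10"}


def _encode_name(name):
    """Encode a dotted hostname as DNS labels."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"


def build_a_response(name, ip, ttl=300):
    """Build a minimal DNS response carrying one A record (constructed test input)."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    question = _encode_name(name) + struct.pack("!HH", 1, 1)
    rdata = bytes(int(o) for o in ip.split("."))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + rdata  # name = pointer to question
    return header + question + answer


def _skip_name(pkt, off):
    """Return the offset just past a (possibly compressed) DNS name."""
    while True:
        length = pkt[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer occupies 2 bytes
            return off + 2
        off += 1 + length


def doctor_dns_response(pkt):
    """Rewrite A answers carrying a mapped public IP with the DMZ private IP (what 'dns' does for inside clients)."""
    buf = bytearray(pkt)
    qdcount, ancount = struct.unpack("!HH", buf[4:8])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(buf, off) + 4  # skip QTYPE and QCLASS
    for _ in range(ancount):
        off = _skip_name(buf, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:  # A record
            ip = ".".join(str(b) for b in buf[off:off + 4])
            if ip in STATIC_DNS:
                buf[off:off + 4] = bytes(int(o) for o in STATIC_DNS[ip].split("."))
        off += rdlen
    return bytes(buf)
```

An inside client that receives the rewritten reply connects straight to the DMZ address, which is why the U-turn through the outside interface never happens.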
05-25-2008 05:55 AM
Thanks very much, I will try this scenario and I will inform you. Also, yes, my PIX 515e software version is 6.3(4).
Thanks
05-25-2008 07:02 AM
You are welcome Kashif, looking forward to hearing from you about the progress. I suggest you upgrade your IOS to at least 6.3(5), and my recommendation is 7.2(3).
Regards
05-30-2008 02:40 AM
05-30-2008 03:31 AM
Hi Kashif,
I assume your code 6.3(4) is still running with conduits. Please add the following
no access-list inbound permit tcp any host 91.140.255.220 eq www
no access-group inbound in interface outside
conduit permit tcp host 91.140.255.220 eq www any
Regards
05-31-2008 07:12 AM
Hi
I tried these commands also but it's still not working.
Also, in syslog I didn't get any error message. I rechecked the connectivity of my firewall to the Internet and it's OK; I can use a VPN connection from my home.
But still I can't access the website.
05-31-2008 09:03 AM
Kashif,
Run "clear arp" and "clear xlate".
Make sure web server's default gateway is 172.16.4.1
Make sure there is no software firewall or HIPS running on the web server. If one is running, then modify the exceptions scope to accept www traffic from any.
Please post your latest config with conduit added.
06-02-2008 04:27 AM
Dear husycisco
Thank you very much for your advice. After putting in the default gateway I can access my website from the Internet.
The other thing I want to ask you is how I can publish the website for internal users. Before, you suggested me to use the static command with an access-list, but my firewall IOS version is 6.3 so I can use the conduit command.
So how can I publish my website for internal users?
Thank you very, very much for your help.
06-02-2008 08:02 AM
dear husycisco
I have changed my configuration from the conduit command to access-list and it is working fine also.
I think before I didn't succeed because the gateway was not configured on the web server.
Now I want to give internal users access to the website, so what should I configure?
Also, to manage the website I want to give access to the developers' internal network so they can connect through Remote Desktop to the web server.
thanks
06-02-2008 09:21 AM
Kashif,
You are welcome :) Add the following
static (dmz,inside) webserver webserver netmask 255.255.255.255
access-list hadi line 2 permit 200.200.200.0 255.255.255.0 host webserver eq 80
access-list hadi line 3 permit developersnetwork developersnetmask host webserver eq 3389
06-02-2008 09:58 AM
Dear husycisco
The static command was accepted by the firewall but I wasn't able to access the website from an internal user; I tried to access it with the IP address.
Both access-list commands were not accepted by the firewall and I couldn't configure them.
It seems like some parameter was missing.
06-02-2008 10:19 AM
Hmm, try this
access-list hadi line 2 permit tcp 200.200.200.0 255.255.255.0 host webserver eq 80
access-list hadi line 3 permit tcp developersnetwork developersnetmask host webserver eq 3389