F5 and PIX for webserver

jliscano
Level 1

I had a question regarding securing our webservers that use IIS. We have 2 options in play. Which one is a better solution to secure IIS from the IIS vulnerabilities, etc.? I know both have advantages and disadvantages.

Here's the setup: a Cisco PIX firewall and an F5 connected to the DMZ on the PIX. The F5 has 2 VLANs, 1.1 and 1.2. VLAN 1.1 has a public IP (example: 2.2.2.2) and VLAN 1.2 has 192.168.0.1.

1) Place the IIS server in the internal network (10.0.0.0) and have the F5 communicate with it to retrieve the pages for Internet users. The Internet users will see a public IP address, but obviously the F5 will translate that to the internal IP address in the 10.0.0.0 network. Also, the server needs to communicate with a database on the internal network.

2) Place the IIS server in the F5 VLAN 1.2 network (192.168.0.0) and have the F5 communicate with it that way. The server then needs to communicate with the internal network (10.0.0.0) to access a database. Obviously we need to open ports on the PIX at that point.

Hopefully I made sense.

Jerome

3 Replies

a.kiprawih
Level 7

Hi,

Personally, I think Option #2 looks better for more secure access.

This is similar to the concept of hosting your public webserver in a semi-trusted segment. Obviously, you do not want outsiders to access your internal network directly in the event that someone manages to find a way to hack into the webserver. If this happened, he/she would already be on your secure network segment and have a greater chance of compromising other servers. The DMZ acts more or less like a 'transit area'. Another layer of ACLs on the DMZ and Inside interfaces will help to prevent/minimize the risks. And of course, an IPS will be a bonus to further inspect the passing traffic, especially when the firewall has no ability to check hidden/tunneling traffic.

Rgds,

AK

sgramm
Level 1

I am having problems getting into the device manager of my PIX. It keeps saying access denied. Where in the CLI do you set up access to the HTTPS server?

First you want to enable "http server enable" on the PIX. Then add your station IP address with this command: "http 255.255.255.255 inside".

You should then be able to https into your PIX via web.
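The layered-ACL approach AK recommends for option 2, together with the management-access commands from the last reply, written out as an added PIX configuration fragment. This is example configuration, not text from the thread or from any poster. It assumes PIX 6.3 syntax; that the PIX `dmz` interface sits on the F5's public-side network as 2.2.2.1 with the F5 (2.2.2.2, from the thread) as the next hop to the 192.168.0.0/24 VLAN; that the IIS host is 192.168.0.10, the database server is 10.0.0.20 listening on TCP 1433, and the admin workstation is 10.0.0.5. Every address other than 2.2.2.2 and the two network ranges is an assumption. Lines starting with `!` are explanatory comments, not commands.

```text
! Interfaces: inside is most trusted, dmz sits between it and the Internet.
! (Interface names and the dmz/inside addresses are assumed.)
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address inside 10.0.0.1 255.255.255.0
ip address dmz 2.2.2.1 255.255.255.0

! The webserver VLAN (192.168.0.0/24) is behind the F5, so route it via the F5.
route dmz 192.168.0.0 255.255.255.0 2.2.2.2 1

! PIX 6.3 needs a translation entry before a lower-security interface may reach
! an inside host; an identity static exposes the DB server to the dmz unchanged.
static (inside,dmz) 10.0.0.20 10.0.0.20 netmask 255.255.255.255 0 0

! Least privilege for what the IIS host may initiate: only SQL to the one DB host.
! Explicit logged denies make any other attempt from the DMZ visible in syslog.
access-list dmz_in permit tcp host 192.168.0.10 host 10.0.0.20 eq 1433
access-list dmz_in deny ip any 10.0.0.0 255.255.255.0 log
access-list dmz_in deny ip any any log
access-group dmz_in in interface dmz

! Management (from the last reply): enable the HTTPS/PDM server and allow
! exactly one inside workstation, not the whole network, to use it.
http server enable
http 10.0.0.5 255.255.255.255 inside
```

In option 2 the F5-to-webserver traffic stays on the F5's own VLANs and never crosses the PIX, so the only flows this firewall sees from the DMZ are the ones the webserver itself initiates; the `dmz_in` list therefore describes the full set of connections a compromised IIS host could open toward the inside. After applying it, `show access-list dmz_in` should show hit counts accruing only on the permit line; hits on the deny lines are worth investigating. The final `deny ip any any` also blocks the webserver from opening outbound Internet connections (updates, DNS), so add narrow permits for those if the server needs them rather than relaxing the inside-network deny.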
