Cisco Support Community
New Member

Can the Pix 501 handle multiple http servers?

Hello;

I would like to try this configuration using the Pix 501 in a soho situation. Is it possible?

(a) Cable router with 5 live IP's

(b) Pix 501

(c) Single Win2000/Exchange 2000 server with 3 low volume web sites and one SMTP port.

Can the Pix 501 be programmed to route the 3 http and 1 smtp requests from the untrusted Internet to the proper internal IP's on the server?

Thanks

8 REPLIES
Gold

Re: Can the Pix 501 handle multiple http servers?

Hi -

You might want to read the following post, which might help a little on your decision:

http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.eea1a02

Thanks -

New Member

Re: Can the Pix 501 handle multiple http servers?

Friend jmia@ohgroup;

I read your url link, and I'm afraid that it doesn't answer my question. I don't want/need a DMZ, more than 10 users, etc.

Just want to know if the Pix 501 can handle the programming outlined in my first post.

Thanks!

Silver

Re: Can the Pix 501 handle multiple http servers?

Hi,

The answer is yes, PIX can be configured for this. In fact, it is quite simple. How to config depends on what you want exactly.

I assume that you want to use three public IP's and translate them to one and the same private IP. I'm not sure if you are using virtual server configuration (listening on port 80 for every server), or that three websites are running and listening on different ports. But configuration is mainly the same.

You would have to configure something like this:

static (inside, outside) tcp 80 netmask 255.255.255.255

static (inside, outside) tcp 80 netmask 255.255.255.255

static (inside, outside) tcp 80 netmask 255.255.255.255

Then, if you want the servers to be able to initiate sessions from the inside as well, you would have to put in the appropriate nat and global for it as well. This would be something like this:

nat (inside) 1 255.255.255.255

nat (inside) 2 255.255.255.255

nat (inside) 3 255.255.255.255

nat (inside) 5

global (outside) 1

global (outside) 1

global (outside) 1

global (outside) 5 interface

Let me know if you need further assistance on this.

Kind regards,

Leo

New Member

Re: Can the Pix 501 handle multiple http servers?

Leo,

Actually, I will be using four public IP's and linking them to four *separate* private IP's. The private IP's are all bound to the same nic. Like this:

Email 192.168.200.250; Web services(1) 192.168.200.251; Web services(2) 192.168.200.252; Web services(3) 192.168.200.253.

As you say, the configuration is mainly the same?

I'm guessing it would have to be configured something like this:

static tcp <192.168.200.251_1> 80 <66.128.96.xxx_1> netmask 255.255.255.255

BTW Leo, {and others}

The integrated Cisco PIX Device Manager {PDM} is supposed to provide an intuitive, Web-based management interface for configuring and troubleshooting a Cisco PIX 501, requiring only a standard Web browser. Cisco says a setup wizard is provided for easy installation.

Does this mean I can accomplish the setups like yours without learning the interface commands like your examples?

Frankly, the command line seems quite daunting for the new user.

Thanks for the support!

Silver

Re: Can the Pix 501 handle multiple http servers?

Hi,

Yes, as I did mention, it is mainly the same. Your guess is almost right. The config would be:

static (inside, outside) tcp <66.128.96.xxx_1> 25 192.168.200.250 25 netmask 255.255.255.255

static (inside, outside) tcp <66.128.96.xxx_2> 80 192.168.200.251 80 netmask 255.255.255.255

static (inside, outside) tcp <66.128.96.xxx_3> 80 192.168.200.252 80 netmask 255.255.255.255

static (inside, outside) tcp <66.128.96.xxx_4> 80 192.168.200.253 80 netmask 255.255.255.255

Note that you have to put in the (inside, outside)

*could be other interfaces as well, as long as you put in the higher security level first and the lower security level second*

(yeah, I know, latest versions do support the other way around, but this is off topic for your question)

Your example given contains another error, because you put in the local IP (private IP) first and then the global IP (public IP). Remember that you always configure first global and then local IP within the static command. The lines provided above are correct (just replace the public IP's with the correct ones, and you'll be fine). You have to permit the sessions within an access-list and bind this access-list to the outside interface as well (but I assume you knew that already).

About PDM (I will give you my personal thoughts, which are not necessarily Cisco's thoughts).

I'm not a big fan of PDM, and I'll guess that most real PIX-nerds aren't.

I see it as another click and play GUI, just like M$-Windows *grin*

PDM contains some nice things though. It will guard you from several errors which are often made by users (like overlapping statics, or putting access-lists in while no appropriate routes are given). So, for maintaining after installation, it is a good tool, also for simple configs like SOHO it looks fine to me, but I do not think it's a great tool for configuring PIX in a way engineers do (that is, more complex configuration). Besides my opinion, you will find on CCO that all example configs are given in CLI commands, and not in PDM (typical, don't you think?)

Kind regards,

Leo

New Member

Re: Can the Pix 501 handle multiple http servers?

Leo;

You’ve been so helpful! And your personal thoughts are appreciated. There's nothing wrong with a different perspective on a product.

I’d like to just ask about one final item.

Currently, I am evaluating the capabilities of the Pix 501 against another firewall appliance in the same price range. {I will not use the name in deference to this Cisco forum, but this blue box has the name that resembles xxxxxwall.}

Now this other product has passed the ICSA Labs Firewall certification and uses a totally Web-based management that is frankly, *very* intuitive.

However, this "blue box" would require me to use one-to-one NAT to accomplish what I need to do with my limited number of assigned, public IP’s.

After server publishing, there is one IP left, that’s not sufficient for the 4 internal workstations to access the Internet. In this scenario, I’m guessing I’d have to install ISA server in the “Cache mode” and attach the workstations as winsock proxy clients. Certainly would work. But if I could avoid installing another service on the server - that would be better.

So could the Pix 501 be configured to allow the internal clients to access Internet services through the last remaining public IP through NAT? Am I making sense here? To reiterate:

While the Pix 501 is programmed to route the 3 http and 1 SMTP requests from the untrusted Internet to the proper internal IP's on the server, can it also use DHCP to hand out IP's using NAT on that 192.168.200.xxx range and let the workstations out on the final unused public IP?

Sincerely;

Ron

Silver

Re: Can the Pix 501 handle multiple http servers?

Hi Ron,

Always nice to hear that my post did help.

(that's what we're here for, aren't we?).

With PIX it is possible to PAT several inside networks (IP subnets) to one address. This address could indeed be one of the five addresses you have.

As far as I understand your case I assume you did get a /29 subnet from your provider, so you have six usable IP addresses on this /29 subnet. One is of course reserved for the provider router and one for the PIX outside interface, leaving 4 usable addresses for hosted servers.

What you can do is use these four addresses for the things we discussed before (www and mail servers) and translate all other inside hosts to the PIX outside interface's address.

In fact, all config you need for this would be:

nat (inside) 1 192.168.200.0 255.255.255.0

global (outside) 1 interface

If you would have more internal networks, let's say, network 192.168.100.0/24, you just put in an extra line saying:

nat (inside) 1 192.168.100.0 255.255.255.0

PIX will translate all the nat (inside) 1 networks to the global (outside) 1 interface.

If you do not want the servers which we already translated with the static commands to be able to start sessions from the inside to outside, but only want them to respond, you could add some lines to this config to prevent these servers from being translated when they try to initiate the session.

Here's how your config would have to be then:

nat (inside) 0 access-list nonat

nat (inside) 1 192.168.200.0 255.255.255.0

global (outside) 1 interface

access-list nonat permit ip host any

access-list nonat permit ip host any

access-list nonat permit ip host any

access-list nonat permit ip host any

access-list nonat deny ip any any

The access-list nonat is used to prevent translation if the servers initiate sessions. Response traffic is not affected by these lines, because a connected state already exists then, and no nat rules are used (neither are access-lists on response traffic).

Don't hesitate to ask if more help is needed.

Kind regards,

Leo
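The static, nat/global and nat 0 access-list behaviour Leo describes in his two replies, as an added Python model (not code from the thread, from Cisco or from the PIX itself). It parses config lines in the shape shown above, answers which inside host an inbound connection to a public address reaches, decides whether an outbound session from an inside host is exempted by the nonat list, PATed to the interface address or not translated at all, and flags the two mistakes mentioned in the thread: the global/local order error in Ron's guess, and the overlapping statics Leo says PDM guards against. The 203.0.113.0/29 block and the outside interface address 203.0.113.2 are constructed placeholders standing in for the poster's 66.128.96.xxx addresses; the inside hosts are the four Ron listed. The lookup order (nat 0 exemption first, then the nat/global pool) is a simplification of PIX behaviour, not a reimplementation.

```python
"""Toy model of the PIX 501 NAT configuration discussed in this thread.

Added example, not code from the thread or from Cisco. 203.0.113.0/29 is a
constructed documentation block standing in for the poster's public IPs; the
inside hosts are the four Ron listed. The lookup order (nat 0 exemption, then
the nat/global pool) is a simplification, not a PIX reimplementation.
"""
import ipaddress
import re

OUTSIDE_IF = "203.0.113.2"  # constructed: the PIX outside interface address

# Constructed config in the shape of Leo's replies, with placeholders filled in.
CONFIG = """
nat (inside) 0 access-list nonat
nat (inside) 1 192.168.200.0 255.255.255.0
global (outside) 1 interface
static (inside, outside) tcp 203.0.113.3 25 192.168.200.250 25 netmask 255.255.255.255
static (inside, outside) tcp 203.0.113.4 80 192.168.200.251 80 netmask 255.255.255.255
static (inside, outside) tcp 203.0.113.5 80 192.168.200.252 80 netmask 255.255.255.255
static (inside, outside) tcp 203.0.113.6 80 192.168.200.253 80 netmask 255.255.255.255
access-list nonat permit ip host 192.168.200.250 any
access-list nonat permit ip host 192.168.200.251 any
access-list nonat permit ip host 192.168.200.252 any
access-list nonat permit ip host 192.168.200.253 any
access-list nonat deny ip any any
"""

# Ron's guess with local and global swapped (constructed), for the lint check below.
BAD_STATIC = "static (inside, outside) tcp 192.168.200.251 80 203.0.113.4 80 netmask 255.255.255.255"

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
STATIC_RE = re.compile(r"^static \((\w+),\s*(\w+)\) tcp (\S+) (\d+) (\S+) (\d+) netmask (\S+)$")
NAT_RE = re.compile(r"^nat \((\w+)\) (\d+) (.+)$")
GLOBAL_RE = re.compile(r"^global \((\w+)\) (\d+) (\S+)$")
ACL_RE = re.compile(r"^access-list (\S+) (permit|deny) ip (host (\S+)|any) any$")


def is_rfc1918(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def parse_config(text):
    """Parse the subset of PIX commands used in the thread into a dict."""
    cfg = {"statics": [], "nat": [], "globals": {}, "nonat_acl": None, "acls": {}}
    for line in text.strip().splitlines():
        line = line.strip()
        if m := STATIC_RE.match(line):
            _hi, _lo, gip, gport, lip, lport, _mask = m.groups()
            cfg["statics"].append({"global_ip": gip, "global_port": int(gport),
                                   "local_ip": lip, "local_port": int(lport)})
        elif m := NAT_RE.match(line):
            _iface, nat_id, rest = m.groups()
            if rest.startswith("access-list "):
                cfg["nonat_acl"] = rest.split()[1]   # nat (inside) 0 access-list <name>
            else:
                net, mask = rest.split()
                cfg["nat"].append((int(nat_id), ipaddress.ip_network(f"{net}/{mask}")))
        elif m := GLOBAL_RE.match(line):
            _iface, gid, target = m.groups()
            cfg["globals"][int(gid)] = target        # "interface" or an explicit address
        elif m := ACL_RE.match(line):
            name, action, _src, host = m.groups()    # host is None for "any"
            cfg["acls"].setdefault(name, []).append((action, host))
    return cfg


def inbound_target(cfg, dst_ip, dst_port):
    """Inside host:port that a connection arriving at public dst_ip:dst_port is
    forwarded to, or None when no static covers it."""
    for s in cfg["statics"]:
        if s["global_ip"] == dst_ip and s["global_port"] == dst_port:
            return s["local_ip"], s["local_port"]
    return None


def outbound_translation(cfg, src_ip, outside_if=OUTSIDE_IF):
    """How an inside host's own outbound session is handled: ("exempt", src_ip) when
    the nat 0 access-list permits it, ("pat", address) when a nat/global pair covers
    it, ("none", None) when nothing matches."""
    addr = ipaddress.ip_address(src_ip)
    if cfg["nonat_acl"]:
        for action, host in cfg["acls"].get(cfg["nonat_acl"], []):
            if host is None or host == src_ip:       # first matching entry decides
                if action == "permit":
                    return "exempt", src_ip
                break
    for nat_id, net in cfg["nat"]:
        target = cfg["globals"].get(nat_id)
        if addr in net and target is not None:
            return "pat", (outside_if if target == "interface" else target)
    return "none", None


def lint_statics(cfg):
    """The two mistakes the thread mentions: global/local order swapped, and
    overlapping statics (the same public address:port mapped twice)."""
    warnings, seen = [], {}
    for s in cfg["statics"]:
        if is_rfc1918(s["global_ip"]) and not is_rfc1918(s["local_ip"]):
            warnings.append(f"global/local swapped: {s['global_ip']} is private, "
                            f"{s['local_ip']} is public")
        key = (s["global_ip"], s["global_port"])
        if key in seen:
            warnings.append(f"overlapping static: {key[0]}:{key[1]} already maps to {seen[key]}")
        seen[key] = s["local_ip"]
    return warnings


def usable_hosts(cidr):
    """Host addresses in a block, e.g. 6 for the /29 Leo assumes."""
    return len(list(ipaddress.ip_network(cidr).hosts()))


if __name__ == "__main__":
    cfg = parse_config(CONFIG)
    print("inbound 203.0.113.4:80 ->", inbound_target(cfg, "203.0.113.4", 80))
    print("server outbound        ->", outbound_translation(cfg, "192.168.200.250"))
    print("workstation outbound   ->", outbound_translation(cfg, "192.168.200.10"))
    print("lint good config       ->", lint_statics(cfg))
    print("lint Ron's guess       ->", lint_statics(parse_config(BAD_STATIC)))
    print("/29 usable hosts       ->", usable_hosts("203.0.113.0/29"))
```

Running the script with the constructed config shows the server at 192.168.200.250 leaving untranslated (so it cannot open sessions to the Internet on its own, which is the effect Leo describes), a workstation PATed to the interface address, and Ron's swapped static caught by the lint before it ever reaches a PIX.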

New Member

Re: Can the Pix 501 handle multiple http servers?

Leo;

Thanks again for all the help.

I think my choice for a firewall will be the Pix 501.

145 Views, 5 Helpful, 8 Replies