Cisco Support Community

New Member

First Web Server - Your thoughts on 2nd firewall - Have one PIX515


I am getting prepared to install our first Web Server - Apache on an NT4 box. The software vendor has recommended two firewalls and a multihomed box.

The first firewall allows port 80 and 443 traffic to NIC one; the second NIC is connected to the second firewall, this time blocking port 80 and 443 traffic.

Your suggestions on the 2nd firewall - Is there a way to do this with a switch?

Looking at 2950's and 3500 switches.

The network is 2621 to PIX 515 (5.3) to Router 2621 to Router 2621 to multihomed Web Server (NT4) to ? to Oracle Database on NT box.

Thank you...

ps my email is

New Member

Re: First Web Server - Your thoughts on 2nd firewall - Have one

You don't need the second firewall.

Just the _proper_ policies on your PIX.

Database connection can be done with the back-end network (as they are recommending to you), but my personal point of view is that this is not a very effective/reasonable design.

Don't forget - security is always the balance......


New Member

Re: First Web Server - Your thoughts on 2nd firewall - Have one


Layered security is very important to look at; that is what they are suggesting. Maybe you can accomplish this by 2 DMZs on the same router? Sometimes a totally different firewall product? Sometimes if you have all Cisco then maybe different IOS levels, because one version may have a vulnerability but the other will not have it. Maybe you can have IOS-based firewall software on the first router allowing 80 and 443, then the server, then the PIX blocking all traffic in from that point?

Another very important issue is monitoring it. So think about that also.

Sometimes people recommend having a web server or external mail server on the outside DMZs be "dumb" servers. Then the internal servers go to them and send them the info they need - like a relay. This way if someone takes over the box... they really do not have the primary server or are in your network. You mention the database on the external box?

What I would really suggest is this. Call your local Cisco Certified Partner. If you are going to purchase new parts anyway they will meet with you, they have the power to bring Cisco Engineers from Cisco and tap into Cisco's Security Specialists. Then you can all talk about a design that meets your needs. Usually this is all free to you. Then you can feel comfortable that you have the correct design.

New Member

Re: First Web Server - Your thoughts on 2nd firewall - Have one

Thank you for your reply. I did have my Cisco rep in along with an engineer. They are trying to come up with something. But it seemed that the approach they are looking at required massive amounts of money and equipment, including two new PIXes at the site and a dedicated T1 just for the web server.

The software on the web server initiates the connection to the database, checking for availability prior to booking a reservation at a hotel. My PIX, and its DMZ, along with the Internet connection are located across a 128K WAN link; I am concerned about response time if I place the web server on the PIX side of the link. On a side note: the engineer was concerned about DoS attacks bringing down the link. Is this a real concern for a small-time company?

I was planning on having the web server on its own network, using either a 3500 switch or the 2621 router for routing. I am not allowing routing on the web server.

Question - on trojan horses - I am thinking that a rule that does not allow the web server to make its own connections to the Internet would take care of that worry?
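As an added illustration (not from any poster in this thread) of the PIX policy the last post is asking about: it assumes the web server sits on a DMZ interface of the PIX rather than behind the 2621s, uses constructed addresses, and takes the Oracle listener on its default tcp/1521. The access-list/access-group form is the one PIX 5.x accepts; check it against your release.

```text
! Constructed addressing for this example (not the thread's real network):
!   outside  203.0.113.1       PIX outside interface
!   dmz      192.168.10.1/24   web server 192.168.10.10, published as 203.0.113.10
!   inside   10.1.1.0/24       Oracle on NT at 10.1.1.20, listener on tcp/1521
nameif ethernet2 dmz security50

! Publish the web server on a fixed outside address
static (dmz,outside) 203.0.113.10 192.168.10.10 netmask 255.255.255.255 0 0

! Make the database host reachable from the DMZ without translating it
static (inside,dmz) 10.1.1.20 10.1.1.20 netmask 255.255.255.255 0 0

! Outside -> DMZ: only 80 and 443 to the web server, nothing else
access-list outside_in permit tcp any host 203.0.113.10 eq 80
access-list outside_in permit tcp any host 203.0.113.10 eq 443
access-list outside_in deny ip any any
access-group outside_in in interface outside

! DMZ -> anywhere: the web server may open only the Oracle listener on the inside.
! Without this ACL the PIX lets a lower-security interface reach the Internet
! freely, which is exactly the outbound path a trojan on the box would use.
access-list dmz_out permit tcp host 192.168.10.10 host 10.1.1.20 eq 1521
access-list dmz_out deny ip any any
access-group dmz_out in interface dmz
```

The final deny also blocks DNS, NTP and any update traffic the server needs, so add those as explicit entries rather than loosening the rule. A compromised server can still reach the database listener, so the account the booking application uses should hold only the privileges that availability check and reservation need.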