New Member

How to configure to let web surfers into my web server behind PIX 501

I have 1 web server, hosting 4 web sites. IP addresses are as:

the web server box itself: 192.168.111.11

1st web site on this box has IP 192.168.111.101

2nd web site on this box has IP 192.168.111.102

3rd web site on this box has IP 192.168.111.103

4th web site on this box has IP 192.168.111.104

My OUTSIDE interface has (let's say) 205.200.20.5

My INSIDE interface has 192.168.111.1

I want to let outside web traffic into my web server box which is hosting 4 sites. I only want to let people in with HTTP and HTTPS.

How should I do it, and also for flexibility purposes, say tomorrow I want to host my site #3 on a different web server but still with the same IP, can I selectively route certain web traffic to different web server boxes?

Also, I want to open another port, say, 8080 for administrative purposes. Can I route HTTP or HTTPS addressed to certain port # to the webserver also?

2 ACCEPTED SOLUTIONS
Cisco Employee

Re: How to configure to let web surfers into my web server behind PIX 501

You'll have to create port-mapped statics, but if you only have the one external IP address that people can connect to, they'll need to connect to a specific port in the URL to differentiate what internal web server they actually want to go to.

For example:

> static (inside,outside) tcp 205.200.20.5 80 192.168.111.101 80 netmask 255.255.255.255

> static (inside,outside) tcp 205.200.20.5 81 192.168.111.102 80 netmask 255.255.255.255

> static (inside,outside) tcp 205.200.20.5 82 192.168.111.103 80 netmask 255.255.255.255

> static (inside,outside) tcp 205.200.20.5 83 192.168.111.104 80 netmask 255.255.255.255

will map connections for 205.200.20.5 on port 80 through to port 80 on 192.168.111.101. Connections coming in on port 81 will be mapped through to port 80 on 192.168.111.102. Connections coming in on port 82 will be mapped through to port 80 on 192.168.111.103, and so on.

You can't just map any traffic coming in on port 80 to the 4 different internal web servers, because how is the PIX going to know which one to send the traffic to?

To allow the access in, along with the statics shown above, you'd need:

> access-list inbound permit tcp any host 205.200.20.5 eq 80

> access-list inbound permit tcp any host 205.200.20.5 eq 81

> access-list inbound permit tcp any host 205.200.20.5 eq 82

> access-list inbound permit tcp any host 205.200.20.5 eq 83

> access-list inbound permit tcp any host 205.200.20.5 eq 443

> access-group inbound in interface outside

HTTPS is also going to be a problem, because similarly to HTTP you'll have to use different ports to differentiate which specific internal web server you want them to go to (and allow those ports in your "inbound" ACL above).

For port 8080, just do the following:

> static (inside,outside) tcp 205.200.20.5 8080 192.168.111.10x 8080 netmask 255.255.255.255

> access-list inbound permit tcp any host 205.200.20.5 eq 8080

As you can probably guess, this isn't going to work really well if you only have the one external IP address, since Internet users aren't going to know to specify a specific port number so that they get through to a specific internal host. You may need a unique external address for each internal web server for this to work in reality.
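The port-mapping scheme from the reply above, generalised to HTTP and HTTPS for all four hosts and to the 8080 admin port, as an added example that is not code from this thread or from Cisco. It emits the PIX 6.x `static` and `access-list` lines from one mapping table and refuses a table that maps the same outside port twice, which the PIX cannot translate. The addresses and ports 80-83 come from the question; the HTTPS outside ports 443-446 and the 198.51.100.0/24 management network allowed to reach 8080 are assumptions made here.

```python
"""Generate PIX 6.x port-mapped statics and the matching inbound ACL
for several internal web servers behind one outside address.

Added example, not code from the original thread. Addresses and ports
80-83 come from the question; the HTTPS outside ports 443-446 and the
management network for port 8080 are assumptions made here."""

from dataclasses import dataclass

OUTSIDE_IP = "205.200.20.5"
NETMASK = "255.255.255.255"


@dataclass(frozen=True)
class PortMap:
    ext_port: int         # port clients hit on the outside address
    inside_ip: str        # real server address behind the PIX
    inside_port: int      # port the server actually listens on
    source: str = "any"   # ACL source clause, e.g. "host 198.51.100.7"


# Constructed mapping table: one distinct outside port per inside site,
# because a single outside address cannot carry port 80 for four hosts.
MAPPINGS = [
    PortMap(80, "192.168.111.101", 80),
    PortMap(81, "192.168.111.102", 80),
    PortMap(82, "192.168.111.103", 80),
    PortMap(83, "192.168.111.104", 80),
    PortMap(443, "192.168.111.101", 443),
    PortMap(444, "192.168.111.102", 443),
    PortMap(445, "192.168.111.103", 443),
    PortMap(446, "192.168.111.104", 443),
    # Admin port: reachable only from an assumed management network,
    # not from "any", since it exposes administrative functions.
    PortMap(8080, "192.168.111.101", 8080,
            source="198.51.100.0 255.255.255.0"),
]


def validate(mappings):
    """Reject two mappings that claim the same outside port: the PIX can
    translate a given outside ip/port pair to only one inside host."""
    owner = {}
    for m in mappings:
        if m.ext_port in owner:
            raise ValueError(
                f"outside port {m.ext_port} already mapped to "
                f"{owner[m.ext_port]}")
        owner[m.ext_port] = m.inside_ip
    return True


def render_config(mappings, outside_ip=OUTSIDE_IP, acl="inbound"):
    """Return the static, access-list and access-group lines as a list."""
    validate(mappings)
    statics = [
        f"static (inside,outside) tcp {outside_ip} {m.ext_port} "
        f"{m.inside_ip} {m.inside_port} netmask {NETMASK}"
        for m in mappings
    ]
    # On PIX 6.x the ACL applied to the outside interface matches the
    # global (outside) address and port, not the translated inside one.
    acl_lines = [
        f"access-list {acl} permit tcp {m.source} host {outside_ip} "
        f"eq {m.ext_port}"
        for m in mappings
    ]
    return statics + acl_lines + [f"access-group {acl} in interface outside"]


if __name__ == "__main__":
    print("\n".join(render_config(MAPPINGS)))
```

Paste the printed lines into configuration mode; `validate()` is what catches the mistake of giving two sites the same outside port, which the PIX would otherwise accept only for the first `static` entered.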

Silver

Re: How to configure to let web surfers into my web server behind PIX 501

If you only have a single public IP, you can use host headers on the web server and use a single IP internally and externally. The GET request will have the host name in the header of the request. The web server uses this to figure out which website the user wants even though all the FQDNs of the sites resolve to the same IP. This way, you won't need to use multiple IPs/ports that your firewall and users must deal with.
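The host-header dispatch described in the reply above, as an added example that is not code from this thread: a request parser that picks the site from the `Host` header so that all four sites can share one outside IP and port 80 through a single `static`. The site names are assumptions; the backend addresses are the ones from the question. It also handles the cases a real server has to get right: an HTTP/1.0 client that sends no `Host` (falls back to a default site), an HTTP/1.1 request with no `Host` (rejected, as the RFC requires), an absolute-form request target whose host wins over the header, and case or `:port` noise in the header value.

```python
"""Pick the target web site from the HTTP Host header so that several
sites can share one IP address and one port.

Added example, not code from the original thread. The site names are
assumptions; the backend addresses are the ones in the question."""

from typing import Optional

# Host header value (lower-case, no port) -> site address on the server.
SITES = {
    "www.site1.example": "192.168.111.101",
    "www.site2.example": "192.168.111.102",
    "www.site3.example": "192.168.111.103",
    "www.site4.example": "192.168.111.104",
}
DEFAULT_SITE = "www.site1.example"   # serves requests with no usable Host


def parse_request(raw: bytes):
    """Split a raw request head into (method, target, version, headers)."""
    head = raw.partition(b"\r\n\r\n")[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, version, headers


def requested_host(raw: bytes) -> Optional[str]:
    """Return the host the client asked for, or None if it gave none."""
    _method, target, version, headers = parse_request(raw)
    # Absolute-form target ("GET http://host/path") carries the host
    # itself and takes precedence over the Host header.
    if target.lower().startswith("http://"):
        host = target[len("http://"):].split("/", 1)[0]
    else:
        host = headers.get("host")
        if host is None:
            if version == "HTTP/1.1":
                # HTTP/1.1 requires Host; a server should answer 400.
                raise ValueError("HTTP/1.1 request without Host header")
            return None   # HTTP/1.0 clients may legitimately omit Host
    return host.split(":", 1)[0].lower()   # drop :port, normalise case


def select_site(raw: bytes) -> str:
    """Return the site name that should serve this request."""
    host = requested_host(raw)
    if host is None or host not in SITES:
        return DEFAULT_SITE
    return host


if __name__ == "__main__":
    # Constructed sample request, not captured traffic.
    sample = b"GET /index.html HTTP/1.1\r\nHost: www.site3.example\r\n\r\n"
    site = select_site(sample)
    print(site, "->", SITES[site])
```

The dispatch key is only the host name, so the firewall needs one `static` for port 80 and one for 443, and adding a fifth site means adding a dictionary entry, not a new outside port.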

3 REPLIES
Silver

Re: How to configure to let web surfers into my web server behind PIX 501

Host headers will work great so long as the OP is not using SSL. SSL doesn't grok host headers. The OP can have an HTTP web server running an infinite # of HTTP sites with host headers all through port 80, and another single site with SSL on 443, but multiple SSL sites will require multiple port usage.
