I have a PIX 525 running ver 6.1(1) that I need to NAT multiple outside IP addresses to a single inside IP address.
My company owns a number of organisations that compete against each other in the marketplace and have different websites. We have just set up web hosting using our own servers at an ISP, and have a single web server behind the PIX that will host these multiple companies' websites. Each website has a unique IP address on the Internet and will be translated on the web server by IIS's virtual site programming, based on the DNS information.
My problem is that I need to NAT these multiple external registered IP addresses (e.g. 62.x.x.1 to 62.x.x.64) across the PIX firewall to a single internal hosted web server (10.x.x.20) through one of the DMZ interfaces.
After unsuccessfully attempting the multiple-to-any translation, I have just been informed by my supplier that the PIX cannot do this and can only translate addresses on a one-to-one basis. I must say I find this a bit odd for a firewall (this type of configuration is already working with our outgoing Watchguard firewalls so I cannot see why I can't do the same with the PIX).
I have searched Cisco's website for answers on this but cannot find anything to do with multiple-to-single address translation.
Has anyone been able to get this working in the field? We have tried reversing the NAT and Global statements on the PIX with no success.
Any help in the right direction would be very gratefully received.
Oh, by the way these websites need to go live next Monday... ;-)
Many thanks in advance,
One way to solve your problem is to assign a different port number to each web site in your DMZ and do port redirection with the PIX.
Question: How was your Web server able to identify so many virtual Web sites if they all shared the same IP address and port number (80)?
If you need help up to next Monday, I can help you.
1. Possible solution for multiple public IPs to a single private IP:
Define multiple private IP addresses for the same NIC in the same machine. For example, assign 10.10.10.20, 10.10.10.21 and 10.10.10.22 to the same single NIC.
Translate each of the public IP addresses to these multiple private IP addresses, using conduit statements. Bingo! Your problem is resolved.
2. How was your Web server able to identify so many virtual Web sites if they all shared the same IP address and port number (80)?
If you are using Microsoft IIS server, here is how you host multiple web sites on a single IP using the same port 80:
Right click on each of the virtual web sites and go to Properties. On the "Web Site" tab, change the "IP address" from "All Unassigned" to the specific IP address (only one will show up if you have assigned only one IP address, so the case in point no. 1 above is a different case).
Then click on "Advanced". In the next screen that pops up, click on the entry that you see, then click on "Edit".
In the screen that pops up, ensure the IP address is not set to "All Unassigned" and is indeed set to the IP address.
Under "Host Header Name", enter the full URL, for example http://www.123.com.
As long as your users are using Internet Explorer v5.x and above (I think any version greater than 4.x would do, but I am not too sure), this will work just fine.
For any more clarifications, send an email to email@example.com as I don't visit this so often.
Thanks for the reply.
One question - When you say
"Define multiple private IP addresses for the same NIC in the same machine. For example, assign 10.10.10.20, 10.10.10.21 and 10.10.10.22 to the same single NIC."
do you suggest that the NIC in the server has multiple IP addresses assigned to it? I am not sure this is possible as it is a Compaq server configured for NIC teaming and failover.
I understand this will then give a neat one-to-one solution as far as the PIX configuration requires, but I don't think I can ask for this to be done.
Yes, I am suggesting to assign multiple IP addresses to a single NIC.
The multiple IP addresses that you are assigning to a single NIC will be from the same subnet and hence I see no problem in the environment you are using.
I am not a programmer but I have been reliably informed that the websites run PHP scripts that analyse the header on the page being requested. This then diverts the users browser to the specific web page based on the domain name. This is why the internal server address can be a single IP address and how it can host multiple (different) websites.
Can I ask you to indicate how I would set the PIX up for port redirection, and maybe give an example of how a few external IP addresses would map across to the internal address, as I am not familiar with this?
Many thanks in advance,
About port redirection, it's easy: just indicate the port number or name within your static commands.
static (dmz1,outside) tcp outside_ip_1 www inside_ip 80 netmask 255.255.255.255
the next static:
static (dmz1,outside) tcp outside_ip_2 www inside_ip 81 netmask 255.255.255.255
and so on.
But it's perhaps better to simply assign a private IP address to each Web site; you only have to define them within IIS. With only one IP address, IIS is forced to process each request and read each packet to know which web site to redirect it to...
I would love to be able to have a single IP address per web site as that would make life easy for me!
Unfortunately our configuration has two Windows 2000 IIS servers set up as server clustering, which presents a single usable IP address for load balancing across the boxes (think of it a bit like HSRP for servers...).
On your point above, can I ask what the 80 and 81 refer to, as I cannot seem to get the PIX to take more than one "inside_ip" address before it throws out a stubborn message stating it is already mapped... is it an arbitrary number put in for lookup or has it another purpose?
I have not tried this, but I do not see any reason why this would not work. Have you tried creating multiple static commands referencing the multiple public addresses to the one private IP in your DMZ?
static (dmz,outside) 62.x.x.1 10.x.x.20 netmask 255.255.255.255 0 0
static (dmz,outside) 62.x.x.2 10.x.x.20 netmask 255.255.255.255 0 0
Remember, you will need to do a clear xlate command after modifying the statics or nat.
Also, when going from a lower to a higher security level you use static and/or conduits or access-lists.
Again, I tried this first off, but the PIX stated that it conflicted with another (same internal_ip) statement and refused to allow me to enter it. (I even tried using different names for the same address of the internal host to see if that would work, which resulted in the same thing. I am trying lateral thinking now!)
Am I trying something that simply won't work on a PIX (but will with Watchguard, Firewall-1 products etc.)? If so, I find it very hard to believe; plus, spending £16,000 on two failover units is steep if I can't get it to do what I want it to do!
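The two approaches posted in this thread (plain one-to-one statics, which the PIX rejects when the same DMZ host appears twice, and port redirection, which maps port 80 of each public address to a distinct port on the one real host) can be planned and sanity-checked before touching the firewall. The script below is an added example, not code from the thread or from Cisco; the interface pair (dmz1,outside), the access-list name outside_in and every address in it are constructed assumptions, and its conflict rule models the "already mapped" behaviour reported above.

```python
# Added example: plan PIX 6.x statics that publish several public addresses on one
# DMZ web server, and pre-check them for the one-to-one clash the PIX reports as
# "already mapped". Interface names, ACL name and addresses are constructed.
from dataclasses import dataclass
from typing import Optional

MASK = "255.255.255.255"

@dataclass(frozen=True)
class Static:
    mapped_ip: str                      # public (outside) address
    real_ip: str                        # DMZ host address
    mapped_port: Optional[int] = None   # None = plain one-to-one static
    real_port: Optional[int] = None

    def render(self) -> str:
        if self.mapped_port is None:
            return f"static (dmz1,outside) {self.mapped_ip} {self.real_ip} netmask {MASK} 0 0"
        return (f"static (dmz1,outside) tcp {self.mapped_ip} {self.mapped_port} "
                f"{self.real_ip} {self.real_port} netmask {MASK} 0 0")

def _claims_overlap(ip1, port1, ip2, port2) -> bool:
    # A plain static claims the whole address; a port static claims one port of it.
    return ip1 == ip2 and (port1 is None or port2 is None or port1 == port2)

def conflicts(statics):
    """Pairs of statics that clash on the real side (same DMZ host claimed twice,
    the rule the thread runs into) or on the mapped side (same public socket)."""
    bad = []
    for i, a in enumerate(statics):
        for b in statics[:i]:
            if (_claims_overlap(a.real_ip, a.real_port, b.real_ip, b.real_port)
                    or _claims_overlap(a.mapped_ip, a.mapped_port, b.mapped_ip, b.mapped_port)):
                bad.append((b, a))
    return bad

def plan_port_redirection(public_ips, real_ip, first_port=80):
    """Port 80 of each public address -> a distinct port on the single real host.
    IIS must then bind each site to its own port (80, 81, 82, ...)."""
    return [Static(ip, real_ip, 80, first_port + n) for n, ip in enumerate(public_ips)]

def render_config(statics):
    """Statics plus a least-privilege inbound ACL (only tcp/80 to each public IP)
    instead of a blanket conduit; run 'clear xlate' afterwards as noted above."""
    lines = [s.render() for s in statics]
    lines += [f"access-list outside_in permit tcp any host {s.mapped_ip} eq www"
              for s in statics]
    lines.append("access-group outside_in in interface outside")
    return lines
```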