PIX 501 as Web Server Firewall

admin_2
Level 3

Hello,

At the suggestion of a colleague we purchased a PIX 501 firewall to protect our new Win2003 web server and UNIX/Oracle DB server.

I have never worked with firewalls before.

Our servers are located in a cage at the ISP and belong to us. There are only two servers providing the web site. I have read the documentation in the Getting Started book and it doesn't seem to answer my question.

We have 2 web sites with different IP numbers on our web server. Let's say 140.5.5.4 and 140.5.5.5. I understand that I will reassign the numbers to work with the firewall (192...) but I don't understand how the routers at the ISP will be able to route the requests for both web sites to the firewall when it has a single IP number, say 140.5.5.1?

Any help is appreciated.

Thank you, Jerry


r-lemaster
Level 1

The 501 is not an appropriate firewall for your environment because of its licensing and form factor. Consider a 515.

With NAT, your firewall will listen for the local addresses behind it.

You may need more than the "Getting Started" guide to set up the PIX. It's not designed for firewall newbies. There are some good books on Amazon or Cisco Press that explain setting up PIX in detail. If you get into too much of a jam, LMK and maybe I can help for a modest consulting fee.

rhugo
Level 3

Jerry,

what you are referring to is called port redirection. Say you have a PIX that has a static public IP address of 12.1.1.1 and your web servers are 12.1.1.2 and 12.1.1.3 respectively. Port redirection is really a 2-step process:

* a static translation of the public IP address of the PIX (12.1.1.1) to the address of the web server (12.1.1.2) ....

static (inside,outside) tcp 12.1.1.1 www 12.1.1.2 www netmask 255.255.255.255 0 0

* a conduit statement that basically states "any web requests should be allowed in on the PIX outside interface".....

conduit permit tcp host 12.1.1.1 eq www any

Here is a link that will help to clarify this:

www.cisco.com/warp/customer/707/28.html

This should get you started. As far as the basic configuration, there should be config examples on the Cisco site, if you have CCO access.

Let me know if this helps.

Rob H.

Not applicable

Hello Rob,

Thank you for the valuable information. I tried clicking on your link but I get an Authentication Error even though I am logged on to the Cisco.com site. Probably you have a different layer of support or something. If you do know how I could get to this page that would be helpful; if not, I understand.

Thanks, Jerry

rhugo
Level 3

BTW, the 501 is perfectly fine for your environment, depending on the level of web traffic your sites receive. That's FREE ADVICE.

:)

RH

OK, I'll elaborate. The 501 is limited to 10 connections (total, not concurrent). That means that once you have reached 10 connections, the firewall will deny any further connections (in or out) until you reboot. An average web page can contain up to 20 or so connections, depending on images, etc., so if you use a 501 to protect a web site it will probably stop taking connections within an hour or so (depending on traffic), until you reboot. You can upgrade to an unlimited license, but that will cost about as much as a 506 PIX, which is a much better firewall. Neither form factor is rack-optimized, but the 515 is. So, if you're putting your servers in a rack in a colo, people typically use a 515 because it's built for that kind of environment. A 501 is not. It's designed for a 10 user workgroup without any public hosts. I'm speaking from experience because I've done this before. If you'd like to verify this, check the Cisco documentation for 501 licensing.

You are right when you speak about the licensing, but that is based on internal hosts, and from talking with Cisco this is done via the ARP table. If 10 different hosts on the INTERNAL network establish connections to the outside, then the 11th host will be denied, but internal connections from the outside to the inside are unlimited. I have a 501 that is sitting in front of a webserver now and there are no problems with it AT ALL.

Hey elijah-

What licensing do you have? 10,50,unlimited?

What kind of hits do you get to your www site?

This is the first I've heard about using the internal ARP table. I'd like to see if I can reproduce this on my LAN.

I have 10

I hate plugging my website, but I get about 500 to 700 hits a day on my home site. Think about it: with all the Code Red crap still running wild on the net, which I find just ridiculous, that would take up your 10 connections alone. If you want, contact me off the message board and I will provide you links and my log file to show you that from Code Red crap alone I get close to 6000 connects a day, which ticks me off. So valid hits on my webserver are about 500 to 700 hits per day.

Hey elijah-

Can we take this offline? Can I see your sh run? I'm trying to see if I can reproduce this myself. My email is rklemaster@hotmail.com .

I have sent what you asked for. But even if you do a show ver you will see that it tells you the limit is for inside hosts, not total connections on the box itself.

pixfirewall up 5 mins 34 secs

Hardware: PIX-501, 16 MB RAM, CPU Am5x86 133 MHz
Flash E28F640J3 @ 0x3000000, 8MB
BIOS Flash E28F640J3 @ 0xfffd8000, 128KB

0: ethernet0: address is 000a.411e.f554, irq 9
1: ethernet1: address is 000a.411e.f555, irq 10

Licensed Features:
Failover: Disabled
VPN-DES: Enabled
VPN-3DES-AES: Disabled
Maximum Interfaces: 2
Cut-through Proxy: Enabled
Guards: Enabled
URL-filtering: Enabled
Inside Hosts: 10
Throughput: Unlimited
IKE peers: 10

This is good info, elijah.

I'd prefer to take this offline.

I have not received an email from you.

Pls. resend or post your email here.

mostiguy
Level 6

The firewall can have multiple IP addresses on it. There will be a legitimate IP address assigned to the outside ethernet interface of the firewall, but you can add additional IP addresses to it via the global command.
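Putting Rob's two-step port redirection together with the point that the firewall can answer for more than one public address, here is an added PIX 6.x configuration fragment that is not from any post in this thread. It assumes the two web servers are renumbered to 192.168.1.4 and 192.168.1.5, that 140.5.5.0/24 is the outside subnet the ISP already routes to this segment with its router at 140.5.5.254, and that the Oracle server (192.168.1.6) gets no static and no conduit at all.

```text
: Added example, not from this thread. Assumed addressing: outside 140.5.5.1/24,
: inside 192.168.1.0/24, web server 1 = 192.168.1.4, web server 2 = 192.168.1.5,
: Oracle server = 192.168.1.6 (deliberately has no static or conduit).
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 140.5.5.1 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 140.5.5.254 1
: Outbound traffic from the inside hosts (DNS, updates) hides behind the outside address.
nat (inside) 1 192.168.1.0 255.255.255.0
global (outside) 1 interface
: One static per public address and port. Because 140.5.5.4 and .5 lie in the
: outside subnet, the PIX answers ARP for them itself, so the ISP router keeps
: delivering them to this segment and needs no extra route.
static (inside,outside) tcp 140.5.5.4 www 192.168.1.4 www netmask 255.255.255.255 0 0
static (inside,outside) tcp 140.5.5.5 www 192.168.1.5 www netmask 255.255.255.255 0 0
: Inbound permission limited to exactly the two translated ports; nothing else on
: the inside (the Oracle listener in particular) is reachable from outside.
conduit permit tcp host 140.5.5.4 eq www any
conduit permit tcp host 140.5.5.5 eq www any
```

On later PIX 6.x releases the same inbound permission is written as an access-list applied with access-group on the outside interface; conduit is used here because that is what the thread uses.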
