Cisco Support Community
Community Member

Web Server behind PIX

We are looking at bringing our web hosting in-house and will be putting our site on our win2k server that is protected by a 506E. Couple of questions come to mind. Oh, if it helps our running config is on a 6.2(2) with all standard fixup protocol ports open. We do have vpn groups set up for external access.

1. Should we put the site behind the PIX or give it a public IP and have a 2nd NIC from the server connect to our router? Are there any routing conflicts if it's behind the firewall and our internal clients attempt to reach it since they'd be coming back & forth through the same interface?

2. If we put the server behind the PIX would it be better to just apply an ACL to it and tag an internal IP address to it and just have the PIX announce its outside interface address OR should we give it a separate public IP address? We have a /29 with a few open addresses so it can be an option for us.

Any insight or experience is again greatly appreciated.

Cisco Employee

Re: Web Server behind PIX

1. Definitely put the server behind the PIX, that's what it's designed for. There can be issues with your internal clients trying to get to it if they use its name and the name resolves to the public IP address rather than the actual internal IP address, but the PIX has a "dns" option on the static command just to get around that: See for details.

2. Not sure what you mean by the first section, but you'd give the server an internal IP address and then set up a static translation in the PIX, people would then connect to the public address you specified in the PIX and the PIX will forward it through.

Something like the following is all you should need:

> static (inside,outside) dns netmask

> access-list inbound permit tcp any host eq 80

> access-list inbound permit tcp any host eq 443 (if necessary)

> access-group inbound in interface outside

where is the public IP address you assign to the server, and is its actual internal IP address. People would connect to the public address and the PIX will send this thru to
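A complete version of the configuration described in the reply above, as an added example (not the original poster's config and not from the thread). All addresses are constructed: the public /29 is 203.0.113.176/29 with the PIX outside interface on .177 and the web server translated to .178, and the inside LAN is 192.168.1.0/24 with the server at 192.168.1.10. The `!` lines are annotations for the reader.

```cisco
! Constructed example for PIX 6.2: public block 203.0.113.176/29 (assumed),
! PIX outside interface .177, web server published on .178,
! inside LAN 192.168.1.0/24, web server really at 192.168.1.10.
ip address outside 203.0.113.177 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0

! Normal outbound PAT for the LAN is unchanged; the server gets its own
! one-to-one static below instead of sharing the interface address.
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
global (outside) 1 interface

! One-to-one static for the web server. The "dns" keyword makes the PIX
! rewrite the A record in DNS replies that pass through it, so inside
! clients resolving the public name get 192.168.1.10 instead of trying
! to reach 203.0.113.178 back through the same inside interface.
static (inside,outside) 203.0.113.178 192.168.1.10 dns netmask 255.255.255.255 0 0

! Only HTTP and HTTPS are allowed inbound to the published address;
! everything else from the outside is dropped by the PIX by default.
access-list inbound permit tcp any host 203.0.113.178 eq 80
access-list inbound permit tcp any host 203.0.113.178 eq 443
access-group inbound in interface outside
```

Because the server uses its own address from the /29 rather than the outside interface address, the VPN groups terminating on .177 are not touched by this static or ACL.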

Community Member

Re: Web Server behind PIX

Ahhhh, ok.

Since my outside interface on the PIX is /29

I can give the web server and it won't affect my acl re a vpn group coming in on .177? On top of that, then I should keep my FTP and terminal services traffic coming in on a different IP as well since I applied a static command to the web IP?
