We are looking at bringing our web hosting in-house and will be putting our site on our win2k server that is protected by a 506E. Couple of questions come to mind. Oh, if it helps our running config is on a 6.2(2) with all standard fixup protocol ports open. We do have vpn groups set up for external access.
1. Should we put the site behind the PIX or give it a public IP and have a 2nd NIC from the server connect to our router? Are there any routing conflicts if it's behind the firewall and our internal clients attempt to reach it since they'd be coming back & forth through the same interface?
2. If we put the server behind the PIX would it be better to just apply an ACL to it and tag an internal IP address to it and just have the PIX announce its outside interface address OR should we give it a separate public IP address? We have a /29 with a few open addresses so it can be an option for us.
Any insight or experience is again greatly appreciated.
1. Definitely put the server behind the PIX, that's what it's designed for. There can be issues with your internal clients trying to get to it if they use its name and the name resolves to the public IP address rather than the actual internal IP address, but the PIX has a "dns" option on the static command just to get around that: See http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/cmdref/s.htm#1026694 for details.
2. Not sure what you mean by the first section, but you'd give the server an internal IP address and then set up a static translation in the PIX, people would then connect to the public address you specified in the PIX and the PIX will forward it through.
Something like the following is all you should need:
> static (inside,outside) 18.104.22.168 10.1.1.1 dns netmask 255.255.255.255
> access-list inbound permit tcp any host 18.104.22.168 eq 80
> access-group inbound in interface outside
where 18.104.22.168 is the public IP address you assign to the server, and 10.1.1.1 is its actual internal IP address. People would connect to the 18.104.22.168 public address and the PIX will send this thru to 10.1.1.1.
Since my outside interface on the PIX is 207.XXX.xxx.177 /29
I can give the web server 207.xxx.xxx.179 and it won't affect my acl re a vpn group coming in on .177? On top of that, then I should keep my FTP and terminal services traffic coming in on a different IP as well since I applied a static command to the web IP?
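The following is an added example, not code from the thread or from Cisco: a small Python model of the static/ACL pair in the answer above and of the follow-up question about picking a separate .179 address from the /29. It shows what the `dns` keyword on `static` does to a DNS reply crossing from outside to inside (the public A record is rewritten to the server's real address, so inside clients never try to reach the public IP back through the outside interface), how an inbound packet is matched against the global address on PIX 6.x before the static maps it to the server, and a sanity check that a candidate global IP lies inside the outside /29 and does not collide with the interface or router address. The `203.0.113.176/29` block, the `check_global_ip` helper and the `reserved` table are constructed stand-ins for the poster's `207.xxx.xxx.176/29`; the 18.104.22.168 / 10.1.1.1 pair is the one used in the answer.

```python
# Added example (not from the thread): a behaviour model of the PIX 6.2 'static'
# and 'access-list' lines quoted above, plus an address-planning check for the /29.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Static:
    inside_if: str
    outside_if: str
    global_ip: str   # public address the PIX answers for
    local_ip: str    # real address of the server behind the PIX
    dns: bool        # True when the "dns" keyword is present on the static


def parse_static(line: str) -> Static:
    """Parse 'static (inside,outside) GLOBAL LOCAL [dns] netmask MASK' (PIX 6.x form)."""
    parts = line.split()
    if len(parts) < 4 or parts[0] != "static":
        raise ValueError(f"not a static command: {line!r}")
    inside_if, outside_if = parts[1].strip("()").split(",")
    return Static(inside_if, outside_if, parts[2], parts[3], "dns" in parts[4:])


def parse_acl(line: str) -> dict:
    """Parse the 'access-list NAME permit|deny PROTO any host IP eq PORT' form used above."""
    p = line.split()
    if len(p) != 9 or p[0] != "access-list" or p[2] not in ("permit", "deny") or p[5] != "host":
        raise ValueError(f"unsupported ACL line: {line!r}")
    return {"name": p[1], "action": p[2], "proto": p[3], "dst": p[6], "port": int(p[8])}


def inbound_decision(acl: list, statics: list, proto: str, dst_ip: str, port: int):
    """Outside-to-inside packet. On PIX 6.x the inbound ACL is matched against the
    global (untranslated) address; a permitted packet is then sent to the static's
    local address. Returns the server's real IP, or None if dropped."""
    for ace in acl:
        if ace["proto"] == proto and ace["dst"] == dst_ip and ace["port"] == port:
            if ace["action"] != "permit":
                return None
            for s in statics:
                if s.global_ip == dst_ip:
                    return s.local_ip
            return None          # permitted by ACL but no translation exists
    return None                  # implicit deny at the end of the ACL


def doctor_dns_reply(statics: list, a_records: list) -> list:
    """DNS reply crossing outside->inside. With 'dns' on the static the PIX rewrites
    a public A record to the internal address; without it the record passes unchanged
    and inside clients would try to reach the public IP via the outside interface."""
    rewritten = []
    for addr in a_records:
        hit = next((s for s in statics if s.dns and s.global_ip == addr), None)
        rewritten.append(hit.local_ip if hit else addr)
    return rewritten


def check_global_ip(candidate: str, outside_cidr: str, reserved: dict) -> str:
    """Return 'ok' or the reason a candidate global IP must not be used on the outside /29."""
    net = ip_network(outside_cidr, strict=False)
    ip = ip_address(candidate)
    if ip not in net:
        return "not in outside subnet"
    if ip in (net.network_address, net.broadcast_address):
        return "network or broadcast address"
    if candidate in reserved:
        return f"already used by {reserved[candidate]}"
    return "ok"


if __name__ == "__main__":
    statics = [parse_static("static (inside,outside) 18.104.22.168 10.1.1.1 dns netmask 255.255.255.255")]
    acl = [parse_acl("access-list inbound permit tcp any host 18.104.22.168 eq 80")]
    print(inbound_decision(acl, statics, "tcp", "18.104.22.168", 80))   # 10.1.1.1 (web is allowed in)
    print(inbound_decision(acl, statics, "tcp", "18.104.22.168", 21))   # None (FTP not in the ACL)
    print(doctor_dns_reply(statics, ["18.104.22.168"]))                 # ['10.1.1.1']
    # Constructed /29 standing in for the poster's 207.xxx.xxx.176/29 (documentation range).
    reserved = {"203.0.113.177": "PIX outside interface (VPN termination)",
                "203.0.113.178": "upstream router"}
    for cand in ("203.0.113.179", "203.0.113.177", "203.0.113.183", "203.0.113.184"):
        print(cand, check_global_ip(cand, "203.0.113.176/29", reserved))
```

The address check is the part that answers the follow-up: a static for .179 is a different host from the .177 interface address, so the interface's own ACL and VPN bindings are untouched, whereas reusing .177 would collide with the interface and .183 is the subnet's broadcast address.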