Hot Downloads

Welcome, Guest
Username: Password: Remember me

TOPIC: How to add second web server behind pix 506e

How to add second web server behind pix 506e 10 years 2 months ago #17267

  • jmbmichael
  • jmbmichael's Avatar
  • Offline
  • New Member
  • Posts: 13
  • Karma: 0
I currently have one web server that only allows a few ips to access it, here is what is currently set in my pix.

access-list acl_out permit icmp any any echo-reply
access-list acl_out permit icmp any any time-exceeded
access-list acl_out permit tcp host 206.129.0.252 host 69.8.23.* eq ssh
access-list acl_out permit tcp host 206.129.0.252 host 69.8.23.* eq www
access-list acl_out permit tcp host 206.129.0.252 host 69.8.23.* eq 2938
access-list acl_out permit tcp host 206.129.1.23 host 69.8.23.* eq ssh
access-list acl_out permit tcp host 206.129.1.23 host 69.8.23.* eq www
access-list acl_out permit tcp host 206.129.1.23 host 69.8.23.* eq 2938
access-list nonat permit ip 172.19.0.0 255.255.0.0 172.16.100.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 69.8.1.* 255
ip address inside 172.19.2.2 255.255.254.0
ip audit info action alarm

pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 172.19.0.11 69.8.23.* netmask 255.255.255.255 0 0
access-group acl_out in interface outside


that is basically all the commands for the current web server. I need to add another web server for a website that anyone can access. How do I go about that. Will I need a completely different acl or can I just add to this one.
The administrator has disabled public write access.

Re: How to add second web server behind pix 506e 10 years 2 months ago #17270

  • Smurf
  • Smurf's Avatar
  • Offline
  • Moderator
  • Posts: 1390
  • Karma: 1
Hi there fella,

Firstly in response to needing a seperate access list, you can only apply one access list to one interface in one direction. Therefore using the same access list is the only real way to do it (unless you apply one to "outside OUT" which i have never really seen anyone apply two different access lists in both directions).

Next, i can see you having a slight issue with what you are trying to do. The problem you have is that you have only got the single IP Address on the external interface. Since you are using Interface in your global statement i am guessing that this is a DHCP assign IP by your ISP ?

Here is the problem, you have the static setup to map the external IP to your internal webserver, therefore i am struggling to see how you can address a further server.

If you are using IIS for example on the 172.19.0.11 server, you can look at implementing host headers on the IIS Server. Then you can have multiple websites running off the same server. You would then have to use IIS to lock down which machines can access which sites instead of using the routers to lock down the IP Addresses.

Another way you can do it is to get an allocation of addresses from your ISP so you can setup another static command which goes to a seperate server. This way it will be able to be hosted on a seperate webserver and you can still control access through the access lists.

Yet another way around this is to install ISA server on the inside and then git that to redirect web traffic based on the host headers ?

Finally, another way is to use a different port to port 80 on the website that has restricted access. You can then use the static command to map different ports to different servers.

For example, you can do something like this;

static (inside, outside) tcp 172.19.0.11 8002 69.8.23.* 8002 netmask 255.255.255.255 0 0

This way, you can setup your new site that needs everyone access to on port 80. The other site, you can instruct the two users (i.e. only two ip addresses have access to it) that you need to access the site through www.the.domain.name.whatever:8002

Also, you will need to change the port that the site is running on to port 8002.

Change the access list too allow port 8002 through.

Hope it makes sense

Cheers
Wayne Murphy
Firewall.cx Team Member
www.firewall.cx

Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.
The administrator has disabled public write access.

Re: How to add second web server behind pix 506e 10 years 1 month ago #17313

  • jmbmichael
  • jmbmichael's Avatar
  • Offline
  • New Member
  • Posts: 13
  • Karma: 0
Ok, I got another IP from my ISP. Now what command would I use in my ACL to allow everyone access to my new webserver but still have the restrictions on the old server.
The administrator has disabled public write access.

Re: How to add second web server behind pix 506e 10 years 1 month ago #17314

  • Smurf
  • Smurf's Avatar
  • Offline
  • Moderator
  • Posts: 1390
  • Karma: 1
First you would need to add a line in the access list to allow anything to your new server on port 80

access-list acl_out permit tcp any host newexternalip eq www

Then you will need to add a static command to allow a Static Mapping between the external ip address and the new webserver on the inside

static (inside, outside) tcp newserverip newexternalip netmask 255.255.255.255 0 0

Hopefully should all work

(providing the new ip address is on the same subnet and that they just havn't issued you with any old ip address)
Wayne Murphy
Firewall.cx Team Member
www.firewall.cx

Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.
The administrator has disabled public write access.

Re: How to add second web server behind pix 506e 10 years 1 month ago #17315

  • jmbmichael
  • jmbmichael's Avatar
  • Offline
  • New Member
  • Posts: 13
  • Karma: 0
thanks smurf, thats exactly what I needed.
The administrator has disabled public write access.

Re: How to add second web server behind pix 506e 10 years 1 month ago #17316

  • jmbmichael
  • jmbmichael's Avatar
  • Offline
  • New Member
  • Posts: 13
  • Karma: 0
I tried running the static (inside, outside) tcp newserverip newexternalip netmask 255.255.255.255 0 0 command from the (config)# and I get the error invalid global port newexternalip
any ideas why
The administrator has disabled public write access.
Time to create page: 0.084 seconds

CCENT/CCNA

Cisco Routers

  • SSL WebVPN
  • Securing Routers
  • Policy Based Routing
  • Router on-a-Stick

VPN Security

  • Understand DMVPN
  • GRE/IPSec Configuration
  • Site-to-Site IPSec VPN
  • IPSec Modes

Cisco Help

  • VPN Client Windows 8
  • VPN Client Windows 7
  • CCP Display Problem
  • Cisco Support App.

Windows 2012

  • New Features
  • Licensing
  • Hyper-V / VDI
  • Install Hyper-V

Linux

  • File Permissions
  • Webmin
  • Groups - Users
  • Samba Setup