
How to add second web server behind pix 506e

18 years 1 month ago #17267 by jmbmichael
I currently have one web server that only allows a few IPs to access it; here is what is currently set in my PIX.

access-list acl_out permit icmp any any echo-reply
access-list acl_out permit icmp any any time-exceeded
access-list acl_out permit tcp host 206.129.0.252 host 69.8.23.* eq ssh
access-list acl_out permit tcp host 206.129.0.252 host 69.8.23.* eq www
access-list acl_out permit tcp host 206.129.0.252 host 69.8.23.* eq 2938
access-list acl_out permit tcp host 206.129.1.23 host 69.8.23.* eq ssh
access-list acl_out permit tcp host 206.129.1.23 host 69.8.23.* eq www
access-list acl_out permit tcp host 206.129.1.23 host 69.8.23.* eq 2938
access-list nonat permit ip 172.19.0.0 255.255.0.0 172.16.100.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 69.8.1.* 255
ip address inside 172.19.2.2 255.255.254.0
ip audit info action alarm

pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 69.8.23.* 172.19.0.11 netmask 255.255.255.255 0 0
access-group acl_out in interface outside


That is basically all the commands for the current web server. I need to add another web server for a website that anyone can access. How do I go about that? Will I need a completely different ACL, or can I just add to this one?
18 years 1 month ago #17270 by Smurf
Hi there fella,

Firstly, in response to needing a separate access list: you can only apply one access list to one interface in one direction. Therefore using the same access list is the only real way to do it (unless you apply one to "outside OUT", which I have never really seen anyone do, i.e. apply two different access lists in both directions).

Next, I can see you having a slight issue with what you are trying to do. The problem you have is that you have only got the single IP address on the external interface. Since you are using interface in your global statement, I am guessing that this is a DHCP-assigned IP from your ISP?

Here is the problem: you have the static set up to map the external IP to your internal web server, therefore I am struggling to see how you can address a further server.

If you are using IIS, for example, on the 172.19.0.11 server, you can look at implementing host headers on the IIS server. Then you can have multiple websites running off the same server. You would then have to use IIS to lock down which machines can access which sites instead of using the firewall to lock down the IP addresses.

Another way you can do it is to get an allocation of addresses from your ISP so you can set up another static command which goes to a separate server. This way it will be able to be hosted on a separate web server and you can still control access through the access lists.

Yet another way around this is to install ISA Server on the inside and then get that to redirect web traffic based on the host headers.

Finally, another way is to use a port other than port 80 for the website that has restricted access. You can then use the static command to map different ports to different servers.

For example, you can do something like this;

static (inside,outside) tcp 69.8.23.* 8002 172.19.0.11 8002 netmask 255.255.255.255 0 0

This way, you can set up your new site, the one that everyone needs access to, on port 80. For the other site, you can instruct the two users (i.e. only two IP addresses have access to it) that they need to access the site through www.the.domain.name.whatever:8002

Also, you will need to change the port that the site is running on to port 8002.

Change the access list to allow port 8002 through.

Hope it makes sense

Cheers

Wayne Murphy
Firewall.cx Team Member
www.firewall.cx

Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.
18 years 1 month ago #17313 by jmbmichael
OK, I got another IP from my ISP. Now what command would I use in my ACL to allow everyone access to my new web server but still have the restrictions on the old server?
18 years 1 month ago #17314 by Smurf
First, you would need to add a line to the access list to allow anything to your new server on port 80:

access-list acl_out permit tcp any host newexternalip eq www

Then you will need to add a static command to create a static mapping between the external IP address and the new web server on the inside:

static (inside,outside) newexternalip newserverip netmask 255.255.255.255 0 0

Hopefully it should all work

(providing the new IP address is on the same subnet and that they haven't just issued you with any old IP address)

Wayne Murphy
Firewall.cx Team Member
www.firewall.cx
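The two approaches Smurf describes (a port-based static when there is only one public address, and a plain static plus an "any" ACE once the ISP issues a second address) can be checked offline before touching the firewall. The block below is an added example, not part of the thread and not Cisco code: a small Python evaluator for the two PIX 6.x line types used above (access-list and static), run against two constructed configs. It assumes first-match ACL evaluation against the mapped (global) address, which is how a PIX 6.x outside ACL behaves and why the thread's ACEs name the 69.8.23.* addresses rather than 172.19.x. The addresses 203.0.113.10/.11 stand in for the thread's masked public IPs, 172.19.0.12 is an assumed address for the new web server, and 198.51.100.7 is an arbitrary outside host; the two permitted sources are the ones from the thread.

```python
"""Offline check of a PIX 6.x outside->inside policy: ACL first, then static translation.

Added example for the firewall.cx thread; not Cisco code. It parses the
`access-list`, `access-group` and `static` forms used in the thread and answers,
for a TCP SYN arriving on the outside interface, whether acl_out permits it and
which inside host:port the static maps it to.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

WELL_KNOWN = {"www": 80, "http": 80, "ssh": 22, "https": 443}


def port_num(tok: str) -> int:
    return WELL_KNOWN.get(tok) or int(tok)


@dataclass
class Ace:
    action: str                     # permit | deny
    proto: str                      # tcp | udp | icmp | ip
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]            # None = any destination port


@dataclass
class Static:
    proto: Optional[str]            # None = address-only static (all protocols and ports)
    mapped_ip: str
    mapped_port: Optional[int]
    real_ip: str
    real_port: Optional[int]


def parse_addr(tok, i):
    """Consume 'any' | 'host A.B.C.D' | 'A.B.C.D MASK' at tok[i]; return (network, next index)."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2


def parse_ace(line):
    # access-list NAME permit|deny PROTO SRC DST [eq PORT] [icmp-type]
    tok = line.split()
    name, action, proto = tok[1], tok[2], tok[3]
    src, i = parse_addr(tok, 4)
    dst, i = parse_addr(tok, i)
    dport = port_num(tok[i + 1]) if i < len(tok) and tok[i] == "eq" else None
    return name, Ace(action, proto, src, dst, dport)


def parse_static(line):
    # static (inside,outside) [tcp|udp] MAPPED_IP [MAPPED_PORT] REAL_IP [REAL_PORT] netmask MASK ...
    # The global (mapped) side comes first; the tcp/udp form needs a port on both sides,
    # which is exactly what "invalid global port" complains about when one is missing.
    body = line.split(")", 1)[1].split()
    if body[0] in ("tcp", "udp"):
        return Static(body[0], body[1], port_num(body[2]), body[3], port_num(body[4]))
    return Static(None, body[0], None, body[1], None)


def evaluate(config: str, src: str, dst: str, dport: int, proto: str = "tcp"):
    """Return (inside_ip, inside_port) if permitted and translated, else None (dropped)."""
    acls, statics, applied = {}, [], None
    for raw in config.strip().splitlines():
        line = raw.strip()
        if line.startswith("access-list"):
            name, ace = parse_ace(line)
            acls.setdefault(name, []).append(ace)
        elif line.startswith("static"):
            statics.append(parse_static(line))
        elif line.startswith("access-group"):
            applied = line.split()[1]
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    permitted = False                       # first matching ACE wins; no match = implicit deny
    for ace in acls.get(applied, []):
        if ace.proto in (proto, "ip") and s in ace.src and d in ace.dst and ace.dport in (None, dport):
            permitted = ace.action == "permit"
            break
    if not permitted:
        return None
    for st in statics:                      # a port static is more specific than an address static
        if st.proto == proto and st.mapped_ip == dst and st.mapped_port == dport:
            return st.real_ip, st.real_port
    for st in statics:
        if st.proto is None and st.mapped_ip == dst:
            return st.real_ip, dport
    return None                             # permitted but nothing to translate to: dropped


# Constructed sample configs (assumed addresses, see lead-in).
ALLOWED = ("206.129.0.252", "206.129.1.23")   # the two permitted sources from the thread

# Option A, one public IP: restricted site moved to 8002, public site on 80.
ONE_IP = """
access-list acl_out permit tcp host 206.129.0.252 host 203.0.113.10 eq 8002
access-list acl_out permit tcp host 206.129.1.23 host 203.0.113.10 eq 8002
access-list acl_out permit tcp any host 203.0.113.10 eq www
access-group acl_out in interface outside
static (inside,outside) tcp 203.0.113.10 8002 172.19.0.11 8002 netmask 255.255.255.255 0 0
static (inside,outside) tcp 203.0.113.10 80 172.19.0.12 80 netmask 255.255.255.255 0 0
"""

# Option B, second public IP from the ISP: both servers stay on port 80.
TWO_IP = """
access-list acl_out permit tcp host 206.129.0.252 host 203.0.113.10 eq www
access-list acl_out permit tcp host 206.129.1.23 host 203.0.113.10 eq www
access-list acl_out permit tcp any host 203.0.113.11 eq www
access-group acl_out in interface outside
static (inside,outside) 203.0.113.10 172.19.0.11 netmask 255.255.255.255 0 0
static (inside,outside) 203.0.113.11 172.19.0.12 netmask 255.255.255.255 0 0
"""


def check() -> dict:
    stranger = "198.51.100.7"
    return {
        "A: allowed host -> restricted:8002": evaluate(ONE_IP, ALLOWED[0], "203.0.113.10", 8002),
        "A: stranger -> restricted:8002": evaluate(ONE_IP, stranger, "203.0.113.10", 8002),
        "A: stranger -> public:80": evaluate(ONE_IP, stranger, "203.0.113.10", 80),
        "B: allowed host -> restricted:80": evaluate(TWO_IP, ALLOWED[1], "203.0.113.10", 80),
        "B: stranger -> restricted:80": evaluate(TWO_IP, stranger, "203.0.113.10", 80),
        "B: stranger -> public:80": evaluate(TWO_IP, stranger, "203.0.113.11", 80),
    }


if __name__ == "__main__":
    for label, result in check().items():
        print(f"{label:38} {result if result else 'DROPPED'}")
```

The point the evaluator makes visible is that the "permit tcp any host newexternalip eq www" line opens only the new mapped address; the old server's ACEs stay source-restricted, so a stranger hitting the restricted address (or the restricted port in the one-IP variant) falls through to the implicit deny. It also shows why the ACL and the static have to agree: a packet the ACL permits but no static translates is still dropped.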
18 years 1 month ago #17315 by jmbmichael
Thanks Smurf, that's exactly what I needed.
18 years 1 month ago #17316 by jmbmichael
I tried running the static (inside, outside) tcp newserverip newexternalip netmask 255.255.255.255 0 0 command from the (config)# prompt and I get the error "invalid global port newexternalip".
Any ideas why?