How to add second web server behind pix 506e
What do you mean by "The 69.8.23.9 isn't within the correct range for your external interface"?
On your external interface you have configured a subnet mask of 255.255.255.252. This gives you 4 addresses separated by that subnet, only two of which are routable.
69.8.23.9/30 would give you a completely different subnet, which therefore isn't addressable on the current IP which is on your interface.
It's basically a way of dividing down your network into sections which all then need to be routed. You have a NetworkID and a HostID portion of the address range.
I would recommend taking a quick look at the Subnetting section on this site to help you understand this concept: www.firewall.cx/ip-subnetting-intro.php
Hope it helps ya.
Wayne Murphy
Firewall.cx Team Member
www.firewall.cx
Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.
- jmbmichael
access-list acl_out permit tcp any host newexternalip eq www
static (inside, outside) tcp 69.8.23.* 172.19.2.5 netmask 255.255.255.255 0 0
and the outside world sees my server as 69.8.23.* but I see it through Internet Explorer or ping it. But I cannot ping the other web server either, so I'm guessing that's just another ACL command. Why would I not be able to access it by IP address?
I see what you're saying about the 69.8.23.9/30 not being the correct subnet, but somehow those IP addresses are able to access my 69.8.23.9 address. And the ISP has given me a group of /30 IP addresses to use for other servers.
Hmm, that's ok if they have given you a new 30-bit address space, but I'm struggling to see how it's going to route to the PIX. We do something similar at work, but our ISP routes the traffic through our PIX because we are doing NAT0 directly to a zone on the PIX, therefore all the routing is handled directly by the PIX using the subnet that's on our external interface.
Quote: "but somehow those ip addresses are able to access my 69.8.23.9 address"
Can you expand on this statement a little? What do you mean those IP addresses are able to access the .9 address? Which IP addresses do you mean?
Quote:
I added the following commands to my pix
access-list acl_out permit tcp any host newexternalip eq www
static (inside, outside) tcp 69.8.23.* 172.19.2.5 netmask 255.255.255.255 0 0
and the outside world sees my server as 69.8.23.* but I see it through internet explorer or ping it. But I cannot ping the other web server either so I'm guessing thats just another acl command. Why would I not be able to access it by ip address.
Sorry, but I don't quite understand this statement. 69.8.23.* is the new address and you can now access this from outside? Have you removed the other static command?
Cheers, and please bear with me as I am intrigued with this now.
Wayne Murphy
I have set this up on a PIX 501 and configured a router to simulate your external link. I am unable to talk to the 69.8.23.9 address, so I am not quite sure how you have managed to talk to them.
Here is the issue:
Your external IP address is on the 69.8.23.36/30 network (69.8.23.37). You are trying to get the 69.8.23.8/30 subnet on this interface also. This just ain't going to work due to basic IP subnetting and routing.
That said, we do something very similar in our environment which may work if you wanted to do it (and also if the PIX 506e supports it, as I cannot remember what interfaces it has). Anyhow, we have another subnet configured on our external interface and the ISP routes the traffic to that subnet direct to the PIX interface's IP address (i.e. in your case it would be 69.8.1.37).
We then NAT0 our new subnet through to another interface off our PIX; the servers in that DMZ have that address physically assigned to them.
This may work, but it would require you setting up the new address range in the DMZ, which will also need routing changes so hosts inside can get to them.
Unless someone else corrects me, I am fairly sure this new address range is never going to work.
I would suggest speaking with your ISP and getting a bigger range with a minimum of 255.255.255.248, which will give you 6 hosts. Then you can set up the statics ok, as the addresses will be routable over the internet.
Cheers
Wayne
Wayne Murphy
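The subnet arithmetic behind both of Wayne's replies (why 69.8.23.9 is not on the /30 that holds 69.8.23.37, and why a /29 with mask 255.255.255.248 gives 6 usable hosts) can be checked before touching the PIX. The script below is an added example for this thread, not code from either poster or from Cisco; it uses Python's standard ipaddress module. The assumption that 69.8.23.38 is the ISP's side of the link is mine, made so that the /30 shows up as having no spare address for a second static.

```python
import ipaddress


def subnet_facts(cidr):
    """Network, broadcast, mask and usable host addresses for an address/prefix."""
    net = ipaddress.ip_network(cidr, strict=False)
    hosts = [str(h) for h in net.hosts()]
    return {
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "netmask": str(net.netmask),
        "usable_hosts": hosts,
        "usable_count": len(hosts),
    }


def static_global_check(interface_cidr, global_ip):
    """Can global_ip be used as the outside address of a static on a PIX whose
    outside interface is interface_cidr, without the ISP routing an extra block
    to the PIX? Returns (ok, reason)."""
    iface = ipaddress.ip_interface(interface_cidr)
    net = iface.network
    addr = ipaddress.ip_address(global_ip)
    if addr not in net:
        # Same prefix length, different network: the ISP's router will not
        # ARP for it on this link, so traffic never reaches the PIX.
        other = ipaddress.ip_network(f"{addr}/{net.prefixlen}", strict=False)
        return False, f"{addr} is on {other}, not on the interface subnet {net}"
    if addr in (net.network_address, net.broadcast_address):
        return False, f"{addr} is the network or broadcast address of {net}"
    return True, f"{addr} is a host address on {net}"


def free_global_addresses(interface_cidr, in_use):
    """Usable hosts on the interface subnet that are not already taken."""
    net = ipaddress.ip_interface(interface_cidr).network
    used = {ipaddress.ip_address(a) for a in in_use}
    return [str(h) for h in net.hosts() if h not in used]


if __name__ == "__main__":
    # Constructed values from the thread: PIX outside is 69.8.23.37/30,
    # ISP gateway assumed to be 69.8.23.38, desired second static on 69.8.23.9.
    pix_outside = "69.8.23.37/30"
    taken = ["69.8.23.37", "69.8.23.38"]  # PIX + assumed ISP side
    print(subnet_facts(pix_outside))
    print(static_global_check(pix_outside, "69.8.23.9"))
    print("free on /30:", free_global_addresses(pix_outside, taken))
    # What a /29 from the ISP would give instead.
    print(subnet_facts("69.8.23.37/29"))
    print("free on /29:", free_global_addresses("69.8.23.37/29", taken))
```

Running it shows the /30 has exactly two host addresses, both consumed by the PIX and the ISP router, so there is nowhere to put a second global address; the /29 has six, four of which are free for statics.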
- jmbmichael
Wayne, you really seem to know what you're talking about and I appreciate all the help. Can you think of any reason why I wouldn't be able to access my site from within my company?