
How to add second web server behind pix 506e

17 years 11 months ago #17398 by d_jabsd

I completely understand about the whole subnet issue. The only thing I can think of is our ISP is doing some of the routing (but who knows, I'm completely lost at this point). But once I added the new static command and ACL, I changed the DNS settings of one of my old websites and pointed it to my new IP address 69.8.23.* and somehow from outside of my work I can get to my website on the new server. The only issue I am having now is that I cannot get to that website or server from within my company.

Wayne, you really seem to know what you're talking about and I appreciate all the help. Can you think of any reason why I wouldn't be able to access my site from within my company?


This is the drawback of the statics and the Pix. You either have to use dns views to determine the IP based on the hostname and where you are coming from, or give the server a second name that is used only internally, or hit it via IP.

The Pix does not allow hairpinning unless you upgrade to version 7.x.

Hairpinning is traffic that does a 180 on the interface.

Your other option is to set up a dmz with the public block instead of using nat.
17 years 11 months ago #17404 by jmbmichael

This is the drawback of the statics and the Pix. You either have to use dns views to determine the IP based on the hostname and where you are coming from, or give the server a second name that is used only internally, or hit it via IP.


How would I go about doing this?
17 years 11 months ago #17410 by Smurf

The Pix does not allow hairpinning unless you upgrade to version 7.x.


I wasn't aware that this was allowed even in version 7 of the IOS. I have tried this and it failed. I'll look into it now though, as I had to completely re-address my internal addresses to get around this problem when I installed a PIX 535 in our core.

Your other option is to set up a dmz with the public block instead of using nat.


Yup, I mentioned this a few posts back. Basically, if the ISP is routing that new subnet directly to the IP address on your PIX's external interface, then you can configure the static commands (still need them in order to go from the lower security to the higher security, I think?) and then perform NAT0 to a DMZ so the webserver will then have that external IP address assigned to its interface.

You can then configure the pix to route (or NAT) to this DMZ subnet and all the internal clients will be able to work ok.

I'm still not understanding how you got this to work, as I couldn't do it in my test environment; I just couldn't get anything to go down the static translation since it was on a totally different subnet to your PIX's IP. I would love it if some of the PIX gurus in here could explain that one to me?

Anyhow, how does your internal DNS work? If you have a split DNS with the outside address only for outside clients and your own internal DNS for internal clients, you should be able to ensure that your clients just route directly to the internal address for the requests?

Cheers

Wayne

P.S. Can you now post your complete PIX config so I can take a look at it? Wanna try and understand how you managed to get this working as I am puzzled (might set up my test bed again at work).

Wayne Murphy
Firewall.cx Team Member
www.firewall.cx

Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.
17 years 11 months ago #17432 by d_jabsd

This is the drawback of the statics and the Pix. You either have to use dns views to determine the IP based on the hostname and where you are coming from, or give the server a second name that is used only internally, or hit it via IP.


How would I go about doing this?


I'm assuming you are referring to DNS views. Only works in BIND 9 or later. You set up views that will give out different answers depending on where the request was received from. So if the request comes from outside, you would return the publicly accessible address. If it came from the inside, you would return the internal address.

The PIX does have a DNS fixup that can do some of this for you, but its functionality is limited and screws a lot of things up, so BIND is the best route.

I don't think M$ dns server can do this, but I'm not sure. I avoid M$ dns like the plague...
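What the split-horizon setup described in this reply looks like in practice, as an added example that is not from the thread: a minimal BIND 9 named.conf with an "inside" view for LAN clients and an "outside" view for everyone else, so the same hostname resolves to the private server address internally and to the PIX static's public address externally. The zone name example.com, the 192.168.1.0/24 LAN and the 203.0.113.0/24 public block are placeholders.

```conf
// Added example (not from the thread): BIND 9 split-horizon views.
// Clients matching the "internal" ACL get the RFC 1918 address of the
// web server; all other clients get the public address that the PIX
// static maps to it. Addresses and zone name are placeholders.

acl "internal" { 192.168.1.0/24; 127.0.0.1; };

options {
    directory "/var/named";
    allow-recursion { internal; };   // never recurse for the Internet
};

// Views are tested in order; the first match-clients hit wins, so the
// LAN view must come before the catch-all.
view "inside" {
    match-clients { internal; };
    recursion yes;                   // LAN clients use this as resolver
    zone "example.com" {
        type master;
        file "example.com.inside";   // contains: www IN A 192.168.1.10
    };
};

view "outside" {
    match-clients { any; };
    recursion no;                    // authoritative answers only
    zone "example.com" {
        type master;
        file "example.com.outside";  // contains: www IN A 203.0.113.10
    };
};
```

Once views are in use, BIND requires every zone to live inside a view, and internal clients only match "inside" if they actually query this server, so point the LAN DHCP scope at it and confirm with a dig from each side that www returns the expected address.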
17 years 11 months ago #17437 by Smurf
Pretty sure MS DNS doesn't do that functionality. As stated, the PIX could do it if it was configured to do so; that way you would have DNS with your internal addresses and then the PIX would translate it if it went to the outside. Unfortunately I have never tried it so I cannot comment on it, but it sounds like d_jabsd has tried it and it wasn't very good.

I think there are quite a few options that have been suggested; you just need to decide which is the best and easiest for yourself.

I'm gonna set up my test bed again to try and get it working in your config as it's intriguing me now :)

Good luck

17 years 9 months ago #18889 by zillah
Thanks, I was looking for this.