How to add second web server behind pix 506e

17 years 11 months ago #17317 by Smurf
Hmmm, try swapping the IP addresses. If that fails can ya send me your complete config so I can take a look (remove all the passwords).

Wayne Murphy
Firewall.cx Team Member
www.firewall.cx

Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.
17 years 11 months ago #17318 by jmbmichael
That didn't work either, here is my config.

Thanks for all the help in advance

PIX Version 6.3(3)
interface ethernet0 10full
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password encrypted
passwd encrypted
hostname lonegrove-pix
domain-name lonegrove.k12.ok.us
clock timezone CST -6
clock summer-time CDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list acl_out permit icmp any any echo-reply
access-list acl_out permit icmp any any time-exceeded
access-list acl_out permit tcp host 206.129.0.252 host 69.8.23.9 eq ssh
access-list acl_out permit tcp host 206.129.0.252 host 69.8.23.9 eq www
access-list acl_out permit tcp host 206.129.0.252 host 69.8.23.9
access-list acl_out permit tcp host 206.129.1.23 host 69.8.23.9 eq ssh
access-list acl_out permit tcp host 206.129.1.23 host 69.8.23.9 eq www
access-list acl_out permit tcp host 206.129.1.23 host 69.8.23.9 eq 2938
access-list nonat permit ip 172.19.0.0 255.255.0.0 172.16.100.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 69.8.1.37 255.255.255.252
ip address inside 172.19.2.2 255.255.254.0
ip audit info action alarm
ip audit attack action alarm
ip local pool VPN-POOL 172.16.100.
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 172.19.0.11 69.8.23.9 netmask 255.255.255.255 0 0
access-group acl_out in interface outside
route outside 0.0.0.0 0.0.0.0 69.8.1.38 1
route inside 172.19.0.0 255.255.254.0 172.19.2.1 1
route inside 172.19.4.0 255.255.254.0 172.19.2.1 1
route inside 172.19.250.0 255.255.255.0 172.19.2.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
url-server (inside) vendor n2h2 host 172.19.0.10 port 4005 timeout 5 protocol TCP
filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-pptp
telnet 172.19.0.0 255.255.0.0 inside
telnet timeout 15
ssh 208.145.229.0 255.255.255.0 outside
ssh timeout 60
console timeout 0
vpdn group LG-PPTP-VPN accept dialin pptp
vpdn group LG-PPTP-VPN ppp authentication pap
vpdn group LG-PPTP-VPN ppp authentication chap
vpdn group LG-PPTP-VPN ppp authentication mschap
vpdn group LG-PPTP-VPN ppp encryption mppe auto
vpdn group LG-PPTP-VPN client configuration address local VPN-POOL
vpdn group LG-PPTP-VPN client configuration dns 172.19.0.5 164.58.253.10
vpdn group LG-PPTP-VPN pptp echo 300
vpdn group LG-PPTP-VPN client authentication local
vpdn username cpsiadm password
vpdn username mas password
vpdn username tom password
vpdn username scott password
vpdn username regan password
vpdn enable outside
terminal width 80
Cryptochecksum:
: end
lonegrove-pix(config)#
17 years 11 months ago #17335 by Smurf
Hi there,

Just a few things that are confusing me at the moment.

1. static (inside,outside) 172.19.0.11 69.8.23.9 netmask 255.255.255.255 0 0

I thought that the syntax of this command was -- static (inside, outside) outsideip insideip netmask thenetmask

2. static (inside,outside) 172.19.0.11 69.8.23.9 netmask 255.255.255.255 0 0

The 69.8.23.9 isn't within the correct range for your external interface, so I am struggling to see how this will work?

If no-one else confirms these two points, I will try and get a chance to do a little digging :)

Cheers

17 years 11 months ago #17341 by d_jabsd

Hi there,

Just a few things that are confusing me at the moment.

1. static (inside,outside) 172.19.0.11 69.8.23.9 netmask 255.255.255.255 0 0

I thought that the syntax of this command was -- static (inside, outside) outsideip insideip netmask thenetmask


You are correct. The format is: static (inside,outside) outsideip insideip netmask insidenetmask

2. static (inside,outside) 172.19.0.11 69.8.23.9 netmask 255.255.255.255 0 0

The 69.8.23.9 isn't within the correct range for your external interface, so I am struggling to see how this will work?

If no-one else confirms these two points, I will try and get a chance to do a little digging :)

Cheers

This might work if the proper routing is in place, but unfortunately, I don't have time to test the scenario to find out. I have always used additional addresses from the same subnet.
17 years 11 months ago #17343 by Smurf
Hi jmbmichael,

I have done some reading up on stuff and I am more convinced that the issue is with the extra address you have got.

Basically, from the config you have got 69.8.1.37 255.255.255.252 on the external interface with 69.8.1.38 as the default gateway. The 255.255.255.252 subnet mask will only allow two possible host addresses, which you are now using.

The additional address cannot be added to your PIX's external interface through the static statement because it's not on the same subnet, so there is no way that with IP routing the traffic will ever reach your address.

You could do with speaking with the ISP to find out how you can resolve this in order to have two host addresses on the same subnet for you to get this working.

The only other way around it is to set up one of the hosting sites (that you limit to the two IP addresses) on a different port and let the users know that it's accessible via a different port than port 80.

If you have the resources then you can let the host headers be handled by something like ISA Server, which can then redirect to different servers.

If any of this doesn't make any sense then please let me know.

Cheers

Wayne

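As an added illustration of the two points raised above (this is not code from the thread or from Cisco): a small checker that reads the posted outside interface and static lines, flags the swapped global/local argument order, and reports whether the public address sits in the /30 and whether that /30 has any host address left. The constants are the constructed sample lines from the posted config; the "swapped order" heuristic (global address is RFC1918 while local is public) is an assumption of this example.

```python
import ipaddress
import re

# Constructed sample lines, as they appear in the posted PIX 6.3 config.
OUTSIDE_IF_LINE = "ip address outside 69.8.1.37 255.255.255.252"
STATIC_LINE = "static (inside,outside) 172.19.0.11 69.8.23.9 netmask 255.255.255.255 0 0"
DEFAULT_GW = "69.8.1.38"

STATIC_RE = re.compile(
    r"static \((?P<real>\w+),(?P<mapped>\w+)\) (?P<global>[\d.]+) (?P<local>[\d.]+) netmask (?P<mask>[\d.]+)"
)


def parse_interface(line):
    """'ip address <ifname> <addr> <mask>' -> IPv4Interface for that interface."""
    _, _, _, addr, mask = line.split()
    return ipaddress.IPv4Interface(f"{addr}/{mask}")


def check_static(static_line, outside_if, gateway):
    """Validate a PIX 6.x 'static (inside,outside) GLOBAL LOCAL netmask MASK' line.

    GLOBAL is the outside-facing address the PIX must answer for, LOCAL is the
    inside host. Returns a list of findings (empty when nothing looks wrong)."""
    m = STATIC_RE.match(static_line)
    if not m:
        return ["could not parse static line"]
    glob = ipaddress.IPv4Address(m["global"])
    loc = ipaddress.IPv4Address(m["local"])
    findings = []
    # Heuristic (assumption of this example): an RFC1918 global with a public local
    # means the two addresses were written in the wrong order.
    if glob.is_private and not loc.is_private:
        findings.append(f"argument order looks swapped: global {glob} is RFC1918, local {loc} is public")
        glob, loc = loc, glob  # evaluate the rest as if the order were corrected
    net = outside_if.network
    if glob not in net:
        findings.append(f"global {glob} is not in outside subnet {net}; reachable only if the ISP routes it to the PIX")
    # Host addresses in the outside subnet not taken by the PIX itself or the default gateway.
    used = {outside_if.ip, ipaddress.IPv4Address(gateway)}
    free = [h for h in net.hosts() if h not in used]
    if not free:
        findings.append(f"{net} has {len(list(net.hosts()))} usable host addresses and none is free for a second static")
    return findings


if __name__ == "__main__":
    for f in check_static(STATIC_LINE, parse_interface(OUTSIDE_IF_LINE), DEFAULT_GW):
        print(f)
```

With the posted lines it reports all three problems; with a corrected argument order and a wider outside subnet (for example a /29 from the ISP) it reports none.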
17 years 11 months ago #17345 by jmbmichael
What do you mean by "The 69.8.23.9 isn't within the correct range for your external interface"...