PIX with H & S VPN: DMZ hosting web server on the hub
Ok
Here's a problem which I think would be quite common for those even remotely conscious of security. Unfortunately, my knowledge of the PIX (as well as other Cisco devices) is still in the 'growth' phase.
So, here's the problem. I have a WAN in place with PIXen and SonicWalls, set up in essentially a hub-and-spoke design (fine, OK, it is partially meshed). We recently decided to pull the trigger on getting a 'real' web site, and getting it up and rolling went relatively well (even with my 3-day notice/deadline), but here's the problem: I set up the web server on the DMZ of the hub PIX, and I figured out (the easy part) how to set things up so that people in the home office can connect to the web server using its internal address, but I don't know what to do for people in remote offices with VPN connections to home. I tried defining static routes, I tried adding the DMZ to the VPN trigger, I tried both of those together, and I checked that I have rules allowing traffic from the VPN to the DMZ, as on the inside. So, what else can I try?
I have no problem configuring a PIX for all the basic stuff and VPN; even at this stage I can do most of it through the CLI (even if I still prefer to do more through the PDM). My biggest stumbling block on the PIX so far has been whenever I actually involve this pesky DMZ...
I actually have two PIXes in my office and two for my home networks (one for my place in the States and one for my place in Japan), so if you can help me, I'll be solving two problems and won't forget to rate you excellent!
So I guess that leaves me at the place where I scream...
Help!
And I humbly await your comments.
Your current PIX configuration should look something like this (values in angle brackets are placeholders for your own networks, peer address and pre-shared key):
access-list 101 permit ip <local-lan> <mask> <remote-lan> <mask>
access-list 110 permit ip <local-lan> <mask> <remote-lan> <mask>
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
sysopt connection permit-ipsec
crypto ipsec transform-set superset esp-3des esp-md5-hmac
crypto map myvpn 10 ipsec-isakmp
crypto map myvpn 10 match address 110
crypto map myvpn 10 set peer <peer-ip>
crypto map myvpn 10 set transform-set superset
crypto map myvpn interface outside
isakmp enable outside
isakmp key <pre-shared-key> address <peer-ip> netmask 255.255.255.255
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
Now, to add the DMZ on top of the existing VPN, add the following to the PIX (and apply the same concept on the remote-end device):
access-list 102 permit ip <dmz-net> <mask> <remote-lan> <mask>
access-list 110 permit ip <dmz-net> <mask> <remote-lan> <mask>
nat (dmz) 0 access-list 102
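As an added illustration (not part of the original answer), the following Python model shows why both the nat 0 ACL on the DMZ interface and the crypto ACL 110 have to include the DMZ network: the PIX evaluates the crypto map after NAT, so a DMZ flow that is still PATed to the outside address never matches the interesting-traffic ACL. All addresses are assumed for the example, and the peers_agree check at the end is a simplification of the "same concept on the remote end" advice (the remote crypto ACL must be the mirror image of the hub's).

```python
"""Model of PIX 6.x NAT exemption plus crypto-map interesting traffic.

Added example, not code from the original post. Addresses are assumed.
"""
from ipaddress import ip_address, ip_network

# Assumed hub-site addressing (the post left these as placeholders).
INSIDE_NET = ip_network("192.168.10.0/24")
DMZ_NET = ip_network("192.168.20.0/24")
REMOTE_NET = ip_network("192.168.30.0/24")   # spoke LAN behind the VPN peer
OUTSIDE_IP = ip_address("203.0.113.10")      # hub outside interface (PAT address)

# Each ACL is a list of (source_net, destination_net) permit entries.
ACL_101 = [(INSIDE_NET, REMOTE_NET)]         # nat (inside) 0 access-list 101
ACL_102 = [(DMZ_NET, REMOTE_NET)]            # nat (dmz) 0 access-list 102
CRYPTO_ACL_ORIGINAL = [(INSIDE_NET, REMOTE_NET)]                  # access-list 110 before
CRYPTO_ACL_FIXED = CRYPTO_ACL_ORIGINAL + [(DMZ_NET, REMOTE_NET)]  # access-list 110 after


def acl_permits(acl, src, dst):
    """True if some permit entry covers both the source and the destination."""
    return any(src in s_net and dst in d_net for s_net, d_net in acl)


def ingress_interface(src):
    """Which PIX interface a packet from src arrives on (assumed topology)."""
    if src in INSIDE_NET:
        return "inside"
    if src in DMZ_NET:
        return "dmz"
    return "outside"


def classify(src, dst, nat0_acls, crypto_acl):
    """Return (nat_exempt, encrypted) for a flow leaving via the outside interface.

    nat0_acls maps an interface name to the ACL of its 'nat (iface) 0 access-list'.
    Without an exemption the flow is PATed to OUTSIDE_IP by
    'nat (iface) 1 0 0' + 'global (outside) 1 interface'.  The crypto map is
    evaluated after NAT, so a PATed packet no longer matches the crypto ACL.
    """
    src, dst = ip_address(src), ip_address(dst)
    iface = ingress_interface(src)
    nat_exempt = acl_permits(nat0_acls.get(iface, []), src, dst)
    post_nat_src = src if nat_exempt else OUTSIDE_IP
    encrypted = acl_permits(crypto_acl, post_nat_src, dst)
    return nat_exempt, encrypted


def mirrored(acl):
    """The crypto ACL the remote peer must carry: every entry reversed."""
    return [(d_net, s_net) for s_net, d_net in acl]


def peers_agree(local_crypto_acl, remote_crypto_acl):
    """True if every local entry has its mirror image on the remote peer.

    A missing mirror means the proxy IDs offered in phase 2 are rejected,
    or the spoke sends its return traffic in the clear.
    """
    return all(entry in remote_crypto_acl for entry in mirrored(local_crypto_acl))


if __name__ == "__main__":
    dmz_host, spoke_host = "192.168.20.5", "192.168.30.9"
    print("as posted:", classify(dmz_host, spoke_host, {"inside": ACL_101}, CRYPTO_ACL_ORIGINAL))
    print("nat 0 only:", classify(dmz_host, spoke_host, {"inside": ACL_101, "dmz": ACL_102}, CRYPTO_ACL_ORIGINAL))
    print("both added:", classify(dmz_host, spoke_host, {"inside": ACL_101, "dmz": ACL_102}, CRYPTO_ACL_FIXED))
    print("remote mirrors hub:", peers_agree(CRYPTO_ACL_FIXED, mirrored(CRYPTO_ACL_FIXED)))
```

The middle case is the one that bites in practice: with only the nat 0 exemption added, the DMZ packet keeps its real source but is sent out in the clear because ACL 110 still only lists the inside network.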
Tags: Cisco Security
Similar Questions
-
Hello world
First of all, thanks for the invaluable information this community offers technicians everywhere... I'm newish to IPsec VPN and I have a question.
I have a DMZ host PATed to a public IP address. I've set up an IPsec tunnel (with an external party, terminating on my outside interface) to allow this host to reach a host in that organization. The VPN is not coming up. I am told to implement NAT exemption for the DMZ host's IPsec traffic to the outside host. Kindly, how can I do this?
Kind regards
Mumo
OK, no problem :)
For 8.2(5), you can try the following config:
object-group network DMZ-net
 network-object 172.16.1.0 255.255.255.0
object-group network Remote-net
 network-object 10.1.1.0 255.255.255.0
access-list asa_dmz_nat0_outbound extended permit ip object-group DMZ-net object-group Remote-net
nat (DMZ) 0 access-list asa_dmz_nat0_outbound
-
Second web server on the DMZ not visible from outside
With a PIX 515e.
I have several web servers in the DMZ; the first web server and the mail server are set up with port mapping to the PIX outside interface IP address.
The second and third web servers (on the inside interface) are configured with static mappings and access lists.
I can see the first web server and the mail server very well, but I cannot see the second or third servers.
What have I done wrong?
I suggest you analyze the traffic with the PIX 'capture' command and sniff traffic on the DMZ and outside interfaces.
Check if packets arrive at the external interface, if they reach the web server and whether it sends a response.
Example:
access-list 120 permit ip any host 207.236.60.35
capture vpncap access-list 120 interface outside
show capture vpncap access-list 120 detail
or
https://<PIX-IP-address>/capture/vpncap[/pcap]
To remove the capture:
no capture vpncap
Sincerely
Patrick
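As an added example (not Patrick's code), here is a Python script that does the check he describes on a capture downloaded via the https://<pix>/capture/<name>/pcap URL: it parses the libpcap file and lists which client SYNs toward the web server were answered with a SYN/ACK and which were not. The capture here is constructed inline (the client addresses from 198.51.100.0/24 are made up, the server address is the one from the post) so it runs offline; for a real capture, read the downloaded file in binary mode and pass its bytes to unanswered_syns.

```python
"""Triage a PIX 'capture' dump: which TCP SYNs toward a server got a SYN/ACK?

Added example, not code from the original post. The sample capture is
constructed inline; client addresses are assumed.
"""
import struct

SERVER = "207.236.60.35"        # web server address from the post
SYN, ACK = 0x02, 0x10


def _ip(s):
    return bytes(int(o) for o in s.split("."))


def _frame(src, sport, dst, dport, flags):
    """Build one Ethernet/IPv4/TCP packet with no payload. Checksums stay zero;
    a dump that is only inspected, never transmitted, does not need them."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     _ip(src), _ip(dst))
    eth = b"\x00" * 6 + b"\x00" * 6 + b"\x08\x00"
    return eth + ip + tcp


def build_pcap(frames):
    """Wrap raw frames in a libpcap (v2.4, link type Ethernet) container."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1000 + i, 0, len(f), len(f)) + f
    return out


def tcp_records(pcap):
    """Yield (src, sport, dst, dport, flags) for every IPv4/TCP packet."""
    magic = struct.unpack("<I", pcap[:4])[0]
    end = "<" if magic == 0xA1B2C3D4 else ">"   # honour either byte order
    pos = 24
    while pos + 16 <= len(pcap):
        _, _, incl, _ = struct.unpack(end + "IIII", pcap[pos:pos + 16])
        pkt = pcap[pos + 16:pos + 16 + incl]
        pos += 16 + incl
        if len(pkt) < 34 or pkt[12:14] != b"\x08\x00":
            continue                              # not IPv4
        ihl = (pkt[14] & 0x0F) * 4
        if pkt[23] != 6:
            continue                              # not TCP
        src = ".".join(map(str, pkt[26:30]))
        dst = ".".join(map(str, pkt[30:34]))
        tcp = pkt[14 + ihl:]
        if len(tcp) < 14:
            continue
        sport, dport = struct.unpack("!HH", tcp[:4])
        yield src, sport, dst, dport, tcp[13]


def unanswered_syns(pcap, server=SERVER, port=80):
    """Return (answered, unanswered) lists of (client_ip, client_port).

    A SYN that never sees a SYN/ACK from the server means either the PIX
    dropped it (ACL or static) or the server did not reply; comparing the
    outside capture with one taken on the DMZ interface tells the two apart.
    """
    syns, synacks = set(), set()
    for src, sport, dst, dport, flags in tcp_records(pcap):
        if dst == server and dport == port and flags & SYN and not flags & ACK:
            syns.add((src, sport))
        elif src == server and sport == port and flags & SYN and flags & ACK:
            synacks.add((dst, dport))
    return sorted(syns & synacks), sorted(syns - synacks)


# Constructed sample: one client completes the handshake, one gets no reply.
SAMPLE_PCAP = build_pcap([
    _frame("198.51.100.7", 40001, SERVER, 80, SYN),
    _frame(SERVER, 80, "198.51.100.7", 40001, SYN | ACK),
    _frame("198.51.100.7", 40001, SERVER, 80, ACK),
    _frame("198.51.100.9", 40002, SERVER, 80, SYN),
    _frame("198.51.100.9", 40002, SERVER, 80, SYN),   # retransmit, still unanswered
])

if __name__ == "__main__":
    answered, unanswered = unanswered_syns(SAMPLE_PCAP)
    print("answered:", answered)
    print("unanswered:", unanswered)
```

Run the same function over a capture taken with interface dmz: a client that is unanswered on the outside capture but whose SYN does show up on the DMZ side points at the server, while a SYN that never appears on the DMZ side was dropped by the PIX.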
-
Cannot start web server from the executable
Hello
We have a problem with a web server: we cannot get it to initialize, either with property nodes or with the ini file, in a compiled executable.
As part of our application, we start the web server to publish a status page to be read remotely. This works very well when we run in the development environment, and also when we run an executable on a PC with the development environment installed; however, it will not start on a PC with just the runtime installed.
I have attached some code that functionally does exactly the same thing as our main application. I used this as my test code and built it into an exe while trying a lot of different things to fix it.
When executing:
- The code sits in the while loop until I press stop.
- Web server: Active = FALSE
- Error out = No error
In the full application the while loop waits a few seconds before throwing an error if the server has not started. In this example, I can let the loop run for a while without it exiting. Normally, the start-up time is <50 ms.
This is the ini file for the executable:
[WebTest]
server.app.propertiesEnabled=True
server.ole.enabled=True
server.tcp.serviceName="My Computer/VI Server"
server.vi.propertiesEnabled=True
WebServer.Enabled=True
WebServer.TcpAccess="+*"
WebServer.ViAccess="+*"
DebugServerEnabled=False
DebugServerWaitOnLaunch=False
And this is the web server configuration file:
ErrorLog "$LVSERVER_ROOT/logs/error.log"
LogLevel 3
The default server name
DocumentRoot "$LVSERVER_ROOT/../../www"
Listen 8000
ThreadLimit 10
TypesConfig "$LVSERVER_ROOT/mime.types"
DirectoryIndex index.html
LoadModulePath "$LVSERVER_ROOT/modules" "$LVSERVER_ROOT/LVModules" "$LVSERVER_ROOT/.."
LoadModule LVAuth lvauthmodule
LoadModule LVSnapshot lvsnapshotmodule
LoadModule LVRFP lvrfpmodule
LoadModule dir libdirModule
LoadModule copy libcopyModule
AddHandler LVAuthHandler
AddHandler LVSnapshotHandler .snap
AddHandler LVRFPHandler
AddHandler dirHandler
AddHandler copyHandler
CustomLog "$LVSERVER_ROOT/logs/access.log" "%h %u %t \"%r\" %>s %b"
KeepAlive on
KeepAliveTimeout 60
Timeout 60
As a side note, can anyone tell me where the $LVSERVER_ROOT variable is configured?
Things I have tried:
- Copying a new default configuration file before initializing
- Writing a predefined (hard-coded) config file before initializing
- Setting the document root before initializing (this actually generates an error because the server is not active...)
- Setting WebServer.Active = TRUE several times inside the while loop
- Toggling the web server in the ini file
System:
- LabVIEW 2010
- PC running Windows 7
Thanks for any help, because this is slowly driving me crazy!
Ben
Hi Marco, thanks for the reply.
I had reviewed this guide previously and had done everything in it, but a small section gave me a hint of something to try and I have solved my problem, so thank you!
If anyone is interested, here's the problem:
The folder named in the DocumentRoot directive in the config must exist or the web server cannot be started. So basically, make sure that the file points to a folder that exists!
This leaves two small annoying problems though: you can't check whether the folder exists (and then create it) before starting the web server, because you can't query the folder path without the web server running.
AND
You can't really define the configuration file programmatically, as the parameters from the file are loaded at execution, not at web server start.
The result of this is that the config file and the document root folder should be created (and correspond, of course...) when the executable is built/installed on the system. Not a massive headache, but it means remembering to put things in the build specification and not relying on the software to do the job at startup.
-
Copying a file from a web server to a VMFS datastore
Hi everyone, I have a little trouble working this out.
Say I have a file on a web server, http://webserver/important.txt, and I want to copy this file to a local datastore. I am able to copy the file from the web server to the server I'm running PowerCLI on, and then to the datastore, but I can't work out how to copy it directly.
Any ideas?
As far as I know, Copy-DatastoreItem cannot handle this. The cmdlet requires a path for the Item parameter.
You will need to first create a local file and then copy it to the datastore.
-
ASA5500 - AnyConnect VPN cannot access web server in DMZ
I am at a loss. I enclose my config. I can access the DMZ from within the network, but cannot access the DMZ from the VPN.
Any help would be great.
Rich
I also have a question about access to Management 0/0 (192.168.1.1) from the inside E0/1 (192.168.2.0) network.
For your VPN-DMZ problem, the following is the most likely cause:
nat (inside,dmz) source static obj-dmz obj-dmz destination static obj-vpnpool obj-vpnpool
You should have in place instead:
nat (outside,dmz) source static obj-vpnpool obj-vpnpool destination static obj-dmz obj-dmz
That's because VPN clients appear to come from the outside (for NAT purposes) and need to be exempted from NAT to access resources in the DMZ.
For the management problem, the issue is asymmetric routing. When your packets arrive on the management interface, the ASA will try to send the return traffic (starting with the TCP 3-way handshake, which will fail) through the inside interface, but that won't work because, as the ASA sees it, the source of the acknowledgement would be the ASA's inside interface IP address, not the management interface address the SYN was sent to. That's why most people have historically not used the management interface on an ASA unless they have a real out-of-band management network. Cisco recently introduced a separate management-only routing table, but you need to move to 9.5(1) or later to take advantage of that.
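As an added illustration of the interface-pair point (not from the original reply or from Cisco), this Python model implements the part of ASA 8.3+ twice-NAT matching that matters here: a rule only applies to a flow whose ingress and egress interfaces are the rule's interface pair, in either direction, since a static twice-NAT rule is bidirectional. Decrypted AnyConnect traffic enters the ASA on the outside interface, so a rule written on (inside,dmz) is never consulted for it. The object contents and the client and server addresses are assumed; the rule and object names are the ones from the post.

```python
"""Model of ASA 8.3+ twice-NAT rule selection by interface pair.

Added example, not the original poster's config or Cisco code.
Object contents and flow addresses are assumed.
"""
from ipaddress import ip_address, ip_network

OBJECTS = {  # assumed definitions for the objects named in the post
    "obj-dmz": ip_network("192.168.3.0/24"),
    "obj-vpnpool": ip_network("192.168.50.0/24"),
}


class TwiceNatRule:
    """'nat (real_if,mapped_if) source static A A destination static B B'.

    Identity mappings only, which is all a NAT exemption needs. A static
    twice-NAT rule is bidirectional: it also matches a flow that enters on
    mapped_if and leaves on real_if with source and destination swapped.
    """

    def __init__(self, real_if, mapped_if, src_obj, dst_obj):
        self.real_if, self.mapped_if = real_if, mapped_if
        self.src_obj, self.dst_obj = src_obj, dst_obj
        self.src, self.dst = OBJECTS[src_obj], OBJECTS[dst_obj]

    def matches(self, ingress, egress, src, dst):
        if (ingress, egress) == (self.real_if, self.mapped_if):
            return src in self.src and dst in self.dst
        if (ingress, egress) == (self.mapped_if, self.real_if):
            return src in self.dst and dst in self.src   # reverse direction
        return False                                      # wrong interface pair

    def __repr__(self):
        return (f"nat ({self.real_if},{self.mapped_if}) source static "
                f"{self.src_obj} {self.src_obj} destination static "
                f"{self.dst_obj} {self.dst_obj}")


def find_rule(rules, ingress, egress, src, dst):
    """First rule whose interface pair and objects cover the flow, else None."""
    src, dst = ip_address(src), ip_address(dst)
    for rule in rules:
        if rule.matches(ingress, egress, src, dst):
            return rule
    return None


# Decrypted AnyConnect traffic enters on 'outside' and leaves on 'dmz'.
VPN_FLOW = ("outside", "dmz", "192.168.50.10", "192.168.3.20")
RETURN_FLOW = ("dmz", "outside", "192.168.3.20", "192.168.50.10")

AS_POSTED = [TwiceNatRule("inside", "dmz", "obj-dmz", "obj-vpnpool")]
CORRECTED = [TwiceNatRule("outside", "dmz", "obj-vpnpool", "obj-dmz")]

if __name__ == "__main__":
    for label, rules in (("as posted", AS_POSTED), ("corrected", CORRECTED)):
        print(f"{label}: client->dmz matches {find_rule(rules, *VPN_FLOW)}; "
              f"dmz->client matches {find_rule(rules, *RETURN_FLOW)}")
```

The as-posted rule returns None for both directions of the VPN flow, so the flow falls through to whatever dynamic PAT follows it; the corrected rule matches both directions and leaves the addresses untouched.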
-
DMZ web server -> inside database server
Suppose a network topology that looks like this:
A PIX with 3 interfaces:
inside interface (private static IP 10.10.10.1), outside interface (public static IP 69.110.38.35), dmz interface (private static IP 30.30.30.1)
--------------------------------------------
The internal network has a {server} with the IP address 10.10.10.2.
The DMZ has a {web server} with the IP address 30.30.30.2.
I want to allow external guests (outside) to access the web server (30.30.30.2) on port 80.
This web server in turn accesses the database server (10.10.10.2).
Assume that all other commands have been issued. Then I'll create an access list that allows the DMZ web server to communicate with the inside database server:
access-list dmz-to-inside permit tcp host 30.30.30.2 host 10.10.10.2 eq 1521
Should I issue the following too?
(1) access-list dmz permit tcp host 30.30.30.2 any eq 80
(2) access-group dmz in interface dmz
(3) static (inside,dmz) 10.10.10.0 10.10.10.0 netmask 255.255.255.0
(4) clear xlate
If so, what does each of them do?
Thank you for helping.
Scott
1. Yes, the static statement "static (inside,dmz) 10.10.10.0 10.10.10.0 netmask 255.255.255.0" will disable NAT. Although it is not necessary to disable NAT, it saves money and is simpler to manage. The reason for this is that traffic between the DMZ and the inside is private, so there is no need to apply a public IP address.
2. The PIX receives a packet from 10.10.10.2 destined for 30.30.30.2. The PIX examines the static statement and, based on the static statement above, will not NAT the packet (i.e. the PIX leaves the source address alone) and sends it to 30.30.30.2 via the DMZ interface.
For example:
original packet - source 10.10.10.2, destination 30.30.30.2
after the PIX - source 10.10.10.2, destination 30.30.30.2
3. The "clear xlate" command must be issued whenever a nat/global or static statement has been added/deleted/modified. This command forces the PIX to clear the existing IP translations.
For example, before you add the command "static (inside,outside) 1.1.1.1 192.168.1.100 netmask 255.255.255.255", the PIX may already have a translation for 192.168.1.100 (it might come from nat/global). Now, after you apply the static command, the PIX will keep the existing translation for a certain period of time. "clear xlate" is needed to erase the old translation and so activate the new static statement.
-
Cannot access web server in the DMZ from the inside using the global IP
Hi all
I hope this is a very simple question.
I'm running a PIX 515 firewall, v6.3. I set up a web server in my DMZ and use static NAT to map it to a global static IP address. Access from outside to the DMZ works remarkably well. I can access the web site from the inside interface using the internal IP, but I can't access it from the inside interface using the global IP assigned to it.
Is there a particular reason why this would not be allowed? My feeling was that the request would be forwarded via the external interface (as it is a global IP address) and then be bounced back by my ISP, so the request would come back in on the external interface (as the static NAT is applied to the external interface).
However, if I try to access the global IP from my inside interface, the browser cannot find the server.
Can someone explain why this is so? Any information would be appreciated.
Cheers,
Wayne
---------------------------------
PIX Version 6.3(3)
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
hostname helmsdeep
domain-name p2h.com.sg
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
no fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
no fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list acl_out permit tcp any host 203.169.113.110 eq www
access-list 90 permit tcp host 10.1.1.27 any
pager lines 24
logging buffered debugging
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside pppoe setroute
ip address inside 192.168.1.1 255.255.255.0
ip address dmz 10.1.1.1 255.255.255.0
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address dmz
pdm location 202.164.169.42 255.255.255.255 inside
pdm location 202.164.169.42 255.255.255.255 dmz
pdm location 10.1.1.26 255.255.255.255 dmz
pdm location 10.1.1.26 255.255.255.255 outside
pdm location 172.16.16.20 255.255.255.255 outside
pdm location 192.168.1.222 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (outside) 1 interface
global (dmz) 1 10.1.1.101-10.1.1.125
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 0 access-list 90
nat (dmz) 1 0.0.0.0 0.0.0.0 0 0
static (dmz,outside) 203.169.113.110 10.1.1.27 netmask 255.255.255.255 0 0
access-group acl_out in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.1.222 255.255.255.255 inside
floodguard enable
fragment chain 1
console timeout 0
terminal width 80
PIX code v6 or lower does not let traffic "bounce back", i.e. return via the same interface it was received on. Also, bouncing your traffic off an external server is never a good idea, because you won't be able to distinguish it from rogue attacks by someone outside your network spoofing addresses.
Since you are using PIX 6.3 code, you may be able to use outside NAT. Add this static to your config:
static (dmz,inside) 203.169.113.110 10.1.1.27 netmask 255.255.255.255 0 0
You may need to run a clear xlate after adding the new static statement. Note the order of the interfaces: it's (dmz,inside), not (inside,dmz).
Let me know if it works.
-
Another discussion about seeing a guest web server from the host
Howdy,
I ran into something really puzzling. I have a Windows 7 host machine and two VMs. One is Ubuntu 11.04, the other is RHEL7. The fundamental problem is that, from my host machine, I can see the Ubuntu Apache server but I cannot see the RHEL 5.8 Apache server.
Details. I'm running VMware 8.04 and have reinstalled vmware-tools on every machine after the upgrade. I'm running internal NAT. The host IP is 192.168.2.1. The Ubuntu IP is 192.168.2.128, RHEL 192.168.2.129. The problem is between the host and the 192.168.2.129 RHEL box. What's weird is that I cannot see my RHEL Apache server from the host, but from terminals on both boxes I can ping the other machine by IP address, and since I edited /etc/hosts (buried in c:\windows\system32\drivers on the host) I can ping between host and guest by the URL "myapp.local" as well. The IPs were determined by ipconfig and ifconfig on the host and the guest respectively. I looked at netstat on the guest and there doesn't seem to be anything wrong with httpd listening on port 80 on the guest. I'm really at a loss. The Ubuntu box configured the same way works, but the RHEL box fails.
I don't know if I've listed everything that could be of use here, but if someone could chime in with ideas I would appreciate it. In brief:
(1) ifconfig shows the IP
(2) pings work
(3) DNS is defined in /etc/hosts
(4) proxy bypass is set in Firefox on the host, and the proxy configuration has been reviewed to avoid proxy forwarding problems
(5) the web page times out, the server is invisible
(6) logs on the guest server don't show the request from the host being received.
Thank you
Danny
Based on what you said in the OP, I would say that you need to properly configure the firewall on the guest to allow WWW (HTTP). If not that, something is still not set up correctly, and it's very probably not really a VMware question.
-
How to separate the application server and web server at the physical server level?
I want to separate the application server and web server: locate them on different hosts. Generally, we use WebLogic. In the future we may use Apache Tomcat as the web server.
Example:
192.168.1.10 - WebLogic application server / EJB module
192.168.1.11 - web server - WebLogic / WEB module (could be Apache Tomcat)
I cannot find examples and resources about this on Google.
Thank you.
So, if we're looking up a subject such as:
try {
    someEJB = context.lookup("ejb/Videotheek#model.logic.Videotheek");
} catch (NamingException e) {
    e.printStackTrace();
}
If the EJB application is clustered, an object of type ClusterableRemoteRef (-4005477377232786958S:172.31.0.107:[7003,7003,-1,-1,-1,-1,-1]:[8351443287261246917S:172.31.0.107:[7002,7002,-1,-1,-1,-1,-1]:ScriptDomain:VideotheekServer1/292])/289 172.31.0.107:ScriptDomain:VideotheekServer2 - 4005477377232786958S:172.31.0.107:[7003,7003,-1,-1,-1,-1,-1]:172.31.0.107:ScriptDomain:VideotheekServer2/289,-) is returned, which is part of wlfullclient.jar.
You can try using the @EJB or @Resource annotation (not sure whether Tomcat supports it). For annotations to work, you must use servlet version 2.5 or later. JNDI lookup works in a general servlet container such as Tomcat.
-
Web server options for the installation of APEX on Oracle Database 10g
Hello. We are installing APEX on a test server that runs the Oracle 10g 10.2.0.4.0 database. As I understand it there are two web server options:
(1) Oracle HTTP Server (Apache)
(2) Oracle Application Express Listener
Do both of these work for Oracle Database 10g 10.2.0.4.0? I thought I remembered reading somewhere that the Oracle Application Express Listener only works with database version 11 or higher.
Do both of these work for Oracle Database 10g 10.2.0.4.0?
Yes.
I thought I remembered reading somewhere that the Oracle Application Express Listener only works with database version 11 or higher.
No, the only restriction (except 10g XE) applies to the third web server option that you have not mentioned: the Embedded PL/SQL Gateway (EPG), as discussed in your previous thread: {thread:id=2201975}.
APEX Listener requirements
{forum:id=858}
-
Setting up a web server behind the WRT300N
I'm trying to set up a webserver behind a WRT300N. I followed the Linksys article at the bottom of this post to the letter, but it still does not work. I have a Comcast cable modem connected to the WRT300N, and then I have my web server connected to the internet through the WRT300N wirelessly. I assigned a static IP address to my web server (192.168.1.2), and I also set up the router to forward port 80 to the web server (XP Pro). However, when I type the public IP address into a web browser, it can't find my server. I know that the web server works because I see my home page when I type http://localhost in the local web browser. Any ideas? What am I missing? http://www3.nohold.NET/noHoldCust56/Prod_6/KnowledgePortal/KPScripts/amsviewer.asp?docid=e86f4f1c3a98416abc78586d4f544132_KB3699_EN_070208_v1.XML&amsstatsid=4666791
Hello
Have you tried accessing your public IP from someone else's PC, i.e. one that is not on your own network?
I had/have a problem trying to access one of my friends' unless I use someone else's internet connection. Otherwise I could only access the web interface of my modem.
dRdoS7
PS. Don't know why this is the case; others may have an idea.
EDIT: What port no. do you use? Is it like this:
'http://my_public_ip:access_port'?
Sorry, read your message again; try another port number such as 8080.
-
The password has been reset, but we cannot get past the server asking for the user name and password to change the other settings. We have not had any problems setting up the printer with the computer and we are able to print and use the printer. We just need to get into the EWS to change other settings. We use Windows 7.
Hi there @Mariko23
Welcome to the forums,
I understand the EWS is asking you for a user name and password and you're looking to reset the embedded web server so that you can access it.
I suggest trying to restore the default network settings on the device, which should help you.
On the printer, select Setup, Network Setup, Restore Network Defaults, Yes, then restart the printer.
Good luck, I hope this helps
-
Passing variables from the web server to a Captivate HTML5 file
I publish a quiz in Captivate as HTML5 and host it on a web site. I would like to know how I can pass data from my site to the HTML5-based Captivate quiz.
So far, I have had success getting data out of Captivate by having the file POST the results of a finished quiz in a RESTful way. However, I have not had success putting data into the file. I would like to pass information such as the user ID and the ID of the quiz, maybe even the current slide position, so that I can match quiz information to my database. I'm not specifically looking for a solution for the user ID, quiz ID, etc., because I can be creative in that regard; I just want to know if others have been able to set variables when the Captivate file loads.
I tried defining the variables in two ways:
- Declare the variables with JavaScript and AJAX-load the page into a div. This has dependency problems because the Captivate file uses relative paths to the assets folder.
- Change the published HTML file by adding the JavaScript variables; this returns an error message saying that I can't replace the existing Captivate variable.
- Add JS variables in the init function; this has no effect.
To simply pass the username and ID, I used the following.
Note that the URL contains query string parameters that correspond to variables in Captivate:
http://mywebsite/course/index.html?cpQuizInfoStudentID=IDHere&cpQuizInfoStudentName=StudentNameHere
Another way is to use JavaScript to read the query string and set the variable in CP to the query string values. I remember reading some more detail, but can't remember where.
It may be useful
Luke
-
Web server and APEX running on the same machine - possible port 8080 conflict
Hi guys,
I installed Apache Tomcat and am currently in the process of installing Oracle 11g on the same machine.
Tomcat uses port 8080 and I understand that, among other installs, APEX uses 8080 as well.
Is there a way, after installing Oracle 11g database XE, to stop APEX so it does not conflict with Tomcat's use of 8080? I have no use for APEX at this point and want to stop it if possible.
Alternatively, can it be configured to use a different port?
Thank you very much.
You can do either: stop it or change the port. So sad that you said that you "have no use for Apex..." :(
What gateway do you use for APEX? Is it the EPG, OHS or the APEX Listener? If you use the EPG, there is a package/API for it. Here are a couple that you can run in a SQL*Plus session:
SELECT DBMS_XDB.GETHTTPPORT FROM DUAL;
EXEC DBMS_XDB.SETHTTPPORT(port);
For example:
EXEC DBMS_XDB.SETHTTPPORT(8080);
OR
EXEC DBMS_XDB.SETHTTPPORT(8181);
If you use OHS then you go to your OHS/Apache directory, find the path to opmn and issue commands to stop or start it. If it's the APEX Listener with GlassFish, then you go to the GlassFish administration console and stop your APEX deployment from there. I'll leave you the specifics.
Earl