Second web server on the DMZ not visible from outside
Using a PIX 515e.
I have several web servers in the DMZ. The first web server and the mail server are set up with port mapping to the IP address of the PIX outside interface.
The second and third web servers (inside interface) are configured with static mappings and access lists.
I can see the first web server and the mail server fine, but I cannot see the second or third servers.
What have I done wrong?
I suggest you analyze the traffic with the PIX 'capture' command and sniff traffic on the DMZ and outside interfaces.
Check whether packets arrive at the outside interface, whether they reach the web server, and whether it sends a response.
Example:
access-list 120 permit ip any host 207.236.60.35
capture vpncap access-list 120 interface outside
show capture vpncap access-list 120 detail
or
https://<PIX-IP-address>/capture/vpncap[/pcap]
To remove the capture:
no capture vpncap
Sincerely,
Patrick
Tags: Cisco Security
Similar Questions
-
Cannot access the web server in the DMZ from the inside using the global IP
Hi all
I hope it's a very simple question.
I'm running a PIX 515 firewall v6.3. I set up a web server in my DMZ and used static NAT to map it to a global static IP address. Access to the DMZ from the outside works fine. From the inside interface I can access the website using the internal IP, but I can't access it from the inside interface using the global IP assigned to it.
Is there a particular reason why this would not be allowed? My feeling was that the request would be forwarded via the external interface (as it is a global IP address), then bounced back by my ISP, so the request would come back in on the external interface (as the static NAT is applied to the external interface).
However, if I try to access the global IP from my inside interface, the browser cannot find the server.
Can someone explain why this is so? Any information would be appreciated.
See you soon,
Wayne
---------------------------------
PIX Version 6.3(3)
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
hostname helmsdeep
domain-name p2h.com.sg
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
no fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
no fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list acl_out permit tcp any host 203.169.113.110 eq www
access-list 90 permit tcp host 10.1.1.27 any
pager lines 24
logging buffered debugging
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside pppoe setroute
ip address inside 192.168.1.1 255.255.255.0
ip address dmz 10.1.1.1 255.255.255.0
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address dmz
pdm location 202.164.169.42 255.255.255.255 inside
pdm location 202.164.169.42 255.255.255.255 dmz
pdm location 10.1.1.26 255.255.255.255 dmz
pdm location 10.1.1.26 255.255.255.255 outside
pdm location 172.16.16.20 255.255.255.255 outside
pdm location 192.168.1.222 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (outside) 1 interface
global (dmz) 1 10.1.1.101-10.1.1.125
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 0 access-list 90
nat (dmz) 1 0.0.0.0 0.0.0.0 0 0
static (dmz,outside) 203.169.113.110 10.1.1.27 netmask 255.255.255.255 0 0
access-group acl_out in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.1.222 255.255.255.255 inside
floodguard enable
fragment chain 1
console timeout 0
terminal width 80
PIX code v6 or lower does not let traffic go "back" out (return flow) via the same interface it arrived on. Bouncing your traffic off an external server is also never a good idea, because you will not be able to distinguish it from rogue spoofing attacks by someone outside your network.
Since you are using PIX 6.3 code, you may be able to use outside NAT. Add this static to your config:
static (dmz,inside) 203.169.113.110 10.1.1.27 netmask 255.255.255.255 0 0
You may need to run a clear xlate after adding the new static statement. Note the interface order: it is (dmz,inside), not (inside,dmz).
I would like to know if it works.
-
PIX with H & S VPN, DMZ hosting web server at the hub
Ok
Here's a problem which I think would be quite common for those even remotely conscious of security. Unfortunately, my knowledge of the PIX (as well as other Cisco devices) is still in the 'growth' phase.
So, here's the problem. I have a WAN in place with PIXen and SonicWalls; we are set up essentially in a hub-and-spoke design (fine, ok, so it is partially meshed). We recently decided to pull the trigger on getting a 'real' web site, and getting it up and rolling went relatively well (even with my 3-day notice/deadline), but here's the problem: I set up the web server on the DMZ of the hub PIX, and I figured out (the easy part) how to set things up so that people in the home office can connect to the web server using the internal address, but I don't know what to do for people in remote offices with VPN connections home. I tried to define static routes, I tried to add the DMZ to the VPN trigger, I tried doing both of those together, and I checked that I have rules allowing traffic from the VPN to the DMZ on the inside interface. So, what else can I do?
I have no problem configuring a PIX for all the basic setups and VPNs; even at this stage I can do most of it through the CLI (even if I still prefer to do more through the PDM). My biggest stumbling block on the PIX so far has been whenever I actually involve this pesky DMZ...
I actually have two PIXes in my office and two for my home networks (one for my place in the States and one for my place in Japan), so if you can help me, I'll solve both problems and won't forget to give an excellent rating!
So I guess that leaves me at the place where I scream...
Help!
and I humbly await your comments.
The current PIX configuration should look something like this:
access-list 101 permit ip
access-list 110 permit ip
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
sysopt connection permit-ipsec
crypto ipsec transform-set superset esp-3des esp-md5-hmac
crypto map myvpn 10 ipsec-isakmp
crypto map myvpn 10 match address 110
crypto map myvpn 10 set peer
crypto map myvpn 10 set transform-set superset
crypto map myvpn interface outside
isakmp enable outside
isakmp key
address netmask 255.255.255.255
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
Now, to add the DMZ on top of the existing VPN, add the following to the PIX (and apply the same concept on the remote end device):
access-list 102 permit ip
access-list 110 permit ip
nat (dmz) 0 access-list 102
-
DMZ web server -> inside database server
Suppose that a network topology looks like this:
A PIX with 3 interfaces:
inside interface (private static IP 10.10.10.1), outside interface (public static IP 69.110.38.35), DMZ interface (private static IP 30.30.30.1)
--------------------------------------------
The internal network has a {database server} with the IP address 10.10.10.2.
The DMZ has a {web server} with the IP address 30.30.30.2.
I want to allow external guests (outside) to access the web server (30.30.30.2) via port 80.
This web server in turn accesses the database server (10.10.10.2).
Assume that all other commands are issued. Then I'll create an access list that allows the DMZ web server to communicate with the inside database server:
access-list dmz-to-inside permit tcp host 30.30.30.2 host 10.10.10.2 eq 1521
Should I also issue the following:
(1) access-list dmz permit tcp host 30.30.30.2 any eq 80
(2) access-group dmz in interface dmz
(3) static (inside,dmz) 10.10.10.0 10.10.10.0 netmask 255.255.255.0
(4) clear xlate
If so, what does each of them do?
Thank you for helping.
Scott
1. Yes, the static statement "static (inside,dmz) 10.10.10.0 10.10.10.0 netmask 255.255.255.0" will disable NAT. Although it is not necessary to disable NAT, it saves money and is simple to manage. The reason for this is that the traffic between the DMZ and inside is private, so there is no need to apply a public IP address.
2. The PIX receives a packet from 10.10.10.2 destined for 30.30.30.2. The PIX examines the static statement and, based on the static statement above, will not NAT the packet (i.e. the PIX will leave the source address as it is) and sends it to 30.30.30.2 via the DMZ interface.
For example:
original packet - source 10.10.10.2, destination 30.30.30.2
after the PIX - source 10.10.10.2, destination 30.30.30.2
3. The "clear xlate" command must be issued whenever a nat/global or static has been added/deleted/modified. This command forces the PIX to clear the existing IP translations.
For example, before you add the command "static (inside,outside) 1.1.1.1 192.168.1.100 netmask 255.255.255.255", the PIX may already have a translation for 192.168.1.100 (it might come from nat/global). Now, after you apply the static command, the PIX will keep the existing translation for a certain period of time. 'clear xlate' is needed to erase the old translation and so activate the new static statement.
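The three PIX threads above (the invisible second web server, the inside host that cannot reach the global IP, and the DMZ-to-database identity static) all come down to the same two lookups: which static translates the destination on the interface the connection arrives on, and whether the ACL bound to that interface permits it. The Python script below is an added example, not Cisco code and not anything posted in these threads: it parses the nameif, static, access-list and access-group lines of a PIX 6.x-style config and traces a connection through a simplified model of those rules. The sample config is constructed after Wayne's; the second static (203.169.113.111 -> 10.1.1.28) and the client source addresses are invented here to reproduce the "static without a matching ACL entry" case.

```python
import ipaddress
from dataclasses import dataclass, field

# Port keywords PIX accepts in ACLs; only the ones needed here.
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "smtp": 25, "sqlnet": 1521}


@dataclass
class Static:
    real_if: str                        # interface the real (inside/dmz) host sits on
    global_if: str                      # interface on which the mapped address is visible
    global_net: ipaddress.IPv4Network
    real_net: ipaddress.IPv4Network


@dataclass
class PixConfig:
    levels: dict = field(default_factory=dict)   # interface -> security level
    statics: list = field(default_factory=list)
    acls: dict = field(default_factory=dict)     # name -> [(action, proto, src, dst, port)]
    groups: dict = field(default_factory=dict)   # interface -> ACL applied inbound


def _addr(tokens):
    """Consume one ACL address spec: 'any' | 'host A' | 'A MASK'."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_config(text):
    cfg = PixConfig()
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "nameif":            # nameif ethernet0 outside security0
            cfg.levels[t[2]] = int(t[3][len("security"):])
        elif t[0] == "static":          # static (real,global) GLOBAL REAL netmask MASK ...
            real_if, global_if = t[1].strip("()").split(",")
            mask = t[5] if len(t) > 5 and t[4] == "netmask" else "255.255.255.255"
            cfg.statics.append(Static(
                real_if, global_if,
                ipaddress.ip_network(f"{t[2]}/{mask}", strict=False),
                ipaddress.ip_network(f"{t[3]}/{mask}", strict=False)))
        elif t[0] == "access-list":     # access-list NAME permit|deny PROTO SRC DST [eq PORT]
            src, rest = _addr(t[4:])
            dst, rest = _addr(rest)
            port = None
            if len(rest) >= 2 and rest[0] == "eq":
                port = PORT_NAMES.get(rest[1]) or int(rest[1])
            cfg.acls.setdefault(t[1], []).append((t[2], t[3], src, dst, port))
        elif t[0] == "access-group":    # access-group NAME in interface IFACE
            cfg.groups[t[4]] = t[1]
    return cfg


def trace(cfg, ingress, src_ip, dst_ip, dport, proto="tcp"):
    """Classify a new connection arriving on `ingress`: (verdict, explanation)."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    # 1. Translation: only a static whose *global* side faces the ingress interface
    #    can translate the destination; with none, the PIX cannot place the address.
    hit = next((s for s in cfg.statics
                if s.global_if == ingress and dst in s.global_net), None)
    if hit is None:
        return "no-translation", f"no static with global interface {ingress} covers {dst_ip}"
    offset = int(dst) - int(hit.global_net.network_address)
    real = ipaddress.ip_address(int(hit.real_net.network_address) + offset)
    # 2. Access control: the inbound ACL on the ingress interface is matched against the
    #    untranslated (global) address, first match wins, implicit deny at the end.
    #    Without an ACL the security levels decide (higher may reach lower, not vice versa).
    acl = cfg.groups.get(ingress)
    if acl is None:
        if cfg.levels.get(ingress, 0) > cfg.levels.get(hit.real_if, 0):
            return "permit", f"{dst_ip} -> {real} on {hit.real_if} (higher to lower, no ACL)"
        return "deny", f"no access-group on {ingress}; lower-to-higher traffic is dropped"
    for action, p, s_net, d_net, port in cfg.acls.get(acl, []):
        if p in (proto, "ip") and src in s_net and dst in d_net and port in (None, dport):
            if action == "permit":
                return "permit", f"{acl} permits; {dst_ip} -> {real} on {hit.real_if}"
            return "deny", f"{acl} explicitly denies {dst_ip}:{dport}"
    return "deny", f"{acl} has no permit entry for {dst_ip}:{dport} (implicit deny)"


# Constructed sample modelled on the config posted above. The second static
# (.111 -> 10.1.1.28) has no ACL entry on purpose; it is not from the thread.
SAMPLE = """
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
access-list acl_out permit tcp any host 203.169.113.110 eq www
static (dmz,outside) 203.169.113.110 10.1.1.27 netmask 255.255.255.255 0 0
static (dmz,outside) 203.169.113.111 10.1.1.28 netmask 255.255.255.255 0 0
access-group acl_out in interface outside
"""
# The outside-NAT static suggested in the reply, so inside hosts can use the global IP.
OUTSIDE_NAT_FIX = "static (dmz,inside) 203.169.113.110 10.1.1.27 netmask 255.255.255.255 0 0\n"

if __name__ == "__main__":
    cfg = parse_config(SAMPLE)
    print(trace(cfg, "outside", "198.51.100.7", "203.169.113.110", 80))  # permit
    print(trace(cfg, "outside", "198.51.100.7", "203.169.113.111", 80))  # deny, implicit
    print(trace(cfg, "inside", "192.168.1.50", "203.169.113.110", 80))    # no-translation
    print(trace(parse_config(SAMPLE + OUTSIDE_NAT_FIX),
                "inside", "192.168.1.50", "203.169.113.110", 80))         # permit via dmz
```

Feed the relevant lines of a real config to parse_config to use it. The "no-translation" verdict for the inside-to-global case is exactly Wayne's symptom, and adding the (dmz,inside) static from the reply turns it into a permit; a static with no matching entry in the outside ACL ends in the implicit deny, which is the first place to look when a second mapped server stays invisible. The model ignores nat/global dynamic translations, conduits and object groups, so treat its verdict as a pointer to where the capture command should be placed, not as proof.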
-
PHP form script is missing from the web server or PHP is not properly configured on your web hosting provider. Help - I get this message on my site when the form is filled out and you press send... Check whether the form PHP script has been uploaded correctly; contact your host about the PHP configuration.
Hi Graham,
Could you please check your site with this link ( http://my-site.com/scripts/form_check.php ) and make sure that all green checkmarks appear. If they don't, let us know what errors you receive and include the link to your site.
In addition, check out this guide on the forums of Muse troubleshooting: Troubleshooting Muse form used on the servers of third party Widgets
I hope this helps!
Emily
-
Cannot start web server from the executable file
Hello
We have a problem with a web server: we cannot get it to initialize using property nodes or the ini file in a compiled executable.
As part of our application, we start the web server to publish a status page that is read remotely. This works very well when running in the development environment and also when we run an executable on a PC with the development environment installed; however, it will not start on a PC with just the runtime installed.
I have attached some code that functionally does exactly the same thing as our main application. I used this as my test code and built it into an exe while trying a lot of different things to fix it.
When executing:
- The code sits in the while loop until I press stop.
- Web server: Active Server = FALSE
- Error out = NO ERROR
In the full application the while loop waits a few seconds before throwing an error if the server has not started. In this example I can let the loop run for a while without it exiting. Normally, the start-up time is <50 ms.
This is the ini file for the executable:
[WebTest]
server.app.propertiesEnabled = True
Server.OLE.Enabled = True
server.tcp.serviceName = "My Server computer/VI"
server.vi.propertiesEnabled = True
WebServer.Enabled = True
WebServer.TcpAccess = "' + * '"
WebServer.ViAccess = "' + * '"
DebugServerEnabled = False
DebugServerWaitOnLaunch = False
And this is the web server configuration file:
ErrorLog "$LVSERVER_ROOT/logs/error.log"
LogLevel 3
The default server name
DocumentRoot "$LVSERVER_ROOT/.../../www"
Listen 8000
ThreadLimit 10
TypesConfig "$LVSERVER_ROOT/mime.types"
DirectoryIndex index.html
LoadModulePath "$LVSERVER_ROOT/modules" "$LVSERVER_ROOT/LVModules" "$LVSERVER_ROOT/..."
LoadModule LVAuth lvauthmodule
LoadModule LVSnapshot lvsnapshotmodule
LoadModule LVRFP lvrfpmodule
LoadModule dir libdirModule
LoadModule copy libcopyModule
AddHandler LVAuthHandler
AddHandler LVSnapshotHandler .snap
AddHandler LVRFPHandler
AddHandler dirHandler
AddHandler copyHandler
CustomLog "$LVSERVER_ROOT/logs/access.log" "%h %u %t \"%r\" %>s %b"
KeepAlive on
KeepAliveTimeout 60
Timeout 60
As a side note, can anyone tell me where the $LVSERVER_ROOT variable is configured?
Things I have tried:
- Copying a new default configuration file before initializing
- Writing a predefined (hard-coded) file before initializing the config
- Setting the root directory before initializing (this actually generates an error because the server is not active...)
- Setting WebServer.Active = TRUE several times inside the while loop
- Toggling the web server in the ini file
System:
- LabVIEW 2010
- PC with Windows 7 running
Thanks for any help, because it is slowly driving me crazy!
Ben
Hi Marco, thanks for the reply.
I had reviewed this guide previously and had done everything in it, but one small section gave me a hint of something to try, and I have solved my problem, so thank you!
If anyone is interested, here's the problem:
The folder named by the DocumentRoot directive in the config must exist or the web server cannot be started. So basically, make sure that the file points to a folder that exists!
This leaves two small annoying problems, though: you can't check whether the folder exists (and then create it) before starting the web server, because you cannot query the folder path without the web server running.
AND
You can't really define the configuration file programmatically, as the parameters from the file are loaded at execution time, not when the web server starts.
The result of this is that the config file and the document root folder should be created (and match, of course...) when the executable is built / installed on the system. Not a massive headache, but it means remembering to put things in the build specification and not relying on the software to do the job at startup.
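The conclusion above, that DocumentRoot must already exist when the server starts and therefore has to be taken care of by the build or installer, is easy to enforce with a small pre-flight check run at install time. The script below is an added example in Python, not LabVIEW or NI code: it parses the directives of an httpd-style config like the one posted above, expands $LVSERVER_ROOT (assumed here to mean the server's install directory, a question the thread leaves open) and reports a missing document root before anything is launched. The config text and the scratch directory tree are constructed for the demonstration.

```python
import os
import re
import tempfile


def parse_directives(text):
    """Minimal parser for the httpd-style config above: one directive per line,
    value optionally double-quoted; a later occurrence overwrites an earlier one."""
    directives = {}
    for line in text.splitlines():
        m = re.match(r'\s*([A-Za-z]+)\s+"?([^"]*?)"?\s*$', line)
        if m:
            directives[m.group(1)] = m.group(2)
    return directives


def resolve_path(value, server_root):
    """Expand $LVSERVER_ROOT (assumed: the server install directory) and
    normalise the '..' segments the config relies on."""
    return os.path.normpath(value.replace("$LVSERVER_ROOT", server_root))


def preflight(config_text, server_root):
    """Return the problems that would stop the server from starting. The
    finding from the thread is that DocumentRoot must already exist, so that
    is checked here, before launch, where it can still be fixed."""
    d = parse_directives(config_text)
    problems = []
    if "DocumentRoot" not in d:
        problems.append("DocumentRoot directive missing")
    else:
        root = resolve_path(d["DocumentRoot"], server_root)
        if not os.path.isdir(root):
            problems.append(f"DocumentRoot does not exist: {root}")
    if not d.get("Listen", "").isdigit():
        problems.append("Listen port missing or not numeric")
    return problems


# Constructed config in the shape of the one posted in the thread.
CONFIG = """
ErrorLog "$LVSERVER_ROOT/logs/error.log"
LogLevel 3
DocumentRoot "$LVSERVER_ROOT/../www"
Listen 8000
DirectoryIndex index.html
"""


def demo():
    """Run the check twice in a scratch tree: once with the www folder missing
    (the failing case described above) and once after creating it, which is
    the step the build specification has to perform. Returns both results."""
    with tempfile.TemporaryDirectory() as tmp:
        server_root = os.path.join(tmp, "server")
        os.makedirs(os.path.join(server_root, "logs"))
        before = preflight(CONFIG, server_root)
        os.makedirs(os.path.join(tmp, "www"))      # what the installer must create
        after = preflight(CONFIG, server_root)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before creating www:", before)
    print("after creating www: ", after)
```

Point preflight at the real config file and install directory from a post-install step; a non-empty result means the server will sit in its start loop exactly as described in the post, and the message names the folder the build specification forgot to ship.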
-
Is it possible to put a SQL server on the DMZ
Hi all
I would like to ask about a PIX deployment. Is it possible to put a SQL server on the DMZ (or on one of the 5 interfaces other than the inside interface) and simply define a NAT to allow inside users access to the DMZ, without allowing outside users access to the SQL server? We intend to set up a SQL server on a DMZ such that unauthorized internal users will not be able to learn the actual address of the SQL server.
Are there any issues that should be considered in this deployment?
Thanks in advance,
udimpas
Hi Udimpas,
Yes, your scenario is possible. You can put the SQL server on the DMZ network and allow access to inside users; at the same time, you can also block access from the outside.
Let's say your SQL server IP address is 192.168.1.10 and your inside LAN is 10.1.1.0/24. You can do the following:
nat (inside) 0 access-list sheep
access-list sheep permit ip 10.1.1.0 255.255.255.0 host 192.168.1.10
By doing this, you do not NAT any traffic from your inside network to the SQL server. In case you have access lists defined on your inside interface, you must open port 1433:
access-list inside permit tcp 10.1.1.0 255.255.255.0 host 192.168.1.10 eq 1433
You do not need to add the ACL above if you currently have no restrictions from the inside.
I hope this helps... all the best...
REDA
-
Web server options for installing APEX on Oracle Database 10g
Hello. We are installing APEX on a test server that runs Oracle Database 10g 10.2.0.4.0. As I understand it there are two web server options:
(1) Oracle HTTP Server (Apache)
(2) Oracle Application Express Listener
Do both of these work with Oracle Database 10g 10.2.0.4.0? I thought I remembered reading somewhere that the Oracle Application Express Listener only works with database version 11 or higher.
Do both of these work with Oracle Database 10g 10.2.0.4.0?
Yes.
I thought I remembered reading somewhere that the Oracle Application Express Listener only works with database version 11 or higher.
No, the only restriction (apart from 10g XE) applies to the third web server option that you have not mentioned: the Embedded PL/SQL Gateway (EPG), as discussed in your previous thread: {thread:id=2201975}.
Requirements for the APEX Listener
{forum:id=858}
-
Best way to lock down a Security Server in the DMZ
Hello
Are there any best practices or recommendations from VMware for locking down a Security Server in the DMZ?
Any suggestions are welcome.
THX,
-sf
There is a View Security Server hardening guide referenced here - http://communities.vmware.com/thread/300885
Mark
-
Copying files from a web server to a VMFS datastore
Hi everyone, I'm having a little trouble working this out.
Say I have a file on a web server, http://webserver/important.txt, and I want to copy this file to a local datastore. I am able to copy the file from the web server to the server I'm running PowerCLI on, and then to the datastore, but I can't work out how to copy it directly.
Any ideas?
As far as I know, Copy-DatastoreItem cannot handle this. The cmdlet requires a path for the Item parameter.
You will need to create a local file first and then copy it to the datastore.
-
Where to put XSDs on the local (HTTP) web server so that they are visible?
Currently I statically import my XSD schema files from my HDD into projects.
However, I would prefer to put these XSD files on the local (HTTP) web server so that I can refer to them
dynamically with an http://... address.
How (where / in which directory) do I have to put the XSD schema files on the local Oracle server so that I can call them via http://127.0.0.1/ resp. http://localhost/...?
Peter
It is also common to put the XSD files in $ORACLE_HOME/bpel/system/xmllib
They are then available as http://HOST:PORT/orabpel/xmllib/XYZ.xsd.
I recommend you make your own folder in this directory. These are served up by OC4J, however, not purely by Apache.
-
Web server on a DMZ and Active Directory
This is a question that is part philosophical, part technical.
If I have a new Win2k3 web server that I put on my DMZ, is it stupid to allow it to join my AD domain by opening the appropriate ports for AD communication between the inside interface and the DMZ interface?
Or does that simply go against smart firewalling? Could an attacker cross from the outside intf into the DMZ and then into the inside intf?
If it's a wise thing to do, how do I do it? I guess just open the ports that MS uses, such as 135, 137, 139 (netbios) and 445 (did I forget anything?). Am I missing something?
Thanks for any advice, technical or philosophical.
Marc
I would no doubt put it inside. In this era of viruses, worms, spyware, p2p, etc., your users' applications are often (in general not as maliciously) as dangerous as the outside world. Using a DMZ for MS products is darn near impossible unless it is limited filtering (blocking user access to SNMP, terminal services and other fixed management ports) in a default-permit posture (rather than the general firewall practice of default deny and selectively permit).
Because of the need for a relatively open path between MS clients and servers, I have a pretty aggressive policy of hardening, patching and antivirus.
If you do put it on your DMZ, you need to determine how your internal users will access it. If they are accessing the http interface as well, that's good (some applications have both web interfaces and fat binary client packages that use different, sometimes dynamic, ports). You could then selectively allow access to the IP addresses of the SQL or AD servers only, rather than opening a ton of things. Still, there is the risk that if this box were compromised, it could be a conduit to other hosts. Because this kind of MS stuff is such a puzzle in the DMZ, I generally recommend people think about hardening the servers instead of trying to force the square DMZ peg into a round hole.
For IIS, look at the IISLockdown utility, which is an add-on for win2k/NT4 and may be included out of the box on win2k3. It is menu-driven and can help you disable stuff you don't need. Hacking Exposed Win2k is a great book to pick up. NSA.gov has security guidelines for most of the MSFT server products.
-
Setting up a web server behind the WRT300N
I'm trying to set up a web server behind a WRT300N. I followed the Linksys article at the bottom of this post to the letter, but it still does not work. I have a Comcast cable modem connected to the WRT300N, and then I have my web server connected to the internet wirelessly through the WRT300N. I assigned a static IP address to my web server (192.168.1.2), and I also set up port forwarding on the router for port 80 to the web server (XP Pro). However, when I type the public IP address in a web browser, it can't find my server. I know that the web server works because I can see my home page when I type http://localhost in the local web browser. Any ideas? What am I missing? http://www3.nohold.NET/noHoldCust56/Prod_6/KnowledgePortal/KPScripts/amsviewer.asp?docid=e86f4f1c3a98416abc78586d4f544132_KB3699_EN_070208_v1.XML&amsstatsid=4666791
Hello
Have you tried accessing your public IP from someone else's PC, i.e. not from a PC on your own network?
I had/have a problem trying to access one of my friends' servers unless I use someone else's internet connection. Otherwise I could only access the web interface of my modem.
dRdoS7
PS. Don't know why this is the case; others may have an idea.
EDIT: What port number do you use? Try it like this:
'http://my_public_ip:access_port'?
Sorry, I read your message again; try another port number such as 8080.
-
The password has been reset, but we cannot get past the server requesting the user name and password to change the other settings. We have not had any problems setting up the printer with the computer and we are able to print and use the printer. We just need to get into the EWS to change other settings. We use Windows 7.
Hi there @Mariko23
Welcome to the forums,
I understand the EWS asks you for a user name and password and you're looking to reset the embedded web server in order to access it.
I suggest trying to restore the default network settings on the device, which should help.
On the printer, select Setup, Network Configuration, Network Defaults, Yes, then restart the printer.
Good luck; I hope this helps.
-
How to separate the application server and web server at the physical server level?
I want to separate the application server and web server: locate them on different hosts. Generally, we use WebLogic. In the future we may use Apache Tomcat as the web server.
Example:
192.168.1.10 - WebLogic application server / EJB module
192.168.1.11 - web server - WebLogic / WEB module (could be Apache Tomcat)
I was unable to find examples and resources about it on Google.
Thank you.
So, if we're looking up a subject such as:
try {
    someEJB = context.lookup("ejb/Videotheek#model.logic.Videotheek");
} catch (NamingException e) {
    e.printStackTrace();
}
If the EJB application is clustered, an object of type ClusterableRemoteRef is returned (e.g. '(-4005477377232786958S:172.31.0.107:[7003,7003,-1,-1,-1,-1,-1]:[8351443287261246917S:172.31.0.107:[7002,7002,-1,-1,-1,-1,-1]:ScriptDomain:VideotheekServer1/292])/289 172.31.0.107:ScriptDomain:VideotheekServer2 - 4005477377232786958S:172.31.0.107:[7003,7003,-1,-1,-1,-1,-1]:172.31.0.107:ScriptDomain:VideotheekServer2/289,-'), which is part of wlfullclient.jar.
You can try using the @EJB or @Resource annotation (not sure whether Tomcat supports it). For annotations to work, you must use servlet version 2.5 or later. JNDI lookups work in general in a servlet container such as Tomcat.