Second web server on the DMZ not visible from outside

Using a PIX 515e.

I have several web servers in the DMZ. The first web server and the mail server are set up with port mapping to the IP address of the PIX outside interface.

The second and third web servers (on the inside interface) are configured with static mappings and access lists.

I can reach the first web server and the mail server fine, but I cannot reach the second or third server.

What have I done wrong?

I suggest you analyse the traffic with the PIX 'capture' command and sniff traffic on the DMZ and outside interfaces.

Check whether packets arrive at the outside interface, whether they reach the web server, and whether there is a response.

For example:

access-list 120 permit ip any host 207.236.60.35
capture vpncap access-list 120 interface outside
show capture vpncap access-list 120 detail

or

https://PIX-IP-address/capture/vpncap[/pcap]

To remove the capture:

no capture vpncap

Sincerely,

Patrick
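
An added example, not code from this thread or from Cisco: a small Python audit of the static/access-list pairing that usually explains this symptom. It parses the relevant PIX 6.x lines and reports a static whose mapped address has no permit on the outside ACL, an ACL entry that names the real DMZ address instead of the mapped one, and an access-group bound to an undefined list; the configuration it runs on is constructed for the example (with a port static for the first server, as in the question), not the poster's own.

```python
"""Audit PIX 6.x config lines for the static/ACL mismatches that typically
leave a second DMZ server unreachable although static and access-list
lines exist. Checks, against the ACL bound to the outside interface:
  1. the mapped (global) address of every static to 'outside' has a permit
     (a port static on 'interface' resolves to the outside interface IP)
  2. the ACL does not name a static's real (DMZ) address, since PIX 6.x
     matches inbound traffic on the mapped address, not the real one
  3. every access-group points at an access-list that is defined
"""
import ipaddress
import re
from collections import defaultdict

STATIC_RE = re.compile(
    r"^static \((?P<real_if>\w+),(?P<mapped_if>\w+)\) (?:(?P<proto>tcp|udp) )?"
    r"(?P<mapped>\S+) (?(proto)(?P<mport>\S+) )(?P<real>\S+)")
ACL_RE = re.compile(
    r"^access-list (?P<name>\S+) (?P<action>permit|deny) (?P<proto>\S+) (?P<rest>.+)$")
GROUP_RE = re.compile(r"^access-group (?P<name>\S+) in interface (?P<iface>\w+)$")
IFADDR_RE = re.compile(r"^ip address (?P<iface>\w+) (?P<addr>\d+\.\d+\.\d+\.\d+) ")


def _parse_addr(tokens):
    """Consume one ACL address spec ('any', 'host A.B.C.D' or 'NET MASK')
    and return the remaining tokens together with an ip_network."""
    if tokens[0] == "any":
        return tokens[1:], ipaddress.ip_network("0.0.0.0/0")
    if tokens[0] == "host":
        return tokens[2:], ipaddress.ip_network(tokens[1] + "/32")
    return tokens[2:], ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False)


def parse_config(text):
    """Return (statics, acls, access_groups, interface_addrs) from config text."""
    statics, acls, groups, ifaddrs = [], defaultdict(list), {}, {}
    for line in text.splitlines():
        line = line.strip()
        if m := STATIC_RE.match(line):
            statics.append(m.groupdict())
        elif m := ACL_RE.match(line):
            rest, src = _parse_addr(m["rest"].split())
            rest, dst = _parse_addr(rest)
            acls[m["name"]].append({"action": m["action"], "src": src, "dst": dst})
        elif m := GROUP_RE.match(line):
            groups[m["iface"]] = m["name"]
        elif m := IFADDR_RE.match(line):
            ifaddrs[m["iface"]] = m["addr"]
    return statics, acls, groups, ifaddrs


def audit(text):
    """Return a list of findings (strings); an empty list means nothing found."""
    statics, acls, groups, ifaddrs = parse_config(text)
    findings = []
    for iface, name in groups.items():
        if name not in acls:
            findings.append(f"access-group on {iface} references undefined access-list {name}")
    outside_acl = acls.get(groups.get("outside"), [])
    for s in statics:
        if s["mapped_if"] != "outside":
            continue  # only exposure towards the outside interface is audited
        mapped_txt = ifaddrs.get("outside") if s["mapped"] == "interface" else s["mapped"]
        if mapped_txt is None:
            findings.append(f"static for {s['real']} uses 'interface' but no outside IP is set")
            continue
        mapped, real = ipaddress.ip_address(mapped_txt), ipaddress.ip_address(s["real"])
        if not any(e["action"] == "permit" and mapped in e["dst"] for e in outside_acl):
            findings.append(f"{real} is mapped to {mapped} but the outside ACL has no "
                            f"permit for {mapped}")
        if any(e["dst"].prefixlen == 32 and real in e["dst"] for e in outside_acl):
            findings.append(f"outside ACL names real address {real}; PIX 6.x matches "
                            f"inbound traffic on the mapped address {mapped}")
    return findings


# Constructed sample (not the poster's config): a port static for the first
# server, then two address statics whose ACL entries are wrong or missing.
SAMPLE_CONFIG = """
ip address outside 203.0.113.1 255.255.255.0
access-list acl_out permit tcp any host 203.0.113.1 eq www
access-list acl_out permit tcp any host 10.1.1.28 eq www
access-group acl_out in interface outside
static (dmz,outside) tcp interface www 10.1.1.27 www netmask 255.255.255.255 0 0
static (dmz,outside) 203.0.113.11 10.1.1.28 netmask 255.255.255.255 0 0
static (dmz,outside) 203.0.113.12 10.1.1.29 netmask 255.255.255.255 0 0
"""
```

Running audit(SAMPLE_CONFIG) reports three findings: the second server's ACL entry names the real address and its mapped address has no permit, and the third server's mapped address has no permit at all.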

Tags: Cisco Security

Similar Questions

  • Cannot access the web server in the DMZ from the inside using the global IP

    Hi all

    I hope it's a very simple question.

    I'm running a PIX 515 firewall v6.3. I set up a web server in my DMZ and use static NAT to map it to a global static IP address. Access from the outside to the DMZ works remarkably well. I can access the web site from the inside interface using the internal IP, but I can't access it from the inside interface using the global IP assigned to it.

    Is there a particular reason why this would not be allowed? My feeling was that the request would be forwarded via the external interface (as it is a global IP address) and then be bounced back by my ISP, so that the request would come back in on the external interface (as the static NAT is applied to the external interface).

    However, if I try to access the global IP from my inside interface, the browser cannot find the server.

    Can someone explain why this is so? Any information would be appreciated.

    Cheers,

    Wayne

    ---------------------------------

    PIX Version 6.3(3)
    interface ethernet0 100full
    interface ethernet1 100full
    interface ethernet2 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    nameif ethernet2 dmz security50
    hostname helmsdeep
    domain-name p2h.com.sg
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol ils 389
    no fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    no fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    access-list acl_out permit tcp any host 203.169.113.110 eq www
    access-list 90 permit tcp host 10.1.1.27 any
    pager lines 24
    logging buffered debugging
    mtu outside 1500
    mtu inside 1500
    mtu dmz 1500
    ip address outside pppoe setroute
    ip address inside 192.168.1.1 255.255.255.0
    ip address dmz 10.1.1.1 255.255.255.0
    no failover
    failover timeout 0:00:00
    failover poll 15
    no failover ip address outside
    no failover ip address inside
    no failover ip address dmz
    pdm location 202.164.169.42 255.255.255.255 inside
    pdm location 202.164.169.42 255.255.255.255 dmz
    pdm location 10.1.1.26 255.255.255.255 dmz
    pdm location 10.1.1.26 255.255.255.255 outside
    pdm location 172.16.16.20 255.255.255.255 outside
    pdm location 192.168.1.222 255.255.255.255 inside
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    global (dmz) 1 10.1.1.101-10.1.1.125
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    nat (dmz) 0 access-list 90
    nat (dmz) 1 0.0.0.0 0.0.0.0 0 0
    static (dmz,outside) 203.169.113.110 10.1.1.27 netmask 255.255.255.255 0 0
    access-group acl_out in interface outside
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    http server enable
    http 192.168.1.222 255.255.255.255 inside
    floodguard enable
    fragment chain 1
    console timeout 0
    terminal width 80

    PIX 6.x code or earlier doesn't let traffic go "back" out, or return, via the same interface on which it was received. Also, bouncing your traffic off an external server is never a good idea, because you won't be able to distinguish it from rogue attacks by someone outside your network spoofing addresses.

    Since you are using PIX 6.3 code, you may be able to use outside NAT. Add this static to your config:

    static (dmz,inside) 203.169.113.110 10.1.1.27 netmask 255.255.255.255 0 0

    You may need to run a clear xlate after adding the new static statement. Note the interface order: it's (dmz,inside), not (inside,dmz).

    Let me know if it works.

  • PIX with hub-and-spoke VPN, DMZ hosting a web server at the hub

    Ok.

    Here's a problem which I think would be quite common for those even remotely conscious of security. Unfortunately, my knowledge of the PIX (as well as other Cisco devices) is still in the 'growth' phase.

    So, here's the problem. I have a WAN put in place with PIXen and SonicWalls; we are set up essentially in a hub-and-spoke design (fine, ok, it is partially meshed). We recently decided to pull the trigger on getting a 'real' web site and everything went relatively well getting it up and rolling (even with my 3-day notice/deadline), but here's the problem: I set up the web server on the DMZ of the hub PIX, and I figured out (the easy part) how to set things up so that people in the home office can connect to the web server using the internal address, but I don't know what to do for people in remote offices with VPN connections home. I tried defining static routes, I tried adding the DMZ to the VPN trigger, I tried doing both of those together, and I checked that I have rules allowing traffic from the VPN outside the DMZ to the inside. So, what else can I do?

    I have no problem configuring a PIX for all the basic setups and VPN; even at this stage I can do most of it through the CLI (even if I still prefer to do more through the PDM). My biggest stumbling block on the PIX so far has been when I actually involve this pesky DMZ...

    I actually have two PIX in my office, and two for my home networks (one for my place in the States and one for my place in Japan), so if you can help me, I'll solve both problems and not forget to give an excellent rating!

    So I guess that leaves me at the place where I scream...

    Help!

    and I humbly await your comments.

    The current PIX configuration should look something like this:

    access-list 101 permit ip <inside-net> <remote-net>
    access-list 110 permit ip <inside-net> <remote-net>
    global (outside) 1 interface
    nat (inside) 0 access-list 101
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    sysopt connection permit-ipsec
    crypto ipsec transform-set superset esp-3des esp-md5-hmac
    crypto map myvpn 10 ipsec-isakmp
    crypto map myvpn 10 match address 110
    crypto map myvpn 10 set peer <peer-ip>
    crypto map myvpn 10 set transform-set superset
    crypto map myvpn interface outside
    isakmp enable outside
    isakmp key <pre-shared-key> address <peer-ip> netmask 255.255.255.255
    isakmp identity address
    isakmp nat-traversal 20
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption 3des
    isakmp policy 10 hash md5
    isakmp policy 10 group 2
    isakmp policy 10 lifetime 86400

    Now, to add the DMZ on top of the existing VPN, add the following to the PIX (and apply the same concept on the remote end device):

    access-list 102 permit ip <dmz-net> <remote-net>
    access-list 110 permit ip <dmz-net> <remote-net>
    nat (dmz) 0 access-list 102

  • DMZ web server -> inside database server

    Suppose a network topology looks like this:

    A PIX with 3 interfaces:

    inside interface (private static IP 10.10.10.1)

    outside interface (public static IP 69.110.38.35)

    dmz interface (private static IP 30.30.30.1)

    --------------------------------------------

    The internal network has a {server} with the IP address 10.10.10.2.

    The DMZ has a {web server} with the IP address 30.30.30.2.

    I want to allow external users (outside) to access the web server (30.30.30.2) via port 80.

    This web server in turn accesses the database server (10.10.10.2).

    Assume that all other commands have been issued. Then I'll create an access list that allows the DMZ web server to communicate with the inside database server:

    access-list dmz-to-inside permit tcp host 30.30.30.2 host 10.10.10.2 eq 1521

    Should I issue the following too:

    (1) access-list dmz permit tcp host 30.30.30.2 any eq 80

    (2) access-group dmz in interface dmz

    (3) static (inside,dmz) 10.10.10.0 10.10.10.0 netmask 255.255.255.0

    (4) clear xlate

    If so, what does each of them do?

    Thank you for helping.

    Scott

    1. Yes, the static statement "static (inside,dmz) 10.10.10.0 10.10.10.0 netmask 255.255.255.0" will disable NAT. Although it is not necessary to disable NAT, it saves money and is simpler to manage. The reason for this is that the traffic between the DMZ and inside is private, so there is no need to apply a public IP address.

    2. The PIX receives the packet from 10.10.10.2 intended for 30.30.30.2. The PIX examines the static statement and, based on the static statement above, will not NAT the packet (i.e. the PIX will leave the source address alone) and sends it to 30.30.30.2 via the DMZ interface.

    For example:

    original packet - source 10.10.10.2, destination 30.30.30.2

    after the PIX - source 10.10.10.2, destination 30.30.30.2

    3. The "clear xlate" command must be issued whenever a nat/global or static has been added/deleted/modified. This command forces the PIX to clear the existing IP translations.

    For example, before you add the command "static (inside,outside) 1.1.1.1 192.168.1.100 netmask 255.255.255.255", the PIX may already have a translation for 192.168.1.100 (it might come from nat/global). Now, after you apply the static command, the PIX will keep the existing translation for a certain period of time. 'clear xlate' is needed to erase the old translation and so activate the new static statement.

  • PHP form script is missing from the web server or PHP is not properly configured on your web hosting provider

    PHP form script is missing from the web server or PHP is not properly configured on your web hosting provider. Help - I get this message on my site when the form is filled out and you press send... Check if the form PHP script has been uploaded correctly, or contact your host about the configuration of PHP.

    Hi Graham,

    If you could, please add your site to this link ( http://my-site.com/scripts/form_check.php ) and make sure that all green checkmarks appear. If they don't, let us know what errors you receive and include the link to your site.

    In addition, check out this guide on the Muse forums: Troubleshooting Muse form widgets used on third-party servers

    I hope this helps!

    Emily

  • Cannot start web server in the executable

    Hello

    We have a problem with a web server: we cannot get it to initialize using property nodes or the ini file in a compiled executable.

    As part of our application, we start the web server to publish a status page to be read remotely. This works very well when we run in the development environment and also when we run an executable on a PC with the development environment installed; however, it will not start on a PC with just the runtime installed.

    I have attached some code that functionally does exactly the same thing as our main application. I used this as my test code and built it into an exe while trying a lot of different things to fix it.

    When executing:

    • The code sits in the while loop until I press stop.
    • Web server: Active Server = FALSE
    • Error out = no error

    In the full application the while loop waits a few seconds before throwing an error if the server has not started. In this example, I can let the loop run for a while without leaving it. Normally, the start-up time is <50ms when

    This is the ini file for the executable:

    [WebTest]
    server.app.propertiesEnabled = True
    Server.OLE.Enabled = True
    server.tcp.serviceName = "My Computer/VI Server"
    server.vi.propertiesEnabled = True
    WebServer.Enabled = True
    WebServer.TcpAccess = "+*"
    WebServer.ViAccess = "+*"
    DebugServerEnabled = False
    DebugServerWaitOnLaunch = False

    And this is the web server configuration file:

    ErrorLog "$LVSERVER_ROOT/logs/error.log"
    LogLevel 3
    ServerName default
    DocumentRoot "$LVSERVER_ROOT/../../www"
    Listen 8000
    ThreadLimit 10
    TypesConfig "$LVSERVER_ROOT/mime.types"
    DirectoryIndex index.html
    LoadModulePath "$LVSERVER_ROOT/modules" "$LVSERVER_ROOT/LVModules" "$LVSERVER_ROOT/.."
    LoadModule LVAuth lvauthmodule
    LoadModule LVSnapshot lvsnapshotmodule
    LoadModule LVRFP lvrfpmodule
    LoadModule dir libdirModule
    LoadModule copy libcopyModule

    AddHandler LVAuthHandler
    AddHandler LVSnapshotHandler .snap
    AddHandler LVRFPHandler

    AddHandler dirHandler
    AddHandler copyHandler

    CustomLog "$LVSERVER_ROOT/logs/access.log" "%h %u %t \"%r\" %>s %b"
    KeepAlive on
    KeepAliveTimeout 60
    Timeout 60

    As a side note, can anyone tell me where the $LVSERVER_ROOT variable is configured?

    Things I have tried:

    • Copying a new default configuration file before initialization
    • Writing a predefined (hard-coded) config file before initializing
    • Setting the root directory before initializing (it actually generates an error because the server is not active...)
    • Setting WebServer.Active = TRUE several times inside the while loop
    • Toggling the web server in the ini file

    System:

    • LabVIEW 2010
    • PC running Windows 7

    Thanks for any help, because it is slowly driving me crazy!

    Ben

    Hi Marco, thanks for the reply.

    I had reviewed this guide previously and had done everything in it, but a small section gave me a hint of something to try and I have solved my problem, so thank you!

    If anyone is interested, here's the problem:

    The folder in the DocumentRoot directive in the config must exist or the web server cannot be started. So basically, make sure that the file points to a folder that exists!

    This leaves two small annoying problems though - you can't check whether the folder exists (and then create it) before starting the web server, because you cannot query the folder path without the web server running.

    AND

    You can't really define the configuration file programmatically, as the parameters from the file are loaded at execution, not on web server start.

    The result of this is that the config file and the document root folder should be created (and matching, of course...) when the executable is built / installed on the system. Not a massive headache, but it means remembering to put things in the build specification and not relying on the software to do the job at startup.

  • Is it possible to put a SQL server on the DMZ

    Hi all

    I would like to ask about a PIX deployment. Is it possible to put a SQL server on the DMZ (or on one of the 5 interfaces other than the inside interface) and simply define a NAT to allow inside users access to the DMZ, without allowing outside users access to the SQL server? We intend to put a SQL server on a DMZ such that unauthorized internal users will not be able to know the actual address of the SQL Server.

    Are there problems which should be considered in this deployment?

    Thanks in advance,

    udimpas

    Hi Udimpas,

    Yes, your scenario is possible. You can put the SQL Server on the DMZ network and allow access to inside users. At the same time, you can also block access from the outside.

    Let's say your SQL server IP address is 192.168.1.10 and your inside LAN is 10.1.1.0/24. You can do the following:

    nat (inside) 0 access-list sheep

    access-list sheep permit ip 10.1.1.0 255.255.255.0 host 192.168.1.10

    By doing this, you do not NAT any traffic from your inside to the SQL server. In case you have defined access lists on your inside interface, you must open port 1433:

    access-list inside permit udp 10.1.1.0 255.255.255.0 host 192.168.1.10 eq 1433

    You should not add the ACL above if you have no restrictions from the inside as of now.

    I hope this helps... all the best...

    REDA

  • Web server options for installing APEX on Oracle Database 10g

    Hello. We are installing APEX on a test server that runs the Oracle 10g 10.2.0.4.0 database. As I understand it there are two web server options:

    (1) Oracle HTTP Server (Apache)
    (2) Oracle Application Express Listener

    Do both of these work for Oracle Database 10g 10.2.0.4.0? I thought I remembered reading somewhere that the Oracle Application Express Listener only works with database version 11 or higher.

    Do both of these work for Oracle Database 10g 10.2.0.4.0?

    Yes.

    I thought I remembered reading somewhere that the Oracle Application Express Listener only works with database version 11 or higher.

    No, the only restriction (apart from 10g XE) applies to the third web server option that you have not mentioned: the Embedded PL/SQL Gateway (EPG), as discussed in your previous thread: {thread:id=2201975}.

    Requirements for the APEX Listener

    {forum:id=858}

  • Best way to lock down a security server in the DMZ

    Hello

    Are there best practices or recommendations from VMware for locking down a Security Server in the DMZ?

    Any suggestions are welcome.

    THX,

    -sf

    There is a View Security Server hardening guide referenced here - http://communities.vmware.com/thread/300885

    Mark

  • Copying files from a web server to a VMFS datastore

    Hi everyone, I'm having a little trouble working this out.

    I have a file on a web server http://webserver/important.txt and I want to copy this file to a local datastore. I am able to copy the file from the web server to the server I'm running PowerCLI on, and then to the datastore, but I can't work out how to copy it directly.

    Any ideas?

    As far as I know, Copy-DatastoreItem cannot handle this. The cmdlet requires a path for the Item parameter.

    You will need to first create a local file and then copy it to the datastore.

  • Where to put XSDs on the local (HTTP) web server so that they are visible?

    Currently I'm statically importing XSD schema files from my HDD into projects.

    However, I would prefer to put these XSD files on the local (HTTP) web server, so that I can refer to them dynamically with an http://... address.

    How (where / in which directory) do I have to put the XSD schema files on the local Oracle server so that I can call them via http://127.0.0.1/ resp. http://localhost/...

    Peter

    It is also common to put the XSD files in $ORACLE_HOME/bpel/system/xmllib

    They are then available as http://HOST:PORT/orabpel/xmllib/XYZ.xsd.

    I recommend you create your own folder in this directory. These are served up by OC4J, not purely by Apache, however.

  • Web server on a DMZ and Active Directory

    This is a question that is part philosophical, part technical.

    If I have a new Win2k3 web server that I put on my DMZ, is it stupid to allow it to join my AD domain by opening the appropriate ports for communication between the inside interface and the DMZ interface?

    Or does that simply go against smart firewalling? Can an attacker cross from the outside intf to the DMZ to the inside intf?

    If it's a wise thing to do, how to do it? I guess just open the ports that MS uses, such as 135, 137, 139 (NetBIOS) and 445 (have I forgotten any?). Am I missing something?

    Thanks for any advice, technical or philosophical.

    Marc

    I would without doubt put it inside. In this era of viruses, worms, spyware, p2p software, etc., your users' applications are often (in general not as malicious, but) just as dangerous as the outside world. Using a DMZ for MS products is darn near impossible, unless it is limited filtering (blocking user access to SNMP, terminal services and other fixed management ports) in a default-permit posture (rather than the general firewall practice of default deny and selectively permit).

    Because of the need for a relatively open relationship between MS clients and servers, I have a pretty aggressive policy of hardening, patching and antivirus.

    If you try to put it in your DMZ, you have to determine how your internal users would access it. If they are accessing the http interface as well, that's good (some applications have both web interfaces and binary client packages that use different, sometimes dynamic, ports). You could then selectively allow access to the SQL IP address for the AD servers only, and open a ton of things. Yet there is the risk that if this box were compromised, it could be a conduit to other hosts. Because this kind of MS thing is such a puzzle in the DMZ, I generally recommend people think about hardening the servers instead of trying to force the DMZ square piece into a round hole.

    For IIS, look at the IISLockdown utility, which is an add-on on Win2k/NT4 and may be included out of the box on Win2k3. It is menu-driven and can help you disable stuff you don't need. Hacking Exposed Win2k is a great book to pick up. NSA.gov has security guidelines for most of the MSFT server products.

  • Setting up a web server behind the WRT300N

    I'm trying to set up a web server behind a WRT300N. I followed the Linksys article at the bottom of this post to the letter, but it still does not work. I have a Comcast cable modem connected to the WRT300N, and then I have my web server connected to the internet wirelessly through the WRT300N. I assigned a static IP address to my web server (192.168.1.2), and I also set up the router to forward port 80 to the web server (XP Pro). However, when I type the public IP address in a web browser, it can't find my server. I know that the web server works because I see my home page when I type http://localhost in the local web browser. Any ideas? What am I missing? http://www3.nohold.NET/noHoldCust56/Prod_6/KnowledgePortal/KPScripts/amsviewer.asp?docid=e86f4f1c3a98416abc78586d4f544132_KB3699_EN_070208_v1.XML&amsstatsid=4666791

    Hello

    Have you tried accessing your public IP from someone else's PC, i.e. one that is not on your own network?

    I had / have a problem trying to access one of my friends' unless I use someone else's internet connection. Otherwise I could only access the web interface of my modem.

    dRdoS7

    PS. Don't know why this is the case; others may have an idea.

    EDIT: What port no. do you use? Do you do it like this:

    'http://my_public_ip:access_port'?

    Sorry, read your message again; try another port number such as 8080.

  • Printer Officejet Pro 8620: How to reset the Embedded Web Server (built-in web server) on the Officejet Pro 8620 printer?

    The password has been reset, but we cannot get past the server requesting the user name and password to change the other settings. We have not had any problems setting up the printer with the computer and we are able to print and use the printer. We just need to get into the EWS to change other settings. We use Windows 7.

    Hi there @Mariko23

    Welcome to the forums,

    I understand the EWS requests a user name and password and you're looking to reset the embedded web server so that you can access it.

    I suggest trying to restore the default network settings on the device, which should help you.

    On the printer, select Setup, Network Setup, Restore Network Defaults, Yes, then restart the printer.

    Good luck, I hope this helps

  • How to separate the application server and web server at the physical server level?

    I want to separate the application server and web server: locate them on different hosts. Generally we use WebLogic. In the future we may use Apache Tomcat as the web server.
    Example:
    192.168.1.10 - WebLogic as application server / EJB module
    192.168.1.11 - WebLogic as web server / WEB module (could be Apache Tomcat)

    I could not find examples or resources about it on Google.
    Thank you.

    So, if we're looking up an object such as:

    try {
        someEJB = context.lookup("ejb/Videotheek#model.logic.Videotheek");
    } catch (NamingException e) {
        e.printStackTrace();
    }

    If the EJB application is clustered, an object of type ClusterableRemoteRef ('(-4005477377232786958S: 172.31.0.107: [7003,7003,-1,-1,-1,-1,-1]: [8351443287261246917S:172.31.0.107:[7002,7002,-1,-1,-1,-1,-1]:ScriptDomain:VideotheekServer1/292])/289 172.31.0.107:ScriptDomain:VideotheekServer2 - 4005477377232786958S:172.31.0.107:[7003,7003,-1,-1,-1,-1,-1]:172.31.0.107:ScriptDomain:VideotheekServer2/289,-') is returned, which is part of the wlfullclient.jar.

    You can try using the @EJB or @Resource annotation (not sure whether Tomcat supports it). For annotations to work, you must use servlet version 2.5 or later. JNDI lookups work in general in a servlet container such as Tomcat.
