ALIAS for internal web server

Status
Not open for further replies.

psolis

MIS
Feb 28, 2002
47
US
I have a web server on the dmz and can access it by its domain name from outside our building and from any computer also on the dmz but not from computers on the inside interface. What is the alias command that allows the users on, let's say, the 10.123.123.0 network access to the webserver on the 172.16.1.0 network (the dmz) by typing the domain name into their browser?
 
Never used the alias command, so here's a good link!


It seems (from what I've read) that if you want to access the web server on the DMZ from the inside network you can use the following command syntax ..

alias (inside) <local_IP_on_DMZ> <global_IP> 255.255.255.255

You will also need to make sure that you have NAT set up for the DMZ, something like ..

nat (inside) 1 0.0.0.0 0.0.0.0 (NAT the internal network)
global (dmz) 1 interface (use the DMZ interface address)

Test connectivity by accessing the web server using the local IP address. When you are sure that you have connectivity apply the alias command. When a local client on the inside network connects to the web address, the client will do a DNS lookup. The global IP will be returned by the DNS server and will be returned to the client. When the client on the inside tries to connect to the global IP, the PIX does the translation to the local IP of the server on the DMZ. It's called Destination NAT (dnat).

Hope this helps!!

Chris.
************************
Chris Andrew, CCNA
chrisac@gmx.co.uk
************************
 
I went to cisco's website earlier and found the exact command - you were right on the money. It worked great. I was wondering what your opinion was of a good way to secure that webserver on the dmz because right now I just have a static route and anybody who knows the real world ip can get on - also - when on that dmz, could someone hop over to the inside network or is it secure - I know that I can't ping the inside network from the dmz.
 
Regarding securing the web server, the firewall should do that! It will ensure that only port 80 is allowed to it from whatever IP ranges you have allowed in the access-list or conduit (usually "any")! If it's a web server then anyone can get its global IP address from any DNS server! That's the general aim with a web server! Advertise its IP and allow anyone to connect! If you want to allow only specific people or networks then apply access-lists to allow only those networks or hosts!

If people get onto the web server on the DMZ, they shouldn't have any access to your inside network! The DMZ will have a lower security level than the inside network so no connections will be allowed unless you specifically allow them!

Chris.
************************
Chris Andrew, CCNA
chrisac@gmx.co.uk
************************
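Putting the alias, NAT and access-list advice from the two replies above together in one PIX 6.x fragment, as an added example that is not from the thread or from Cisco. The addresses are constructed (inside network 10.123.123.0/24 as in the question, DMZ web server 172.16.1.10, public address 203.0.113.10 from the documentation range) and the interface names and security levels are assumed.

```cisco
: Added example, not posted in this thread. Constructed addresses:
:   inside network 10.123.123.0/24, DMZ web server 172.16.1.10,
:   its public (global) address 203.0.113.10 (documentation range).
: Lines beginning with ":" are comments in a PIX 6.x configuration.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
:
: 1. Publish the DMZ server to the outside under its global address.
static (dmz,outside) 203.0.113.10 172.16.1.10 netmask 255.255.255.255 0 0
:
: 2. Only TCP/80 to that one host is let in; the implicit deny at the end
:    of the list drops everything else arriving on the outside interface.
access-list outside_in permit tcp any host 203.0.113.10 eq www
access-group outside_in in interface outside
:
: To restrict the web server to one partner network instead of "any",
: replace the permit line above with a line like this (constructed range):
: access-list outside_in permit tcp 198.51.100.0 255.255.255.0 host 203.0.113.10 eq www
:
: 3. Inside hosts are translated when they go out or into the DMZ;
:    PAT to the interface address is used for both.
nat (inside) 1 10.123.123.0 255.255.255.0 0 0
global (outside) 1 interface
global (dmz) 1 interface
:
: 4. DNS doctoring (destination NAT): when a DNS reply carrying 203.0.113.10
:    crosses from the outside to an inside client, the PIX rewrites it to
:    172.16.1.10, so the browser connects to the DMZ address directly.
:    Real (DMZ) address first, global address second.
alias (inside) 172.16.1.10 203.0.113.10 255.255.255.255
```

The alias rewrite only happens when the DNS reply actually passes through the PIX, i.e. when inside clients use a DNS server on the outside; an inside DNS server that hands out the global address is not touched. Traffic from the DMZ toward the inside is still blocked by the security levels unless a static and access-list explicitly permit it.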
 
Do attackers find ways around that? DMZ -> inside?
 
It's not all that easy! The PIX is quite a secure firewall, but no firewall can guarantee 100% security! They just make it as difficult as possible for attackers and as secure (but useable) as possible for network managers!!

Chris.
************************
Chris Andrew, CCNA
chrisac@gmx.co.uk
************************
 