Port Forwarding to 2 internal Web Servers - Could be a Problem? 2


mRgEE

IS-IT--Management
Oct 13, 2003
Further to just getting my Pix working in the DMZ to manage all port forwarding, I think I have encountered a problem that it looks unlikely the Pix is able to handle.

My setup is as follows:

Internet > (public ip address)Router(NAT enabled - ip 10.0.0.254) > DMZ / Pix (10.0.0.253) > Services (http 10.0.0.5 / https 10.0.0.1 & 10.0.0.17 / smtp 10.0.0.20).

I have 2 separate internal web servers running https sites (webserver 1 = 10.0.0.1, webserver 2 = 10.0.0.17).

My goal is to port forward https traffic to both of these internal webservers. Can anyone confirm if this scenario is possible? Looking at the documentation so far it looks as if I can only forward traffic to one internal ip address and that URL forwarding is not an available feature on the Pix 501. Can anyone confirm this? It is not an available option to change the port number the SSL traffic uses on one of the servers. I need both servers to be accessible on Port 443.

Now I do have one spare public IP address available but I cannot see how I can utilise this for one of the web servers as they are both using internal ip addresses 10.0.0.0/8.

Any ideas? I know that ISA server is capable of URL forwarding and I may ditch my pix if I cannot get this to work:(
 
Unfortunately, it isn't possible without a second IP if you want to forward the same port. It is not a pix shortcoming, it is a tcp/ip reality. Whatever device you use would have to guess at which destination you want. How would it know who to forward to? It is not the internal destination that is the problem, it is what the external user types into the browser bar.

You can if you choose to use a different port.
So if you had
externalIP:port443 to InternalIP#1:port443
and
externalIP:port4343 to InternalIP#2:port443
The downside is that you have to have your users connect using
A way around it is to have a web front page that has links to the pages on the other servers that have the port embedded in the URL. That way they don't have to remember the port stuff, just click the link and off they go.



Brent
Systems Engineer / Consultant
CCNP, CCSP
 
What you need is a simple load balancer. The load balancer will have a virtual IP, and that is the one the PIX would forward traffic to. The load balancer will decide which server to forward traffic to using the private IPs.


Hope that helps
 
The load balancer only works if they are serving the same content.


Brent
Systems Engineer / Consultant
CCNP, CCSP
 
You are absolutely right. If he wants to set up multiple sites on different servers, he can always forward everything to one server and then use it as a proxy for incoming port 80 traffic.
 
I looked at my last post and realised I can actually come up with a better answer; it's amazing what a few hours of sleep can do for your brain.

We can still use a load balancer: as load balancer software can look at layer 3 and upward, one can create rules that are based on the URL and not just the destination IP.

Let's say we have two domains, "abc.com" and "123.com", and we want them on two different servers. We can use the load balancer to look at the URL of the incoming traffic and, based on that, we can set up rules that send traffic for abc.com to server A and traffic for 123.com to server B.

Hope that makes it clearer
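Added example, not from this thread or from any product mentioned in it. It illustrates two points the replies above make: a device that only sees IP and port has nothing to choose between the two servers (the "tcp/ip reality"), and a layer-7 device can choose by hostname. For HTTPS the URL itself is encrypted, so a front-end device can only route on the name if it either terminates TLS or reads the Server Name Indication (SNI) extension that modern browsers send in the clear in the TLS ClientHello (SNI post-dates this 2003 thread, so this goes beyond what the posters had available). The script parses a ClientHello, pulls out the SNI name, and maps it onto the two internal servers from the original post; the routing table, the sample domains and the constructed ClientHello bytes are all assumptions for the example.

```python
"""Route one public IP:443 to two internal HTTPS servers by TLS SNI.

Added example: parses the server_name extension of a TLS ClientHello
and picks a backend. Routing table and test input are constructed.
"""
import struct

# Assumed routing table: the thread's example domains mapped onto the
# two internal web servers from the original post.
BACKENDS = {
    "abc.com": ("10.0.0.1", 443),   # webserver 1
    "123.com": ("10.0.0.17", 443),  # webserver 2
}


def extract_sni(client_hello: bytes):
    """Return the lowercased SNI host from a TLS ClientHello, or None.

    Returns None for anything that is not a well-formed ClientHello with
    a server_name extension, which is exactly the case where a front-end
    device has nothing to route on.
    """
    # TLS record header: content type (0x16 = handshake), version, length
    if len(client_hello) < 5 or client_hello[0] != 0x16:
        return None
    rec_len = struct.unpack("!H", client_hello[3:5])[0]
    body = client_hello[5:5 + rec_len]
    # Handshake header: msg type (0x01 = ClientHello), 3-byte length
    if len(body) < 4 or body[0] != 0x01:
        return None
    hs_len = int.from_bytes(body[1:4], "big")
    hs = body[4:4 + hs_len]
    pos = 2 + 32                         # skip client_version + random
    if pos >= len(hs):
        return None
    pos += 1 + hs[pos]                   # session_id (1-byte length)
    if pos + 2 > len(hs):
        return None
    pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]   # cipher_suites
    if pos >= len(hs):
        return None
    pos += 1 + hs[pos]                   # compression_methods
    if pos + 2 > len(hs):
        return None
    ext_total = struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_total
    if end > len(hs):
        return None
    while pos + 4 <= end:                # walk the extension list
        ext_type, ext_len = struct.unpack("!HH", hs[pos:pos + 4])
        pos += 4
        ext = hs[pos:pos + ext_len]
        pos += ext_len
        if ext_type == 0x0000:           # server_name extension
            # server_name_list length (2), then name_type (1), length (2), name
            if len(ext) < 5 or ext[2] != 0:  # 0 = host_name
                return None
            name_len = struct.unpack("!H", ext[3:5])[0]
            return ext[5:5 + name_len].decode("ascii", "replace").lower()
    return None


def choose_backend(first_bytes: bytes):
    """Pick (ip, port) for a new connection, or None when there is no basis."""
    return BACKENDS.get(extract_sni(first_bytes))


def build_client_hello(server_name: str) -> bytes:
    """Constructed minimal TLS 1.2 ClientHello carrying only an SNI extension."""
    name = server_name.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name        # host_name entry
    sni_list = struct.pack("!H", len(entry)) + entry
    ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list
    body = (b"\x03\x03" + bytes(32)                 # version + all-zero random
            + b"\x00"                               # empty session_id
            + struct.pack("!H", 2) + b"\xc0\x2f"    # one cipher suite
            + b"\x01\x00"                           # null compression
            + struct.pack("!H", len(ext)) + ext)    # extensions
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


if __name__ == "__main__":
    for host in ("abc.com", "123.com", "other.example"):
        print(host, "->", choose_backend(build_client_hello(host)))
    # A client that sends no SNI (or non-TLS bytes) cannot be routed by name.
    print("no-sni ->", choose_backend(b"GET / HTTP/1.1\r\n"))
```

Unknown or missing names return None rather than a default backend; a real front end would close that connection, since sending it to a guessed server is precisely the problem the second reply describes. Everything here happens before any decryption, which is what lets a layer-7 proxy pass the stream through unchanged to whichever internal server holds the right certificate.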
 
Thanks for the replies :)

The load balancer is a great idea but I also have a copy of ISA server which I know will also be able to perform this function so I may just use that. If I do use the ISA then the pix is pretty much useless :( and one of the reasons I got the Pix was to learn how to configure them and become much more familiar with them.

Now rather I may have to learn ISA instead.
Come on, give me reasons why I should keep the Pix. :/
 
I agree with horus42 on that. I don't want a windows box as a perimeter (with Checkpoint as the exception). Hardened purpose-built devices are better at their job and more secure than multi-task boxes. You can do
Internet > pix > ISA


Brent
Systems Engineer / Consultant
CCNP, CCSP
 