Hosting Multiple Websites on Windows 2003 Server w/ IIS6

  • dzumwalt
  • Newbie
  • Posts: 8

Post 3+ Months Ago

Allow OUTbound requests to DNS, Web and SSL,
Mail (both SMTP and POP), and FTP (both control and data)
The 172.17.0.0 would be your outside interface
access-list (Your ACL) permit udp 172.17.0.0 0.0.255.255 any eq 53
access-list (Your ACL) permit tcp 172.17.0.0 0.0.255.255 any eq 80
access-list (Your ACL) permit tcp 172.17.0.0 0.0.255.255 any eq 443
access-list (Your ACL) permit tcp 172.17.0.0 0.0.255.255 any eq 25
access-list (Your ACL) permit tcp 172.17.0.0 0.0.255.255 any eq 110
access-list (Your ACL) permit tcp 172.17.0.0 0.0.255.255 any eq 21
access-list (Your ACL) permit tcp 172.17.0.0 0.0.255.255 any eq 20
Allow these ports and whatever other ports you have created for your domains on your web server in IIS. Just remember that you have to have your domains using different ports on your server in IIS or it will not work from the start.

  • ATNO/TW
  • Super Moderator
  • Posts: 23456
  • Loc: Woodbridge VA

Post 3+ Months Ago

On my Cisco PIX, I have the following related.

Code: [ Select ]
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol http 80
fixup protocol smtp 25
 
access-list inbound permit tcp any host 24.239.101.13 eq www
access-list inbound permit tcp any interface outside eq https
access-list inbound permit tcp any interface outside eq smtp
access-list inbound permit tcp any interface outside eq pop3
access-list inbound permit tcp any host 24.239.101.13 eq domain
access-list inbound permit udp any host 24.239.101.13 eq domain  (where domain = port 53)
nat (inside) 0 access-list inside_out_nat0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface www 136.146.156.10 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp 136.146.156.10 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pop3 136.146.156.10 pop3 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface https 136.146.156.10 https netmask 255.255.255.255 0 0
static (inside,outside) udp interface domain 136.146.156.10 domain netmask 255.255.255.255 0 0
static (inside,outside) tcp interface domain 136.146.156.10 domain netmask 255.255.255.255 0 0
http server enable
http 136.146.156.0 255.255.255.0 inside

Not sure what port 443 does? Why open that one? Also, as noted, I'm using the Host Headers method, so still not sure why you'd suggest each website be on a different port other than 80.
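As an added check (example code, not from any poster in this thread): a Python script that parses the inbound access-list and static lines from the PIX config above, embedded as a constructed sample, and reports which outside service is forwarded to which inside host, plus any permit with no matching translation and any translation no permit reaches. It only recognises the two line shapes that occur in the post; for reference, `eq https` is TCP 443, the port asked about above.

```python
import re

# Constructed sample: the inbound ACL and static lines copied from the PIX
# config quoted above (the "(where domain = port 53)" remark is dropped).
PIX_CONFIG = """
access-list inbound permit tcp any host 24.239.101.13 eq www
access-list inbound permit tcp any interface outside eq https
access-list inbound permit tcp any interface outside eq smtp
access-list inbound permit tcp any interface outside eq pop3
access-list inbound permit tcp any host 24.239.101.13 eq domain
access-list inbound permit udp any host 24.239.101.13 eq domain
static (inside,outside) tcp interface www 136.146.156.10 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp 136.146.156.10 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pop3 136.146.156.10 pop3 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface https 136.146.156.10 https netmask 255.255.255.255 0 0
static (inside,outside) udp interface domain 136.146.156.10 domain netmask 255.255.255.255 0 0
static (inside,outside) tcp interface domain 136.146.156.10 domain netmask 255.255.255.255 0 0
"""

# Only the two line shapes that occur in the post are recognised.
ACL_RE = re.compile(
    r"^access-list \S+ permit (tcp|udp) any (?:host (\S+)|interface outside) eq (\S+)$")
STATIC_RE = re.compile(
    r"^static \(inside,outside\) (tcp|udp) interface (\S+) (\S+) (\S+) netmask")

def exposure_report(config):
    """Cross-check inbound permits against static PAT translations.
    Returns (forwarded, permit_without_static, static_without_permit); forwarded
    maps (proto, service) -> (ACL destination, inside host, inside service)."""
    permits, statics = {}, {}
    for line in config.strip().splitlines():
        m = ACL_RE.match(line)
        if m:
            permits[(m.group(1), m.group(3))] = m.group(2) or "interface outside"
            continue
        m = STATIC_RE.match(line)
        if m:
            statics[(m.group(1), m.group(2))] = (m.group(3), m.group(4))
    forwarded = {k: (permits[k],) + statics[k] for k in permits if k in statics}
    no_static = sorted(k for k in permits if k not in statics)  # permit hits nothing
    no_permit = sorted(k for k in statics if k not in permits)  # never reachable
    return forwarded, no_static, no_permit

if __name__ == "__main__":
    fwd, no_static, no_permit = exposure_report(PIX_CONFIG)
    for (proto, svc), (dest, host, inside_svc) in sorted(fwd.items()):
        print(f"{proto}/{svc:<6} -> {host} {inside_svc} (ACL dest: {dest})")
    print("permitted but not translated:", no_static)
    print("translated but not permitted:", no_permit)
```

The ACL destination is printed alongside each forwarded service so that permits written to a literal host (24.239.101.13) can be confirmed to be the outside interface address that the `static ... interface` lines translate.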
  • dzumwalt
  • Newbie
  • Posts: 8

Post 3+ Months Ago

The port designated to the domain will be resolved by your server. If you have a separate NIC/IP for each website you can get away with not doing ports. dyfrin must not be very familiar with your public DNS, which is fine because we all learn from each other. The public DNS on your server will resolve your domain name to the proper port that you have selected.
  • dzumwalt
  • Newbie
  • Posts: 8

Post 3+ Months Ago

ATNO/TW wrote:
On my Cisco PIX, I have the following related.

Code: [ Select ]
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol http 80
fixup protocol smtp 25
 
access-list inbound permit tcp any host 24.239.101.13 eq www
access-list inbound permit tcp any interface outside eq https
access-list inbound permit tcp any interface outside eq smtp
access-list inbound permit tcp any interface outside eq pop3
access-list inbound permit tcp any host 24.239.101.13 eq domain
access-list inbound permit udp any host 24.239.101.13 eq domain  (where domain = port 53)
nat (inside) 0 access-list inside_out_nat0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface www 136.146.156.10 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp 136.146.156.10 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pop3 136.146.156.10 pop3 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface https 136.146.156.10 https netmask 255.255.255.255 0 0
static (inside,outside) udp interface domain 136.146.156.10 domain netmask 255.255.255.255 0 0
static (inside,outside) tcp interface domain 136.146.156.10 domain netmask 255.255.255.255 0 0
http server enable
http 136.146.156.0 255.255.255.0 inside

Not sure what port 443 does? Why open that one? Also, as noted, I'm using the Host Headers method, so still not sure why you'd suggest each website be on a different port other than 80.


(If your server is resolving all sites to port 80 on the server then it will not know what site to go to. You can't run multiple sites on the same port.)
  • dzumwalt
  • Newbie
  • Posts: 8

Post 3+ Months Ago

Bypass the firewall (DMZ) and see if your sites work before you do a bunch of configurations to your firewall. This will determine if it is the server or the firewall.
  • ATNO/TW
  • Super Moderator
  • Posts: 23456
  • Loc: Woodbridge VA

Post 3+ Months Ago

dzumwalt wrote:
Bypass the firewall (DMZ) and see if your sites work before you do a bunch of configurations to your firewall. This will determine if it is the server or the firewall.


That will take some effort to find a down time in internal use. Probably have to come in on a Sunday to do that. I'll take into consideration everyone's advice. Still have to absorb what's being advised since this is all new to me.

Thanks guys. Appreciate you taking the time to help.

Post Information

  • Total Posts in this topic: 36 posts
© 1998-2014. Ozzu® is a registered trademark of Unmelted, LLC.