  1. #1

    Having troubles with HW Firewall CISCO PIX 501 With Cpanel/WHM

    I am providing web hosting to people, and recently I installed a Cisco PIX 501 in another server. But I am having trouble with NAT.

    I am using the firewall like this (by NAT):

    Server - Firewall - PUBLIC
    Private_IP-Firewall-Public_IP or Public_IP_A-Firewall-Public_IP_B

    This makes trouble with cPanel/WHM. I have to edit the DNS files every time I create an account with a domain. I don't know what to do. Is there any way I can use the firewall like

    Public_IP_A-Firewall-Public_IP_A ?

    Or are there any suggestions for using cPanel/WHM with a Cisco PIX 501 firewall?

  2. #2
    Ohhhh boy, you're in for a bumpy ride, but hold on because it's worth it... I've been dealing with exactly the same problem for some time now, and I just managed to resolve it a couple of days ago and get everything working as it should.

    First, you should be using private IP addresses on the inside (something like 10.0.0.x/24, or whatever you choose). Then you just put static NAT entries in your PIX that translate each server's public IP address to its internal address. Don't forget to open up whatever you need open in ACLs (only using the EXTERNAL IP address; you don't need to use the internal IP on the "outside" interface).

    Next, go to your cPanel box and remove ALL PUBLIC IPs!!! Only use the internal IP addresses. If you're like me, you'll have to go through and reassign IP addresses to your accounts on the cPanel box so they are using the internal ones. When it's all said and done, you should be able to grep in your zone file directory and not have any external IP addresses, and look in your httpd.conf and see no external IPs (to do this, `cd` into your zone file dir and type `grep -R 216 *`, where one of your IPs starts with 216... of course, change it to whatever your external IPs are). If you see any zones that still have external IPs, you must change them to the appropriate translated internal IP address.

    So, at this point, you should be able to use dig (or nslookup) directly at your cPanel box and query it for a domain that's hosted on it and have the internal IP address returned, even from outside your network. Obviously, you can't leave it like that, so here is the magic workaround.

    In the PIX, there is a weird command called "alias". You can use this to tell the PIX to translate IP addresses in DNS responses... yeah, I know... it's really weird. Here's the documentation on it: http://www.cisco.com/en/US/products/...html#wp1083304

    So, to translate your DNS responses, you'll need to do both of the following (assuming your inside interface is called "inside" and outside called "outside"):

    alias (outside) 5.5.5.1 10.0.0.1 255.255.255.255

    alias (inside) 10.0.0.1 5.5.5.1 255.255.255.255

    So, this does two things: the first command changes any DNS response that comes THROUGH the firewall from the outside with the IP 5.5.5.1 to the internal IP of 10.0.0.1. Also, the second command does the same in the opposite direction.

    Now with this in place, you should be able to use dig (or nslookup) and get the external IP from outside the firewall, but hit the server directly from inside your network and get the internal IP (since that's what's really in the zone).

    I'm afraid that I didn't do too great of a job at being very clear about how to get this working, but it does work. If you want to chat on IM, just PM me and I'll help you out. It really does work...really...

    -Chris

  3. #3
    Wouldn't it be a lot simpler to just get a different firewall? A Netscreen 25 or something like that...

  4. #4
    papi: The problem isn't with the firewall... in fact, we're lucky the PIX even does what it does... the problem is with cPanel not being aware of it really having two different IP addresses for each IP (one internal, and the real public one).... so getting something like a Netscreen would most likely make matters worse...

    -Chris

  5. #5
    Err, somehow I don't think hardware firewalls are that much of a pain in the *** to set up. I've never heard of anyone going through so much crap to install a hardware firewall in their rack and having any problems with cPanel boxes behind it...

  6. #6
    Again, the problem isn't with the firewall, it's cPanel (actually, it's the way cPanel sets up the virtual hosts and DNS zones... it needs to use the public IP addresses for DNS, but the private IPs for the virtual host configuration, and as I said it isn't aware of both).

    What I have posted above is just a workaround.

    -Chris
    Last edited by 6PS-Chris; 06-30-2005 at 10:14 AM.

  7. #7
    Hmm, I didn't know about the alias command. I do the DNS translations all in one step on one of the networks I manage with the following syntax:

    static (inside,OUTSIDE) PUBLIC.IP PRIVATE.IP dns

    This assigns a static NAT translation plus does the DNS rewrites for you. The 'dns' at the end is important. Of course, this is on a PIX 515E so it may be different.

    Thanks,

    Steven
    Steven Eppler
    Eppler Software Hosting
    Fast, Reliable, Affordable
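    As an added illustration (not code from this thread or from Cisco), here is the rewrite that Chris's `alias` pair and Steven's `static ... dns` both ask the PIX to perform: parse a DNS reply leaving the cPanel box and swap A-record addresses according to the NAT table. The 10.0.0.1 / 5.5.5.1 pair is taken from post #2; the reply packet is constructed inline, and passing the inverted table models the inside-direction alias.

```python
import struct
import ipaddress

# NAT mapping from Chris's post: inside 10.0.0.1 is published outside as 5.5.5.1.
INSIDE_TO_OUTSIDE = {"10.0.0.1": "5.5.5.1"}


def skip_name(pkt, off):
    """Return the offset just past a DNS name, honouring compression pointers."""
    while True:
        length = pkt[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:   # 2-byte pointer terminates the name
            return off + 2
        off += 1 + length


def doctor_dns_response(pkt, mapping):
    """Rewrite A-record RDATA in the answer section per `mapping` (inside -> outside).

    Models what the PIX does for a reply crossing to the outside: the zone holds
    the private address, the outside client must see the public one. Only type A
    (1), class IN (1) records with 4-byte RDATA are touched; all else is copied.
    """
    buf = bytearray(pkt)
    _id, _flags, qd, an, _ns, _ar = struct.unpack("!6H", buf[:12])
    off = 12
    for _ in range(qd):                  # skip the question section
        off = skip_name(buf, off) + 4    # QTYPE + QCLASS
    for _ in range(an):
        off = skip_name(buf, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addr = str(ipaddress.IPv4Address(bytes(buf[off:off + 4])))
            if addr in mapping:
                buf[off:off + 4] = ipaddress.IPv4Address(mapping[addr]).packed
        off += rdlen
    return bytes(buf)


def build_response(name, addr):
    """Constructed sample reply with one A record, as the cPanel box would answer."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\0"
    header = struct.pack("!6H", 0x1234, 0x8180, 1, 1, 0, 0)
    question = qname + struct.pack("!HH", 1, 1)
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + ipaddress.IPv4Address(addr).packed
    return header + question + rr
```

    Records of other types (MX, NS, CNAME) pass through unchanged, which is why the zone itself still has to be consistent before the rewrite helps.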

  8. #8
    Interesting... does it do it both ways? So if you make a DNS request from inside, it rewrites it to the internal IP if the response contains the public IP?

    -Chris

  9. #9
    Internal requests get handled by your internal DNS server, so it naturally gets the internal addresses. External requests must pass through the firewall, so they get modified with the correct external addresses.

  10. #10
    We don't have central DNS servers internally... I see how that would work, though... thanks for sharing that.

    -Chris

  11. #11
    Wouldn't the best solution just be to dump the local IP addresses? Get an extra public IP for the firewall and then just route the servers' IP addresses through the firewall?

  12. #12
    Why are you using NAT?
    Can't you put public IPs behind the firewall and have the required ports open?
    Blacknight
