Two parter

Status
Not open for further replies.
Sep 10, 2002
Part 1 - Currently our internal intranet site is sitting on our Exchange server allowing remote access to it. I want to move this on to its own server, but still allow access. I can give the server its own external (193.*.*.*) and internal IP (172.31.*.*), but I need to make sure I get the PIX settings right. I was going for

access-list outside_in permit tcp any host 193.*.*.* eq www

as a first step, but now I'm not so sure. Could anyone help with the correct entries?

Part 2 - Our internal intranet site will be on a Win2K server, what is the best way of making the access as secure as possible?

Thanks for any help.
 
I've had a thought: would this be right?

access-list acl_out permit tcp any host 193.*.*.* eq www

static (inside,outside) 193.*.*.* 172.31.*.* netmask 255.255.255.255 0 0

 
That will work. You can also just add the ports that you want to have statics for. That way it doesn't leave the server totally open in that respect.

static (inside,outside) tcp 193.*.*.* [port#] 172.31.*.* [port#] netmask 255.255.255.255 0 0

and just make the port 80 and/or 443 (a new static for each port)

For max security - you should put these in a DMZ that has very limited access to your internal network and use VPN from the outside. For securing the W2K server - MS has a baseline security tool and a few other tools to help lock down IIS. Turn off all unneeded services and components in IIS. Patch, patch, patch and try that forum. I know they will have much more to say on that topic.

Brent
Systems Engineer / Consultant
CCNP, CCSP
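
An added example, not part of the thread or any poster's own code: a small Python check that reads PIX-style `static` and `access-list` lines and flags one-to-one statics (the "totally open" case mentioned above), permitted ports other than 80/443, and statics and permits that do not match each other. The sample config, its 192.0.2.x and 172.31.0.x addresses, and the finding names are constructed for illustration.

```python
import re

# Constructed sample, not from the thread: 192.0.2.x stands in for the masked
# 193.*.*.* addresses and 172.31.0.x for the inside hosts.
SAMPLE_CONFIG = """\
access-list acl_out permit tcp any host 192.0.2.10 eq www
access-list acl_out permit tcp any host 192.0.2.20 eq www
access-list acl_out permit tcp any host 192.0.2.20 eq 3389
static (inside,outside) 192.0.2.10 172.31.0.10 netmask 255.255.255.255 0 0
static (inside,outside) tcp 192.0.2.20 www 172.31.0.20 www netmask 255.255.255.255 0 0
static (inside,outside) tcp 192.0.2.20 https 172.31.0.20 https netmask 255.255.255.255 0 0
"""

PORT_NAMES = {"www": "80", "https": "443"}   # the PIX shows these ports by name
WEB_PORTS = {"80", "443"}                    # the ports suggested in the reply
ACL_RE = re.compile(r"access-list \S+ permit tcp any host (\S+) eq (\S+)")

def audit(config):
    """Return sorted (global_ip, finding) pairs for a PIX-style config."""
    full_hosts, port_statics, permits = set(), set(), set()
    for line in config.splitlines():
        tok = line.split()
        if len(tok) >= 5 and tok[0] == "static":
            if tok[2] in ("tcp", "udp"):     # port static: proto gip gport lip lport
                port_statics.add((tok[3], PORT_NAMES.get(tok[4], tok[4])))
            else:                            # one-to-one static: gip lip
                full_hosts.add(tok[2])
        m = ACL_RE.match(line.strip())
        if m:
            permits.add((m.group(1), PORT_NAMES.get(m.group(2), m.group(2))))
    findings = []
    for ip in full_hosts:
        # Every port is translated; only the ACL limits what is reachable.
        findings.append((ip, "full-host-static"))
    for ip, port in permits:
        if port not in WEB_PORTS:
            findings.append((ip, "non-web-port:" + port))
        if ip not in full_hosts and (ip, port) not in port_statics:
            findings.append((ip, "permit-without-static:" + port))
    for ip, port in port_statics - permits:
        findings.append((ip, "static-without-permit:" + port))
    return sorted(findings)

if __name__ == "__main__":
    for ip, finding in audit(SAMPLE_CONFIG):
        print(ip, finding)
```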
 