Solved

Adding an internal IP to Cisco ASA 5505

Posted on 2013-10-26
7
493 Views
Last Modified: 2013-10-31
Hello,

I need to add another domain to my server, and I need it to be behind the firewall.
I currently host 3 domains on my server and have separate IP addresses for each.
Is it possible to add another internal IP (i.e. 10.0.0.4) to the firewall WITHOUT requesting an additional (4th) IP address for the server?

When I try to add a static NAT rule for another internal IP (10.0.0.4) and specify an existing IP address, it gives me a warning that I'm not really ADDING a new rule, but simply modifying an existing one, which leads me to believe I will break an existing domain while trying to add the new one.

Please advise.
0
Comment
Question by:chaseivey
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 2
7 Comments
 

Author Comment

by:chaseivey
ID: 39602926
BTW, here are the instructions I was given to add internal IP addresses for domain hosting:

http://support.godaddy.com/help/article/6365/adding-ip-addresses-to-your-servers-cisco-asa-5505-firewall-traditional?locale=en

I don't know much about firewalls AT ALL (just know I need one), so I'm following these instructions without really thinking.  I saw on a forum somewhere that a DYNAMIC NAT rule may be what I need (as opposed to static), but again...I'm so afraid to break something that I don't want to play around with it without proper instruction, mainly because I have 3 domains in production currently on the server.

ANY and ALL help concerning this matter is appreciated.  I will be happy to give more clarity if needed.  Thanks.
0
 

Author Comment

by:chaseivey
ID: 39602935
When I follow the above instructions, I get this error:

This operation will modify the Static NAT rule.  The modified Static NAT rule cannot be configured, as it overlaps with following existing rules
0
 
LVL 7

Expert Comment

by:HalldorG
ID: 39603660
If this is for https the answer is NO.  You need one ip address for each https host.
If you are not running https you can just use host headers to control which url gets which web page.
0
Efficient way to get backups off site to Azure

This user guide provides instructions on how to deploy and configure both a StoneFly Scale Out NAS Enterprise Cloud Drive virtual machine and Veeam Cloud Connect in the Microsoft Azure Cloud.

 

Author Comment

by:chaseivey
ID: 39604069
I will be using https, as this domain will be for e-commerce.
So then, just to be clear:  I DO need to request an additional IP for this?
0
 
LVL 7

Assisted Solution

by:HalldorG
HalldorG earned 250 total points
ID: 39604099
Yes one ip address per https server
0
 
LVL 20

Accepted Solution

by:
Daniel McAllister earned 250 total points
ID: 39605346
If you stop and think about what you're asking the router to do, the answer becomes obvious.

For outbound connections, you ask the router to contact a remote host "out there" in the Internet, and to forward the response back to you. By using pseudo-random port numbers, this is accomplished rather easily.

But for inbound connections, you ask the router to take in inbound connection and just forward it to one of your servers. This can only be done if you have PRE-DEFINED what to do with connections on specific ports. But the router doesn't know anything about any of these protocols (it's not a proxy, just a NAT server) -- so the port number (and IP address) is really all it has to go on.

So assuming you have only 1 server, you can port forward all of the ports for all of the services you want to provide to Internet hosts -- like your web server, your database server, your DNS server, your mail server, etc....

But if you have MORE THAN ONE web server, you're going beyond the capability of the router to know what web server the request is for.... remember, all it has is an IP address and a port number (80 or 443)...

So, to have a supplemental web server on your LAN, you need an additional WAN IP to differentiate between the actual servers (one WAN IP will forward to one server, the other to the other server)... and you CAN have failover (with most routers).

HOWEVER, if you differentiate your servers:
 - one web server
 - different email server
 - different database server
 - and so on...

Then you can STILL have just 1 IP, and all of these servers -- because each one uses different ports, so the definitions for which server belongs to which port number can still be deterministic. Its really only when you're adding a second server for the same service (OK, same port number) that you need to have a separate WAN IP....

I hope this explanation helps...

Dan
IT4SOHO
0
 

Author Closing Comment

by:chaseivey
ID: 39615362
Thank you
0

Featured Post

Free Tool: Postgres Monitoring System

A PHP and Perl based system to collect and display usage statistics from PostgreSQL databases.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

From Cisco ASA version 8.3, the Network Address Translation (NAT) configuration has been completely redesigned and it may be helpful to have the syntax configuration for both at a glance. You may as well want to read official Cisco published AS…
Many of the companies I’ve worked with have embraced cloud solutions due to their desire to “get out of the datacenter business.” The ability to achieve better security and availability, and the speed with which they are able to deploy, is far grea…
Connecting to an Amazon Linux EC2 Instance from Windows Using PuTTY.
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…

730 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question