Solved

Adding an internal IP to Cisco ASA 5505

Posted on 2013-10-26
7
484 Views
Last Modified: 2013-10-31
Hello,

I need to add another domain to my server, and I need it to be behind the firewall.
I currently host 3 domains on my server and have separate IP addresses for each.
Is it possible to add another internal IP (i.e. 10.0.0.4) to the firewall WITHOUT requesting an additional (4th) IP address for the server?

When I try to add a static NAT rule for another internal IP (10.0.0.4) and specify an existing IP address, it gives me a warning that I'm not really ADDING a new rule, but simply modifying an existing one, which leads me to believe I will break an existing domain while trying to add the new one.

Please advise.
0
Comment
Question by:chaseivey
  • 4
  • 2
7 Comments
 

Author Comment

by:chaseivey
ID: 39602926
BTW, here are the instructions I was given to add internal IP addresses for domain hosting:

http://support.godaddy.com/help/article/6365/adding-ip-addresses-to-your-servers-cisco-asa-5505-firewall-traditional?locale=en

I don't know much about firewalls AT ALL (just know I need one), so I'm following these instructions without really thinking.  I saw on a forum somewhere that a DYNAMIC NAT rule may be what I need (as opposed to static), but again...I'm so afraid to break something that I don't want to play around with it without proper instruction, mainly because I have 3 domains in production currently on the server.

ANY and ALL help concerning this matter is appreciated.  I will be happy to give more clarity if needed.  Thanks.
0
 

Author Comment

by:chaseivey
ID: 39602935
When I follow the above instructions, I get this error:

This operation will modify the Static NAT rule.  The modified Static NAT rule cannot be configured, as it overlaps with following existing rules
0
 
LVL 7

Expert Comment

by:HalldorG
ID: 39603660
If this is for https the answer is NO.  You need one ip address for each https host.
If you are not running https you can just use host headers to control which url gets which web page.
0
What Should I Do With This Threat Intelligence?

Are you wondering if you actually need threat intelligence? The answer is yes. We explain the basics for creating useful threat intelligence.

 

Author Comment

by:chaseivey
ID: 39604069
I will be using https, as this domain will be for e-commerce.
So then, just to be clear:  I DO need to request an additional IP for this?
0
 
LVL 7

Assisted Solution

by:HalldorG
HalldorG earned 250 total points
ID: 39604099
Yes one ip address per https server
0
 
LVL 20

Accepted Solution

by:
Daniel McAllister earned 250 total points
ID: 39605346
If you stop and think about what you're asking the router to do, the answer becomes obvious.

For outbound connections, you ask the router to contact a remote host "out there" in the Internet, and to forward the response back to you. By using pseudo-random port numbers, this is accomplished rather easily.

But for inbound connections, you ask the router to take in inbound connection and just forward it to one of your servers. This can only be done if you have PRE-DEFINED what to do with connections on specific ports. But the router doesn't know anything about any of these protocols (it's not a proxy, just a NAT server) -- so the port number (and IP address) is really all it has to go on.

So assuming you have only 1 server, you can port forward all of the ports for all of the services you want to provide to Internet hosts -- like your web server, your database server, your DNS server, your mail server, etc....

But if you have MORE THAN ONE web server, you're going beyond the capability of the router to know what web server the request is for.... remember, all it has is an IP address and a port number (80 or 443)...

So, to have a supplemental web server on your LAN, you need an additional WAN IP to differentiate between the actual servers (one WAN IP will forward to one server, the other to the other server)... and you CAN have failover (with most routers).

HOWEVER, if you differentiate your servers:
 - one web server
 - different email server
 - different database server
 - and so on...

Then you can STILL have just 1 IP, and all of these servers -- because each one uses different ports, so the definitions for which server belongs to which port number can still be deterministic. Its really only when you're adding a second server for the same service (OK, same port number) that you need to have a separate WAN IP....

I hope this explanation helps...

Dan
IT4SOHO
0
 

Author Closing Comment

by:chaseivey
ID: 39615362
Thank you
0

Featured Post

Do You Know the 4 Main Threat Actor Types?

Do you know the main threat actor types? Most attackers fall into one of four categories, each with their own favored tactics, techniques, and procedures.

Join & Write a Comment

If you have an ASA5510 then this sort of thing would be better handled with a CSC Module, however on an ASA5505 thats not an option, and if you want to throw in a quick solution to stop your staff going to facebook during work time, then this is the…
This article offers some helpful and general tips for safe browsing and online shopping. It offers simple and manageable procedures that help to ensure the safety of one's personal information and the security of any devices.
Learn several ways to interact with files and get file information from the bash shell. ls lists the contents of a directory: Using the -a flag displays hidden files: Using the -l flag formats the output in a long list: The file command gives us mor…
Learn how to navigate the file tree with the shell. Use pwd to print the current working directory: Use ls to list a directory's contents: Use cd to change to a new directory: Use wildcards instead of typing out long directory names: Use ../ to move…

746 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now