Solved

Adding an internal IP to Cisco ASA 5505

Posted on 2013-10-26
Last Modified: 2013-10-31
Hello,

I need to add another domain to my server, and I need it to be behind the firewall.
I currently host 3 domains on my server and have separate IP addresses for each.
Is it possible to add another internal IP (i.e. 10.0.0.4) to the firewall WITHOUT requesting an additional (4th) IP address for the server?

When I try to add a static NAT rule for another internal IP (10.0.0.4) and specify an existing IP address, it gives me a warning that I'm not really ADDING a new rule, but simply modifying an existing one, which leads me to believe I will break an existing domain while trying to add the new one.

Please advise.
Question by:chaseivey

Author Comment

by:chaseivey
ID: 39602926
BTW, here are the instructions I was given to add internal IP addresses for domain hosting:

http://support.godaddy.com/help/article/6365/adding-ip-addresses-to-your-servers-cisco-asa-5505-firewall-traditional?locale=en

I don't know much about firewalls AT ALL (just know I need one), so I'm following these instructions without really thinking.  I saw on a forum somewhere that a DYNAMIC NAT rule may be what I need (as opposed to static), but again...I'm so afraid to break something that I don't want to play around with it without proper instruction, mainly because I have 3 domains in production currently on the server.

ANY and ALL help concerning this matter is appreciated.  I will be happy to give more clarity if needed.  Thanks.

Author Comment

by:chaseivey
ID: 39602935
When I follow the above instructions, I get this error:

This operation will modify the Static NAT rule.  The modified Static NAT rule cannot be configured, as it overlaps with following existing rules

Expert Comment

by:HalldorG
ID: 39603660
If this is for https, the answer is NO.  You need one ip address for each https host.
If you are not running https you can just use host headers to control which url gets which web page.
Author Comment

by:chaseivey
ID: 39604069
I will be using https, as this domain will be for e-commerce.
So then, just to be clear:  I DO need to request an additional IP for this?

Assisted Solution

by:HalldorG
HalldorG earned 1000 total points
ID: 39604099
Yes, one ip address per https server.

Accepted Solution

by:Daniel McAllister
Daniel McAllister earned 1000 total points
ID: 39605346
If you stop and think about what you're asking the router to do, the answer becomes obvious.

For outbound connections, you ask the router to contact a remote host "out there" in the Internet, and to forward the response back to you. By using pseudo-random port numbers, this is accomplished rather easily.

But for inbound connections, you ask the router to take an inbound connection and just forward it to one of your servers. This can only be done if you have PRE-DEFINED what to do with connections on specific ports. But the router doesn't know anything about any of these protocols (it's not a proxy, just a NAT server) -- so the port number (and IP address) is really all it has to go on.

So assuming you have only 1 server, you can port forward all of the ports for all of the services you want to provide to Internet hosts -- like your web server, your database server, your DNS server, your mail server, etc....

But if you have MORE THAN ONE web server, you're going beyond the capability of the router to know what web server the request is for.... remember, all it has is an IP address and a port number (80 or 443)...

So, to have a supplemental web server on your LAN, you need an additional WAN IP to differentiate between the actual servers (one WAN IP will forward to one server, the other to the other server)... and you CAN have failover (with most routers).

HOWEVER, if you differentiate your servers:
 - one web server
 - different email server
 - different database server
 - and so on...

Then you can STILL have just 1 IP, and all of these servers -- because each one uses different ports, so the definitions for which server belongs to which port number can still be deterministic. It's really only when you're adding a second server for the same service (OK, same port number) that you need to have a separate WAN IP....

I hope this explanation helps...

Dan
IT4SOHO
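To make the reasoning in the accepted answer concrete, here is an added Python model (not Cisco's code, not the firewall's real configuration, and not part of the original thread) of the inbound lookup a NAT device performs: the only facts it has for an inbound packet are the WAN IP, protocol and destination port, so two rules claiming the same tuple overlap, which is the situation behind the "overlaps with following existing rules" warning quoted above. The WAN addresses 203.0.113.10/.11 are constructed documentation-range values; the inside hosts mirror the question's 10.0.0.x scheme.

```python
from typing import Optional, List, Tuple
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    wan_ip: str
    proto: str               # "tcp"/"udp"; unused for whole-address NAT
    wan_port: Optional[int]  # None = whole-address static NAT (every port)
    inside_ip: str

class InboundNat:
    """Inbound lookup key is (WAN IP, proto, port); it must pick one server."""
    def __init__(self) -> None:
        self.rules: List[Rule] = []

    @staticmethod
    def overlaps(a: Rule, b: Rule) -> bool:
        if a.wan_ip != b.wan_ip:
            return False
        if a.wan_port is None or b.wan_port is None:
            return True  # whole-address NAT already claims every port
        return a.proto == b.proto and a.wan_port == b.wan_port

    def add(self, rule: Rule) -> None:
        """Refuse any rule that would make the inbound lookup ambiguous."""
        for existing in self.rules:
            if self.overlaps(existing, rule):
                raise ValueError(f"{rule} overlaps existing {existing}")
        self.rules.append(rule)

    def forward(self, wan_ip: str, proto: str, port: int) -> Optional[str]:
        # Inside IP an inbound packet is forwarded to, or None (dropped).
        for r in self.rules:
            if r.wan_ip != wan_ip:
                continue
            if r.wan_port is None or (r.proto == proto and r.wan_port == port):
                return r.inside_ip
        return None

def fourth_site_scenario() -> Tuple[bool, Optional[str]]:
    """Constructed scenario: one WAN IP already serving HTTPS from 10.0.0.2."""
    nat = InboundNat()
    nat.add(Rule("203.0.113.10", "tcp", 443, "10.0.0.2"))
    nat.add(Rule("203.0.113.10", "tcp", 25, "10.0.0.3"))   # other service: fine
    try:
        nat.add(Rule("203.0.113.10", "tcp", 443, "10.0.0.4"))  # second HTTPS host
        same_ip_ok = True
    except ValueError:
        same_ip_ok = False
    nat.add(Rule("203.0.113.11", "tcp", 443, "10.0.0.4"))  # needs a 2nd WAN IP
    return same_ip_ok, nat.forward("203.0.113.11", "tcp", 443)
```

`fourth_site_scenario()` returns `(False, "10.0.0.4")`: a mail server on the same WAN IP is accepted because it uses a different port, a second HTTPS server is rejected as an overlap, and only the additional WAN IP lets the fourth site be forwarded deterministically.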

Author Closing Comment

by:chaseivey
ID: 39615362
Thank you