Solved

Adding an internal IP to Cisco ASA 5505

Posted on 2013-10-26
7
495 Views
Last Modified: 2013-10-31
Hello,

I need to add another domain to my server, and I need it to be behind the firewall.
I currently host 3 domains on my server and have separate IP addresses for each.
Is it possible to add another internal IP (i.e. 10.0.0.4) to the firewall WITHOUT requesting an additional (4th) IP address for the server?

When I try to add a static NAT rule for another internal IP (10.0.0.4) and specify an existing IP address, it gives me a warning that I'm not really ADDING a new rule, but simply modifying an existing one, which leads me to believe I will break an existing domain while trying to add the new one.

Please advise.
0
Comment
Question by:chaseivey
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 2
7 Comments
 

Author Comment

by:chaseivey
ID: 39602926
BTW, here are the instructions I was given to add internal IP addresses for domain hosting:

http://support.godaddy.com/help/article/6365/adding-ip-addresses-to-your-servers-cisco-asa-5505-firewall-traditional?locale=en

I don't know much about firewalls AT ALL (just know I need one), so I'm following these instructions without really thinking.  I saw on a forum somewhere that a DYNAMIC NAT rule may be what I need (as opposed to static), but again...I'm so afraid to break something that I don't want to play around with it without proper instruction, mainly because I have 3 domains in production currently on the server.

ANY and ALL help concerning this matter is appreciated.  I will be happy to give more clarity if needed.  Thanks.
0
 

Author Comment

by:chaseivey
ID: 39602935
When I follow the above instructions, I get this error:

This operation will modify the Static NAT rule.  The modified Static NAT rule cannot be configured, as it overlaps with following existing rules
0
 
LVL 7

Expert Comment

by:HalldorG
ID: 39603660
If this is for https the answer is NO.  You need one ip address for each https host.
If you are not running https you can just use host headers to control which url gets which web page.
0
Retailers - Is your network secure?

With the prevalence of social media & networking tools, for retailers, reputation is critical. Have you considered the impact your network security could have in your customer's experience? Learn more in our Retail Security Resource Kit Today!

 

Author Comment

by:chaseivey
ID: 39604069
I will be using https, as this domain will be for e-commerce.
So then, just to be clear:  I DO need to request an additional IP for this?
0
 
LVL 7

Assisted Solution

by:HalldorG
HalldorG earned 250 total points
ID: 39604099
Yes one ip address per https server
0
 
LVL 20

Accepted Solution

by:
Daniel McAllister earned 250 total points
ID: 39605346
If you stop and think about what you're asking the router to do, the answer becomes obvious.

For outbound connections, you ask the router to contact a remote host "out there" in the Internet, and to forward the response back to you. By using pseudo-random port numbers, this is accomplished rather easily.

But for inbound connections, you ask the router to take in inbound connection and just forward it to one of your servers. This can only be done if you have PRE-DEFINED what to do with connections on specific ports. But the router doesn't know anything about any of these protocols (it's not a proxy, just a NAT server) -- so the port number (and IP address) is really all it has to go on.

So assuming you have only 1 server, you can port forward all of the ports for all of the services you want to provide to Internet hosts -- like your web server, your database server, your DNS server, your mail server, etc....

But if you have MORE THAN ONE web server, you're going beyond the capability of the router to know what web server the request is for.... remember, all it has is an IP address and a port number (80 or 443)...

So, to have a supplemental web server on your LAN, you need an additional WAN IP to differentiate between the actual servers (one WAN IP will forward to one server, the other to the other server)... and you CAN have failover (with most routers).

HOWEVER, if you differentiate your servers:
 - one web server
 - different email server
 - different database server
 - and so on...

Then you can STILL have just 1 IP, and all of these servers -- because each one uses different ports, so the definitions for which server belongs to which port number can still be deterministic. Its really only when you're adding a second server for the same service (OK, same port number) that you need to have a separate WAN IP....

I hope this explanation helps...

Dan
IT4SOHO
0
 

Author Closing Comment

by:chaseivey
ID: 39615362
Thank you
0

Featured Post

Windows Server 2016: All you need to know

Learn about Hyper-V features that increase functionality and usability of Microsoft Windows Server 2016. Also, throughout this eBook, you’ll find some basic PowerShell examples that will help you leverage the scripts in your environments!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

There’s a movement in Information Technology (IT), and while it’s hard to define, it is gaining momentum. Some call it “stream-lined IT;” others call it “thin-model IT.”
You deserve ‘straight talk’ from your cloud provider about your risk, your costs, security, uptime and the processes that are in place to protect your mission-critical applications.
Learn several ways to interact with files and get file information from the bash shell. ls lists the contents of a directory: Using the -a flag displays hidden files: Using the -l flag formats the output in a long list: The file command gives us mor…
Learn how to find files with the shell using the find and locate commands. Use locate to find a needle in a haystack.: With locate, check if the file still exists.: Use find to get the actual location of the file.:

689 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question