Solved

Adding an internal IP to Cisco ASA 5505

Posted on 2013-10-26
7
487 Views
Last Modified: 2013-10-31
Hello,

I need to add another domain to my server, and I need it to be behind the firewall.
I currently host 3 domains on my server and have separate IP addresses for each.
Is it possible to add another internal IP (i.e. 10.0.0.4) to the firewall WITHOUT requesting an additional (4th) IP address for the server?

When I try to add a static NAT rule for another internal IP (10.0.0.4) and specify an existing IP address, it gives me a warning that I'm not really ADDING a new rule, but simply modifying an existing one, which leads me to believe I will break an existing domain while trying to add the new one.

Please advise.
0
Comment
Question by:chaseivey
  • 4
  • 2
7 Comments
 

Author Comment

by:chaseivey
ID: 39602926
BTW, here are the instructions I was given to add internal IP addresses for domain hosting:

http://support.godaddy.com/help/article/6365/adding-ip-addresses-to-your-servers-cisco-asa-5505-firewall-traditional?locale=en

I don't know much about firewalls AT ALL (just know I need one), so I'm following these instructions without really thinking.  I saw on a forum somewhere that a DYNAMIC NAT rule may be what I need (as opposed to static), but again...I'm so afraid to break something that I don't want to play around with it without proper instruction, mainly because I have 3 domains in production currently on the server.

ANY and ALL help concerning this matter is appreciated.  I will be happy to give more clarity if needed.  Thanks.
0
 

Author Comment

by:chaseivey
ID: 39602935
When I follow the above instructions, I get this error:

This operation will modify the Static NAT rule.  The modified Static NAT rule cannot be configured, as it overlaps with following existing rules
0
 
LVL 7

Expert Comment

by:HalldorG
ID: 39603660
If this is for https the answer is NO.  You need one ip address for each https host.
If you are not running https you can just use host headers to control which url gets which web page.
0
PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

 

Author Comment

by:chaseivey
ID: 39604069
I will be using https, as this domain will be for e-commerce.
So then, just to be clear:  I DO need to request an additional IP for this?
0
 
LVL 7

Assisted Solution

by:HalldorG
HalldorG earned 250 total points
ID: 39604099
Yes one ip address per https server
0
 
LVL 20

Accepted Solution

by:
Daniel McAllister earned 250 total points
ID: 39605346
If you stop and think about what you're asking the router to do, the answer becomes obvious.

For outbound connections, you ask the router to contact a remote host "out there" in the Internet, and to forward the response back to you. By using pseudo-random port numbers, this is accomplished rather easily.

But for inbound connections, you ask the router to take in inbound connection and just forward it to one of your servers. This can only be done if you have PRE-DEFINED what to do with connections on specific ports. But the router doesn't know anything about any of these protocols (it's not a proxy, just a NAT server) -- so the port number (and IP address) is really all it has to go on.

So assuming you have only 1 server, you can port forward all of the ports for all of the services you want to provide to Internet hosts -- like your web server, your database server, your DNS server, your mail server, etc....

But if you have MORE THAN ONE web server, you're going beyond the capability of the router to know what web server the request is for.... remember, all it has is an IP address and a port number (80 or 443)...

So, to have a supplemental web server on your LAN, you need an additional WAN IP to differentiate between the actual servers (one WAN IP will forward to one server, the other to the other server)... and you CAN have failover (with most routers).

HOWEVER, if you differentiate your servers:
 - one web server
 - different email server
 - different database server
 - and so on...

Then you can STILL have just 1 IP, and all of these servers -- because each one uses different ports, so the definitions for which server belongs to which port number can still be deterministic. Its really only when you're adding a second server for the same service (OK, same port number) that you need to have a separate WAN IP....

I hope this explanation helps...

Dan
IT4SOHO
0
 

Author Closing Comment

by:chaseivey
ID: 39615362
Thank you
0

Featured Post

What is SQL Server and how does it work?

The purpose of this paper is to provide you background on SQL Server. It’s your self-study guide for learning fundamentals. It includes both the history of SQL and its technical basics. Concepts and definitions will form the solid foundation of your future DBA expertise.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

I recently attended Cisco Live! in Las Vegas, a conference that boasted over 28,000 techies in attendance, and a week of hands-on learning hosted by a solid partner with which Concerto goes to market.  Every year, Cisco displays cutting-edge technol…
Use of TCL script on Cisco devices:  - create file and merge it with running configuration to apply configuration changes
Learn several ways to interact with files and get file information from the bash shell. ls lists the contents of a directory: Using the -a flag displays hidden files: Using the -l flag formats the output in a long list: The file command gives us mor…
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.

932 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

15 Experts available now in Live!

Get 1:1 Help Now