Solved: Multiple Global IPs, Multiple Domains, Single Local IP that hosts multiple webservers

polofalltrades · ‎03-08-2010

Hi all,

Good day to the Cisco Support Community AKA Netpro . I am not so sure where to post my question because it spans of two major topics. One is webhosting and the other one is NAT-ing. You see we have a problem, currently, we have a Pix 515E provided as a service unit because our local reseller failed to deliver the 5510 on time due to shipment issues. The current PIX firewall is running the ASA version software. I just can't remember the exact Software version, but definitely it is 7.x.

Our company has a local, single serverbox which hosts multiple webservers and domains and it is running on IIS. We have multiple Public IP addresses and multiple domains. Prevously, we have our Endian Firewall to do this task of NAT-ing that single LAN IP address on the server, to multiple Public IPs and domains, using of course, the same port 80 to establish http connections. I guess it would be clearer if it goes on like this.

192.168.100.5 ---> (NAT via UTM) ---> Public IP 1:80 www.sample1.com

192.168.100.5 ---> (NAT via UTM) ---> Public IP 2:80 www.sample2.com

192.168.100.5 ---> (NAT via UTM) ---> Public IP 3:80 www.sample3.com

For example, I'll go to www.sample1.com, It'll translate my query to Public IP 1 requesting http of the local server. Then I'll go to www.sample2.com, It'll translate my query to Public IP 2 requesting http again of the local server. The rest follows suit.

As I understand, what I am trying to do is a reverse of how PAT works, translating a single local IP address to multiple Public IP addresses.

Now, is there a way to achieve this using a PIX/ASA Firewall? Because with my simple understanding of how to configure the PIX/ASA, this is not possible. I am only aware of how to configure NAT on a PIX/ASA Firewall using multiple servers to a public IP, PAT, or use a simple NAT 1:1 map using different ports. Help would definitely be appreciated. I am very well confident that if Endian Firewalls can do such, then Cisco can do it better. Thanks in advance guys!

KARUPPUCHAMY MALAIYANDI · ‎03-08-2010

HI...

Ha..Ha..Ha.

Yes.. cisco can give a solution for your requirement.

Step by Step Configuration

1.Configure ACL

policy_nat_web1 and policy_nat_web2 are two access-lists that match the source address we want to translate on. Two access-lists are required, though they can be exactly the same.

access-list policy_nat_web1 extended permit ip host 192.168.100.50 any

access-list policy_nat_web2 extended permit ip host 192.168.100.50 any

2.write the acl for your all public IPs to allow HTTP access from internet

access-list inbound_outside extended permit tcp any host  eq www
access-list inbound_outside extended permit tcp any host  eq www
access-list inbound_outside extended permit tcp any host  eq www


3.configure NAT

static (inside,outside)   access-list policy_nat_web1
static (inside,outside)   access-list policy_nat_web2


4.Apply the ACL

access-group inbound_outside in interface outside

Hope it will help u.

Regards
Karuppu

View solution in original post

KARUPPUCHAMY MALAIYANDI · ‎03-08-2010