cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2801
Views
5
Helpful
9
Replies

How does the ASA handle Host Headers for a webserver

Steven Williams
Level 4
Level 4

If I have an IIS webserver with multiple private IP address, and a site assigned to each of these private IPs. I have defined all internal private IPs in the ASA and now I want to map 1 public IP to all sites on these different private IP's but need to use port 80, is this possible?                  

1 Accepted Solution

Accepted Solutions

Jouni is right (+5). Common web servers (including IIS and Apache) can redirect an incoming HTTP request matching based on the URL string. So you can have as many DNS names mapping to the same public IP address as you like and get the web server itself to route the request to the correct site. In IIS this is done with URL_Rewrite.

The attached link may assist.

http://weblogs.asp.net/owscott/archive/2010/01/26/iis-url-rewrite-hosting-multiple-domains-under-one-site.aspx

HTH

Barry Hesk

Intrinsic Network Solutions

View solution in original post

9 Replies 9

Jouni Forss
VIP Alumni
VIP Alumni

Hi,

Well you wont be able to forward the port TCP/80 with a single public IP address to multiple internal hosts.

The ASA doesnt have anything to differentiate to which host it should forward the connection coming to the single public IP address on the destination port TCP/80.

In the older software 8.2 and earlier the ASA wont even let you configure something like this. It will accept the first Static PAT (Port Forward) configuation but will reject the second one if there is overlap. On the newer softwares the ASA might let you configure it but it still wont work. The first configured Static PAT would work but the next rule would never be hit by traffic.

The only way with ASA would probably be having a different public/mapped TCP port for each server while the local port at the server could still be TCP/80.

- Jouni

So this is not possible?? What if I only have 5 public IP addresses and I need 10 websites? How can I do this?

Hi,

Not so familiar with the server side but I would imagine that your single server would hold the public IP address (or just have the needed ports forwarded to it) but it would still be hosting multiple websites.

To my understanding ASA wouldnt be doing anything special but it would be rather down to the Web server configurations and public DNS configurations to make it work.

- Jouni

I would imagine it comes down to something like this mentioned on this site?

http://httpd.apache.org/docs/current/vhosts/name-based.html

- Jouni

So your saying that rather then having the webserver sit on the DMZ subnet, expose it to the internet using the public IP address? It would essentially take the ASA out of the equation?

No,

I dont see any problem having the server on the DMZ.

You can either use Static PAT for the server on the DMZ if you only have the public IP address on the ASAs "outside" interface.

If you have a spare public IP address you could naturally configure Static NAT which would bind a single public IP address to be used only by the single local IP address of the server.

What I am not personally familiar is setting up a web server. I have never done so as I dont really handle any sort of IT/server side. But to my understanding for example our ISP hosts its consumer web pages under a single public IP address and hosting multiple different sites is handled rather by the actual server and the public DNS configurations and not by any firewall forwarding ports to multiple internal IP addresses (which was to my understanding what you were originally trying to achieve)

- Jouni

Jouni is right (+5). Common web servers (including IIS and Apache) can redirect an incoming HTTP request matching based on the URL string. So you can have as many DNS names mapping to the same public IP address as you like and get the web server itself to route the request to the correct site. In IIS this is done with URL_Rewrite.

The attached link may assist.

http://weblogs.asp.net/owscott/archive/2010/01/26/iis-url-rewrite-hosting-multiple-domains-under-one-site.aspx

HTH

Barry Hesk

Intrinsic Network Solutions

Hi,

Thanks for the unexpected rating

Thanks also for confirming what I thought.

Endorsed the reply since I'd imagine the information might help others too

- Jouni

I know this is a old thread and maybe no one is watching it anymore but I'm going to be dealing with a similar situation and trying to sort it out.  All my past experience is with non-Cisco products so I a not familiar with ASA (yet).

In the original question here I think it is complicated by having multiple private IPs on the *same* web server. This should not really be. Since it is one server it can do fine with multple sites all runing on the same port 80 and the same IP# as long as they are separated via Host Headers.  If this were done then the question to me would be "Does the ASA retain the hostHeader when it passed the traffic back to the web server?" If the answer to that is "Yes" then the problem is solved.  The ASA does not need to "care" about individual web sites,...all it has to do is take whatever comes in on the Public IP on port 80 and send it back the the Web server on port 80 at whatever Single IP# it is (should be) running and then the Web Server software "sorts it out" and picks the correct web site to feed it to.

Would this be a correct way to look at it?

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: