We are looking for options to support our multiple DMZ based Web (HTTP) servers to be accessed from the Internet
We have 10 Web servers in the DMZ using RFC 1918 addressing as such:
WS1 172.16.5.1 /24
WS2 172.16.5.2 /24
WS3 172.16.5.3 /24
etc. up to WS10 172.16.5.10 /24
Changing the HTTP port on each web server to a different port (as WS1 HTTP=8081, WS2 HTTP=8082, WS3 HTTP=8083 etc.) is not an acceptable solution as regular non-technical users will access these web servers and each web server servers different web content.
Migrating all web pages onto the same server is not a solution in this case either. Each web server must be addressable on a different RFC 1918 IP address due to internal requirements.
We cannot assign Public IP addresses to the DMZ web servers.
Our Cisco ASA 5512-X has a single public IP address on the Outside interface.
It appears a NAT option is needed and additionally (I guess) some type of device that can read the URL and direct the requests to the correct web server is needed.
Is there a solution we could enable on a Cisco router to fix this dilemma?
You can't do exactly as you wish with just an ASA firewall. You could get a reverse proxy and/or webapplication firewall to handle this for you. However you should note that if these webservers use SSL or not as there are complications with using SNI.
Thanks, I just downloaded a free trail copy of a reverse proxy server to install in the lab environment. I also understand a BlueCoat and F5 would also support this setup.
I remember reading a Cisco post where a Cisco router could be used to read URL strings in packets and using PBR route to the correct end-host web server. I'll keep looking.