Multiple RFC 1918 Web servers accessible from the Internet via 1 public IP

 

We are looking for options to support our multiple DMZ-based Web (HTTP) servers to be accessed from the Internet.

 

We have 10 Web servers in the DMZ using RFC 1918 addressing as such:

WS1 172.16.5.1 /24

WS2 172.16.5.2 /24

WS3 172.16.5.3 /24

etc. up to WS10 172.16.5.10 /24

 

Invalid options:

  1. Changing the HTTP port on each web server to a different port (as WS1 HTTP=8081, WS2 HTTP=8082, WS3 HTTP=8083 etc.) is not an acceptable solution as regular non-technical users will access these web servers and each web server serves different web content.

  2. Migrating all web pages onto the same server is not a solution in this case either. Each web server must be addressable on a different RFC 1918 IP address due to internal requirements.

  3. We cannot assign Public IP addresses to the DMZ web servers.

 

Our Cisco ASA 5512-X has a single public IP address on the Outside interface.

 

It appears a NAT option is needed and additionally (I guess) some type of device that can read the URL and direct the requests to the correct web server is needed.

 

Is there a solution we could enable on a Cisco router to fix this dilemma?

Thank you

Frank

2 REPLIES
You can't do exactly as you wish with just an ASA firewall. You could get a reverse proxy and/or web application firewall to handle this for you. However, you should note whether these web servers use SSL or not, as there are complications with using SNI.

Hi Seth,

Thanks, I just downloaded a free trial copy of a reverse proxy server to install in the lab environment. I also understand a BlueCoat and F5 would also support this setup.

I remember reading a Cisco post where a Cisco router could be used to read URL strings in packets and using PBR route to the correct end-host web server. I'll keep looking.

Thanks again

Frank
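
The routing decision a reverse proxy makes for the plain-HTTP case discussed in this thread, as an added example that is not part of the original posts or any vendor's code. The hostnames are hypothetical; the backend addresses are the DMZ addresses listed in the question.

```python
# Added example: choose a DMZ backend from the HTTP Host header.
# Hostnames are assumptions; addresses come from the question above.
BACKENDS = {
    "ws1.example.com": ("172.16.5.1", 80),
    "ws2.example.com": ("172.16.5.2", 80),
    "ws3.example.com": ("172.16.5.3", 80),
}


def extract_host(raw_request: bytes):
    """Return the normalized Host value, or None if it is missing,
    duplicated or malformed."""
    head = raw_request.split(b"\r\n\r\n", 1)[0]
    hosts = []
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(b":")
        # Exact name match only: "Host :" with a space is not accepted,
        # so the proxy and the backend cannot disagree on which header counts.
        if sep and name.lower() == b"host":
            hosts.append(value.strip())
    if len(hosts) != 1:  # zero or several Host headers: refuse to guess
        return None
    try:
        host = hosts[0].decode("ascii").lower()
    except UnicodeDecodeError:
        return None
    if host.count(":") == 1:  # optional ":port" suffix
        host, _, port = host.partition(":")
        if not port.isdigit():
            return None
    host = host.rstrip(".")  # "ws1.example.com." is the same name
    return host or None


def pick_backend(raw_request: bytes):
    """Return (ip, port) for a known hostname, else None.
    None means reject the request; there is no default backend,
    so requests by bare IP or unknown name never reach a server."""
    return BACKENDS.get(extract_host(raw_request))
```

With this in place the ASA needs only a single static port translation of TCP/80 on the outside address to the proxy. For HTTPS the proxy cannot read the Host header until TLS is terminated, which is where the SNI point raised in the first reply comes in.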
