ASA Website Question

Unanswered Question
Sep 26th, 2007

Client currently has a website set up on an ISeries box. I have the ASA set up so that the public IP on the outside connects to the ISeries on the inside.


They recently purchased a new web server and are going to host 2 more websites internally on a different IP. This will be coming in on a completely different public IP than the other one. Is it possible to set the ASA up for something like this? I really don't have much background with this.


Thanks!

acomiskey Wed, 09/26/2007 - 10:03

Yes, this is possible. You probably have something like this currently...


static (inside,outside) interface ISeries.ip netmask 255.255.255.255

access-list outside_access_in permit tcp any interface outside eq www


So if the new ip is 2.2.2.2 you would just do this...


static (inside,outside) 2.2.2.2 new.webserver.ip netmask 255.255.255.255

access-list outside_access_in permit tcp any host 2.2.2.2 eq www


Just be sure that the ISP is routing the new addresses to the outside interface of your ASA.


Please rate helpful posts.

sonitadmin Wed, 09/26/2007 - 10:19

Can you explain this part to me: "Just be sure that the isp is routing the new addresses to the outside interface of your ASA."?


Thanks!

acomiskey Wed, 09/26/2007 - 10:24

Sorry, I should have clarified. I assumed you were getting new IP addresses. If you are simply using public addresses you already have, part of the same subnet as your ASA outside interface, then disregard what I said. If you are getting new IP addresses then your ISP has to route them to you.

sonitadmin Wed, 09/26/2007 - 10:30

OK, I think I understand it now. The new public IP is one the client already has and is part of the same subnet as the ASA outside interface.


So just for example, I would enter the following commands on the ASA.


static (inside,outside) 192.168.1.5 netmask 255.255.255.255

access-list outside_access_in permit tcp any host 209.173.x.x eq www





acomiskey Wed, 09/26/2007 - 10:36

Almost, you forgot an address in the static command...


static (inside,outside) 209.173.x.x 192.168.1.5 netmask 255.255.255.255

access-list outside_access_in permit tcp any host 209.173.x.x eq www


sonitadmin Wed, 09/26/2007 - 10:49

There is already a command in there that reads


static (inside,outside) tcp interface 3390 192.168.1.5 3390 netmask 255.255.255.255


When I try to enter the command you have listed above I get a warning message.


Any thoughts?

acomiskey Wed, 09/26/2007 - 11:03

Pretty sure that's just a warning because you already have another static with 192.168.1.5. You'd have to test it to see if it still works. You could also do this and you probably won't get a warning...


static (inside,outside) tcp 209.173.x.x 80 192.168.1.5 80 netmask 255.255.255.255

access-list outside_access_in permit tcp any host 209.173.x.x eq www


sonitadmin Wed, 09/26/2007 - 11:14

I'm not even sure what that other command was for. I noted it and took it out. Entered the command you gave me and it works like a charm. Thanks for all your help!
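
Added example, not part of the original thread and not Cisco code: a short Python audit of the pre-8.3 static and access-list lines discussed above. It lists which inside services are reachable from outside, which translations have no matching permit, and which inside hosts appear in more than one static. The sample config is constructed; 203.0.113.10 and 192.168.1.2 are placeholder addresses, and the 3390 forward having no permit is an assumption.

```python
import re

# Constructed sample in pre-8.3 ASA syntax, modelled on the commands in the thread.
# 203.0.113.10 and 192.168.1.2 are placeholders; leaving 3390 without a permit is assumed.
SAMPLE = """\
static (inside,outside) interface 192.168.1.2 netmask 255.255.255.255
static (inside,outside) tcp interface 3390 192.168.1.5 3390 netmask 255.255.255.255
static (inside,outside) 203.0.113.10 192.168.1.5 netmask 255.255.255.255
access-list outside_access_in permit tcp any interface outside eq www
access-list outside_access_in permit tcp any host 203.0.113.10 eq www
"""

PORT_NAMES = {"www": "80", "https": "443"}  # the ASA shows some ports by name
STATIC = re.compile(r"^static \(\w+,\w+\) (?:(tcp|udp) (\S+) (\S+) (\S+) (\S+)|(\S+) (\S+)) netmask ")
PERMIT = re.compile(r"^access-list \S+ (?:extended )?permit (tcp|udp) any (?:host (\S+)|interface \S+) eq (\S+)")

def port(p):
    return PORT_NAMES.get(p, p)

def audit(config):
    """Return (exposed, no_permit, multi_static) for the static/ACL lines in config."""
    statics, permits = [], set()
    for line in map(str.strip, config.splitlines()):
        if m := STATIC.match(line):
            if m.group(1):  # port redirect: a single protocol/port is translated
                proto, mapped, mport, real, rport = m.group(1, 2, 3, 4, 5)
                statics.append((mapped, proto, port(mport), real, port(rport)))
            else:           # one-to-one: every port on the mapped address is translated
                statics.append((m.group(6), "any", "any", m.group(7), "any"))
        elif m := PERMIT.match(line):
            permits.add((m.group(2) or "interface", m.group(1), port(m.group(3))))
    exposed, no_permit = [], []
    for mapped, proto, mport, real, rport in statics:
        hits = sorted(p for p in permits
                      if p[0] == mapped and proto in ("any", p[1]) and mport in ("any", p[2]))
        for _, p_proto, p_port in hits:  # reachable = translated AND permitted
            exposed.append((mapped, p_proto, p_port, real, p_port if rport == "any" else rport))
        if not hits:
            no_permit.append((mapped, proto, mport, real))
    reals = [s[3] for s in statics]
    multi_static = sorted({r for r in reals if reals.count(r) > 1})
    return exposed, no_permit, multi_static

if __name__ == "__main__":
    for label, rows in zip(("exposed", "no permit", "multi static"), audit(SAMPLE)):
        print(label, rows)
```

The script only understands the "permit ... any ... eq" form used in the thread; it ignores deny entries, source restrictions and which interface the access list is bound to.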
