Port forwarding with single external IP

Answered Question
Aug 17th, 2010

Hello gurus!

Our educational agency has been running on a 6x T1 Internet access with a class C IP range (256 addresses). Each of our Internet facing servers had a static external address (~10 total) and everything worked hunky dory.

The upper bodies that govern have decided to no longer pay for the Internet access… We’d also lose the IP addresses along the way. I thought this would be a good time to put the ASA-5510 that has been collecting dust on the shelf for 2 years into production. It would replace an ageing PIX 515. Now we have to scramble to find an ISP and if they can’t provide at least 3 or 4 IP addresses, I was wondering if everything could be routed through a single IP like shown in the attached diagram.

I'm in no way proficient with configuring a router from scratch, even less so when it comes to port forwarding. I know the 5510 can do NAT and PAT, but what about access to the 2 web servers? Can the 5510 distinguish the traffic meant for one or the other on port 80 and route accordingly? And I’m not sure of the video-conference unit… That might need to be on its own Internet access.

Any thoughts or suggestions would be welcome! I might add that cost is crucial since our budget has been slashed too...

Thanks, Dave

Correct Answer by Kha29096335 Tue, 08/17/2010 - 09:45

Hi,

As far as I know, the only way to map a single WAN IP to many LAN hosts is through NAPT (port forwarding). You will need to configure the two Web servers on two different ports (from the WAN side) and the router will know the destination host depending on the destination port.

You will need to use IP NAT INSIDE SOURCE STATIC statements for each forwarding; thus, one Web server would be on port 80 but the other one must be on a different port (but the same address, since you will have only one public IP).

This forces the client to specify the port to access the web server that uses the non-standard WWW port number... or...

You can configure a single Web server that, depending on the URL, redirects to server A or B, but this is server programming and means having 3 servers.

Apart from this I'm out of ideas; maybe someone else can help you more. Good luck.


Nagaraja Thanthry Tue, 08/17/2010 - 09:54

Hello,

You can certainly achieve what you are looking for using ASA. However, some problems that you might come across if you have a single IP are:

-- You cannot forward port 80 to two servers simultaneously
-- Video conferencing (as you had pointed out) might require a separate IP address
-- VPN (if you are using an internal device as vpn server) could create some issues. You might need a separate IP address depending upon the type of VPN.

Email/HTTP should not be an issue and the firewall will easily be able to translate the ports.

Hope this helps.

Regards,

NT

daverutz58 Tue, 08/17/2010 - 12:16

Thanks guys,

I was somehow hoping that either the ASA or the Catalyst could capture the traffic header, read the URL info, then direct to the appropriate internal IP or switch port. I didn't want to have people start putting port numbers in the URL. If neither of these devices can do that, I wonder if something like Untangle could...

I was counting on using the VPN in the ASA, getting rid of the internal VPN server.

OWA is through HTTPS so I hope that works OK...

Dave

daverutz58 Wed, 08/25/2010 - 08:50

I’m not very proficient with router configs from scratch so if anyone is good at that, please raise your hand! I’d want to pre-configure the ASA (NAT and PAT) so that once the line is active in our office, I’d disconnect the old PIX router, connect the new one and hope for the best (with a single IP). Would anyone that has the know-how have the time to maybe write out what I’d have to type in the ASA v8.2 CLI? The layout can be found here: http://drop.io/resanet

Basically:

- External IP: 74.xx.xx.111 – All external traffic is routed to this
- HTTP traffic goes to 10.165.10.3
  - The ASA can’t read host-headers so I’d have to rely on IIS7 ARR on a server (or another solution) to handle the various port 80 routing to the various web servers
- HTTPS traffic goes to 10.165.11.26 (for OWA)
- SMTP goes to 10.165.10.6
- VPN goes to the server that’s already being used (10.165.10.10) or I’d let the ASA handle VPN (with RADIUS-NPS on 10.165.11.13) - Basic license
- I’m not yet sure about the upload speed of the ADSL line (10MB DL) for the Polycom but if it won’t work on the same line with a NATed address, we’d have to get a second DSL line (2-3MB UL) and connect it to the reconfigured PIX with its own external IP

Any adventurous gurus out there with a little time on their hands?

Thanks!

Dave
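Putting Kha's port-forwarding answer and Dave's mapping list together as ASA 8.2 CLI, as an added example written for this thread (it is not a configuration posted by any participant or by Cisco). The interface names `outside`/`inside`, the inside address and mask, the `ISP-GATEWAY-IP` placeholder, and the second web server at 10.165.10.4 behind public port 8080 are all assumptions; the public address is written exactly as the thread elides it, and only the hosts and ports Dave listed are taken from the page.

```cisco
! ASA 8.2 - one public address on the outside interface, static PAT for inbound services
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 74.xx.xx.111 255.255.255.252
! (74.xx.xx.111 is shown as the thread elides it; the mask is an assumption,
!  use whatever the ISP assigns)
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.165.10.1 255.255.0.0
! (inside address and mask assumed; the thread only names hosts in 10.165.10.x and 10.165.11.x)
!
! Default route toward the ISP (gateway address is a placeholder)
route outside 0.0.0.0 0.0.0.0 ISP-GATEWAY-IP
!
! Outbound: every inside host shares the outside interface address (dynamic PAT)
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
!
! Inbound: static PAT, one public port per internal service, from Dave's list
static (inside,outside) tcp interface 80  10.165.10.3  80  netmask 255.255.255.255
static (inside,outside) tcp interface 443 10.165.11.26 443 netmask 255.255.255.255
static (inside,outside) tcp interface 25  10.165.10.6  25  netmask 255.255.255.255
!
! Kha's workaround for a second web server: a second public port on the same address.
! 10.165.10.4 and port 8080 are constructed for this example. A second entry for
! "tcp interface 80" is not possible: the ASA has nothing to tell the two apart.
static (inside,outside) tcp interface 8080 10.165.10.4 80 netmask 255.255.255.255
!
! Only the forwarded ports are reachable from the Internet; everything else is denied
! by the implicit deny. In 8.2 the ACL matches the translated (outside interface) address.
access-list outside_access_in extended permit tcp any interface outside eq www
access-list outside_access_in extended permit tcp any interface outside eq https
access-list outside_access_in extended permit tcp any interface outside eq smtp
access-list outside_access_in extended permit tcp any interface outside eq 8080
access-group outside_access_in in interface outside
```

After applying it, `show xlate` lists the static translations, and `packet-tracer input outside tcp 203.0.113.5 1025 74.xx.xx.111 80` (source address taken from the documentation range) walks a simulated inbound packet through the ACL and the NAT entry, which is the quickest way to confirm a forward before cutting over from the PIX. The `static` and `global`/`nat` forms above are the pre-8.3 syntax Dave asked for; from ASA 8.3 onward NAT is written as object NAT and inbound ACLs reference the real inside address instead of `interface outside`. Nothing is forwarded for VPN here: if the ASA terminates the VPN itself (Dave's Basic-license option) no forward is needed, and forwarding to the existing 10.165.10.10 server depends on the VPN type, as Nagaraja noted.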
