
How to point 1 Public IP to multiple ips in DMZ

Status
Not open for further replies.

zamriyusoff

IS-IT--Management
Jul 20, 2005
4
MY
Hi,
FYI, I'm neither a network guy nor a System Administrator, but I am having this problem.
My servers are behind a PIX Firewall. I have 1 public IP that is referred to by a few domain names. The question is, how do I do the translation in the PIX Firewall so that a request coming in for a particular domain name is redirected to the specific server for that name only?

Maybe the illustration below will help:

Let's say the domains mail.abc.com and me.abc.com are pointing to the same public IP (202.188.0.x).
In the PIX Firewall, I need to translate each connection to the respective server, for example:
- any request for will point to the server with IP 172.16.0.1
- a request for mail.abc.com will point to another server with IP address 172.16.0.2
- a request for me.abc.com will point to a server with IP address 172.16.0.1 at port 8181

Any feedback is welcome.

Thanks and Best Regards,
Zamri
 
You can't. You could however choose one server to use for redirecting to the other sites, but it will never be quite as useful as having all sites on the same server or clustered servers.

Network Systems Engineer
CCNA/CQS/CCSP/Infosec
Check the Danish Cisco CSA Forum here:
 
The problem is that the information about the HTTP site is in the layer 4+ headers. Neither a PIX nor a router has the ability to look into those headers - they only look at layers 1-3.

You could put an appliance in front of your PIX, such as a Cisco 11000 or an F5 device that can look at the layer 4+ header information, and then use NAT to send the packets to different servers.

I wouldn't put a server in front of my PIX because they're much more vulnerable than appliances. Mind you, appliances are still vulnerable, just not as much so.

If your servers are on different DMZs, I also wouldn't necessarily do the redirecting after the PIX. If you did that, traffic going to IP1 would go through the PIX to the first DMZ where the appliance/server was. This device would determine which server is the ultimate destination, NAT the destination IP address and send the traffic back out. If that server is on a separate DMZ, it will have to go back through the PIX to the destination DMZ. The server then processes the data and sends it back through the PIX to the DMZ where the server/appliance is, which NATs it back and then sends it back through the PIX to the requestor. That's a lot of rather unnecessary trips through the PIX.
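To make the point in the two answers above concrete, here is an added example (not code from the thread or from Cisco) of the decision a layer-7 device has to make and a PIX cannot: static NAT sees only the destination IP and port, while the name the browser asked for is in the HTTP Host header inside the TCP payload. The routine below parses a raw HTTP request, extracts the Host header from the header block only, and maps it to the backend addresses given in the original post. The catch-all backend for a name not in the table is an assumption, and a `strict` mode that refuses unknown names is included because a public entry point should not quietly serve its default site for arbitrary hostnames.

```python
"""Host-header dispatch: the routing decision a layer-3 NAT device cannot make.

Added example, not from the thread. Hosts and backend addresses come from
the original post; the catch-all default backend is an assumption.
"""
from typing import Optional, Tuple

Backend = Tuple[str, int]

# Hostname -> (backend IP, port), as listed in the original post.
ROUTES = {
    "mail.abc.com": ("172.16.0.2", 80),
    "me.abc.com": ("172.16.0.1", 8181),
}
# Assumption: the unnamed "any request" line in the post means this server.
DEFAULT_BACKEND: Backend = ("172.16.0.1", 80)


def parse_host_header(request: bytes) -> Optional[str]:
    """Return the lowercase hostname from the Host header, or None if absent.

    Only the header block (everything before the first blank line) is
    scanned, so a "Host:" string inside a request body cannot steer routing.
    A trailing :port is dropped because it does not identify the site.
    """
    head, _, _body = request.partition(b"\r\n\r\n")
    header_lines = head.split(b"\r\n")[1:]  # skip the request line
    for line in header_lines:
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            host = value.strip().decode("ascii", "replace").lower()
            if ":" in host:
                host = host.rsplit(":", 1)[0]
            return host or None
    return None


def choose_backend(request: bytes, strict: bool = False) -> Optional[Backend]:
    """Pick the backend for a request.

    Non-strict: unknown or missing Host goes to DEFAULT_BACKEND (the post's
    catch-all). Strict: unknown or missing Host returns None, meaning the
    proxy should answer the client itself (e.g. with an error) instead of
    forwarding to any server.
    """
    host = parse_host_header(request)
    if strict:
        return ROUTES.get(host) if host else None
    return ROUTES.get(host, DEFAULT_BACKEND) if host else DEFAULT_BACKEND


if __name__ == "__main__":
    # Constructed sample requests: all arrive at the same public IP and port,
    # so NAT alone would send every one of them to the same server.
    samples = [
        b"GET / HTTP/1.1\r\nHost: mail.abc.com\r\n\r\n",
        b"GET /app HTTP/1.1\r\nHost: ME.abc.com:80\r\n\r\n",
        b"GET / HTTP/1.1\r\nHost: other.abc.com\r\n\r\n",
        b"GET / HTTP/1.0\r\n\r\n",  # HTTP/1.0 without a Host header
    ]
    for req in samples:
        print(repr(parse_host_header(req)), "->", choose_backend(req),
              "| strict:", choose_backend(req, strict=True))
```

In production this lookup is what a reverse proxy or load balancer performs before forwarding the connection; the PIX still only needs one static translation for the public address, pointing at that device.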
 
OK guy, thanks for the feedback. I will find another workaround for this.

Rgds,
Zamri
 