Single Public to Multiple Private 1

Status
Not open for further replies.

yawnbob

IS-IT--Management
Jul 24, 2002
61
US
I need to provide access to multiple internal web servers and I have very few public addresses. Is there a way I can use a single public address and reach those internal servers? Is something like this possible?

206.x.x.100 port 81 --- 10.11.12.150 port 80
206.x.x.100 port 82 --- 10.11.12.151 port 80
206.x.x.100 port 83 --- 10.11.12.152 port 80
206.x.x.100 port 84 --- 10.11.12.153 port 80

The internal servers are separate physical devices. Is this considered NAPT and can PIX 6.x do this?

Thanks.
 
It will work, however you would need to have users type 206.x.x.100:81 (82, 83) every time they want access. If these servers are serving out to the public, it would not be feasible.
 
If all of the servers are the same, you can setup a Content Services Switch that will handle all of your internal servers, but to Joe Public they only appear as one.
 
How would this be possible? When I try to assign two internal hosts to the same external host address I get an error. That makes sense, but is there no way to identify that a request on port 82 goes to internal host x.x.x.x? Or is this something that cannot be configured with the PIX Device Manager? Again, just asking.
 
On the pix you need to set up a static translation like this:

static (inside,outside) tcp 65.179.xxx.3 81 netmask 255.255.255.255 0 0
static (inside,outside) tcp 65.179.xxx.3 82 netmask 255.255.255.255 0 0
static (inside,outside) tcp 65.179.xxx.3 83 netmask 255.255.255.255 0 0
static (inside,outside) tcp 65.179.xxx.3 84 netmask 255.255.255.255 0 0
 
Actually, let me correct the post above... You'd need to assign different IPs to your web servers.

static (inside,outside) tcp 65.179.xxx.3 81 10.100.9.24 80 netmask 255.255.255.255 0 0
static (inside,outside) tcp 65.179.xxx.3 82 10.100.9.25 80 netmask 255.255.255.255 0 0
static (inside,outside) tcp 65.179.xxx.3 83 10.100.9.26 80 netmask 255.255.255.255 0 0
static (inside,outside) tcp 65.179.xxx.3 84 10.100.9.27 80 netmask 255.255.255.255 0 0
 
Even with the config above, there is no feasible way to get your users to enter in those other ports like 81, 82, and 83 (except 80). is only on port 80.
 
You can open a web page on an alternate port

use whatever number ## you want.

If these are internal users to the company, you can create a shortcut and send it to them.

Also possible: you can make a webpage off port 80 that allows them to select a link to the site/server you want that has the port embedded in the link.


Brent
Systems Engineer / Consultant
CCNP, CCSP
 
You are correct Supergrover, you can do the embedded non-port 80 work, but like I said you will need them to access a main page first where they can then click to the other servers. You can't expect external users to have to type in a web address followed by :39900 (arbitrary high random port).

User request on port 80 ===> Main Webserver listening on port 80 with links to other servers ===> Link to ports 31000, 31001, 31002 of the other 3 servers listening on those ports.

This would be seamless to a user.



 

Thanks voltron1011,
That was exactly what I needed!
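
An added example, not code from any poster in this thread and not Cisco tooling: a small Python checker for the port-redirection `static` lines discussed above. It flags lines missing the local address or port and a global address/port pair mapped twice, and returns which internal hosts end up exposed. It assumes the PIX 6.x form `static (inside,outside) tcp global_ip global_port local_ip local_port netmask mask [max_conns [emb_limit]]`; the function name and the sample config (192.0.2.10 is a documentation address) are constructed for illustration.

```python
import re

# Assumed PIX 6.x static PAT form:
#   static (inside,outside) tcp|udp <global_ip> <global_port>
#          <local_ip> <local_port> netmask <mask> [max_conns [emb_limit]]
PAT_PREFIX = re.compile(r"static\s+\(\w+,\w+\)\s+(tcp|udp)\s")
STATIC_PAT = re.compile(
    r"^static\s+\(\w+,\w+\)\s+(?P<proto>tcp|udp)\s+"
    r"(?P<gip>\S+)\s+(?P<gport>\S+)\s+(?P<lip>\S+)\s+(?P<lport>\S+)\s+"
    r"netmask\s+(?P<mask>\S+)(?:\s+\d+){0,2}$"
)

def check_static_pat(config_text):
    """Return (mappings, problems) for the port-redirection statics found."""
    mappings, problems, seen = [], [], {}
    for n, line in enumerate(config_text.splitlines(), 1):
        line = line.strip()
        if not PAT_PREFIX.match(line):
            continue  # one-to-one static NAT and other commands are out of scope
        m = STATIC_PAT.match(line)
        if not m:
            problems.append((n, "malformed: need global ip/port, local ip/port, netmask"))
            continue
        key = (m["proto"], m["gip"], m["gport"])
        if key in seen:
            # One global port can forward to only one internal host.
            problems.append((n, "global %s %s:%s already mapped on line %d"
                             % (*key, seen[key])))
            continue
        seen[key] = n
        mappings.append((m["proto"], m["gip"], m["gport"], m["lip"], m["lport"]))
    return mappings, problems

# Constructed sample config: line 3 lacks the local ip/port, line 4 reuses port 82.
SAMPLE = """\
static (inside,outside) tcp 192.0.2.10 81 10.100.9.24 80 netmask 255.255.255.255 0 0
static (inside,outside) tcp 192.0.2.10 82 10.100.9.25 80 netmask 255.255.255.255 0 0
static (inside,outside) tcp 192.0.2.10 83 netmask 255.255.255.255 0 0
static (inside,outside) tcp 192.0.2.10 82 10.100.9.26 80 netmask 255.255.255.255 0 0
"""

if __name__ == "__main__":
    exposed, issues = check_static_pat(SAMPLE)
    for proto, gip, gport, lip, lport in exposed:
        print("exposed: %s %s:%s -> %s:%s" % (proto, gip, gport, lip, lport))
    for n, msg in issues:
        print("line %d: %s" % (n, msg))
```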
 