Apache Virtual Hosts Examples

If you want multiple VirtualHosts on the same IP address and port, you are going to require a NameVirtualHost directive.

If you are configuring multiple virtual hosts on different IP addresses but all on the same port, you do NOT require the NameVirtualHost directive.

If you are configuring multiple virtual hosts on the same IP address but different ports, you do not require the NameVirtualHost directive.

NOTE: You can run a combination of all of the above if you wish!

You can specify a range of ports to listen on as well.

Listen 40000:40500
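As an added illustration (not from the original page), the Python model below simulates how Apache 2.2 picks a VirtualHost for an incoming request, following the three rules above: without a NameVirtualHost directive, the socket (address and port) alone decides and the Host header is ignored, so a second block on the same address:port is silently unreachable; with the directive, the Host header is matched against ServerName/ServerAlias, and the first block listed for that address:port serves as the default. The addresses and host names are constructed, and the simulation is a simplification of Apache's behaviour, not its code.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class VirtualHost:
    address: str              # IP address the <VirtualHost> block is bound to
    port: int
    server_name: str
    aliases: Tuple[str, ...] = ()   # ServerAlias names

    def matches_host(self, host: str) -> bool:
        return host.lower() in (n.lower() for n in (self.server_name, *self.aliases))


@dataclass
class ApacheConfig:
    vhosts: List[VirtualHost] = field(default_factory=list)
    # (address, port) pairs declared with "NameVirtualHost address:port"
    name_based: Set[Tuple[str, int]] = field(default_factory=set)

    def name_virtual_host(self, address: str, port: int) -> None:
        self.name_based.add((address, port))

    def add(self, vhost: VirtualHost) -> None:
        self.vhosts.append(vhost)

    def resolve(self, address: str, port: int, host_header: Optional[str]) -> Optional[VirtualHost]:
        """Choose the vhost serving a request that arrived on address:port with the given Host header."""
        candidates = [v for v in self.vhosts if v.address == address and v.port == port]
        if not candidates:
            return None
        if (address, port) not in self.name_based:
            # IP-based selection: the socket decides, Host is ignored, later blocks are never reached.
            return candidates[0]
        if host_header:
            for v in candidates:
                if v.matches_host(host_header):
                    return v
        # Name-based but nothing matched: the first block for that address:port is the default.
        return candidates[0]

    def overlapping(self) -> List[Tuple[str, int]]:
        """address:port pairs shared by several vhosts without a NameVirtualHost directive (a misconfiguration)."""
        counts: Dict[Tuple[str, int], int] = {}
        for v in self.vhosts:
            counts[(v.address, v.port)] = counts.get((v.address, v.port), 0) + 1
        return [k for k, n in counts.items() if n > 1 and k not in self.name_based]


def demo_vhosts() -> Tuple[str, List[Tuple[str, int]], str]:
    """Constructed example: two name-based sites on one socket, plus IP-based and port-based neighbours."""
    cfg = ApacheConfig()
    cfg.add(VirtualHost("203.0.113.10", 80, "www.example.com"))
    cfg.add(VirtualHost("203.0.113.10", 80, "intranet.example.com"))   # same IP and port: needs NameVirtualHost
    cfg.add(VirtualHost("203.0.113.11", 80, "other.example.com"))      # different IP: no directive needed
    cfg.add(VirtualHost("203.0.113.10", 8080, "admin.example.com"))    # different port: no directive needed
    before = cfg.resolve("203.0.113.10", 80, "intranet.example.com").server_name
    overlaps = cfg.overlapping()
    cfg.name_virtual_host("203.0.113.10", 80)
    after = cfg.resolve("203.0.113.10", 80, "intranet.example.com").server_name
    return before, overlaps, after


if __name__ == "__main__":
    print(demo_vhosts())
```

Run as a script it shows that, before the directive is declared, a request for intranet.example.com is answered by www.example.com (and overlapping() reports the shared socket); afterwards the Host header selects the intended block.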

Policy NAT with ASA Firewalls

The below information was taken from here: http://www.rsivanandan.com/2009/09/25/policy-nat-with-cisco-asa-firewalls/

One of the most common things in every ASA/PIX firewall is the NAT configuration for outgoing connections; something like this:

hostname(config)# nat (inside) 1 0.0.0.0 0.0.0.0
hostname(config)# global (outside) 1 interface

This tells the firewall that all traffic coming from the inside (local LAN) interface should be PATed before it is routed out through the outside interface (for example, to the internet). You can also define this with an access-list for more selective NATing. Say you have two networks in your local LAN and want only one of them to be PATed like above.

Call them 10.0.0.0/8 and 192.168.1.0/24; only the second one should be NATed. This is achieved through the following statements:

hostname(config)# nat (inside) 1 192.168.1.0 255.255.255.0
hostname(config)# global (outside) 1 interface

Similarly, you can use an access-list for more controlled NATing, like below:

hostname(config)# nat (inside) 1 access-list 10
hostname(config)# global (outside) 1 interface
access-list 10 permit ip 192.168.1.0 255.255.255.0 any

The beauty is that you can even control this NATing using specific protocol/port combinations. Say you want only internet browsing (HTTP and HTTPS) to be allowed; then:

hostname(config)# nat (inside) 1 access-list 100
hostname(config)# global (outside) 1 interface
access-list 100 permit tcp 192.168.1.0 255.255.255.0 any eq 80
access-list 100 permit tcp 192.168.1.0 255.255.255.0 any eq 443

See the advantage? You avoid having to insert a separate access-list for this purpose on the outside interface. There is also a way to say that you don't want to NAT at all, achieved through nat (inside) 0. Typically this is used for VPN connections: when you have a VPN terminated on the ASA/PIX, you won't be NATing the traffic going through it, and you achieve that by adding:

nat (inside) 0 access-list 10
access-list 10 permit ip 10.0.0.0 255.0.0.0 any

OR

nat (inside) 0 10.0.0.0 255.0.0.0

However, there is a difference with nat (inside) 0 statements: you cannot control the NAT functionality based on protocols/ports, only on IP addresses. For example:

nat (inside) 0 access-list 100
access-list 100 permit tcp 192.168.1.0 255.255.255.0 any eq 80

The above will not work. This is the limitation, and you would have to use regular access-lists on your interfaces if you want to stop that traffic.
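To make the two behaviours above concrete (policy NAT honouring protocol/port qualifiers, NAT exemption matching on IP only), here is an added Python model and configuration check; it is not Cisco's code nor from the original page. It parses the page's own nat/access-list lines, decides for a sample packet whether it would be exempted, translated via a global, or left unmatched, and lints nat 0 statements whose ACL carries protocol or port qualifiers. The model assumes exemption is evaluated before policy NAT and that qualifiers on a nat 0 ACL are simply not honoured (the "only IP" statement above); the sample configurations and packet addresses are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

PROTOCOLS = ("ip", "tcp", "udp", "icmp")


@dataclass(frozen=True)
class AclEntry:
    proto: str                   # "ip" or a transport protocol
    src: str                     # source network, CIDR
    dst: str                     # destination network, CIDR; "0.0.0.0/0" stands for "any"
    dport: Optional[int] = None  # destination port from "eq <port>", if present

    def matches(self, proto: str, src: str, dst: str, dport: Optional[int], ip_only: bool) -> bool:
        """True if the packet hits this entry; ip_only compares addresses alone (exemption semantics)."""
        if ip_address(src) not in ip_network(self.src) or ip_address(dst) not in ip_network(self.dst):
            return False
        if ip_only:
            return True
        if self.proto != "ip" and self.proto != proto:
            return False
        return self.dport is None or self.dport == dport


@dataclass(frozen=True)
class NatRule:
    interface: str
    nat_id: int    # 0 = NAT exemption; >0 = policy NAT paired with "global (<if>) <id>"
    acl_id: str


def parse_acl(line: str) -> Tuple[str, AclEntry]:
    """Parse 'access-list <id> permit [proto] <src> <mask> [any | <dst> <mask>] [eq <port>]'."""
    tok = line.split()
    if tok[0] != "access-list" or tok[2] != "permit":
        raise ValueError(f"unsupported access-list line: {line}")
    acl_id, rest, proto = tok[1], tok[3:], "ip"
    if rest[0] in PROTOCOLS:          # the protocol keyword is optional in the page's examples
        proto, rest = rest[0], rest[1:]
    src = str(ip_network(f"{rest[0]}/{rest[1]}", strict=False))
    rest, dst = rest[2:], "0.0.0.0/0"
    if rest and rest[0] == "any":
        rest = rest[1:]
    elif rest and rest[0] != "eq":
        dst, rest = str(ip_network(f"{rest[0]}/{rest[1]}", strict=False)), rest[2:]
    dport = int(rest[1]) if rest[:1] == ["eq"] else None
    return acl_id, AclEntry(proto, src, dst, dport)


def parse_nat(line: str) -> NatRule:
    """Parse 'nat (<interface>) <id> access-list <acl>'."""
    tok = line.replace("(", " ").replace(")", " ").split()
    if tok[0] != "nat" or tok[3] != "access-list":
        raise ValueError(f"unsupported nat line: {line}")
    return NatRule(tok[1], int(tok[2]), tok[4])


def load(config: str) -> Tuple[List[NatRule], Dict[str, List[AclEntry]]]:
    nat_rules: List[NatRule] = []
    acls: Dict[str, List[AclEntry]] = {}
    for raw in config.strip().splitlines():
        line = raw.strip()
        if line.startswith("nat "):
            nat_rules.append(parse_nat(line))
        elif line.startswith("access-list "):
            acl_id, entry = parse_acl(line)
            acls.setdefault(acl_id, []).append(entry)
    return nat_rules, acls


def lint(nat_rules: List[NatRule], acls: Dict[str, List[AclEntry]]) -> List[str]:
    """Flag nat 0 rules whose ACL carries protocol/port qualifiers: exemption is matched on IP only."""
    findings = []
    for r in nat_rules:
        if r.nat_id != 0:
            continue
        for e in acls.get(r.acl_id, []):
            if e.proto != "ip" or e.dport is not None:
                findings.append(f"nat ({r.interface}) 0 access-list {r.acl_id}: "
                                f"qualifier '{e.proto} ... eq {e.dport}' is not honoured by NAT exemption")
    return findings


def nat_decision(nat_rules, acls, proto, src, dst, dport=None) -> str:
    """Return 'exempt', 'translate:<id>' or 'no-match'; exemption is evaluated before policy NAT."""
    for r in nat_rules:
        if r.nat_id == 0 and any(e.matches(proto, src, dst, dport, ip_only=True) for e in acls.get(r.acl_id, [])):
            return "exempt"
    for r in nat_rules:
        if r.nat_id > 0 and any(e.matches(proto, src, dst, dport, ip_only=False) for e in acls.get(r.acl_id, [])):
            return f"translate:{r.nat_id}"
    return "no-match"


# Constructed from the page's statements: policy NAT for web traffic only, exemption for the VPN subnet.
GOOD_CONFIG = """
nat (inside) 1 access-list 100
access-list 100 permit tcp 192.168.1.0 255.255.255.0 any eq 80
access-list 100 permit tcp 192.168.1.0 255.255.255.0 any eq 443
nat (inside) 0 access-list 10
access-list 10 permit ip 10.0.0.0 255.0.0.0 any
"""

# The page's "will not work" case: a port-qualified ACL on a nat 0 statement.
BAD_CONFIG = """
nat (inside) 0 access-list 100
access-list 100 permit tcp 192.168.1.0 255.255.255.0 any eq 80
"""


def demo_nat() -> dict:
    rules, acls = load(GOOD_CONFIG)
    bad_rules, bad_acls = load(BAD_CONFIG)
    return {
        "web": nat_decision(rules, acls, "tcp", "192.168.1.5", "198.51.100.7", 443),
        "smtp": nat_decision(rules, acls, "tcp", "192.168.1.5", "198.51.100.7", 25),
        "vpn": nat_decision(rules, acls, "tcp", "10.1.2.3", "198.51.100.7", 25),
        "good_lint": lint(rules, acls),
        "bad_lint": lint(bad_rules, bad_acls),
        "bad_smtp": nat_decision(bad_rules, bad_acls, "tcp", "192.168.1.5", "198.51.100.7", 25),
    }


if __name__ == "__main__":
    for name, result in demo_nat().items():
        print(name, result)
```

With the good configuration, HTTPS from 192.168.1.5 is translated through global 1, SMTP from the same host matches nothing (so it is not NATed out), and the 10.0.0.0/8 VPN traffic is exempted. With the bad configuration, the linter reports the port qualifier and the model exempts the SMTP packet anyway, which is the behaviour the text warns about: port restrictions belong in interface access-lists, not in a nat 0 statement.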

In Cisco's own words:

On the ASA, policy NAT cannot be applied to nat 0 statements and is not supported:

Identifies the local addresses and destination addresses using an extended access list, also known as policy NAT. Create the access list using the access-list command. You can optionally specify the local and destination ports in the access list using the eq operator. If the NAT ID is 0, then the access list specifies addresses that are exempt from NAT. NAT exemption is not the same as policy NAT; you cannot specify the port addresses, for example.
Note: Access list hit counts, as shown by the show access-list command, do not increment for NAT exemption access lists.