I have a setup where I'm routing hundreds to potentially thousands of SSL-enabled websites through a single virtual IP that does SSL offloading and load balancing. Thanks to the design of SSL itself, I need to have each "SSL host" listen on a unique port and/or IP address; in order to simplify the VIP setup, I'm simply assigning each certificate to a different port on the same VIP.

Externally, I want it to appear as if ports 80 and 443 are open on each IP. Internally, I want it so that each external port 80 maps to the internal host's port 80 (using standard HTTP virtual hosts to distinguish), whereas each port 443 maps to a specific internal port. So, for example:

External IP     External Port     Internal IP     Internal Port
1.2.3.1         80                10.0.0.5        80
1.2.3.1         443               10.0.0.5        20001
1.2.3.2         80                10.0.0.5        80
1.2.3.2         443               10.0.0.5        20002
1.2.3.3         80                10.0.0.5        80
1.2.3.3         443               10.0.0.5        20003

Implementing this with the ASA has been doable, but painful. Mapping each external IP address back to the same port requires the use of a unique ACL per external host, even if the ACL itself is identical. I've only been able to accomplish it with a combination of traditional static mappings and ACL-based static mappings, like so:

object-group service webapp_ports tcp
 port-object eq www
 port-object eq https
object-group network webapp_hosts
 network-object host 1.2.3.1
 network-object host 1.2.3.2
 network-object host 1.2.3.3
access-list policy_nat_http_site1 extended permit tcp host 10.0.0.5 eq www any
access-list policy_nat_http_site2 extended permit tcp host 10.0.0.5 eq www any
access-list policy_nat_http_site3 extended permit tcp host 10.0.0.5 eq www any
access-list acl_outside extended permit tcp any object-group webapp_hosts object-group webapp_ports
static (inside,outside) tcp 1.2.3.1 www access-list policy_nat_http_site1
static (inside,outside) tcp 1.2.3.2 www access-list policy_nat_http_site2
static (inside,outside) tcp 1.2.3.3 www access-list policy_nat_http_site3
static (inside,outside) tcp 1.2.3.1 https 10.0.0.5 20001 netmask 255.255.255.255
static (inside,outside) tcp 1.2.3.2 https 10.0.0.5 20002 netmask 255.255.255.255
static (inside,outside) tcp 1.2.3.3 https 10.0.0.5 20003 netmask 255.255.255.255
access-group acl_outside in interface outside

While this works, I'm unhappy with the setup because it requires far too much fiddling every time I need to add a new customer: adding the new IP to the object-group, a brand new access-list, and two more entries to the static mappings. Is there a better way to handle this? I'm in control of the entire network stack, so changes in the network design are also possible if that's the most appropriate thing to change.

natacado
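The per-customer stanza in the question can at least be generated rather than hand-typed. As an added example (not from the original post), this Python script emits the same object-group, policy-NAT ACL and static lines for any list of external IPs, hands out the internal HTTPS ports sequentially from 20001, and refuses duplicate IPs or a port sequence that would run past 65535. The internal host 10.0.0.5 and the port base come from the question; the function names are my own.

```python
from ipaddress import ip_address

INTERNAL_HOST = "10.0.0.5"   # single internal load balancer (from the question)
FIRST_HTTPS_PORT = 20001     # site 1 -> 20001, site 2 -> 20002, ...


def https_port_map(external_ips, first_port=FIRST_HTTPS_PORT):
    """Map each external IP to its dedicated internal HTTPS port.

    Raises ValueError on a malformed or duplicate IP, or if the
    sequence would leave the TCP port range.
    """
    ips = [str(ip_address(ip)) for ip in external_ips]   # validates syntax
    if len(set(ips)) != len(ips):
        raise ValueError("duplicate external IP in input")
    mapping = {ip: first_port + i for i, ip in enumerate(ips)}
    if mapping and max(mapping.values()) > 65535:
        raise ValueError("internal port sequence exceeds 65535")
    return mapping


def build_config(external_ips, internal_host=INTERNAL_HOST,
                 first_port=FIRST_HTTPS_PORT):
    """Return the complete ASA fragment for all sites as one string."""
    ports = https_port_map(external_ips, first_port)
    sites = list(enumerate(ports, start=1))            # (site number, ip)
    lines = ["object-group service webapp_ports tcp",
             " port-object eq www",
             " port-object eq https",
             "object-group network webapp_hosts"]
    lines += [f" network-object host {ip}" for _, ip in sites]
    # one policy-NAT ACL per site; identical apart from the name, as the
    # question notes, but the ASA still needs a distinct one per static
    lines += [f"access-list policy_nat_http_site{n} extended permit tcp "
              f"host {internal_host} eq www any" for n, _ in sites]
    lines.append("access-list acl_outside extended permit tcp any "
                 "object-group webapp_hosts object-group webapp_ports")
    lines += [f"static (inside,outside) tcp {ip} www "
              f"access-list policy_nat_http_site{n}" for n, ip in sites]
    lines += [f"static (inside,outside) tcp {ip} https {internal_host} "
              f"{ports[ip]} netmask 255.255.255.255" for _, ip in sites]
    lines.append("access-group acl_outside in interface outside")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(build_config(["1.2.3.1", "1.2.3.2", "1.2.3.3"]), end="")
```

Run it with the three IPs from the question and the output matches the config block above line for line; diff the output against the running config before pasting a new customer in.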

1 Answer

I'm sorry, but I can't think of a better way except putting them all in a DMZ behind the ASA with public IPs assigned to each of them (or do a one-to-one mapping if you prefer that). Try asking your ISP for more public IPs. Sorry.

xeet