TOPIC: A design idea/ can this be done

A design idea/ can this be done 11 years 1 month ago #25644

Ok, I've come across a design idea I would like to try and implement, but the more I look into it the more I believe it may not be possible. Here is the basic plan.

I have one publicly available static IP address connected to a firewall/router which has two servers(server1 & server2) behind it with static private IP addresses assigned.

These two servers are hosting "like" services. What I mean by that is that both of these servers have a web server, ftp server, mail server, etc. running on them using standard ports.

What I would like to do is this. At my domain's registrar I want to create two subdomains, let's say and, and have them both pointing to this publicly available static IP address. When a request is made for a service that is hosted on the request would successfully be directed to the server1 on my private network and when a request for a service on it would be directed to server2 on my private network. The requested service from each of these machines could be anything: http, ftp, smtp, etc. So my question is, how can I accomplish this or is it even possible?

Let me clear a few things out of the way. I've tried just simple port forwarding and I know that it doesn't work, at least with the network hardware I have available. To my knowledge you can't forward the same port to two different internal IP addresses. Before you suggest that I use just one server instead of two, for reasons beyond my control this really isn't possible. I have used Apache's mod_proxy and virtual hosts to redirect HTTP requests to different servers based on DNS name and that works fine but it really doesn't help when it comes to handling other services such as FTP and mail.

So I'm here for any help that any of you can give me. If you need me to clarify any particular point I'll try my best to do so.

Thanks in advance

Re: A design idea/ can this be done 11 years 1 month ago #25647

Unfortunately, no, this isn't doable without some sort of middle man to separate the requests. Apache with mod_proxy works because HTTP uses a Host: line in the header to specify the canonical name of the server, in addition to its address in the IP header. As you say, FTP and other protocols don't provide this luxury.

It may be possible to assign state from DNS queries if you control your own DNS server, but I have no experience with this and to be honest it isn't an ideal solution.

It seems like the most appropriate solution would be to obtain multiple public IPs from your provider.

Re: A design idea/ can this be done 11 years 1 month ago #25648

  • Smurf
The web request one is easy, as you have said. FTP I am struggling with unless you can also do the redirect based on FQDN similar to HTTP (not sure if you can myself, I would have used ISA Server to do it and I don't currently have access to one to test, may build one at some point, depends if I get a min).

SMTP is simple if you introduce an SMTP gateway device that will then forward the e-mails to server 1/2 respectively. It is quite common to do your gateway scanning on a server and then forward it to whichever server you need to. Alternatively, forward all e-mails to Server 1 and then get that server to send to Server 2 based on the FQDN.

Sorry, it's probably not much help.


Wayne Murphy Team Member

Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit or PM me for details.
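
To illustrate the point made in the two replies above (an added example, not part of any post): an HTTP request and an SMTP recipient both carry a name that a middle device can route on, while a classic FTP login does not. The hostnames, private addresses and function names are constructed for illustration.

```python
import re

# Constructed mapping: public names sharing one IP -> private backends.
BACKENDS = {
    "server1.example.com": "192.168.1.10",
    "server2.example.com": "192.168.1.20",
}

def route_http(first_bytes: bytes):
    """Reverse proxy case: choose a backend from the Host: request header."""
    head = first_bytes.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            # Drop an optional ":port" suffix (IPv6 literals not handled here).
            host = value.strip().lower().rsplit(":", 1)[0]
            return BACKENDS.get(host)
    return None                                   # no Host header, nothing to route on

def route_smtp(rcpt_line: str):
    """Mail gateway case: the recipient domain in RCPT TO selects the backend."""
    m = re.match(r"RCPT TO:\s*<[^@>]+@([^>]+)>", rcpt_line.strip(), re.I)
    return BACKENDS.get(m.group(1).lower()) if m else None

def route_ftp(client_commands):
    """Classic FTP login: USER/PASS name an account, not the server asked for."""
    for cmd in client_commands:
        for host, backend in BACKENDS.items():
            if host in cmd.lower():
                return backend
    return None                                   # the usual outcome

if __name__ == "__main__":
    # Constructed sample traffic.
    print(route_http(b"GET / HTTP/1.1\r\nHost: server2.example.com\r\n\r\n"))
    print(route_smtp("RCPT TO:<alice@server1.example.com>"))
    print(route_ftp(["USER alice", "PASS secret"]))
```

A plain port forward sees only the destination IP and port, which are identical for both names, so it has none of these fields to work with.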

Re: A design idea/ can this be done 11 years 1 month ago #25658

Thanks for the responses. The more I thought about it the more I realized that this was probably something that wasn't easily do-able without middle-man devices. But before, just thinking it over myself, I thought it would be rather useful if I could do it this way, but as you guys have helped me realize it's probably not the best way to do it.

If anybody else has any suggestions or would like to add anything I'm open for input.

And Smurf, you are talking about Microsoft ISA Server, correct? If you are, I think I have an available license; I might look into building one myself.