Forwarding Inside Traffic

Unanswered Question
Jun 12th, 2008

Hi all,

I have an ASA 5540 and I would like to forward all HTTP traffic coming from the LAN to my Proxy server on the DMZ. This Proxy will filter the content and send the traffic back to the ASA, and the ASA must forward it to the INTERNET (please check the attachment).

What should be the configuration on ASA to do this?



Farrukh Haroon Thu, 06/12/2008 - 12:56

Assuming LAN = /24


Outside =


access-list inside-in permit icmp any

! you can be more specific with ICMP types

access-list inside-in permit tcp host eq 8080

access-list inside-in deny ip any log

Please note if your PROXY is MS ISA, then you cannot run Secure NAT mode with one interface, you can only run Cache or Web Proxy mode I think.

access-list dmz-in permit ip host any

! This can be made more secure by permitting

! only wanted protocols like http,https,ftp etc.

nat (dmz) 1

global (outside) 1 interface

! Static One to One NAT might be a better

! option, to keep 'no nat-control' active

I'm sure this has a lot of mistakes, it's just a template.
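
Added example, not part of Farrukh Haroon's post: the same explicit-proxy layout written out in pre-8.3 ASA syntax with constructed addresses. The subnet 192.168.10.0/24, the proxy address 192.168.20.10, the interface names and the DNS rule are all assumptions, and clients are assumed to have the proxy set explicitly in their browsers.

```cisco
! Constructed addresses (assumptions, not from the thread):
!   LAN on interface "inside":  192.168.10.0/24
!   Proxy on interface "dmz":   192.168.20.10, listening on tcp/8080
!
! inside: clients may reach only the proxy port.
! Direct web access from the LAN falls through to the deny and is logged.
access-list inside-in extended permit icmp 192.168.10.0 255.255.255.0 any
access-list inside-in extended permit tcp 192.168.10.0 255.255.255.0 host 192.168.20.10 eq 8080
access-list inside-in extended deny ip any any log
access-group inside-in in interface inside
!
! dmz: block proxy-initiated connections toward the LAN first
! (replies to LAN-initiated sessions are still allowed statefully),
! then permit only the protocols the proxy needs to reach the Internet.
access-list dmz-in extended deny ip any 192.168.10.0 255.255.255.0 log
access-list dmz-in extended permit tcp host 192.168.20.10 any eq www
access-list dmz-in extended permit tcp host 192.168.20.10 any eq https
! Assumption: the proxy resolves names through an external DNS server.
access-list dmz-in extended permit udp host 192.168.20.10 any eq domain
access-list dmz-in extended deny ip any any log
access-group dmz-in in interface dmz
!
! PAT only the proxy to the outside interface address.
nat (dmz) 1 192.168.20.10 255.255.255.255
global (outside) 1 interface
```

With this rule set, hits on the `deny ... log` lines of `inside-in` show which LAN hosts are still trying to bypass the proxy.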



Tauer Drumond Thu, 06/12/2008 - 18:33

Hi Farrukh,

Should I apply some port redirection?

All traffic on interface LAN to INTERNET on port 80 (HTTP) I do a port forward to PROXY on port 8080...

And all traffic on port 80 coming from PROXY, I NAT to the outside interface.

Is that all right?

Farrukh Haroon Sat, 06/14/2008 - 01:50

The solution I proposed to you seems simpler, but this is just my opinion.

You can also use the port-redirection method. However you would need a redirection for each service you want LAN users to access, like FTP, HTTPS etc.



ray_stone Sat, 06/14/2008 - 10:53

Hi, set the client machines' gateway to the IP of the Proxy Server, and the gateway of the proxy server must be the ASA FW IP. In my opinion, this is one of the simple and very good ways. All, please give your feedback in this regard.

nomair_83 Sun, 06/15/2008 - 04:36


Yup I'll go with ray.

but I'll try all three methods.


Tauer Drumond Tue, 06/17/2008 - 05:20


What should be the configuration line to redirect all HTTP traffic coming from the LAN to the PROXY on the DMZ?


