Forwarding Inside Traffic

Unanswered Question
Jun 12th, 2008

Hi all,

I have an ASA 5540 and I would like to forward all HTTP traffic coming from the LAN to my Proxy server on the DMZ. This Proxy will filter the content and send the traffic back to the ASA, and the ASA must forward it to the INTERNET (please check the attachment).

What should be the configuration on ASA to do this?

Thanks

Tauer

Attachment: 
Farrukh Haroon Thu, 06/12/2008 - 12:56

Assuming LAN = 192.168.1.0 /24

DMZ = 172.16.16.0/24

Outside = 172.17.17.0/24

PROXY SERVER = 172.16.16.16

! LAN is a /24, so the source mask is 255.255.255.0 (255.255.255.255 would match only the host 192.168.1.0)

access-list inside-in permit icmp 192.168.1.0 255.255.255.0 any

! you can be more specific with ICMP types

access-list inside-in permit tcp 192.168.1.0 255.255.255.0 host 172.16.16.16 eq 8080

access-list inside-in deny ip 192.168.1.0 255.255.255.0 any log

Please note, if your PROXY is MS ISA, then you cannot run Secure NAT mode with one interface; you can only run Cache or Web Proxy mode, I think.

access-list dmz-in permit ip host 172.16.16.16 any

! This can be made more secure by permitting

! only wanted protocols like http,https,ftp etc.

nat (dmz) 1 172.16.16.16 255.255.255.255

global (outside) 1 interface

! Static One to One NAT might be a better

! option, to keep 'no nat-control' active

I'm sure this has a lot of mistakes; it's just a template.

Regards

Farrukh
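An added example, not part of Farrukh's post: a small first-match evaluator for the inside-in list, written here to show why the source mask matters. The constructed ACL text below takes the mask 255.255.255.255 as posted and the intended 255.255.255.0; the host 192.168.1.10 and the destination 203.0.113.1 are assumed test values.

```python
import ipaddress

# Constructed ACL excerpt modelled on the inside-in list above (assumed test data).
# BROKEN_ACL uses the host mask on a /24 network address; FIXED_ACL uses the /24 mask.
BROKEN_ACL = """
access-list inside-in permit icmp 192.168.1.0 255.255.255.255 any
access-list inside-in permit tcp 192.168.1.0 255.255.255.255 host 172.16.16.16 eq 8080
access-list inside-in deny ip 192.168.1.0 255.255.255.255 any log
"""
FIXED_ACL = BROKEN_ACL.replace("255.255.255.255", "255.255.255.0")


def _parse_addr(tokens):
    """Consume one ASA address spec (any | host A | A MASK); return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # ASA extended ACLs use a subnet mask, which ipaddress accepts in dotted form
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_acl(text):
    """Parse 'access-list NAME action proto SRC DST [eq PORT] [log]' lines into rule tuples."""
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 5 or t[0] != "access-list":
            continue
        action, proto = t[2], t[3]
        src, rest = _parse_addr(t[4:])
        dst, rest = _parse_addr(rest)
        port = int(rest[1]) if len(rest) >= 2 and rest[0] == "eq" else None
        rules.append((action, proto, src, dst, port))
    return rules


def evaluate(rules, proto, src, dst, dport=None):
    """First matching rule decides; the ASA's implicit deny applies when nothing matches."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, p, snet, dnet, port in rules:
        if p not in ("ip", proto):
            continue
        if s not in snet or d not in dnet:
            continue
        if port is not None and port != dport:
            continue
        return action
    return "deny"
```

With the host mask, a LAN client at 192.168.1.10 matches no line and is dropped by the implicit deny, even though the list was meant to permit it to the proxy on 8080.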

Tauer Drumond Thu, 06/12/2008 - 18:33

Hi Farrukh,

Should I apply some port redirection?

For all traffic on the LAN interface to the INTERNET on port 80 (HTTP), I do a port forward to the PROXY on port 8080...

And all traffic on port 80 that comes from the PROXY, I NAT to the outside interface.

Is that all right?

Farrukh Haroon Sat, 06/14/2008 - 01:50

The solution I proposed to you seems simpler, but this is just my opinion.

You can also use the port-redirection method. However, you would need a redirection for each service you want LAN users to access, like FTP, HTTPS, etc.

Regards

Farrukh

ray_stone Sat, 06/14/2008 - 10:53

Hi, set the client machines' gateway to the IP of the Proxy Server, and the gateway of the proxy server must be the ASA FW IP. In my opinion, this is one of the simplest and very good ways. Please all give your feedback in this regard.

nomair_83 Sun, 06/15/2008 - 04:36

RAY,

Yup, I'll go with Ray.

But I'll try all three methods.

Regards,

Tauer Drumond Tue, 06/17/2008 - 05:20

Hi,

What should be the line configuration to take all HTTP traffic coming from the LAN and redirect it to the PROXY on the DMZ?

Thanks
