06-12-2008 12:23 PM - edited 03-11-2019 05:58 AM
Hi all,
I have an ASA 5540 and I would like to forward all HTTP traffic coming from LAN to my Proxy server on DMZ. This Proxy will filter the content and send the traffic back to ASA and ASA must forward to INTERNET (please check the attachment).
What should be the configuration on ASA to do this?
Thanks
Tauer
06-12-2008 12:56 PM
Assuming LAN = 192.168.1.0/24
DMZ = 172.16.16.0/24
Outside = 172.17.17.0/24
PROXY SERVER = 172.16.16.16
access-list inside-in permit icmp 192.168.1.0 255.255.255.0 any
! you can be more specific with ICMP types
access-list inside-in permit tcp 192.168.1.0 255.255.255.0 host 172.16.16.16 eq 8080
access-list inside-in deny ip 192.168.1.0 255.255.255.0 any log
Please note if your PROXY is MS ISA, then you cannot run Secure NAT mode with one interface, you can only run Cache or Web Proxy mode I think.
access-list dmz-in permit ip host 172.16.16.16 any
! This can be made more secure by permitting
! only wanted protocols like http,https,ftp etc.
nat (dmz) 1 172.16.16.16 255.255.255.255
global (outside) 1 interface
! Static One to One NAT might be a better
! option, to keep 'no nat-control' active
I'm sure this has a lot of mistakes, it's just a template.
Regards
Farrukh
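A first-match walk through the inside-in list from the template above, added here as an example and not part of the original post. The ACL text is constructed with the LAN written as the /24 the post assumes; the client and Internet addresses in the comments are made-up samples, and the parser covers only the ACE forms used in this thread.

```python
import ipaddress

# Constructed ACL mirroring the template, LAN written as the /24 the post assumes.
ACL = """\
access-list inside-in permit icmp 192.168.1.0 255.255.255.0 any
access-list inside-in permit tcp 192.168.1.0 255.255.255.0 host 172.16.16.16 eq 8080
access-list inside-in deny ip 192.168.1.0 255.255.255.0 any log
"""

def take_addr(tok):
    """Consume one address spec ('any', 'host A' or 'NET MASK') from the token list."""
    first = tok.pop(0)
    if first == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if first == "host":
        return ipaddress.ip_network(tok.pop(0) + "/32")
    return ipaddress.ip_network(f"{first}/{tok.pop(0)}", strict=False)

def parse(line):
    """Split one ACE into (action, protocol, source net, destination net, port)."""
    tok = line.split()[2:]                      # drop 'access-list <name>'
    action, proto = tok.pop(0), tok.pop(0)
    src, dst = take_addr(tok), take_addr(tok)
    port = int(tok[1]) if tok[:1] == ["eq"] else None
    return action, proto, src, dst, port

def evaluate(acl_text, proto, src, dst, dport=None):
    """Return the action of the first matching ACE; no match means implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for line in acl_text.splitlines():
        action, p, snet, dnet, port = parse(line)
        if p not in ("ip", proto) or s not in snet or d not in dnet:
            continue
        if port is not None and port != dport:
            continue
        return action
    return "deny"

if __name__ == "__main__":
    # Sample flows (constructed): client to proxy, then client straight to the Internet.
    print(evaluate(ACL, "tcp", "192.168.1.50", "172.16.16.16", 8080))
    print(evaluate(ACL, "tcp", "192.168.1.50", "203.0.113.10", 80))
```

With this list, LAN clients reach the web only through the proxy on port 8080, and direct port 80 connections are denied and logged. A source written as 192.168.1.0 255.255.255.255 matches only the single address 192.168.1.0, so every other client would fall through to the implicit deny.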
06-12-2008 06:33 PM
Hi Farrukh,
Should I apply some port redirection?
All traffic on interface LAN to INTERNET on port 80 (HTTP) I do a port forward to PROXY on port 8080...
And all traffic on port 80 coming from PROXY, I NAT to the outside interface.
Is that all right?
06-14-2008 01:50 AM
The solution I proposed to you seems simpler, but this is just my opinion.
You can also use the port-redirection method. However, you would need a redirection for each service you want LAN users to access, like FTP, HTTPS etc.
Regards
Farrukh
06-14-2008 10:53 AM
Hi, set the client machines' gateway to the IP of the proxy server, and the gateway of the proxy server must be the ASA FW IP. In my opinion, this is one of the simple and very good ways. All, please give your feedback in this regard.
06-15-2008 04:36 AM
RAY,
Yup I'll go with ray.
but I'll try all three methods.
Regards,
06-17-2008 05:20 AM
Hi,
What should the configuration line be to take all HTTP traffic coming from LAN and redirect it to the PROXY on DMZ?
Thanks