Forwarding Inside Traffic

Tauer Drumond
Level 1

Hi all,

I have an ASA 5540 and I would like to forward all HTTP traffic coming from the LAN to my Proxy server on the DMZ. This Proxy will filter the content and send the traffic back to the ASA, and the ASA must forward it to the INTERNET (please check the attachment).

What should be the configuration on ASA to do this?

Thanks

Tauer

6 Replies

Farrukh Haroon
VIP Alumni

Assuming LAN = 192.168.1.0 /24

DMZ = 172.16.16.0/24

Outside = 172.17.17.0/24

PROXY SERVER = 172.16.16.16

access-list inside-in permit icmp 192.168.1.0 255.255.255.0 any
! you can be more specific with ICMP types
access-list inside-in permit tcp 192.168.1.0 255.255.255.0 host 172.16.16.16 eq 8080
access-list inside-in deny ip 192.168.1.0 255.255.255.0 any log
! apply the list inbound on the inside interface (nameif 'inside' assumed)
access-group inside-in in interface inside

Please note if your PROXY is MS ISA, then you cannot run Secure NAT mode with one interface; you can only run Cache or Web Proxy mode, I think.

access-list dmz-in permit ip host 172.16.16.16 any
! This can be made more secure by permitting
! only wanted protocols like http, https, ftp etc.
! apply the list inbound on the dmz interface
access-group dmz-in in interface dmz

nat (dmz) 1 172.16.16.16 255.255.255.255
global (outside) 1 interface
! Static One to One NAT might be a better
! option, to keep 'no nat-control' active

I'm sure this has a lot of mistakes; it's just a template.

Regards

Farrukh
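As an added illustration (not part of Farrukh's post and not Cisco code), the following Python evaluates ASA-style access-list lines against a few constructed flows: a LAN client reaching the proxy on 8080, a LAN client trying to reach the Internet directly on port 80, a ping, and the proxy's own outbound connection through the dmz-in list. It contrasts a correct /24 mask on the LAN entries with a common slip (255.255.255.255 written where 255.255.255.0 was meant), which silently shrinks the source to a single address and lets the implicit deny at the end of the list drop everything else. The parser, the function names, and the sample hosts 192.168.1.50 and 203.0.113.10 are assumptions of this example.

```python
"""Evaluate ASA-style ACLs against sample flows (constructed example, not ASA code)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Ace:
    """One access-control entry. dst_port None means 'any destination port'."""
    action: str                     # "permit" or "deny"
    proto: str                      # "ip", "tcp", "udp" or "icmp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network      # 0.0.0.0/0 represents "any"
    dst_port: Optional[int] = None


def _parse_addr(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Read 'any', 'host A.B.C.D' or 'A.B.C.D MASK' starting at tokens[i].
    ASA ACLs use ordinary subnet masks, not IOS-style wildcard masks."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    # strict=False: accept a network address that still has host bits set
    return ipaddress.IPv4Network(f"{tok}/{tokens[i + 1]}", strict=False), i + 2


def parse_ace(line: str) -> Tuple[str, Ace]:
    """Parse 'access-list NAME ACTION PROTO SRC DST [eq PORT] [log]'.
    Only the destination-port 'eq' operator is handled; a trailing 'log' is ignored."""
    t = line.split()
    if len(t) < 6 or t[0] != "access-list":
        raise ValueError(f"not an access-list line: {line!r}")
    name, action, proto = t[1], t[2], t[3]
    src, i = _parse_addr(t, 4)
    dst, i = _parse_addr(t, i)
    port = None
    if i < len(t) and t[i] == "eq":
        port = int(t[i + 1])
    return name, Ace(action, proto, src, dst, port)


def load_acl(config: str, name: str) -> List[Ace]:
    """Collect the entries of one named ACL in order, skipping blanks and '!' comments."""
    entries = []
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        acl_name, ace = parse_ace(line)
        if acl_name == name:
            entries.append(ace)
    return entries


def evaluate(acl: List[Ace], proto: str, src_ip: str, dst_ip: str,
             dst_port: Optional[int] = None) -> str:
    """First-match evaluation, ending with the implicit deny every ASA ACL carries."""
    src = ipaddress.IPv4Address(src_ip)
    dst = ipaddress.IPv4Address(dst_ip)
    for ace in acl:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if src not in ace.src or dst not in ace.dst:
            continue
        if ace.dst_port is not None and ace.dst_port != dst_port:
            continue
        return ace.action
    return "deny"


# Constructed configs: the slip (a /32 mask on the LAN lines) and the corrected /24.
SLIP_CONFIG = """
access-list inside-in permit icmp 192.168.1.0 255.255.255.255 any
access-list inside-in permit tcp 192.168.1.0 255.255.255.255 host 172.16.16.16 eq 8080
access-list inside-in deny ip 192.168.1.0 255.255.255.255 any log
access-list dmz-in permit ip host 172.16.16.16 any
"""
CORRECTED_CONFIG = """
access-list inside-in permit icmp 192.168.1.0 255.255.255.0 any
access-list inside-in permit tcp 192.168.1.0 255.255.255.0 host 172.16.16.16 eq 8080
access-list inside-in deny ip 192.168.1.0 255.255.255.0 any log
access-list dmz-in permit ip host 172.16.16.16 any
"""

LAN_HOST = "192.168.1.50"        # constructed LAN client
PROXY = "172.16.16.16"           # proxy address from the thread
INTERNET_HOST = "203.0.113.10"   # constructed Internet host (TEST-NET-3)


def check_policy(config: str) -> Dict[str, str]:
    """Run the four flows of interest through the inside-in and dmz-in lists."""
    inside = load_acl(config, "inside-in")
    dmz = load_acl(config, "dmz-in")
    return {
        "lan_to_proxy_8080": evaluate(inside, "tcp", LAN_HOST, PROXY, 8080),
        "lan_direct_http": evaluate(inside, "tcp", LAN_HOST, INTERNET_HOST, 80),
        "lan_ping": evaluate(inside, "icmp", LAN_HOST, INTERNET_HOST),
        "proxy_to_internet_443": evaluate(dmz, "tcp", PROXY, INTERNET_HOST, 443),
    }


if __name__ == "__main__":
    for label, cfg in (("slip", SLIP_CONFIG), ("corrected", CORRECTED_CONFIG)):
        print(label, check_policy(cfg))
```

With the /32 slip, only the address 192.168.1.0 itself matches the LAN entries, so a real client such as 192.168.1.50 falls through to the implicit deny even for the intended proxy connection; with the /24 mask the proxy path is permitted while direct HTTP to the Internet is still denied, which is the behaviour the design intends.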

Hi Farrukh,

Should I apply some port redirection?

For all traffic on interface LAN to the INTERNET on port 80 (HTTP), I do a port forward to the PROXY on port 8080...

And all traffic on port 80 coming from the PROXY, I NAT to the outside interface.

Is that all right?

The solution I proposed to you seems simpler, but this is just my opinion.

You can also use the port-redirection method. However, you would need a redirection for each service you want LAN users to access, like FTP, HTTPS etc.

Regards

Farrukh

ray_stone
Level 1

Hi, set the client machines' gateway to the IP of the Proxy Server, and the gateway of the proxy server must be the ASA FW IP. In my opinion, this is a simple and very good way. Please all give your feedback in this regard.

RAY,

Yup, I'll go with Ray.

But I'll try all three methods.

Regards,

Hi,

What should be the configuration lines to take all HTTP traffic coming from the LAN and redirect it to the PROXY on the DMZ?

Thanks
