Two web servers

Hello all.

We have an ASA5510 and we need to configure it to allow the following scenario:

We already have ACLs and NAT configured on the ASA to provide access to our first web server (OUTSIDE => DMZ). It is working fine.

Now, we have a web application that will be executed on another web server (placed in the same DMZ as the first web server) and we don't know what is necessary to configure on the ASA.

We have an IIS server installed on our first web server with our web page www.example.com. We will define a new virtual directory www.example.com/application to execute the new web application on the second web server.

On the new IIS virtual directory we are using the “Redirect to URL” option, pointing to the valid IP reserved for our second web server (new).???

We have already configured on the ASA an Inside network 192.168.1.0/24, a DMZ 10.0.0.0/24 and an Outside, obviously.

Could you please help us with the ASA configuration for web access on this second web server?


cdusio
Level 4

Sounds like you just need a NAT for the second address of WS2 and to open up those ports inbound to the DMZ.

1. Would it be necessary to have a second valid IP in this scenario for WS2? Or can we use the same valid IP used on WS1 and use a dynamic NAT for two IP addresses of the DMZ?

OK, here's the rub. You cannot NAT to the same front end address to the back end address unless you do port address mapping. Even then, you are restricted to ports on the outside mapping to different ports on the inside, i.e. port 80 outside maps to 8080 on the DMZ and port 8000 maps to port 8000 on the DMZ.

So technically, you could NAT to the same address if you are just going to and from different ports.

So outside port 80 maps to inside 8000, redirect to outside address on port 8080, that can be mapped to the same address on 8080 to the same DMZ host.

-C
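
The port mapping described in the reply above, written out as ASA configuration. This is an added example, not part of the original thread: the interface names (`dmz`, `outside`), the ACL name `outside_in`, the public address 203.0.113.10, the DMZ hosts 10.0.0.10 and 10.0.0.11, and the choice of ports 80 for WS1 and 8080 for WS2 are assumptions. The thread does not state the ASA software version, so both NAT syntaxes are shown.

```cisco
! Constructed values: 203.0.113.10 = the single public ("valid") IP,
! 10.0.0.10 = WS1, 10.0.0.11 = WS2 (both inside the DMZ 10.0.0.0/24).
! If the public IP is the outside interface's own address, use the
! keyword "interface" in place of 203.0.113.10 in the NAT lines.

! --- ASA software 8.2 and earlier: static PAT ---
! One public IP, a different outside port per DMZ host.
static (dmz,outside) tcp 203.0.113.10 www 10.0.0.10 www netmask 255.255.255.255
static (dmz,outside) tcp 203.0.113.10 8080 10.0.0.11 8080 netmask 255.255.255.255
! Before 8.3 the outside ACL matches the translated (public) address.
access-list outside_in extended permit tcp any host 203.0.113.10 eq www
access-list outside_in extended permit tcp any host 203.0.113.10 eq 8080
access-group outside_in in interface outside

! --- ASA software 8.3 and later: object NAT ---
object network WS1
 host 10.0.0.10
 nat (dmz,outside) static 203.0.113.10 service tcp www www
object network WS2
 host 10.0.0.11
 nat (dmz,outside) static 203.0.113.10 service tcp 8080 8080
! From 8.3 on the outside ACL matches the real (DMZ) address.
access-list outside_in extended permit tcp any host 10.0.0.10 eq www
access-list outside_in extended permit tcp any host 10.0.0.11 eq 8080
access-group outside_in in interface outside
```

With this layout the IIS "Redirect to URL" target on WS1 is the public address on port 8080, and only those two TCP ports are permitted inbound to the DMZ. `show xlate` lists the resulting translations, and `packet-tracer input outside tcp 198.51.100.7 12345 203.0.113.10 8080` (constructed source address) shows which NAT rule and ACL entry a test connection hits.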

Thank you so much!

Your tips are working fine.

Our WS2 is already on-line.

Glad to hear it!!