Firewall Help

Unanswered Question
Dec 14th, 2009

Can someone please help me with the following Cisco ASA 5505 Firewall entry?

Basically, I want to be able to go to a browser from an external site and type, https://<externalserverip>, and from there it would be redirected from 443 to 8443 to the internal ip.

Example:

Internal Server Ouside IP (xxx.xxx.xxx.xxx)--->on port 443--->Cisco ASA Firewall--->on port 8443--->Internal Server Inside IP (x.x.x.x)

Here is what I've tried entering into the firewall, but it doesn't seem to be working.  Please help?

access-list acl_outside extended permit tcp any host <external ip> eq https

static (inside,outside) tcp <external ip> https <internal ip> 8443 netmask 255.255.255.255

I've also tried the following with no luck.  I changed 443 to 8443 on the access-list.

access-list acl_outside extended permit tcp any host <external ip> eq 8443

static (inside,outside) tcp <external ip> https <internal ip> 8443 netmask 255.255.255.255

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Conor Cunningham Mon, 12/14/2009 - 11:46

Hi,

I can't immediately pick out any flaw in your config. I can say however you don't need to have the acl with 8443 allowed. The natting will take care of that.

I have this config on my ASA 5505 doing a similar thing but for SSH.

access-list OUTSIDE_access_in extended permit tcp any any eq 2202

static (DMZ,OUTSIDE) tcp interface 2202 10.2.2.2 ssh netmask 255.255.255.255

Also, check out the packet tracer under tools in the ASDM. Really neat tool for looking at problems such as the one you described.

Cheers,

Conor

City of Ventura Mon, 12/14/2009 - 14:02

Conor,


Thank you for the reply, but I think I was able to fix the issue.  I'm just waiting for a response from our vendor to ensure it is now working.  This is going to sound dumb, but there was a typo in my entry on the access-list.  See below:

Original firewall entry:

access-list acl_outside extended permit tcp any host eq 8443

New firewall entry:

access-list acl-outside extended permit tcp any host eq 8443

Basically, I had an underscore instead of a hyphen in between acl outside.  I will let you know if this was indeed the issue.

Thanks again!

Derrick

Actions

This Discussion