Firewall Help

Dec 14th, 2009

Can someone please help me with the following Cisco ASA 5505 Firewall entry?

Basically, I want to be able to go to a browser from an external site and type https://<externalserverip>, and from there it would be redirected from 443 to 8443 to the internal IP.

Example:

Internal Server Outside IP (xxx.xxx.xxx.xxx)--->on port 443--->Cisco ASA Firewall--->on port 8443--->Internal Server Inside IP (x.x.x.x)

Here is what I've tried entering into the firewall, but it doesn't seem to be working. Please help?

access-list acl_outside extended permit tcp any host <external ip> eq https

static (inside,outside) tcp <external ip> https <internal ip> 8443 netmask 255.255.255.255

I've also tried the following with no luck. I changed 443 to 8443 on the access-list.

access-list acl_outside extended permit tcp any host <external ip> eq 8443

static (inside,outside) tcp <external ip> https <internal ip> 8443 netmask 255.255.255.255

Conor Cunningham Mon, 12/14/2009 - 11:46

Hi,

I can't immediately pick out any flaw in your config. I can say, however, that you don't need to have the ACL with 8443 allowed. The NATting will take care of that.

I have this config on my ASA 5505 doing a similar thing, but for SSH.

access-list OUTSIDE_access_in extended permit tcp any any eq 2202

static (DMZ,OUTSIDE) tcp interface 2202 10.2.2.2 ssh netmask 255.255.255.255

Also, check out Packet Tracer under Tools in the ASDM. Really neat tool for looking at problems such as the one you described.

Cheers,

Conor

City of Ventura Mon, 12/14/2009 - 14:02

Conor,

Thank you for the reply, but I think I was able to fix the issue. I'm just waiting for a response from our vendor to ensure it is now working. This is going to sound dumb, but there was a typo in my entry on the access-list. See below:

Original firewall entry:

access-list acl_outside extended permit tcp any host eq 8443

New firewall entry:

access-list acl-outside extended permit tcp any host eq 8443

Basically, I had an underscore instead of a hyphen in between acl outside. I will let you know if this was indeed the issue.

Thanks again!

Derrick

keisikka@163.com Mon, 12/14/2009 - 18:36

Hi Buddy,

Maybe this can help, if I understand correctly.

static (inside,outside) tcp public_IP 443 internal_IP 8443 netmask 255.255.255.255

acl...

Put the ACL on the outside interface.

THX

Keisikka
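The complete configuration for the 443-to-8443 redirection discussed in this thread, written out here as an added example rather than config taken from any of the posts above. The addresses are placeholders from the RFC 5737 documentation ranges (203.0.113.10 as the mapped/public address, 192.168.1.20 as the real/internal server, 198.51.100.0/24 as an assumed vendor source range and 198.51.100.5 as a test client); the ACL name acl_outside is the one used in the question. Two points the example makes explicit: in the pre-8.3 syntax used in this thread, an ACL applied inbound on the outside interface matches the mapped address and mapped port (443), so an entry for 8443 never matches the arriving packets, and the access-group command binds the ACL by name, so the name in the access-list lines must match the one in access-group exactly. The last part goes beyond the thread: the same redirection on ASA 8.3 and later, where the static command was replaced by object NAT and the ACL references the real address and real port.

```text
! --- ASA 8.2 and earlier: static PAT, mapped 203.0.113.10:443 -> real 192.168.1.20:8443 ---
! The inbound ACL on the outside interface sees the MAPPED address and port (443, not 8443).
! 198.51.100.0/24 is an assumed vendor range; prefer it over "any" so the service is not
! exposed to the whole internet.
access-list acl_outside extended permit tcp 198.51.100.0 255.255.255.0 host 203.0.113.10 eq https
static (inside,outside) tcp 203.0.113.10 https 192.168.1.20 8443 netmask 255.255.255.255
access-group acl_outside in interface outside
! Existing translations are not rebuilt when a static is added; clear them after the change.
clear xlate
!
! --- Verification ---
! Confirm the ACL is really bound to the interface (a name mismatch such as
! acl-outside vs acl_outside shows up here as an access-group referencing a different name).
show running-config access-group
show running-config static
! Simulate a client SYN from the outside to the public address on 443 and check that the
! ACCESS-LIST and NAT phases both report ALLOW, with the translated flow shown at the end.
packet-tracer input outside tcp 198.51.100.5 40000 203.0.113.10 443 detailed
! Hit counts on the ACL entry and the PAT translation after a real connection attempt.
show access-list acl_outside
show xlate
!
! --- ASA 8.3 and later (beyond this thread): the same redirection with object NAT ---
! NAT is now applied before the ACL check, so the ACL references the REAL address and REAL port.
object network web-8443
 host 192.168.1.20
 nat (inside,outside) static 203.0.113.10 service tcp 8443 https
access-list acl_outside extended permit tcp 198.51.100.0 255.255.255.0 object web-8443 eq 8443
access-group acl_outside in interface outside
```

If packet-tracer reports a drop in the ACCESS-LIST phase even though the access-list line looks right, compare the name printed by show running-config access-group with the name on the access-list lines before touching anything else; if it drops in the NAT phase, check that the static's mapped port (https) and the port in the ACL agree.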
