12-14-2009 11:18 AM - edited 03-11-2019 09:48 AM
Can someone please help me with the following Cisco ASA 5505 Firewall entry?
Basically, I want to be able to go to a browser from an external site and type, https://<externalserverip>, and from there it would be redirected from 443 to 8443 to the internal ip.
Example:
Internal Server Outside IP (xxx.xxx.xxx.xxx)--->on port 443--->Cisco ASA Firewall--->on port 8443--->Internal Server Inside IP (x.x.x.x)
Here is what I've tried entering into the firewall, but it doesn't seem to be working. Please help?
access-list acl_outside extended permit tcp any host <external ip> eq https
static (inside,outside) tcp <external ip> https <internal ip> 8443 netmask 255.255.255.255
I've also tried the following with no luck. I changed 443 to 8443 on the access-list.
access-list acl_outside extended permit tcp any host <external ip> eq 8443
static (inside,outside) tcp <external ip> https <internal ip> 8443 netmask 255.255.255.255
12-14-2009 11:46 AM
Hi,
I can't immediately pick out any flaw in your config. I can say, however, that you don't need to have the ACL with 8443 allowed. The NAT will take care of that.
I have this config on my ASA 5505 doing a similar thing but for SSH.
access-list OUTSIDE_access_in extended permit tcp any any eq 2202
static (DMZ,OUTSIDE) tcp interface 2202 10.2.2.2 ssh netmask 255.255.255.255
Also, check out the packet tracer under tools in the ASDM. Really neat tool for looking at problems such as the one you described.
Cheers,
Conor
12-14-2009 02:02 PM
Conor,
Thank you for the reply, but I think I was able to fix the issue. I'm just waiting for a response from our vendor to ensure it is now working. This is going to sound dumb, but there was a typo in my entry on the access-list. See below:
Original firewall entry:
access-list acl_outside extended permit tcp any host
New firewall entry:
access-list acl-outside extended permit tcp any host
Basically, I had an underscore instead of a hyphen in between acl outside. I will let you know if this was indeed the issue.
Thanks again!
Derrick
12-14-2009 06:36 PM
Hi Buddy,
Maybe this can help, if I understand correctly.
static (inside,outside) tcp public_IP 443 internal_IP 8443 netmask 255.255.255.255
acl...
put acl on the outside interface.
THX
Keisikka
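For reference, here is a complete pre-8.3 ASA configuration for the port forward discussed in this thread (outside TCP 443 translated to inside TCP 8443), including the access-group binding that the posts above only allude to. This is an editor's added example, not any poster's configuration; the interface names, the addresses (RFC 5737 and RFC 1918 ranges), and the ACL name acl-outside are assumed.

```cisco
! Assumed interfaces: inside (security-level 100) and outside (security-level 0)
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
interface Vlan2
 nameif outside
 security-level 0
 ip address 203.0.113.10 255.255.255.248
!
! Static PAT (pre-8.3 syntax): outside 203.0.113.10:443 -> inside 192.168.1.20:8443
! Order is: (real_ifc,mapped_ifc) tcp mapped_ip mapped_port real_ip real_port
static (inside,outside) tcp 203.0.113.10 https 192.168.1.20 8443 netmask 255.255.255.255
!
! On pre-8.3 code the inbound ACL on the outside interface is evaluated against
! the mapped (pre-NAT) address and port, so permit 443 here, not 8443
access-list acl-outside extended permit tcp any host 203.0.113.10 eq https
!
! The ACL name here must match the access-list above exactly. An ACE added under
! acl_outside (underscore) would go into a different ACL that is not bound to any
! interface and would never be evaluated, which is the symptom described in this thread
access-group acl-outside in interface outside
!
! Verification commands (run from enable mode):
!   packet-tracer input outside tcp 198.51.100.5 12345 203.0.113.10 443
!   show xlate
!   show access-list acl-outside
```

The packet-tracer line simulates an inbound SYN from an assumed external client (198.51.100.5) and shows which ACL and NAT phases allow or drop it; `show access-list acl-outside` lets you confirm the hit count on the permit line increments when the vendor tests. On ASA 8.3 and later the `static` command no longer exists: the same translation is written as object NAT (`object network web-server`, `host 192.168.1.20`, `nat (inside,outside) static 203.0.113.10 service tcp 8443 https`), and because ACLs on 8.3+ match the real (untranslated) address and port, the outside ACL must then permit `host 192.168.1.20 eq 8443` instead of the public address on 443.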