I need some help or suggestions about the following configuration.
I was trying to replace a Microsoft ISA Firewall with an ASA 5520.
I've attached the schema (ASAredirect.jpg) and the ASA configuration (asa.txt).
The ISA server had the outside interface working as a PAT interface with some blacklist URL filtering.
In this firewall we found some port redirections configured to inside servers:
ISA interface IP address: 9999 -> 126.96.36.199:3389
ISA interface IP address: 9998 -> 188.8.131.52:3389
ISA interface IP address: 9997 -> 184.108.40.206:3389
ISA interface IP address: 9996 -> 220.127.116.11:3389
www.mycase.com/progs -> 18.104.22.168:80
I could configure the ASA Firewall to replace the ISA server:
- configure some URL filters using regex.
- configure the nat and global commands.
- configure the static command to redirect ports:
static (inside,outside) tcp interface 9999 22.214.171.124 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 9997 126.96.36.199 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 9998 188.8.131.52 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 9996 184.108.40.206 3389 netmask 255.255.255.255
static (inside,outside) tcp interface www 220.127.116.11 www netmask 255.255.255.255
But we have a special problem with the last redirect instruction.
The web page www.mycase.com is on a host outside. When you try www.mycase.com/progs, this redirects to a web server inside the ASA (see the graphic). If you are outside (Internet), you can get access to www.mycase.com and www.mycase.com/progs. If you try to get access to www.mycase.com from inside, it works fine, but when you try to get access to www.mycase.com/progs, it won't work. The inside station can't access www.mycase.com/progs.
After this I tried to ping from inside stations to the outside ASA interface, but it's not working. I modified the access rules, static and nat-control configuration, but I can't get access to either the outside interface or www.mycase.com/progs.
Please help with this.
If you have any suggestions related to URL filtering, I'd appreciate them.