Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
621
Views
0
Helpful
5
Replies

Problems redirecting web server through ASA

guigonza
Level 1
Level 1

‎08-10-2010 08:35 PM - edited ‎03-11-2019 11:23 AM

Hi ...

I need some help or sugestions about the following configuration.

I was trying to replace an Microsoft ISA Firewall with an ASA 5520.

I've attached the schema (ASAredirect.jpg) and the ASA configuration (asa.txt).

The ISA server had the outside interface working as PAT interface with some blacklist URL filtering.

In this firewall we found configured some ports redirections to inside servers:

ISA interface IP address: 9999 -> 1.1.0.64:3389

ISA interface IP address: 9998 -> 1.1.0.55:3389

ISA interface IP address: 9997 -> 1.1.0.35:3389

ISA interface IP address: 9996 -> 1.1.0.37:3389

www.mycase.com/progs -> 1.1.0.5:80

I could configure the ASA Firewall to replace the ISA server:

- configure some URL filters using regex.

- configure the nat and global commands.

- configure the static command to redirect ports:

static (inside,outside) tcp interface 9999 1.1.0.64 3389 netmask 255.255.255.255

static (inside,outside) tcp interface 9997 1.1.0.55 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 9998 1.1.0.35 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 9996 1.1.0.37 3389 netmask 255.255.255.255
static (inside,outside) tcp interface www 1.1.0.5 www netmask 255.255.255.255

But, we have an special problem with the last redirect instruction.

The web page www.mycase.com is in a host outside. When you try www.mycase.com/progs this redirects to a web server inside the ASA (see the graphic).  If you are outside (Internet) you can get access to www.mycase.com and www.mycase.com/progs. If you try to get access to www.mycase.com from inside works fine, but when try to get access to www.mycase.com/progs won't work.  The inside station can't access www.mycase.com/progs.

After this I tried to ping from inside stations to outside ASA interface, but it's not working.  I modified the access rules, static and nat-control configuration but I can't get access to the outside interface neither www.mycase.com/progs.

Please, your help in this.

If you have any sugestion related to URL filtering I'll appreciate.

Labels:
70271-asa.txt.zip
24 KB
0 Helpful
5 Replies 5

Nagaraja Thanthry
Cisco Employee
Cisco Employee

‎08-10-2010 08:59 PM

Hello,

Please try the following:

If you are running code version older than 8.2:

0 Helpful

Nagaraja Thanthry
Cisco Employee
Cisco Employee

‎08-10-2010 09:05 PM

Hello,

I checked your configuration again and this configuration should work:

0 Helpful

guigonza
Level 1
Level 1
In response to Nagaraja Thanthry

‎08-10-2010 09:10 PM

No, doesn't work ...  when somebody in inside network try www.mycase.com/progs (port redirected to web server inside) doesn't get access.

0 Helpful

Nagaraja Thanthry
Cisco Employee
Cisco Employee
In response to guigonza

‎08-10-2010 09:22 PM

Hello,

Can you please post the output of "show run statics", "show run nat", and "show run global" again here? Also, please remove " ip verify reverse-path interface inside" and try again.

Regards,

NT

0 Helpful

guigonza
Level 1
Level 1
In response to Nagaraja Thanthry

‎08-11-2010 06:47 AM

Thanks for your attention ...

I removed the "ip verify reverse-path interface inside", but it didn't work.

I'm requesting the show results ... as soon as I get them I'll send ...

I was trying to ping the ASA outside interface from inside and is not possible. 

The problem is:   from the inside network is not possible to get access to ASA outside interface.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card