Forward Http Traffic from to External IP on ASA 5505

Unanswered Question
Aug 1st, 2013

Hi,


My client has two web servers. He wants us to download the app from the production server on an iPhone, and when it hits back, traffic should go to the staging server. We cannot change anything in the application. So when someone hits the application from my network, it should go to the 2nd web server.


Is there anything the ASA can understand so that a request for IP A can be redirected to IP B?



Please suggest.


Thank You.

Amardeep

Jouni Forss Thu, 08/01/2013 - 07:55

Hi,


I think we need clarification on the whole setup. I am not sure exactly what it is that you are trying to achieve.


A simple picture of how the network is built and how the connections should be forwarded would help to clarify if this is something that can be handled with NAT on the ASA.


- Jouni

Amardeep Kumar Thu, 08/01/2013 - 08:01

Hi Jouni,


Thank you,


Let me explain again.


I have two web servers at the client end: Server A - test.com, Server B - my.test.com. Now, sitting in my network behind an ASA 5505, I want to redirect all my traffic for Server A to Server B. My application reads only test.com. So I want all the traffic for test.com to be redirected to my.test.com.



Hope you get it..



Thanks

Amardeep

Jouni Forss Thu, 08/01/2013 - 08:14

Hi,


Well, I imagine that the example server test.com is resolved to some public IP address on a public DNS server and that public IP address is located on the ASA. And on the ASA that public IP address is probably in a Static NAT or Static PAT configuration for the server test.com.


I am not sure if you are simply attempting to change the ASA configuration so that the public IP address would now be statically NATed/PATed to the other local server my.test.com?


- Jouni

Amardeep Kumar Thu, 08/01/2013 - 08:28

Hi Jouni,


Is it possible to configure any NAT rule or something else which tells my ASA that all traffic from (my internal network) for IP 1.1.1.1 should go to IP 2.2.2.2? Both IPs are public and at the client's end. I am accessing these IPs as a user.


Or suppose you are accessing an IP 1.1.1.1 from your network and all traffic should go to 2.2.2.2.


Hope I am able to make it clear this time.



Thanks

Amardeep..

Jouni Forss Thu, 08/01/2013 - 09:44

Hi,


I think I would probably have to see the ASA configuration and/or some picture of the network setup that clearly shows the location and networks of the users and servers.


- Jouni

Amardeep Kumar Thu, 08/01/2013 - 10:00

Thanks Jouni,


There is nothing I have done on my ASA yet. These servers don't belong to my network. I don't have access to these servers. The only thing I have to do is: when a user sitting in my network accesses any external website (any IP), that request should be redirected to another website or IP.



Thanks

Amardeep

turbo_engine26 Fri, 08/02/2013 - 07:04

Hi,


I think this should be done at your client's premises, not yours. Because both servers are not under your direct authority, your client should configure this redirecting behavior in their firewall. I believe this can be done using Static PAT on your client's firewall to translate both servers into one Public IP. Each server must listen on a different port. In this case, when a host in your internal traffic initiates a connection to that one Public IP along with Server B's port, then the redirection would be successful.


For example,


Server A: 192.168.5.5 (listens to port 1234)

Server B: 192.168.5.6 (listens to port 5678)


Both servers located, let's say, in DMZ interface.


PAT Address: 200.1.1.1


static (dmz,outside) tcp 200.1.1.1 1234 192.168.5.5 1234 netmask 255.255.255.255

static (dmz,outside) tcp 200.1.1.1 5678 192.168.5.6 5678 netmask 255.255.255.255



To test it:


Hosts in your internal network try to access http://200.1.1.1:5678


Note: Both web servers must listen to these ports in the first place, so web server administrator work is involved.



Regards,

AM

Marius Gunnerud Fri, 08/02/2013 - 08:36

Turbo brings up a good point that it is best to have this done at the client site.


However, looking away from best practice, you could use a policy NAT to get this done.  Though I have never considered doing this, I think the configuration would be something like the following:


object network iPhone-Users
 subnet 192.168.1.0 255.255.255.0

object network ServerA
 host 1.1.1.1

object network ServerB
 host 2.2.2.1

nat (inside,outside) source dynamic iPhone-Users interface destination static ServerA ServerB
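
A narrower form of the policy NAT rule above, added here as an example (not part of the original reply): it limits the destination rewrite to TCP port 80, matching the HTTP-only goal in the thread title, and then checks the result on the ASA. The object names come from the reply; the service object name HTTP, the test host 192.168.1.10 and the source port 50000 are assumptions, and the syntax requires ASA 8.3 or later.

```cisco
! Objects as posted in the reply above
object network iPhone-Users
 subnet 192.168.1.0 255.255.255.0
object network ServerA
 host 1.1.1.1
object network ServerB
 host 2.2.2.1
!
! Assumed service object: matches only TCP destination port 80
object service HTTP
 service tcp destination eq www
!
! Twice NAT: inside users are PATed to the outside interface address, and
! only HTTP connections addressed to ServerA get their destination
! rewritten to ServerB. Listing the same service object twice keeps the
! port unchanged. Traffic to ServerA on any other port does not match
! this rule and is handled by the remaining NAT rules as before.
nat (inside,outside) source dynamic iPhone-Users interface destination static ServerA ServerB service HTTP HTTP
!
! Verification from privileged EXEC mode.
! For port 80 the UN-NAT phase should show the destination changing
! from ServerA to ServerB:
packet-tracer input inside tcp 192.168.1.10 50000 1.1.1.1 80 detailed
! For port 443 this rule should not be matched:
packet-tracer input inside tcp 192.168.1.10 50000 1.1.1.1 443 detailed
! Rule order and hit counters (manual NAT is evaluated top-down in
! section 1, so an earlier manual rule matching the same traffic wins):
show nat detail
! Active translations once real client traffic has flowed:
show xlate
```

The rule rewrites only the destination IP address, so the HTTP request still carries the original Host header and Server B has to answer for that name.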

turbo_engine26 Fri, 08/02/2013 - 09:27

Well, I even forgot to ask the requester what the ASA's software version is.


Yes, Manual NAT (8.3 or later) in our premises is better than Static PAT in the client's premises. Good one!


Personally, I would go with Manual NAT.


Regards,

AM
