
Cisco ASA relay HTTP port to HTTPS without using CNAME DNS record

Vadim Semenov
Level 1

Hi all,

Could anyone tell me whether it is possible to configure the ASA so that when a customer relays http://domain.com, the Cisco ASA relays to https://domain.com (it's similar to the CNAME function of a domain record)?

P.S. The resource for domain.com is located behind the ASA, and the DNS A record relies on the public ASA IP address.

Thank you.

Accepted Solutions

The ASA cannot do this redirect based on URL/FQDN. You would need to find another way of doing it.

--

Please remember to select a correct answer and rate helpful posts

What version ASA are you running?

If the server has both static public and private IPs you could use NAT to redirect HTTP traffic to HTTPS based on IP.

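object network PUBLIC_IP
  host 1.1.1.1

object network REAL_IP
  host 2.2.2.2
  ! Syntax is "service tcp <real_port> <mapped_port>":
  ! outside tcp/80 (www) is translated to tcp/443 (https) on the server
  nat (inside,outside) static PUBLIC_IP service tcp https www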

Keep in mind that you will also need a NAT statement that maintains https to the server.

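As an added illustration (not part of the thread and not either poster's configuration), here is the port-translation approach from the reply above written out in full, including the second NAT statement that keeps HTTPS reachable. It assumes ASA 8.3+ object NAT, interfaces named inside and outside, the thread's placeholder addresses, and hypothetical object and ACL names. It only rewrites the destination port, so a client that sends plain HTTP to port 80 still arrives unencrypted at the server's TLS listener.

```cisco
! Added example. Assumptions: ASA 8.3+ object NAT syntax, interfaces named
! inside/outside, placeholder addresses from the thread (1.1.1.1 public,
! 2.2.2.2 real). Object and ACL names below are hypothetical.
object network PUBLIC_IP
 host 1.1.1.1
!
! Outside tcp/80 (www) is port-translated to tcp/443 on the server.
! Order is: service tcp <real_port> <mapped_port>
object network REAL_IP_FROM_HTTP
 host 2.2.2.2
 nat (inside,outside) static PUBLIC_IP service tcp https www
!
! A network object carries only one nat statement, so the rule that keeps
! outside tcp/443 mapped to tcp/443 gets its own object for the same host.
object network REAL_IP_FROM_HTTPS
 host 2.2.2.2
 nat (inside,outside) static PUBLIC_IP service tcp https https
!
! On 8.3+ the interface ACL is matched against the real address and port,
! so a single tcp/443 entry covers both translations.
access-list OUTSIDE_IN extended permit tcp any object REAL_IP_FROM_HTTPS eq https
access-group OUTSIDE_IN in interface outside
```

`show nat detail` and `show xlate` list both translations once the configuration is applied.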

Hello, Marius,

thank you for your reply. I understand that we should find another way of doing it.

Does it follow from your example that the server must work with the HTTP protocol, and after the ASA it will already be the HTTPS protocol?

In my example above, any http traffic that is destined for public IP 1.1.1.1 will be translated to the private IP of 2.2.2.2 and the port will be translated to https.

http to 1.1.1.1 -->  https to 2.2.2.2


OK, but it is highly necessary to force the customer to use HTTPS up to the ASA, and it is not very critical that we use HTTPS inside the network.

Then you need to find a different solution...you might want to look at solutions such as clientless SSL VPN, Citrix, or similar.
