11-14-2008 06:10 AM - edited 02-21-2020 03:06 AM
Hi
I am using an ASA 5540 running version 7.2(3) and would like to pass all http and https requests coming from the inside of the ASA to an external proxy server on the internet (all requests need to pass to port 8080). I've tried using static commands but can only seem to NAT on the inside source address and not the destination address. Have also tried the same using dynamic NAT but again can only NAT on the source address.
Is there a way of NATing the destination address when coming from the inside of firewall?
Alternatively, if anyone can suggest another way of diverting http requests to a proxy server on the internet that would be appreciated.
11-14-2008 07:03 AM
static (outside,inside) 195.167.17.1 195.167.17.1 netmask 255.255.255.255
Or if you want to present the external address as an internal address
static (outside,inside) 192.168.5.1 195.167.17.1 netmask 255.255.255.255
where 192.168.5.1 is your internal address.
Jon
11-14-2008 07:14 AM
All internal users come from a private address range 10.10.10.x/24 and could potentially try to access any web page on the internet, but the destination needs to be natted to a proxy server address on the internet to process the web request.
11-14-2008 07:40 AM
I do not have a pix/asa handy so I can't tell you whether this will work. You would need to test it - I have my doubts.
access-list PNAT permit tcp 10.10.10.0 255.255.255.0 any eq http
access-list PNAT permit tcp 10.10.10.0 255.255.255.0 any eq https
static (outside,inside) 195.167.17.1 access-list PNAT
Could you not do as Colin suggests and just modify the browser settings - think this would be a lot easier.
Jon
11-14-2008 08:08 AM
I've tried the above configuration and no success.
Would like to modify the browser settings, but have over 200 users and the department that rolls out our group policies for windows is having issues updating the browsers.
To get the nat changed by destination would be good.
11-14-2008 10:14 AM
You can try:
static (inside,outside) tcp public ip 8080 10.10.10.0 8080 netmask 255.255.255.0
OR
static (inside,outside) tcp
I'm wondering if the browser is going out default 80 and you have to translate out to 8080.
--John
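Putting Jon's (outside,inside) static together with John's question about port 80 versus 8080, here is the one-to-one form written out as an added example; it is not from any poster in this thread. The proxy address 195.167.17.1 and the inside-facing alias 192.168.5.1 are taken from Jon's post, port 8080 and the 10.10.10.0/24 client range from the original question; the interface names inside/outside and the nat/global pair are assumptions. The syntax is the pre-8.3 static form (real interface first, mapped interface second, mapped address/port before real address/port).

```cisco
! Added example (not from the thread): one-to-one destination NAT on ASA 7.2, pre-8.3 syntax.
! Assumptions: interfaces are named inside/outside; the proxy is 195.167.17.1 listening on
! tcp/8080; 192.168.5.1 is an address that no inside host uses.
!
! Real side is the OUTSIDE interface (the proxy), mapped side is INSIDE: an inside host that
! connects to 192.168.5.1 port 80 is translated to 195.167.17.1 port 8080 on the way out.
static (outside,inside) tcp 192.168.5.1 80 195.167.17.1 8080 netmask 255.255.255.255
!
! The static above rewrites only the destination. Source translation for 10.10.10.0/24 still
! comes from the ordinary outbound rules (assumed here: PAT to the outside interface address).
nat (inside) 1 10.10.10.0 255.255.255.0
global (outside) 1 interface
!
! Verify the translation before pointing 200 clients at it (packet-tracer exists from 7.2(1);
! 10.10.10.25 / 1025 is a constructed sample client and source port).
packet-tracer input inside tcp 10.10.10.25 1025 192.168.5.1 80
show xlate
```

This is the one-to-one case: one real address (the proxy) presented as one mapped address on the inside, which the ASA accepts. Clients reach 192.168.5.1 through their default gateway on the ASA inside interface, and they still have to be configured to use 192.168.5.1:80 as their proxy; the static does not intercept connections to arbitrary web servers, and, as reported later in this thread, a static whose ACL covers many real addresses for a single mapped address is rejected with "global address overlaps with mask". Keep in mind what the design hands the proxy operator: every HTTP request in the clear and the CONNECT target of every HTTPS session cross an internet path to 195.167.17.1, so the proxy must be one you trust and the path to it should be restricted to that single address and port.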
11-17-2008 04:30 AM
I've tried this configuration and get an error message that global address overlaps with mask. Does anyone have any other suggestions?
11-17-2008 05:23 AM
Ideally I'd like to put in the following configuration:
access-list PROXY_NAT permit tcp 10.10.10.0 255.255.255.0 any eq 80
access-list PROXY_NAT permit tcp 10.10.10.0 255.255.255.0 any eq 443
static (outside,inside) access-list PROXY_NAT
Syntax-wise this isn't possible, but I hope it describes a little more clearly what I'm trying to do.
11-14-2008 07:06 AM
Could you set the browser settings for the proxy?
01-01-2010 02:00 PM
It seems that when using the ACL in combination with the static translation statement (amounting to static policy NAT), the number of "real" addresses to be translated (as specified in the ACL) needs to equal to the number of addresses used for translation (which is only 1 address).
For example, my Cisco ASA 5505 gave no errors when I entered the following:
Static Policy Nat - Accepted by ASA w/ no errors - (1 to 1 mapping of 1 real address to 1 mapped address)
access-list staticPOLICYnat line 1 extended permit ip host 172.16.0.2 host 74.125.45.105
static (inside,outside) 192.168.1.253 access-list staticPOLICYnat
The above policy static nat translates the real source address of 172.16.0.2 to 192.168.1.253 when 172.16.0.2 attempts connections to 74.125.45.105
Notice that there is a 1 to 1 mapping of the "real" address of 172.16.0.2 to the mapped address of 192.168.1.253.
However, in the past I also wondered if I could translate more than one real address and map them to one global address using the ACL and static nat combo (which amounts to static policy nat). But I have not been able to get that to work. For example, entering the following provided me with the "global address overlaps with mask" error.
Static Policy Nat - Rejected By ASA w/ error of "global address overlaps with mask" - (many to 1 mapping of multiple real addresses to 1 mapped address)
access-list staticPOLICYnat line 1 extended permit ip any host 74.125.45.105
static (inside,outside) 192.168.1.253 access-list staticPOLICYnat
The above configuration was rejected by my ASA 5505 with an error of "global address overlaps with mask"
In my experience, it is, however, possible to map/translate more than one "real" IP address to one mapped/translated IP address using dynamic policy NAT. So for example, the following was accepted by my ASA with no errors.
Dynamic Policy Nat - Accepted by ASA w/ no errors - (many to 1 mapping of multiple real addresses to 1 mapped address)
access-list staticPOLICYnat line 1 extended permit tcp any host 74.125.45.105
nat (inside) 2 access-list staticPOLICYnat
global (outside) 2 192.168.1.253
If anyone knows how to translate or map multiple IP addresses to a single IP address using static policy NAT, please do share.
Best Regards,
David