topic Thanks Tim - let me give this in Network Security

Cisco ASA - How to configure two IIS server routing with 1 IP address?

alafever1 — Tue, 12 Mar 2019 07:44:28 GMT

Hello Community,

I've in a bit of a bind here. I am trying to release a QA server into our environment for a client. We currently have a Web server already configured and working in the DMZ. I've added the QA server into the DMZ as well. The problem comes in because I only have one Public IP address I can use and I do not have the ability to add more to this network.

I would like to setup the ASA to forward traffic received over a specific port to this QA server as opposed to the other Web server. I am OK with having a www.urlhere.com:portnumber type URL. I've tried a couple of configurations but have not been able to get the URL to actually reach the QA server on the port I specify.

I've added Access Rules and NAT rules with no success. Can anyone give me an outline of what might be required for this setup?

1 Public IP

2 servers in DMZ with IIS

Thank you!

Hi,

Tim Y — Thu, 12 May 2016 13:08:39 GMT

Hi,

Here is an example for you. In this example URL:1234 is used to NAT to the the QA server on port 80.

object service web
service tcp destination eq 80
!
object service qa_iis_web
service tcp destination eq 1234
!
object network qa_server
host 192.168.1.2
!
access-list outside_acl line 1 extended permit object qa_iis_web any object qa_server
!
nat (outside,dmz) source static any any destination static interface qa_server service qa_iis_web web unidirectional

Hope this helps!

Regards,

Tim

Thanks Tim - let me give this

alafever1 — Thu, 12 May 2016 13:08:40 GMT

Thanks Tim - let me give this a try!

Would I need to change this

alafever1 — Thu, 12 May 2016 17:28:28 GMT

Would I need to change this last line to be nat(outside,dmz)? The server doesn't reside on the inside network.

nat (outside,dmz) source static any any destination static interface qa_server service web qa_iis_web unidirectional

Thank you!

Hi there,

Tim Y — Thu, 12 May 2016 17:30:29 GMT

Hi there,

Yes that is correct. If the server resides in the DMZ, then you must use (outside,dmz). Let me know how it goes.

Regards,

Tim

Please don't forget to rate useful posts and mark answers as correct.

Cool - I'm waiting for a good

alafever1 — Thu, 12 May 2016 17:50:31 GMT

Cool - I'm waiting for a good time to run the command. I'll let you know how it goes.

Thanks for the quick reply 🙂

Command has been ran. I

alafever1 — Thu, 12 May 2016 19:22:13 GMT

Command has been ran. I still don't seem to be able to access the site using https://url.domain.com:55100

Still poking around...

object service web
service tcp destination eq 443
!
object service QA-SERVER-TCP55100
service tcp destination eq 55100
!
object network QA-SERVER
host 10.1.10.XX
!
access-list outside_acl line 1 extended permit object QA-SERVER-TCP55100 any object QA-SERVER
!
nat (outside,dmz) source static any any destination static interface QA-SERVER service web QA-SERVER-TCP55100 unidirectional

Hi,

Tim Y — Thu, 12 May 2016 19:26:20 GMT

Hi,

Sorry, reverse the service order.

nat (outside,dmz) source static any any destination static interface QA-SERVER service QA-SERVER-TCP55100 web unidirectional

If it still doesn't work, please show me the output of:

- show run nat

- show xlate | i 10.1.10.XX

- show access-list outside_acl | i 10.1.10.XX

Attached!

alafever1 — Thu, 12 May 2016 19:46:43 GMT

Attached!

Perhaps the service "web"

alafever1 — Thu, 12 May 2016 19:57:31 GMT

Perhaps the service "web" should be a new service specifically to the 55100 port. That appears to be pointed to 443.

I think that did it!!!

alafever1 — Thu, 12 May 2016 19:58:43 GMT

I think that did it!!!

Hi,

Tim Y — Thu, 12 May 2016 20:00:47 GMT

Hi,

Please remove the rule and re-add it at the top of the list:

nat (outside,dmz) 1 source static any any destination static interface QA-SERVER service QA-SERVER-TCP55100 web unidirectional

I believe this is the problem. After, please test again. Ensure you are testing from an external internet connection and not from something on the inside/dmz of the firewall. If it is still not working:

Let me know if the hits on the firewall are incrementing. If yes,

Connect to the QA IIS from the inside using the inside IP on port 443. Does it work? If yes,

We'll have to start a packet capture to see if the packets are getting dropped and the drop reason

Regards,

Tim

Ah ok. I thought you wanted

Tim Y — Thu, 12 May 2016 20:10:31 GMT

Ah ok. I thought you wanted 443 and not 80. Good stuff! If you hadn't figured it out, the below troubleshooting question would have caught it:

Connect to the QA IIS from the inside using the inside IP on port 443. Does it work?

That would have failed since you wanted 80 all along, and then we'd realize it then too. Happy you have it working!

Regards,

Tim

I ended up using a completely

alafever1 — Thu, 12 May 2016 20:10:32 GMT

I ended up using a completely nonstandard port of 55100. 🙂

Now I have to do something similar to get RDP to go specifically to a port on that server. I've changed the RDP listening port on the server...I think I can use the same set of rules we just did for the web service to make this RDP work.

You've given me the groundwork I need to get this going I think. Thanks so much for your time and energy.

You're welcome. Just do the

Tim Y — Thu, 12 May 2016 20:20:53 GMT

You're welcome. Just do the exact same thing for RDP.

If the port is 51000, when you're connecting via RDP from the internet, use:

70.89.XX.XX:51000

Good luck!

Regards,

Tim

Tim - External has been

alafever1 — Fri, 13 May 2016 19:01:16 GMT

Nevermind! 🙂