topic Redirecting all IP to a services on a different host in Network Security

Redirecting all IP to a services on a different host

davcommunay — Mon, 11 Mar 2019 21:36:58 GMT

Dear All,

Suppose I want to redirect all connections from INSIDE(10.0.0.0/24) to OUTSIDE(any) on tcp port 80 to a server 172.2.2.2 in DMZ on port 3128, note that this port is not important as Linux can receive connexion on port 80 and redirect them to 3128 easily...

It is called transparent proxy i know this can be done with WCCP commands, BUT i d like to know if ASA was able to redirect destination connections this way.

This can also be very useful, imagine one of your MYSQL server is not accessible and you want to redirect all the connections to another server through the firewall without client re-configuration... (this is a good example as wccp won't be acceptable)

Please let me know...

Best regards,

David

Redirecting all IP to a services on a different host

lance_brown — Thu, 13 Oct 2011 19:56:06 GMT

You could do that as you can create a NAT to look at the source and destination IP's as well as the service, you can either then change none, one, two or all three of those in the NAT rule.

A better solution, use DNS. All of the clients should be pointed towards a name and not an IP. Then if the server fails, you update the DNS record and all of the clients will continue to work.

Redirecting all IP to a services on a different host

davcommunay — Sat, 15 Oct 2011 11:26:42 GMT

Hi,

I trust you when you say it is possible

But i would ike to know how ??? a practical example of a nat rule of that kind...

Otherwise i am agree that using DNS for this is better but i am more interested by the technical aspect of that NAT rules in ASA as it is so easy to do with iptables ...

Please let me know if you have the solution.

Best regards

Redirecting all IP to a services on a different host

Julio Carvajal — Sat, 15 Oct 2011 23:17:44 GMT

Hello David,

What version of IOS are you running??

Regards,

Julio

Redirecting all IP to a services on a different host

lance_brown — Tue, 18 Oct 2011 14:32:37 GMT

nat (Inside, Outside) 1 source static 10.0.0.0 [ip address to NAT source address to] destination static [ip address/subnet of destination] 172.2.2.2 service HTTP HTTP no-proxy-arp

If you want truly any service rather than just HTTP as the original service, then it would look like this:

nat (Inside, Outside) 1 source static 10.0.0.0 (ip address to NAT source address to) destination static (ip address/subnet of destination) 172.2.2.2 service any HTTP no-proxy-arp

Now while you are not going to ANY address as the original [the first set of brackets], you are able to do a subnet. Since you said you wanted to do this so you didn't have to change client settings, then you obviously know what the address being used is. Oh, the 1 after the "nat (Inside, Outside)" is the position of the NAT rule, so in your case, it may not be 1.

Redirecting all IP to a services on a different host

davcommunay — Mon, 24 Oct 2011 10:27:52 GMT

Thank you for this i will try

Redirecting all IP to a services on a different host

davcommunay — Mon, 24 Oct 2011 11:42:29 GMT

Unfortunately, this does not work at all

# show version

Cisco Adaptive Security Appliance Software Version 8.3(1)

Device Manager Version 6.3(1)

These commands where not sucessfull, and even if i try to modify them at least 12 times).

So what i tried to do at first was redirecting all connections coming from my_computer to an IP called website going to port 80 being redirected to database on port mysql. OUF!

It looks like this

nat (inside,any) source static my_computer my_computer destination static website database service http mysql

now if i try a telnet on the website on port 80 i should be redirected to database:3306 ?

telnet THE.IP.OF.WEBSITE 80

Trying THE.IP.OF.WEBSITE...

And nothing more...

If i check the logs during this time i can see:

"Bult outbound TCP connection 321212121 for outside:database_ip/3306 (website_ip/80) to inside:my_computer/50087 (mycomputer/50087)"

now i am COMPLETELY lost

1) Database IP is on INSIDE interface

2) website_IP is OUTSIDE (on the internet)

I am just trying to do DNAT but i can't figure out to find the solution..

Please help

Re: Redirecting all IP to a services on a different host

lance_brown — Mon, 24 Oct 2011 17:06:13 GMT

You have three options.

1) Use packet-tracer and see why it fails or if it does really pass.

2) Create the NAT using ASDM and let it figure out the syntax for you.

3) Use DNS as this is what it was designed for.