topic Re: 5520 PAT question in Network Security

5520 PAT question

BumSkull623 — Mon, 11 Mar 2019 20:03:47 GMT

in our DMZ we have a webserver. On this server we have multiple sites setup. On the ASA i have some PAT rules in place that work fine from the outside. Everyone comes in and sees the sites on port 80 or 443 just fine. How we want it.

Now the issue is that from the internal network when we go to the site since we can't get out to the outside interface and come back into the DMZ. I have DNS setup internally to point our site to the DMZ address. In doing this you end up with the port showing in the url like this. ~.com:82/

What I want is to be able to not have that port showing for both internal and VPN users. Is there a way to have another rule or something in place on the ASA to either allow traffice out to the public address or a way to have another PAT rule that works for both internal users and users comming in on VPN?

Re: 5520 PAT question

PAUL GILBERT ARIAS — Thu, 10 Mar 2011 01:12:45 GMT

the question is not very clear. What I understand is that you have a webserver on the DMZ that you access from the outside. I assume that you have only one public IP for this server and you are doing port forwarding, for example:

static (dmz,outside) tcp 80 80

static (dmz,outside) tcp 443 443

access-l outside_in permit tcp any host eq 80

access-l outside_in permit tcp any host eq 443

access-group outside_in in interface outside

And I understand that you want to access the webserver from the inside, is that right?

From the inside with a simple NAT and Global you should be able to access the dmz_ip with either HTTP or HTTPS.

Re: 5520 PAT question

BumSkull623 — Thu, 10 Mar 2011 01:51:36 GMT

Sorrry for not being very clear, if you can't tell I am not that familiar with the Cisco ASA.

I have a webserver in my DMZ. The website needs to be accessed by outside, inside and VPN. This one server hosts several sites withing IIS. I have several Public IP's, its a /27 public IP range.

Something like this:

www.mysite.com 1.1.1.1

this.mysite.com 1.1.1.2

that.mysite.com 1.1.1.3

So we have it setup like this:

The one server has one IP address on the DMZ then from the ASA its doing PAT to take the Public port 80 and routing it to the internal IP on port 82. Then IIS site 1 is set to listen on port 82, site 2 on 83 and so on.

When you go to www.mysite.com you are actually getting 192.168.0.1:82, this.mysite.com>192.168.0.1:83....

Now when I access the website fron the Inside it goes to my internal DNS and gets the DMZ ip address. Then when you go to that IP you end up seeing the port assignment in the address bar. I am using IIS URL rewrite to read the domain name passed and then direct to the correct port so you can access the site. So from the inside if I go to www.mysite.com, you end up with www.mysite.com:82

What I want to be able to do is access the site from Inside and not have the port show up.

While trying to find a way to explain this so that someone else might understand, i had a thought. I know bad right..

This is one of the PAT rules now.

static (dmz,outside) tcp 1.1.1.1 www 192.168.0.1 82 netmask 255.255.255.255

What if I do this

static (dmz,inside) tcp 1.1.1.1 www 192.168.0.1 82 netmask 255.255.255.255

I gave it a try and it seems to do the trick, after I changed my internal DNS to point www.mysite.com to 1.1.1.1 instead of 192.168.0.1

Maybe this isn't the best way and if its not, i am open any recommendations that you may have

Re: 5520 PAT question

PAUL GILBERT ARIAS — Thu, 10 Mar 2011 01:57:41 GMT

that seems to be the right sintax. It is a outside NAT with port forwarding.

If you already tried that and it worked then you did a great job.