I want anyone able to get an IP address from the corporate network, that does not have the Proxy client on the machine, to go via the Proxy web site when using www or https.
I have a router facing the ISP and the firewall behind the router providing LAN connectivity through various subinterfaces.
In the ASA 5515 (Cisco Adaptive Security Appliance Software Version 9.8(2), I want to nat all www and https traffic generated from any LAN subinterface to use ports 8081 and 8443 respectively. For that I created the following objects:
hostname(config)# object service http-original
hostname(config-service-object)# service tcp source range 1 65535 destination eq www
hostname(config-service-object)# description http-original
hostname(config)# object service http-redirect
hostname(config-service-object)# service tcp source range 1 65535 destination eq 8081
hostname(config-service-object)# description http-redirect
hostname(config)# object service https-original
hostname(config-service-object)# service tcp source range 1 65535 destination eq https
hostname(config)#object service https-redirect
hostname(config-service-object)# service tcp source range 1 65535 destination eq 8443
I do not want to nat the destination because there is a default route in the firewall pointing to the router. At the router end, I believe I can use Policy Based Routing to send traffic going to these two ports to the correct address on the Internet. I have not even tried that because I need to pass this first stage.
I know this is not the best approach but while we implement 802.x and use certificates and a Radius server for authentication, this is all I have.
So, can anyone shed some light on how I can possibly nat any source address to outside interface of the firewall but not nat the destination, because this could be any web server on the Internet. At the same time, if this traffic was www or https on any tcp port possible, to nat the service www to port 98081 and https to port 8443. Diagram attached.
Or if anyone suggest a better way to achieve this, I will greatly appreciate it.
Routing (including PBR) is not suitable for sending (redirecting) traffic to the proxy because the next hop (ISP router) will not consider the port-based rule, just routes the packet by the destination address. You should read the proxy manual about how the proxy expects the traffic (e. g. as an explicit proxy or via WCCP).