Beginner

nat source and service but not destination address

Hi,

I want anyone able to get an IP address from the corporate network, that does not have the Proxy client on the machine, to go via the Proxy web site when using www or https.

 

I have a router facing the ISP and the firewall behind the router providing LAN connectivity through various subinterfaces.

In the ASA 5515 (Cisco Adaptive Security Appliance Software Version 9.8(2)), I want to nat all www and https traffic generated from any LAN subinterface to use ports 8081 and 8443 respectively. For that I created the following objects:

```
! Service objects for the port translation:
!   *-original = destination port as generated by the LAN hosts (80 / 443)
!   *-redirect = destination port the traffic should carry after translation (8081 / 8443)
! "source range 1 65535" matches any TCP source port, so only the destination port is significant.
hostname(config)# object service http-original
hostname(config-service-object)# service tcp source range 1 65535 destination eq www
hostname(config-service-object)# description http-original
hostname(config)# object service http-redirect
hostname(config-service-object)# service tcp source range 1 65535 destination eq 8081
hostname(config-service-object)# description http-redirect
hostname(config)# object service https-original
hostname(config-service-object)# service tcp source range 1 65535 destination eq https
hostname(config-service-object)# description https-original
hostname(config)# object service https-redirect
hostname(config-service-object)# service tcp source range 1 65535 destination eq 8443
hostname(config-service-object)# description https-redirect
```

 

I do not want to nat the destination because there is a default route in the firewall pointing to the router. At the router end, I believe I can use Policy Based Routing to send traffic going to these two ports to the correct address on the Internet. I have not even tried that because I need to pass this first stage.

 

I know this is not the best approach but while we implement 802.1X and use certificates and a RADIUS server for authentication, this is all I have.

 

So, can anyone shed some light on how I can possibly nat any source address to the outside interface of the firewall but not nat the destination, because this could be any web server on the Internet. At the same time, if this traffic is www or https on any possible tcp port, to nat the service www to port 8081 and https to port 8443. Diagram attached.

 

Or if anyone suggests a better way to achieve this, I will greatly appreciate it.
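As an added example (not from the original post or from any of the replies), this is the manual (twice) NAT rule that the service objects above would be attached to on ASA 9.8: dynamic PAT of every inside source to the outside interface address, destination address left untouched, and only the destination port rewritten. The interface names `inside`/`outside`, the client and server addresses used in the check, and the `obj-any` identity object are assumptions. The operand order of the `service` keyword (mapped-destination object first, then real-destination object, where "mapped" is the port the inside hosts see) follows the dynamic manual NAT syntax as I read it and should be confirmed with `packet-tracer` before relying on it. Note what the rule does not do: as the Contributor's reply below points out, changing the port does not change the next hop, so the ISP router still delivers the packet to the real web server, which is not listening on 8081/8443; the rule alone does not get the traffic to the proxy.

```text
! --- added example, not the poster's configuration ---
! Identity object used so the destination address is matched but never translated (assumed name)
object network obj-any
 subnet 0.0.0.0 0.0.0.0
!
! Manual NAT (section 1, evaluated before object NAT):
!   source dynamic any interface        -> PAT all inside hosts to the outside interface IP
!   destination static obj-any obj-any  -> destination IP is NOT translated (identity)
!   service <mapped-dest> <real-dest>   -> only the destination port is rewritten;
!                                          dynamic rules cannot translate the source port,
!                                          which is why the objects carry "source range 1 65535"
nat (inside,outside) source dynamic any interface destination static obj-any obj-any service http-original http-redirect
nat (inside,outside) source dynamic any interface destination static obj-any obj-any service https-original https-redirect
!
! Check 1: simulate an inside client (assumed 10.1.1.10) opening TCP/80 to an assumed
! Internet address and read the NAT phase of the trace: the destination port should
! appear as 8081 after translation while the destination IP stays 198.51.100.10.
packet-tracer input inside tcp 10.1.1.10 40000 198.51.100.10 80 detailed
!
! Check 2: after some real browsing, the translate_hits counters on both manual
! NAT rules should increase; untranslated_hits rising instead means the rule is not matching.
show nat detail
```

If the trace shows the destination port unchanged, swap the two service objects on the `nat` line and re-run the trace; the objects are symmetric apart from their port, so the trace makes the correct order unambiguous.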

 

3 Replies

RJI (VIP Advocate)

Re: nat source and service but not destination address

Hi,
Does the Internet/cloud-based proxy server support WCCP? If so, you could configure WCCP on the ASA and redirect Internet traffic to the proxy that way.

HTH
Beginner

Re: nat source and service but not destination address

Not sure RJI but will ask.

 

Thank you for the suggestion. I was not aware of that option.

Contributor

Re: nat source and service but not destination address

Routing (including PBR) is not suitable for sending (redirecting) traffic to the proxy, because the next hop (the ISP router) will not consider the port-based rule; it just routes the packet by the destination address. You should read the proxy manual about how the proxy expects the traffic (e.g. as an explicit proxy or via WCCP).