Solved: Accessing inside service from outside via 5505

Lemon Lime · ‎02-27-2014

Hello,

I feel that this should be straight forward but I am having a lot of trouble getting this to work.

I am using v8.2 (security plus license) and have an ASA which does the standard allow internal access outside but I also have an additional network which is accessed with AnyConnect client.

I now have another requirement to place a web service so it is publically accessible. I only have 1 available IP address which is the outside IP of my ASA (I cannot get anymore). I though I could achieve this with port forwarding so if I chose to go to my IP with a :portnumber I could forward that traffic to my internal server. Is this correct.

Example:

Outside World ------------- Outside ASA / Inside ASA --------------------- Web Server

0.0.0.0 1.1.1.1 192.168.1.1 192.168.1.2

What I would like to do is enter the outside IP of my ASA into a browser with a random port and that redirects to my internal server (e.g. http://1.1.1.1:55000 redirects to https://192.168.1.2

Additional Criteria

1. I must not affect current services including my VPN connections

2. I may have additional web servers in future which will have to also use same outside IP address.

Can this be done and if so, how?

Harvey Ortiz · ‎02-27-2014

Hi Simon,

If you need to setup port forwarding on ASA runnin 8.2, the configuration will look like this:

static (inside,outside) tcp interface 55000 192.168.1.2 443

So traffic coming from the Internet will reach the external IP 1.1.1.1:55000 and the ASA will send the traffic to internal web server on tcp port 443.

Also remember to add the access list:

access-list outside_access line 1 extended permit tcp any host 1.1.1.1 eq 55000

If you have another web server behind the inside you can the same public IP address but different random port:

static (inside,outside) tcp interface 56000 192.168.1.3 443

access-list outside_access line 1 extended permit tcp any host 1.1.1.1 eq 56000

Please rate and select a correct answer.

View solution in original post

Harvey Ortiz · ‎02-27-2014

Hi Simon,

If you need to setup port forwarding on ASA runnin 8.2, the configuration will look like this:

static (inside,outside) tcp interface 55000 192.168.1.2 443

So traffic coming from the Internet will reach the external IP 1.1.1.1:55000 and the ASA will send the traffic to internal web server on tcp port 443.

Also remember to add the access list:

access-list outside_access line 1 extended permit tcp any host 1.1.1.1 eq 55000

If you have another web server behind the inside you can the same public IP address but different random port:

static (inside,outside) tcp interface 56000 192.168.1.3 443

access-list outside_access line 1 extended permit tcp any host 1.1.1.1 eq 56000

Please rate and select a correct answer.

Lemon Lime · ‎02-28-2014

Thank you for your response. I'm going to rate your answer as correct but there was a line you were missing that I believe was the initial problem all along.

What I had forgotten was to apply the access list to the outside interface:

access-group outside_access in interface outside

Once I did this it worked!!

PS: Anyone in future looking at this - You will also need to ensure your http server enable is on a separate port using command

http server enable port-number