02-27-2014 01:30 PM - last edited on 03-25-2019 05:53 PM by ciscomoderator
Hello,
I feel that this should be straightforward but I am having a lot of trouble getting this to work.
I am using v8.2 (security plus license) and have an ASA which does the standard allow internal access outside but I also have an additional network which is accessed with AnyConnect client.
I now have another requirement to place a web service so it is publicly accessible. I only have 1 available IP address which is the outside IP of my ASA (I cannot get any more). I thought I could achieve this with port forwarding so if I chose to go to my IP with a :portnumber I could forward that traffic to my internal server. Is this correct?
Example:
Outside World ------------- Outside ASA / Inside ASA --------------------- Web Server
0.0.0.0                     1.1.1.1       192.168.1.1                      192.168.1.2
What I would like to do is enter the outside IP of my ASA into a browser with a random port and that redirects to my internal server (e.g. http://1.1.1.1:55000 redirects to https://192.168.1.2).
Additional Criteria
1. I must not affect current services including my VPN connections
2. I may have additional web servers in future which will have to also use same outside IP address.
Can this be done and if so, how?
02-27-2014 07:07 PM
Hi Simon,
If you need to set up port forwarding on an ASA running 8.2, the configuration will look like this:
static (inside,outside) tcp interface 55000 192.168.1.2 443
So traffic coming from the Internet will reach the external IP 1.1.1.1:55000 and the ASA will send the traffic to the internal web server on TCP port 443.
Also remember to add the access list:
access-list outside_access line 1 extended permit tcp any host 1.1.1.1 eq 55000
If you have another web server behind the inside you can use the same public IP address but a different random port:
static (inside,outside) tcp interface 56000 192.168.1.3 443
access-list outside_access line 1 extended permit tcp any host 1.1.1.1 eq 56000
Please rate and select a correct answer.
02-28-2014 07:25 PM
Thank you for your response. I'm going to rate your answer as correct but there was a line you were missing that I believe was the initial problem all along.
What I had forgotten was to apply the access list to the outside interface:
access-group outside_access in interface outside
Once I did this it worked!!
PS: Anyone in future looking at this - you will also need to ensure your http server enable is on a separate port using the command
http server enable port-number
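The failure in this thread (a static PAT rule and ACL entry present, but no access-group binding the ACL to the outside interface) can be checked offline against a saved configuration. The following Python sketch is an added example, not code from any poster or from Cisco; the `audit` function, its findings format and the sample config are constructed for illustration. Reading the PS as "the ASA's own HTTPS server port must differ from every forwarded port" is an assumption.

```python
import re

# Constructed sample: the thread's 8.2 commands with the access-group line left out.
SAMPLE = """\
http server enable
static (inside,outside) tcp interface 55000 192.168.1.2 443
static (inside,outside) tcp interface 56000 192.168.1.3 443
access-list outside_access extended permit tcp any host 1.1.1.1 eq 55000
"""

# Only numeric ports are parsed; named ports (e.g. "https") are out of scope here.
STATIC = re.compile(r"^static \((\w+),(\w+)\) tcp interface (\d+) (\S+) (\d+)", re.M)
GROUP = re.compile(r"^access-group (\S+) in interface (\S+)", re.M)
HTTP = re.compile(r"^http server enable(?: (\d+))?\s*$", re.M)

def audit(config, outside_ip):
    """Return findings for interface static PAT rules written in 8.2 syntax."""
    findings = []
    # Map each interface to the ACL bound inbound on it.
    bound = {iface: acl for acl, iface in GROUP.findall(config)}
    http = HTTP.search(config)
    # With no port argument the ASA HTTPS server listens on 443.
    http_port = (http.group(1) or "443") if http else None
    for _real_if, mapped_if, port, _real_ip, _real_port in STATIC.findall(config):
        acl = bound.get(mapped_if)
        if acl is None:
            findings.append(f"{port}: no access-group bound inbound on {mapped_if}")
        else:
            # Pre-8.3 ACLs match the mapped (public) address and port.
            permit = re.compile(
                rf"^access-list {re.escape(acl)} (?:line \d+ )?extended permit tcp any "
                rf"host {re.escape(outside_ip)} eq {port}\s*$", re.M)
            if not permit.search(config):
                findings.append(f"{port}: ACL {acl} has no permit for this port")
        if port == http_port:
            findings.append(f"{port}: clashes with 'http server enable' port")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE, "1.1.1.1"):
        print(finding)
```

Run against the sample, it reports both forwarded ports as unreachable because no ACL is applied to the outside interface, which is the symptom described above.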