Hello,
I feel that this should be straightforward but I am having a lot of trouble getting this to work.
I am using v8.2 (Security Plus license) and have an ASA which does the standard allow internal access outside, but I also have an additional network which is accessed with the AnyConnect client.
I now have another requirement to place a web service so it is publicly accessible. I only have 1 available IP address which is the outside IP of my ASA (I cannot get any more). I thought I could achieve this with port forwarding so if I chose to go to my IP with a :portnumber I could forward that traffic to my internal server. Is this correct?
Example:
Outside World ------------- Outside ASA / Inside ASA --------------------- Web Server
0.0.0.0 1.1.1.1 192.168.1.1 192.168.1.2
What I would like to do is enter the outside IP of my ASA into a browser with a random port and have that redirect to my internal server (e.g. http://1.1.1.1:55000 redirects to https://192.168.1.2).
Additional Criteria
1. I must not affect current services including my VPN connections
2. I may have additional web servers in future which will have to also use same outside IP address.
Can this be done and if so, how?
Hi Simon,
If you need to set up port forwarding on an ASA running 8.2, the configuration will look like this:
static (inside,outside) tcp interface 55000 192.168.1.2 443
So traffic coming from the Internet will reach the external IP 1.1.1.1:55000 and the ASA will send the traffic to the internal web server on TCP port 443.
Also remember to add the access list:
access-list outside_access line 1 extended permit tcp any host 1.1.1.1 eq 55000
If you have another web server behind the inside interface, you can use the same public IP address but a different random port:
static (inside,outside) tcp interface 56000 192.168.1.3 443
access-list outside_access line 1 extended permit tcp any host 1.1.1.1 eq 56000
Please rate and select a correct answer.
Thank you for your response. I'm going to rate your answer as correct, but there was a line you were missing that I believe was the initial problem all along.
What I had forgotten was to apply the access list to the outside interface:
access-group outside_access in interface outside
Once I did this it worked!!
PS: Anyone looking at this in future - you will also need to ensure your http server enable is on a separate port, using the command
http server enable port-number
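As an added check, not code from anyone in this thread: a small Python audit that parses an ASA 8.2 fragment like the one above and flags a forwarded port with no ACL permit, an ACL that is never applied inbound on the outside interface (the line the poster had missed), and an http server port that collides with a forwarded port. The sample configuration is constructed, and the default of 443 for "http server enable" without a port is an assumption taken from the ASA documentation.

```python
import re
from typing import List

# Constructed sample (not a real device dump): two port forwards, an ACL that
# only covers the first one, the access-group line, and a separate http port.
SAMPLE_CONFIG = """
static (inside,outside) tcp interface 55000 192.168.1.2 443
static (inside,outside) tcp interface 56000 192.168.1.3 443
access-list outside_access line 1 extended permit tcp any host 1.1.1.1 eq 55000
access-group outside_access in interface outside
http server enable 4443
"""

STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) tcp interface (\d+) (\S+) (\d+)$")
ACL_RE = re.compile(r"^access-list (\S+)(?: line \d+)? extended permit tcp any host \S+ eq (\d+)$")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\w+)$")
HTTP_RE = re.compile(r"^http server enable(?: (\d+))?$")


def audit_port_forwards(config: str) -> List[str]:
    """Return findings for the static PAT entries in an ASA 8.2 config fragment."""
    forwards = {}    # outside port -> (inside host, inside port)
    permitted = {}   # ACL name -> set of outside ports it permits
    applied = {}     # interface -> ACL name applied inbound
    http_port = None
    for raw in config.splitlines():
        line = raw.strip()
        if m := STATIC_RE.match(line):
            forwards[int(m.group(3))] = (m.group(4), int(m.group(5)))
        elif m := ACL_RE.match(line):
            permitted.setdefault(m.group(1), set()).add(int(m.group(2)))
        elif m := GROUP_RE.match(line):
            applied[m.group(2)] = m.group(1)
        elif m := HTTP_RE.match(line):
            # Assumption: ASDM/http server listens on 443 when no port is given.
            http_port = int(m.group(1)) if m.group(1) else 443
    findings = []
    outside_acl = applied.get("outside")
    if outside_acl is None:
        findings.append("no access-group applied inbound on interface outside")
    for port, (host, iport) in sorted(forwards.items()):
        acls = [name for name, ports in permitted.items() if port in ports]
        if not acls:
            findings.append(f"port {port} -> {host}:{iport} has no ACL permit")
        elif outside_acl is not None and outside_acl not in acls:
            findings.append(f"port {port} permitted in {sorted(acls)} but applied ACL is {outside_acl}")
        if http_port == port:
            findings.append(f"http server enable port {port} collides with forward to {host}:{iport}")
    return findings
```

Running it over SAMPLE_CONFIG reports only the 56000 forward, which has no matching permit.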