Cisco Community
English
Register
We're here for you! LEARN about free offerings and business continuity best practices during the COVID-19 pandemic
Register
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

169
Views
0
Helpful
2
Replies
Highlighted
Lemon Lime
Beginner
Beginner
‎02-27-2014 01:30 PM
‎02-27-2014 01:30 PM

Accessing inside service from outside via 5505

Hello,

I feel that this should be straight forward but I am having a lot of trouble getting this to work.

I am using v8.2 (security plus license) and have an ASA which does the standard allow internal access outside but I also have an additional network which is accessed with AnyConnect client.

I now have another requirement to place a web service so it is publically accessible.  I only have 1 available IP address which is the outside IP of my ASA (I cannot get anymore).  I though I could achieve this with port forwarding so if I chose to go to my IP with a :portnumber I could forward that traffic to my internal server.  Is this correct.

Example:

Outside World  ------------- Outside ASA / Inside ASA --------------------- Web Server

0.0.0.0                            1.1.1.1           192.168.1.1                       192.168.1.2

What I would like to do is enter the outside IP of my ASA into a browser with a random port and that redirects to my internal server (e.g. http://1.1.1.1:55000 redirects to https://192.168.1.2

Additional Criteria

1.  I must not affect current services including my VPN connections

2.  I may have additional web servers in future which will have to also use same outside IP address.

Can this be done and if so, how?

Labels:
0 Helpful
Reply
1 ACCEPTED SOLUTION

Accepted Solutions
Highlighted
Harvey Ortiz
Beginner
Beginner
‎02-27-2014 07:07 PM
‎02-27-2014 07:07 PM

Accessing inside service from outside via 5505

Hi Simon,

If you need to setup port forwarding on ASA runnin 8.2, the configuration will look like this:

static (inside,outside) tcp interface 55000 192.168.1.2 443

So traffic coming from the Internet will reach the external IP 1.1.1.1:55000 and the ASA will send the traffic to internal web server on tcp port 443.

Also remember to add the access list:

access-list outside_access line 1 extended permit tcp any host 1.1.1.1 eq 55000

If you have another web server behind the inside you can the same public IP address but different random port:

static (inside,outside) tcp interface 56000 192.168.1.3 443

access-list outside_access line 1 extended permit tcp any host 1.1.1.1 eq 56000

Please rate and select a correct answer.

View solution in original post

0 Helpful
Reply
2 REPLIES 2
Highlighted
Harvey Ortiz
Beginner
Beginner
‎02-27-2014 07:07 PM
‎02-27-2014 07:07 PM

Accessing inside service from outside via 5505

Hi Simon,

If you need to setup port forwarding on ASA runnin 8.2, the configuration will look like this:

static (inside,outside) tcp interface 55000 192.168.1.2 443

So traffic coming from the Internet will reach the external IP 1.1.1.1:55000 and the ASA will send the traffic to internal web server on tcp port 443.

Also remember to add the access list:

access-list outside_access line 1 extended permit tcp any host 1.1.1.1 eq 55000

If you have another web server behind the inside you can the same public IP address but different random port:

static (inside,outside) tcp interface 56000 192.168.1.3 443

access-list outside_access line 1 extended permit tcp any host 1.1.1.1 eq 56000

Please rate and select a correct answer.

View solution in original post

0 Helpful
Reply
Highlighted
Lemon Lime
Beginner
Beginner
‎02-28-2014 07:25 PM
‎02-28-2014 07:25 PM

Accessing inside service from outside via 5505

Thank you for your response. I'm going to rate your answer as correct but there was a line you were missing that I believe was the initial problem all along.

What I had forgotten was to apply the access list to the outside interface:

access-group outside_access in interface outside

Once I did this it worked!!

PS:  Anyone in future looking at this - You will also need to ensure your http server enable is on a separate port using command

http server enable port-number

0 Helpful
Reply
Latest Contents
How to: Cisco Identity Services Engine TC-NAC Integration wi...
Created by pavagupt on 05-30-2020 02:05 AM
0
0
0
0
IntroductionComponentsISE ConfigurationEnd user perspective and Validation   Introduction             Cisco Identity Services Engine (ISE) gives you intelligent Integrated protection through int... view more
How to Integrate Cisco Identity Services Engine with IBM Maa...
Created by pavagupt on 05-29-2020 12:45 AM
0
10
0
10
IntroductionComponentsISE ConfigurationEnd user perspective and Validation   Introduction Cisco Identity Services Engine (ISE) gives you intelligent Integrated protection through intent-based policy and compliance solution. ISE supports external MDM ... view more
AMP4E - Cisco Threat Response and ESA Integration
Created by bremarqu on 05-27-2020 09:16 AM
0
0
0
0
Hello, This video provides the steps to configure the Cisco Threat Response (CTR) and ESA Integration.   This is live on the portal:https://video.cisco.com/video/6159336218001   And on YouTube:https://www.youtube.com/watch?v=UCKIdx5rdFg   ... view more
Migrate from C170 to C190
Created by fhk_license on 05-26-2020 02:24 AM
3
0
3
0
I need to migrate from C170 to C190 and have already match to the same Firmware Version. I have a question. Is there any method that can export and import the configuration file instead of form cluster ?
DGTL-BRKSEC-1011 - A Challenger Appears: Defending Mailboxes...
Created by chclasen on 05-20-2020 09:43 AM
0
0
0
0
This AMA will serve as the Q&A for the Cisco Live Digital breakout DGTL-BRKSEC-1011 - "A Challenger Appears: Defending Mailboxes in the Cloud" which covers a brand new product which will be announced during the event: Cloud Mailbox Defense. Join Techn... view more
CreatePlease to create content
Discussion
Blog
Document
Video
Content for Community-Ad