cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

191
Views
0
Helpful
2
Replies
Highlighted
Beginner

Accessing inside service from outside via 5505

Hello,

I feel that this should be straight forward but I am having a lot of trouble getting this to work.

I am using v8.2 (security plus license) and have an ASA which does the standard allow internal access outside but I also have an additional network which is accessed with AnyConnect client.

I now have another requirement to place a web service so it is publically accessible.  I only have 1 available IP address which is the outside IP of my ASA (I cannot get anymore).  I though I could achieve this with port forwarding so if I chose to go to my IP with a :portnumber I could forward that traffic to my internal server.  Is this correct.

Example:

Outside World  ------------- Outside ASA / Inside ASA --------------------- Web Server

0.0.0.0                            1.1.1.1           192.168.1.1                       192.168.1.2

What I would like to do is enter the outside IP of my ASA into a browser with a random port and that redirects to my internal server (e.g. http://1.1.1.1:55000 redirects to https://192.168.1.2

Additional Criteria

1.  I must not affect current services including my VPN connections

2.  I may have additional web servers in future which will have to also use same outside IP address.

Can this be done and if so, how?

1 ACCEPTED SOLUTION

Accepted Solutions
Highlighted
Beginner

Hi Simon,

If you need to setup port forwarding on ASA runnin 8.2, the configuration will look like this:

static (inside,outside) tcp interface 55000 192.168.1.2 443

So traffic coming from the Internet will reach the external IP 1.1.1.1:55000 and the ASA will send the traffic to internal web server on tcp port 443.

Also remember to add the access list:

access-list outside_access line 1 extended permit tcp any host 1.1.1.1 eq 55000

If you have another web server behind the inside you can the same public IP address but different random port:

static (inside,outside) tcp interface 56000 192.168.1.3 443

access-list outside_access line 1 extended permit tcp any host 1.1.1.1 eq 56000

Please rate and select a correct answer.

View solution in original post

2 REPLIES 2
Highlighted
Beginner

Hi Simon,

If you need to setup port forwarding on ASA runnin 8.2, the configuration will look like this:

static (inside,outside) tcp interface 55000 192.168.1.2 443

So traffic coming from the Internet will reach the external IP 1.1.1.1:55000 and the ASA will send the traffic to internal web server on tcp port 443.

Also remember to add the access list:

access-list outside_access line 1 extended permit tcp any host 1.1.1.1 eq 55000

If you have another web server behind the inside you can the same public IP address but different random port:

static (inside,outside) tcp interface 56000 192.168.1.3 443

access-list outside_access line 1 extended permit tcp any host 1.1.1.1 eq 56000

Please rate and select a correct answer.

View solution in original post

Highlighted

Thank you for your response. I'm going to rate your answer as correct but there was a line you were missing that I believe was the initial problem all along.

What I had forgotten was to apply the access list to the outside interface:

access-group outside_access in interface outside

Once I did this it worked!!

PS:  Anyone in future looking at this - You will also need to ensure your http server enable is on a separate port using command

http server enable port-number

Content for Community-Ad