Accessing inside service from outside via 5505

Hello,

I feel that this should be straightforward but I am having a lot of trouble getting this to work.

I am using v8.2 (security plus license) and have an ASA which does the standard allow internal access outside but I also have an additional network which is accessed with AnyConnect client.

I now have another requirement to place a web service so it is publicly accessible. I only have 1 available IP address, which is the outside IP of my ASA (I cannot get any more). I thought I could achieve this with port forwarding, so if I chose to go to my IP with a :portnumber I could forward that traffic to my internal server. Is this correct?

Example:

Outside World  ------------- Outside ASA / Inside ASA --------------------- Web Server

0.0.0.0                            1.1.1.1           192.168.1.1                       192.168.1.2

What I would like to do is enter the outside IP of my ASA into a browser with a random port and that redirects to my internal server (e.g. http://1.1.1.1:55000 redirects to https://192.168.1.2).

Additional Criteria

1.  I must not affect current services including my VPN connections

2.  I may have additional web servers in future which will also have to use the same outside IP address.

Can this be done and if so, how?

1 ACCEPTED SOLUTION

Hi Simon,

If you need to set up port forwarding on an ASA running 8.2, the configuration will look like this:

static (inside,outside) tcp interface 55000 192.168.1.2 443

So traffic coming from the Internet will reach the external IP 1.1.1.1:55000 and the ASA will send the traffic to the internal web server on tcp port 443.

Also remember to add the access list:

access-list outside_access line 1 extended permit tcp any host 1.1.1.1 eq 55000

If you have another web server behind the inside you can use the same public IP address but a different random port:

static (inside,outside) tcp interface 56000 192.168.1.3 443

access-list outside_access line 1 extended permit tcp any host 1.1.1.1 eq 56000

Please rate and select a correct answer.

2 REPLIES

Thank you for your response. I'm going to rate your answer as correct but there was a line you were missing that I believe was the initial problem all along.

What I had forgotten was to apply the access list to the outside interface:

access-group outside_access in interface outside

Once I did this it worked!!

PS: Anyone in future looking at this - you will also need to ensure your http server enable is on a separate port using the command

http server enable port-number
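
A check for the failure mode in this thread, added here as an example and not part of the original posts: it reads an 8.2-style configuration and reports every static PAT on the outside interface that has no ACL bound by access-group, no matching permit entry, or the same port as the ASA's own http server. The `audit` function, the sample configuration and port 4443 are constructed for illustration, and only numeric ports and the ACL form shown in the thread are parsed.

```python
import re

# Constructed sample: the thread's 8.2 commands with the access-group line
# left out (the original poster's mistake). Port 4443 is a made-up value.
SAMPLE = """\
http server enable 4443
static (inside,outside) tcp interface 55000 192.168.1.2 443
static (inside,outside) tcp interface 56000 192.168.1.3 443
access-list outside_access extended permit tcp any host 1.1.1.1 eq 55000
"""

# Assumption: numeric ports and the ACE shape used in the thread only.
STATIC = re.compile(r"^static \((\w+),(\w+)\) tcp interface (\d+) (\S+) (\d+)", re.M)
ACE = re.compile(
    r"^access-list (\S+)(?: line \d+)? extended permit tcp any host \S+ eq (\d+)", re.M)
GROUP = re.compile(r"^access-group (\S+) in interface (\S+)", re.M)
HTTP = re.compile(r"^http server enable(?: (\d+))?[ \t]*$", re.M)

def audit(config):
    """Return one finding per problem with each static PAT on 'interface'."""
    bound = {iface: acl for acl, iface in GROUP.findall(config)}
    permitted = {}
    for acl, port in ACE.findall(config):
        permitted.setdefault(acl, set()).add(int(port))
    m = HTTP.search(config)
    # 'http server enable' with no argument listens on 443
    http_port = int(m.group(1) or 443) if m else None
    findings = []
    for _real_if, mapped_if, port, host, _real_port in STATIC.findall(config):
        port = int(port)
        acl = bound.get(mapped_if)
        if acl is None:
            findings.append(f"{port}->{host}: no access-group inbound on {mapped_if}")
        elif port not in permitted.get(acl, set()):
            findings.append(f"{port}->{host}: ACL {acl} has no permit for tcp/{port}")
        if port == http_port:
            findings.append(f"{port}->{host}: same port as 'http server enable'")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Run it against saved `show running-config` output after each change; an empty result means every forward has a bound ACL with a matching permit.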