Re: ASA V9.2(2)4 port 80 redirect to https

katheer4u · ‎09-05-2020

Hi

Windows IIS server configured behind a Cisco ASA 5512 listening on port 80 and 443 currently. Access-list and static translation configured. I have been ask to redirect all port 80 calls to port 443 for this web site only at the firewall.

inside and outside interface

ASA outside interface ip 80.80.100.100

ASA inside interface ip 192.168.100.1

local server ip 192.168.100.100 (webserver) outside nated ip 80.80.100.101

thanks you

balaji.bandi · ‎09-05-2020

here is the config which PAT 80 to 443

static (inside,outside) tcp 80.80.100.100 80 192.168.100.1 443

access-list out_in permit tcp any host 80.80.100.100 eq 80
access-group out_in in interface outside

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

katheer4u · ‎09-05-2020

hi

this nat option not available in ASA V9.2(2)4

static (inside,outside) tcp 80.80.100.100 80 192.168.100.1 443

only available

+++++++++++++++

object network webser
nat (inside,outside) static 80.80.100.100 ?

dns Use the created xlate to rewrite DNS record
net-to-net Use Net to net mapping of IPv4 to IPv6 address(es)
no-proxy-arp Disable proxy ARP on the egress interface
route-lookup Perform route lookup for this rule
service Define port mapping

or

Nat (inside,outside) source static 80.80.100.100 80 ?

configure mode commands/options:
description Specify NAT rule description
destination Destination NAT parameters
dns Use the created xlate to rewrite DNS record
inactive Disable a NAT rule
no-proxy-arp Disable proxy ARP on egress interface
route-lookup Perform route lookup for this rule
service NAT service parameters
unidirectional Enable per-session NAT

Please advise me

balaji.bandi · ‎09-05-2020

I was not looked at the version, Object NAT should work as expected.

if not working can you please post complete ASA configuration to look. (sometimes your outgoing NAT Policy also need to consider).

Try simple Object NAT see if that worsk before you to PAT

object network MyServer

host 192.168.100.1

nat (inside,outside) static 80.80.100.100

Make sure you also have ACL

access-list SERVER extended permit tcp any host 192.168.100.1 eq https

access-group SERVER in interface outside

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Rob Ingram · ‎09-05-2020

Hi,

Try this:-

object network SERVER
 host 192.168.100.1
 nat (INSIDE,OUTSIDE) static 80.80.100.101 service tcp https www

HTH

katheer4u · ‎09-05-2020

hi

thank you for the replay

i can apply the config but . when i brows the website its not redirect to https and the web page not responding

Rob Ingram · ‎09-05-2020

Please provide the output of "show nat detail"

Run packet-tracer and provide the output, e.g

packet-tracer input outside tcp 8.8.8.8 3000 80.80.100.101 80

HTH

katheer4u · ‎09-05-2020

please see the up comments packet traced and ip 192.168.100.1 is ASA inside lan ip and web server local ip is 192.168.100.100

Rob Ingram · ‎09-05-2020

How is your ACL configured? You need to permit traffic to the real IP address and the real port (443).

katheer4u · ‎09-05-2020

Hi

Please see the logs after the ACL

3 (inside) to (outside) source static Serdotnet 80.80.100.101 service tcp https www
translate_hits = 0, untranslate_hits = 0
Source - Origin: 192.168.100.1/32, Translated: 80.80.100.101/32
Service - Protocol: tcp Real: https Mapped: www

++++++++++++++++++++++++++++++++++++++++++++
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network Serdotnet
nat (inside,outside) static 80.80.100.101 service tcp https www
Additional Information:
NAT divert to egress interface inside
Untranslate 80.80.100.101 /80 to 192.168.100.1/443

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group 101 in interface outside
access-list 101 extended permit tcp any host 192.168.100.1 eq https
Additional Information:

Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
object network Serdotnet
nat (inside,outside) static 80.80.100.101 service tcp https www
Additional Information:

Phase: 8
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Rob Ingram · ‎09-05-2020

Packet is being dropped by implicit rule.

Take a packet capture capture ASP-DROP type asp-drop acl-drop test and then view the output show capture ASP-DROP

katheer4u · ‎09-05-2020

Good Day

Please see the attached logs

i really appreciate your help

12: 23:01:47.416284 8.8.8.8.3000 > 80.80.100.101.80: S 1459339227:1459339227(0) win 8192
13: 23:01:47.486592 94.102.49.104.53039 > 80.80.100.101.1738: S 3876038810:3876038810(0) win 1024 Drop-reason: (acl-drop) Flow is denied by configured rule

14: 23:01:47.625700 94.102.49.104.53039 > 80.80.100.100.1727: S 140318138:140318138(0) win 1024 Drop-reason: (acl-drop) Flow is denied by configured rule

15: 23:01:47.704950 94.102.49.104.53039 > 80.80.100.100.1899: S 2701418419:2701418419(0) win 1024 Drop-reason: (acl-drop) Flow is denied by configured rule

16: 23:01:48.061230 94.102.49.104.53039 > 80.80.100.100.1762: S 4098711941:4098711941(0) win 1024 Drop-reason: (acl-drop) Flow is denied by configured rule

17: 23:01:48.459494 94.102.49.104.53039 > 80.80.100.101.1763: S 3680801243:3680801243(0) win 1024 Drop-reason: (acl-drop) Flow is denied by configured rule

18: 23:01:48.614561 94.102.49.104.53039 > 80.80.100.100.1776: S 3278502262:3278502262(0) win 1024 Drop-reason: (acl-drop) Flow is denied by configured rule

19: 23:01:48.854386 94.102.49.104.53039 > 80.80.100.100.1804: S 1204234612:1204234612(0) win 1024 Drop-reason: (acl-drop) Flow is denied by configured rule

20: 23:01:48.883697 94.102.49.104.53039 > 80.80.100.101.1803: S 3142025169:3142025169(0) win 1024 Drop-reason: (acl-drop) Flow is denied by configured rule

21: 23:01:49.093333 94.102.49.104.53039 > 80.80.100.101.1782: S 2171879152:2171879152(0) win 1024 Drop-reason: (acl-drop) Flow is denied by configured rule

22: 23:01:49.798924 94.102.49.104.53039 > 80.80.100.101.1745: S 2114722560:2114722560(0) win 1024 Drop-reason: (acl-drop) Flow is denied by configured rule

23: 23:01:49.804661 94.102.49.104.53039 > 80.80.100.101.1839: S 4008870214:4008870214(0) win 1024 Drop-reason: (acl-drop) Flow is denied by configured rule

24: 23:01:50.541903 94.102.49.104.53039 > 80.80.100.101.1774: S 3065770109:3065770109(0) win 1024 Drop-reason: (acl-drop) Flow is denied by configured rule

25: 23:01:50.581909 94.102.49.104.53039 > 80.80.100.101.1773: S 336971329:336971329(0) win 1024 Drop-reason: (acl-drop) Flow is denied by configured rule

26: 23:01:50.999795 94.102.49.104.53039 > 80.80.100.100.1773: S 1569369436:1569369436(0) win 1024 Drop-reason: (acl-drop) Flow is denied by configured rule

Rob Ingram · ‎09-05-2020

From the output it looks like the connection is not using just tcp/443, you will need to permit the other ports.

Is this an application or just a website?

katheer4u · ‎09-06-2020

hi

yes this web site and some other ports also already permitted as per the clients and when the outside hit port 80 shout be redirect to https

i have already redirect URL inside server but i want do it in the firewall also

if you can help me i really appreciate

Marvin Rhoads · ‎09-06-2020

An ASA firewall cannot on its own send an http redirect (e.g., an "http 302" code) to the client that is connecting to an internal server from an external address.

While PAT can be used to change the destination port in the incoming traffic, that has nothing to do with application layer port redirection.