Solved: Cisco ASA - How to configure two IIS server routing with 1 IP address?

alafever1 · ‎05-11-2016

Hello Community,

I've in a bit of a bind here. I am trying to release a QA server into our environment for a client. We currently have a Web server already configured and working in the DMZ. I've added the QA server into the DMZ as well. The problem comes in because I only have one Public IP address I can use and I do not have the ability to add more to this network.

I would like to setup the ASA to forward traffic received over a specific port to this QA server as opposed to the other Web server. I am OK with having a www.urlhere.com:portnumber type URL. I've tried a couple of configurations but have not been able to get the URL to actually reach the QA server on the port I specify.

I've added Access Rules and NAT rules with no success. Can anyone give me an outline of what might be required for this setup?

1 Public IP

2 servers in DMZ with IIS

Thank you!

Tim Y · ‎05-12-2016

Hi,

Here is an example for you. In this example URL:1234 is used to NAT to the the QA server on port 80.

object service web
service tcp destination eq 80
!
object service qa_iis_web
service tcp destination eq 1234
!
object network qa_server
host 192.168.1.2
!
access-list outside_acl line 1 extended permit object qa_iis_web any object qa_server
!
nat (outside,dmz) source static any any destination static interface qa_server service qa_iis_web web unidirectional

Hope this helps!

Regards,

Tim

View solution in original post

Tim Y · ‎05-12-2016

Ah ok. I thought you wanted 443 and not 80. Good stuff! If you hadn't figured it out, the below troubleshooting question would have caught it:

Connect to the QA IIS from the inside using the inside IP on port 443. Does it work?

That would have failed since you wanted 80 all along, and then we'd realize it then too. Happy you have it working!

Regards,

Tim

View solution in original post

Tim Y · ‎05-12-2016

Hi,

Here is an example for you. In this example URL:1234 is used to NAT to the the QA server on port 80.

object service web
service tcp destination eq 80
!
object service qa_iis_web
service tcp destination eq 1234
!
object network qa_server
host 192.168.1.2
!
access-list outside_acl line 1 extended permit object qa_iis_web any object qa_server
!
nat (outside,dmz) source static any any destination static interface qa_server service qa_iis_web web unidirectional

Hope this helps!

Regards,

Tim

alafever1 · ‎05-12-2016

Thanks Tim - let me give this a try!

alafever1 · ‎05-12-2016

Would I need to change this last line to be nat(outside,dmz)? The server doesn't reside on the inside network.

nat (outside,dmz) source static any any destination static interface qa_server service web qa_iis_web unidirectional

Thank you!

Tim Y · ‎05-12-2016

Hi there,

Yes that is correct. If the server resides in the DMZ, then you must use (outside,dmz). Let me know how it goes.

Regards,

Tim

Please don't forget to rate useful posts and mark answers as correct.

alafever1 · ‎05-12-2016

Cool - I'm waiting for a good time to run the command. I'll let you know how it goes.

Thanks for the quick reply :)

alafever1 · ‎05-12-2016

Command has been ran. I still don't seem to be able to access the site using https://url.domain.com:55100

Still poking around...

object service web
service tcp destination eq 443
!
object service QA-SERVER-TCP55100
service tcp destination eq 55100
!
object network QA-SERVER
host 10.1.10.XX
!
access-list outside_acl line 1 extended permit object QA-SERVER-TCP55100 any object QA-SERVER
!
nat (outside,dmz) source static any any destination static interface QA-SERVER service web QA-SERVER-TCP55100 unidirectional

Tim Y · ‎05-12-2016

Hi,

Sorry, reverse the service order.

nat (outside,dmz) source static any any destination static interface QA-SERVER service QA-SERVER-TCP55100 web unidirectional

If it still doesn't work, please show me the output of:

- show run nat

- show xlate | i 10.1.10.XX

- show access-list outside_acl | i 10.1.10.XX

alafever1 · ‎05-12-2016

Attached!

alafever1 · ‎05-12-2016

Perhaps the service "web" should be a new service specifically to the 55100 port. That appears to be pointed to 443.

alafever1 · ‎05-12-2016

I think that did it!!!

Tim Y · ‎05-12-2016

Ah ok. I thought you wanted 443 and not 80. Good stuff! If you hadn't figured it out, the below troubleshooting question would have caught it:

Connect to the QA IIS from the inside using the inside IP on port 443. Does it work?

That would have failed since you wanted 80 all along, and then we'd realize it then too. Happy you have it working!

Regards,

Tim

alafever1 · ‎05-12-2016

I ended up using a completely nonstandard port of 55100. :)

Now I have to do something similar to get RDP to go specifically to a port on that server. I've changed the RDP listening port on the server...I think I can use the same set of rules we just did for the web service to make this RDP work.

You've given me the groundwork I need to get this going I think. Thanks so much for your time and energy.

Tim Y · ‎05-12-2016

You're welcome. Just do the exact same thing for RDP.

If the port is 51000, when you're connecting via RDP from the internet, use:

70.89.XX.XX:51000

Good luck!

Regards,

Tim

alafever1 · ‎05-13-2016

Nevermind! :)