Cisco ASA - How to configure two IIS server routing with 1 IP address?

alafever1

Hello Community,

I've in a bit of a bind here.  I am trying to release a QA server into our environment for a client.  We currently have a Web server already configured and working in the DMZ.  I've added the QA server into the DMZ as well.  The problem comes in because I only have one Public IP address I can use and I do not have the ability to add more to this network.  

I would like to setup the ASA to forward traffic received over a specific port to this QA server as opposed to the other Web server.  I am OK with having a www.urlhere.com:portnumber  type URL.  I've tried a couple of configurations but have not been able to get the URL to actually reach the QA server on the port I specify.  

I've added Access Rules and NAT rules with no success.  Can anyone give me an outline of what might be required for this setup?

1 Public IP

2 servers in DMZ with IIS

Thank you!

15 Replies

Tim Y

Hi,

Here is an example for you. In this example URL:1234 is used to NAT to the QA server on port 80.

object service web
 service tcp destination eq 80
!
object service qa_iis_web
 service tcp destination eq 1234
!
object network qa_server
 host 192.168.1.2
!
access-list outside_acl line 1 extended permit object qa_iis_web any object qa_server
!
nat (outside,dmz) source static any any destination static interface qa_server service qa_iis_web web unidirectional

Hope this helps!

Regards,

Tim

Thanks Tim - let me give this a try!

Would I need to change this last line to be nat(outside,dmz)?  The server doesn't reside on the inside network. 

nat (outside,dmz) source static any any destination static interface qa_server service web qa_iis_web unidirectional

Thank you!

Hi there,

Yes that is correct. If the server resides in the DMZ, then you must use (outside,dmz). Let me know how it goes.

Regards,

Tim

Please don't forget to rate useful posts and mark answers as correct.

Cool - I'm waiting for a good time to run the command.  I'll let you know how it goes.

Thanks for the quick reply :)

Command has been run.  I still don't seem to be able to access the site using https://url.domain.com:55100

Still poking around...

object service web
 service tcp destination eq 443
!
object service QA-SERVER-TCP55100
 service tcp destination eq 55100
!
object network QA-SERVER
 host 10.1.10.XX
!
access-list outside_acl line 1 extended permit object QA-SERVER-TCP55100 any object QA-SERVER
!
nat (outside,dmz) source static any any destination static interface QA-SERVER service web QA-SERVER-TCP55100 unidirectional

Hi,

Sorry, reverse the service order.

nat (outside,dmz) source static any any destination static interface QA-SERVER service QA-SERVER-TCP55100 web unidirectional

If it still doesn't work, please show me the output of:

- show run nat

- show xlate | i 10.1.10.XX

- show access-list outside_acl | i 10.1.10.XX

Attached!

Perhaps the service "web" should be a new service specifically to the 55100 port. That appears to be pointed to 443.

I think that did it!!!

Ah ok. I thought you wanted 443 and not 80. Good stuff! If you hadn't figured it out, the below troubleshooting question would have caught it:

Connect to the QA IIS from the inside using the inside IP on port 443. Does it work?

That would have failed since you wanted 80 all along, and then we'd realize it then too. Happy you have it working!

Regards,

Tim
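Added here as an illustration, not code from the thread or from Cisco: a small Python checker that resolves a twice-NAT line of the kind used above into what it actually exposes (the ASA syntax puts the mapped object first and the real object second in both `destination static` and `service`) and flags the two mistakes this thread ran into, reversed service objects and a real-port object that did not match the port the server listens on. The config text and the host address are constructed to match the thread's final outcome (public port 55100 forwarded to server port 80) and are not from a live device.

```python
import re
# Constructed sample modelled on the thread's final working rule; the host
# address is a placeholder, not taken from a live device.
GOOD_CFG = """
object service web
 service tcp destination eq 80
!
object service QA-SERVER-TCP55100
 service tcp destination eq 55100
!
object network QA-SERVER
 host 10.1.10.20
!
nat (outside,dmz) source static any any destination static interface QA-SERVER service QA-SERVER-TCP55100 web unidirectional
"""
# The same rule with the two service objects reversed (the mid-thread mistake).
SWAPPED_CFG = GOOD_CFG.replace("service QA-SERVER-TCP55100 web", "service web QA-SERVER-TCP55100")
NAT_RE = re.compile(r"nat \((\w+),(\w+)\) source static (\S+) (\S+) destination static (\S+) (\S+) service (\S+) (\S+)")

def parse_objects(cfg):
    """Map 'object service' names to TCP ports and 'object network' names to hosts."""
    svc, net, cur = {}, {}, None
    for line in cfg.splitlines():
        m = re.match(r"object (service|network) (\S+)", line)
        if m:
            cur = m.groups()
        elif cur and (m := re.match(r"\s+(?:service tcp destination eq|host) (\S+)", line)):
            (svc if cur[0] == "service" else net)[cur[1]] = m.group(1)
    return svc, net

def port_forward(cfg):
    """Resolve a twice-NAT line into what it really exposes. ASA order is
    destination static <mapped> <real> and service <mapped_dst> <real_dst>."""
    svc, net = parse_objects(cfg)
    m = NAT_RE.search(cfg)
    if not m:
        raise ValueError("no twice-NAT line found")
    _, _, src_real, _, _, dst_real, svc_mapped, svc_real = m.groups()
    return {"public_port": int(svc[svc_mapped]), "server": net[dst_real],
            "server_port": int(svc[svc_real]), "allowed_sources": src_real}
def check_intent(cfg, public_port, server_port, expect_restricted_source=False):
    """Compare the rule with what the admin meant; returns a list of findings."""
    fwd, findings = port_forward(cfg), []
    if fwd["public_port"] != public_port:
        findings.append(f"public port is {fwd['public_port']}, wanted {public_port} (service objects reversed?)")
    if fwd["server_port"] != server_port:
        findings.append(f"real port object is {fwd['server_port']}, server listens on {server_port}")
    if expect_restricted_source and fwd["allowed_sources"] == "any":
        findings.append("open to any source; use a source object for management ports such as RDP")
    return findings
```

For the RDP forward discussed next, run `check_intent` with `expect_restricted_source=True` so a `source static any any` rule on a management port is reported rather than silently accepted.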

I ended up using a completely nonstandard port of 55100.  :)

Now I have to do something similar to get RDP to go specifically to a port on that server.  I've changed the RDP listening port on the server...I think I can use the same set of rules we just did for the web service to make this RDP work.  

You've given me the groundwork I need to get this going I think. Thanks so much for your time and energy.

You're welcome. Just do the exact same thing for RDP.

If the port is 51000, when you're connecting via RDP from the internet, use: 

70.89.XX.XX:51000

Good luck!

Regards,

Tim

Nevermind! :)
