05-11-2016 02:07 PM - edited 03-12-2019 12:44 AM
Hello Community,
I'm in a bit of a bind here. I am trying to release a QA server into our environment for a client. We currently have a Web server already configured and working in the DMZ. I've added the QA server into the DMZ as well. The problem comes in because I only have one Public IP address I can use and I do not have the ability to add more to this network.
I would like to setup the ASA to forward traffic received over a specific port to this QA server as opposed to the other Web server. I am OK with having a www.urlhere.com:portnumber type URL. I've tried a couple of configurations but have not been able to get the URL to actually reach the QA server on the port I specify.
I've added Access Rules and NAT rules with no success. Can anyone give me an outline of what might be required for this setup?
1 Public IP
2 servers in DMZ with IIS
Thank you!
05-12-2016 06:08 AM
Hi,
Here is an example for you. In this example URL:1234 is used to NAT to the QA server on port 80.
object service web
service tcp destination eq 80
!
object service qa_iis_web
service tcp destination eq 1234
!
object network qa_server
host 192.168.1.2
!
access-list outside_acl line 1 extended permit object qa_iis_web any object qa_server
!
nat (outside,dmz) source static any any destination static interface qa_server service qa_iis_web web unidirectional
Hope this helps!
Regards,
Tim
05-12-2016 06:08 AM
Thanks Tim - let me give this a try!
05-12-2016 10:28 AM
Would I need to change this last line to be nat(outside,dmz)? The server doesn't reside on the inside network.
nat (outside,dmz) source static any any destination static interface qa_server service web qa_iis_web unidirectional
Thank you!
05-12-2016 10:30 AM
Hi there,
Yes that is correct. If the server resides in the DMZ, then you must use (outside,dmz). Let me know how it goes.
Regards,
Tim
Please don't forget to rate useful posts and mark answers as correct.
05-12-2016 10:50 AM
Cool - I'm waiting for a good time to run the command. I'll let you know how it goes.
Thanks for the quick reply :)
05-12-2016 12:22 PM
Command has been run. I still don't seem to be able to access the site using https://url.domain.com:55100
Still poking around...
object service web
service tcp destination eq 443
!
object service QA-SERVER-TCP55100
service tcp destination eq 55100
!
object network QA-SERVER
host 10.1.10.XX
!
access-list outside_acl line 1 extended permit object QA-SERVER-TCP55100 any object QA-SERVER
!
nat (outside,dmz) source static any any destination static interface QA-SERVER service web QA-SERVER-TCP55100 unidirectional
05-12-2016 12:26 PM
Hi,
Sorry, reverse the service order.
- show access-list outside_acl | i 10.1.10.XX
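The service-order rule behind Tim's correction, as an added example that is not from the thread or from Cisco: a small Python checker that parses the object definitions and the twice-NAT line the way the ASA reads them (`service <mapped> <real>`) and reports which port is exposed externally and which port the server must listen on. The two sample configs are constructed from the posts above; the 10.1.10.XX host is kept as redacted in the thread.

```python
import re

# Constructed sample 1: the working config from the thread (external 1234 -> server port 80).
WORKING_CFG = """
object service web
 service tcp destination eq 80
object service qa_iis_web
 service tcp destination eq 1234
object network qa_server
 host 192.168.1.2
nat (outside,dmz) source static any any destination static interface qa_server service qa_iis_web web unidirectional
"""

# Constructed sample 2: the first attempt, services in real-then-mapped order (exposes 443, not 55100).
SWAPPED_CFG = """
object service web
 service tcp destination eq 443
object service QA-SERVER-TCP55100
 service tcp destination eq 55100
object network QA-SERVER
 host 10.1.10.XX
nat (outside,dmz) source static any any destination static interface QA-SERVER service web QA-SERVER-TCP55100 unidirectional
"""

def parse_objects(cfg):
    """Return ({service_name: (proto, port)}, {network_name: host}) from the object definitions."""
    services, hosts, current = {}, {}, None
    for line in cfg.splitlines():
        if m := re.match(r"object (service|network) (\S+)", line):
            current = m.groups()
        elif (m := re.match(r"\s+service (tcp|udp) destination eq (\d+)", line)) and current and current[0] == "service":
            services[current[1]] = (m.group(1), int(m.group(2)))
        elif (m := re.match(r"\s+host (\S+)", line)) and current and current[0] == "network":
            hosts[current[1]] = m.group(1)
    return services, hosts

# ASA twice-NAT word order: "destination static <mapped> <real> service <mapped> <real>".
NAT_RE = re.compile(r"nat \(([\w-]+),([\w-]+)\) source static \S+ \S+ destination static "
                    r"(?P<mapped_dst>\S+) (?P<real_dst>\S+) service (?P<mapped_svc>\S+) (?P<real_svc>\S+)")

def describe_forward(cfg):
    """Resolve the twice-NAT line to (external_port, server_ip, server_port) as the ASA applies it."""
    services, hosts = parse_objects(cfg)
    m = NAT_RE.search(cfg)
    if m is None:
        raise ValueError("no twice-NAT line with destination and service objects found")
    external_port = services[m["mapped_svc"]][1]  # first service object: the port clients connect to
    server_port = services[m["real_svc"]][1]      # second service object: the port the server listens on
    return external_port, hosts[m["real_dst"]], server_port
```

Run against the swapped config it reports that clients must connect to port 443 and the ASA forwards to 10.1.10.XX:55100, which is why https://url.domain.com:55100 never reached the QA server.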
05-12-2016 12:46 PM
05-12-2016 12:57 PM
Perhaps the service "web" should be a new service specifically to the 55100 port. That appears to be pointed to 443.
05-12-2016 12:58 PM
05-12-2016 01:10 PM
Ah ok. I thought you wanted 443 and not 80. Good stuff! If you hadn't figured it out, the below troubleshooting question would have caught it:
Connect to the QA IIS from the inside using the inside IP on port 443. Does it work?
That would have failed since you wanted 80 all along, and then we'd realize it then too. Happy you have it working!
Regards,
Tim
05-12-2016 01:10 PM
I ended up using a completely nonstandard port of 55100. :)
Now I have to do something similar to get RDP to go specifically to a port on that server. I've changed the RDP listening port on the server...I think I can use the same set of rules we just did for the web service to make this RDP work.
You've given me the groundwork I need to get this going I think. Thanks so much for your time and energy.
05-12-2016 01:20 PM
You're welcome. Just do the exact same thing for RDP.
If the port is 51000, when you're connecting via RDP from the internet, use:
70.89.XX.XX:51000
Good luck!
Regards,
Tim
05-13-2016 12:01 PM
Nevermind! :)