Conditional NAT - How-TO (ASA)

otes.admin
Level 1

I am not sure if I need an NAT based access-list, route map, twice NAT, or an object based NAT. I've done some reading and I feel like ACL or route-map NAT is the way to go but am looking for guidance. 

My situation is:

  • ASA 5510 Active/Passive
  • Cisco Adaptive Security Appliance Software Version 8.4(7)31.
  • We own "www.mysite.com" and we want all partners to continue to use "www.mysite.com"
  • We have a partner with an application (Client_A) that isn't compliant with modern SSL cert requirements. We want to redirect them to a site with our deprecated cert so we can move our other partners to the main site so we can upgrade their SSL cert. 
  • We would go with SNI on apache as a solution but the partner's software potentially won't work with that either. We need to handle this at the firewall and take control of the solution ourselves without adding more work for our developers, web team, etc. 
  • What we will have to do is have partner A access the same dns name and redirect them to another virtual site on another port on the same server as the remaining traffic (let's say port 7443 for Client A)
  • We want the remaining traffic to continue unchanged, to port 443, on the same server that client_A will hit
  • We are not asking the partner to make the change as it requires layers of approval found in giant organizations. We are small and agile and prefer to just force their traffic where we need to. We have all their source IP address ranges. 

So we have client_A (group of network IP ranges) and the rest of the world (any). 

I need something like:

access-list NAT_WWW extended permit tcp object-group client_A eq 443 host 192.0.2.10 eq 7443

access-list NAT_WWW extended permit tcp any eq 443 host 192.0.2.10 eq 443

static (inside,outside) NAT_WWW (however this gets worded)

Let's say the internal server is 10.10.10.10. Where does that fit into the picture?

Feel free to throw in other suggestions of how to do it with a workable example, either completing this method or demonstrating a different method. I've tried a few variations with a spare IP and a test internet connection and can't seem to get it right.

2 Replies

Francesco Molino
VIP Alumni

Hi,

You want to redirect traffic to a specific server based on source IP?

I've answered a quite similar post, but it was based on the service port used. The thinking is quite the same.

Take a look at this post: 

https://supportforums.cisco.com/discussion/13046096/how-natchange-destination-ip-and-port

Do I understand your issue well?

Let me know.

Thanks
Francesco

PS: Please don't forget to rate and mark as correct answer if this solved your issue

Correct.

External_Partner_A to MY_External_IP eq 443 to Internal_Server_A eq 7443

Any to MY_EXTERNAL_IP eq 443 to Internal_Server_A eq 443

Make sense?
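The two-line mapping described above, written as an ASA 8.4 twice (manual) NAT configuration; this is an added example, not a config from the thread or from Cisco, and it has not been taken from the linked post. It assumes interfaces named outside and inside, the thread's addresses 192.0.2.10 (public) and 10.10.10.10 (server), a constructed partner range 198.51.100.0/24 standing in for Client_A, and object names of my own choosing; note that the static-plus-ACL form in the question is pre-8.3 syntax, and since 8.3 the interface ACL matches the real (untranslated) server address.

```cisco
! Addresses: 10.10.10.10 and 192.0.2.10 come from the thread; the CLIENT_A range is a constructed placeholder
object network SRV_INSIDE
 host 10.10.10.10
object network SRV_OUTSIDE
 host 192.0.2.10
object-group network CLIENT_A
 network-object 198.51.100.0 255.255.255.0
! Destination ports: the port every partner connects to (443) and the alternate vhost port (7443)
object service TCP_443
 service tcp destination eq 443
object service TCP_7443
 service tcp destination eq 7443
!
! Manual (twice) NAT lives in section 1 and is evaluated top-down, first match wins,
! so the source-specific rule must sit above the catch-all.
! Line 1: Client_A -> 192.0.2.10:443 is translated to 10.10.10.10:7443
!   destination static = <mapped_obj> <real_obj> ; service = <mapped_dest_svc> <real_dest_svc>
nat (outside,inside) 1 source static CLIENT_A CLIENT_A destination static SRV_OUTSIDE SRV_INSIDE service TCP_443 TCP_7443
! Line 2: everyone else -> 192.0.2.10:443 is translated to 10.10.10.10:443 (port unchanged)
nat (outside,inside) 2 source static any any destination static SRV_OUTSIDE SRV_INSIDE service TCP_443 TCP_443
!
! Since 8.3 the interface ACL is matched against the REAL address, so expose only
! what each group needs: 7443 to Client_A, 443 to everyone.
access-list OUTSIDE_IN extended permit tcp object-group CLIENT_A host 10.10.10.10 eq 7443
access-list OUTSIDE_IN extended permit tcp any host 10.10.10.10 eq 443
access-group OUTSIDE_IN in interface outside
!
! Verify both paths before cutting over (source addresses are constructed examples):
!   packet-tracer input outside tcp 198.51.100.5 40000 192.0.2.10 443   -> NAT phase should show 10.10.10.10/7443
!   packet-tracer input outside tcp 203.0.113.77 40000 192.0.2.10 443   -> NAT phase should show 10.10.10.10/443
!   show nat detail                                                     -> hit counts on line 1 vs line 2
```

Because static twice NAT is bidirectional, the same two lines also cover the server's return traffic; only the order of the two nat lines matters, so add the Client_A rule with an explicit line number as shown rather than appending it after the catch-all.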
