3155 Views, 0 Helpful, 5 Replies

Direct traffic based on source URL

Michael Kim
Level 1

Hello,

Has anyone configured their Cisco ASA to do port-based forwarding based on the incoming URL address? By this I mean let's say I have a web page hosted on the Internet with two links: 1) www.website1.com 2) www.website2.com. Let's assume I have a Cisco ASA with a single usable IP address to the Internet (OUTSIDE interface). I also have two web servers on the DMZ interface on the same ASA. Is it possible to configure the ASA to port forward incoming traffic to a particular DMZ web host (port 80) based on the link they clicked? So if a user clicks on link www.website1.com then traffic would be forwarded to DMZ web server1, and if the same user clicks on www.website2.com then the ASA would direct traffic to DMZ web server2?

Note that in this scenario only a single IP address exists to the Internet. Can this be done with static NAT'ing? Running 8.2.2 firmware.

Thanks in advance.

5 Replies

Julio Carvajal
VIP Alumni

Hello,

Let's say the Outside IP address is 162.10.10.2, DMZ_Server_1 is 192.168.10.2, and DMZ_Server_2 is 192.168.10.3.

So the configuration on 8.2.2 required to allow this would be:

! Port forwards (8.2 syntax): public port 80 -> server 1, public port 8080 -> server 2
static (dmz,outside) tcp interface 80 192.168.10.2 80 netmask 255.255.255.255
static (dmz,outside) tcp interface 8080 192.168.10.3 80 netmask 255.255.255.255
! On 8.2 the inbound ACL references the public (mapped) address
access-list outside_in extended permit tcp any host 162.10.10.2 eq 80
access-list outside_in extended permit tcp any host 162.10.10.2 eq 8080
access-group outside_in in interface outside

Hope this helps,

Have a great day,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Thanks for the reply Julio.

Question: Based on the config you have given above, how does the ASA know to which DMZ web server to direct the incoming connection? To put it another way, if a user types www.website2.com into their browser, how does the ASA determine that it should go to 192.168.10.3 instead of 192.168.10.2?

I was half expecting that the ASA would "read" the URL address and use that as a determination to direct the incoming connection to the appropriate DMZ web server.

Thanks,

Mike

Hello,

The thing is that, as far as I know, the ASA cannot do port forwarding based on a URL. That is why we would need to use the IP address of the web server.

Now each domain has an IP address, right? That is why we use the Domain Name System (DNS), and in this case 192.168.10.2 and .3 are going to be linked to www.website1.com and www.website2.com.

So as soon as the ASA sees a request going to those addresses, it is going to redirect the traffic to that server.

By the way, if you want to access these servers from the inside network or the DMZ network using the public IP, you will need to do DNS doctoring.

Here is one document that explains this feature (DNS doctoring):

http://www.techrepublic.com/blog/networking/cisco-asa-and-dns-pain-is-there-a-doctor-in-the-house/1140

Hope this helps,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
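To make the point of the last two replies concrete (the static/ACL configuration in the first reply, and the explanation that the ASA matches on IP address and port rather than on the URL), here is an added Python model that is not part of this thread or of any Cisco software. It parses a constructed copy of the 8.2-style lines above (with the `netmask` and `extended` keywords written out as they appear in a running config, and 162.10.10.2 substituted for the `interface` keyword), applies the inbound ACL against the public address as 8.2 does, then looks up the static translation. The `host_header` argument exists only to show that the HTTP Host header plays no part in the decision: two hostnames that resolve to the same public IP and port land on the same DMZ server.

```python
import re

# Constructed sample: the addresses from the thread, 162.10.10.2 standing in
# for the outside interface address that the 'interface' keyword refers to.
OUTSIDE_IP = "162.10.10.2"

ASA_CONFIG = """
static (dmz,outside) tcp interface 80 192.168.10.2 80 netmask 255.255.255.255
static (dmz,outside) tcp interface 8080 192.168.10.3 80 netmask 255.255.255.255
access-list outside_in extended permit tcp any host 162.10.10.2 eq 80
access-list outside_in extended permit tcp any host 162.10.10.2 eq 8080
access-group outside_in in interface outside
"""

# Only the subset of the 8.2 syntax used in the thread (numeric ports,
# 'any'/'host' operands) is recognised; anything else is ignored.
STATIC_RE = re.compile(
    r"static \((?P<real>\w+),(?P<mapped>\w+)\) (?P<proto>tcp|udp) "
    r"(?P<mapped_ip>\S+) (?P<mapped_port>\d+) (?P<real_ip>\S+) (?P<real_port>\d+)"
)
ACL_RE = re.compile(
    r"access-list (?P<name>\S+) extended (?P<action>permit|deny) (?P<proto>\w+) "
    r"(?P<src>any|host \S+) (?P<dst>any|host \S+)(?: eq (?P<port>\d+))?"
)


def parse(config, interface_ip):
    """Return (static translations, ACL entries) in configuration order."""
    statics, acl = [], []
    for line in config.strip().splitlines():
        if m := STATIC_RE.match(line):
            entry = m.groupdict()
            if entry["mapped_ip"] == "interface":
                entry["mapped_ip"] = interface_ip
            statics.append(entry)
        elif m := ACL_RE.match(line):
            acl.append(m.groupdict())
    return statics, acl


def acl_permits(acl, proto, dst_ip, dst_port):
    """First-match evaluation of the inbound ACL; implicit deny at the end."""
    for entry in acl:
        if entry["proto"] not in (proto, "ip"):
            continue
        if entry["dst"] != "any" and entry["dst"].split()[1] != dst_ip:
            continue
        if entry["port"] and int(entry["port"]) != dst_port:
            continue
        return entry["action"] == "permit"
    return False


def forward(statics, acl, proto, dst_ip, dst_port, host_header=None):
    """Return the (real_ip, real_port) a packet is translated to, or None.

    host_header is accepted but never consulted: the firewall decides on
    destination IP and port alone, which is exactly the limitation discussed.
    """
    if not acl_permits(acl, proto, dst_ip, dst_port):
        return None
    for s in statics:
        if (s["proto"] == proto and s["mapped_ip"] == dst_ip
                and int(s["mapped_port"]) == dst_port):
            return s["real_ip"], int(s["real_port"])
    return None


STATICS, ACL = parse(ASA_CONFIG, OUTSIDE_IP)

if __name__ == "__main__":
    for port, host in ((80, "www.website1.com"), (80, "www.website2.com"),
                       (8080, "www.website2.com"), (443, "www.website1.com")):
        print(f"{host} -> {OUTSIDE_IP}:{port} =>",
              forward(STATICS, ACL, "tcp", OUTSIDE_IP, port, host_header=host))
```

Running it shows that www.website1.com and www.website2.com both reach 192.168.10.2 when they resolve to port 80, that only the :8080 URL reaches 192.168.10.3, and that port 443 is dropped by the implicit deny because no ACL line permits it. Distinguishing the two sites by name on a single public IP and port is a job for an HTTP-aware device in front of the servers, which is what the ISA server mentioned later in the thread provides.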

It's disappointing that the ASA cannot port forward traffic from the outside based on URL. We are currently using a Microsoft ISA server that is able to direct traffic based upon the source URL (so I'm told).

Thanks for the link on DNS Doctoring as that was another issue I was going to try and tackle.

Mike

Hello,

I am glad the DNS doctoring document helped you.

You do not have to worry about the URL issue; the setup is going to work. I believe that at this moment you have 2 domain names for those servers on the DMZ, and each domain name is linked to an IP address, so anyone on the outside is going to be able to access the web server using the URL.

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC