10-16-2011 06:06 PM - edited 03-11-2019 02:38 PM
Hello,
Has anyone configured their Cisco ASA to do port-based forwarding based on the incoming URL address? By this I mean let's say I have a web page hosted on the Internet with two links 1) www.website1.com 2) www.website2.com. Let's assume I have a Cisco ASA with a single usable IP address to the Internet (OUTSIDE interface). I also have two web servers on the DMZ interface on the same ASA. Is it possible to configure the ASA to port forward incoming traffic to a particular DMZ web host (port 80) based on the link they clicked? So if a user clicks on link www.website1.com then traffic would be forwarded to DMZ web server1, and if the same user clicks on www.website2.com then the ASA would direct traffic to DMZ web server2?
Note that in this scenario only a single IP address exists to the Internet. Can this be done with static NAT'ing? Running 8.2.2 firmware.
Thanks in advance.
10-16-2011 07:00 PM
Hello,
Let's say the outside IP address is 162.10.10.2, DMZ_Server_1 is 192.168.10.2, and DMZ_Server_2 is 192.168.10.3.
So the configuration on 8.2.2 required to allow this would be:
static (dmz,outside) tcp interface 80 192.168.10.2 80
static (dmz,outside) tcp interface 8080 192.168.10.3 80
access-list outside_in permit tcp any host 162.10.10.2 eq 80
access-list outside_in permit tcp any host 162.10.10.2 eq 8080
access-group outside_in in interface outside
Hope this helps,
Have a great day,
Julio
10-16-2011 07:16 PM
Thanks for the reply Julio.
Question: Based on the config you have given above, how does the ASA know which DMZ web server to direct the incoming connection to? To put it another way, if a user types www.website2.com into their browser, how does the ASA determine that it should go to 192.168.10.3 instead of 192.168.10.2?
I was half expecting that the ASA would "read" the URL address and use that as a determination to direct the incoming connection to the appropriate DMZ web server.
Thanks,
Mike
10-16-2011 07:43 PM
Hello,
The thing is that, as far as I know, the ASA cannot do port forwarding based on a URL. That is why we would need to use the IP address of the web server.
Now each domain has an IP address, right? That is why we use the Domain Name System (DNS), and in this case 192.168.10.2 and .3 are going to be linked to www.website1.com and www.website2.com.
So as soon as the ASA sees a request going to those addresses, it is going to redirect the traffic to that server.
By the way, if you want to access these servers from the inside network or the DMZ network using the public IP, you will need to do DNS doctoring.
Here is one document that explains this feature (DNS doctoring)
Hope this helps,
Julio
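The point Julio is making, illustrated as an added example (this code is not from the thread and not Cisco's): a static PAT entry on the ASA is keyed only on the packet's destination IP address and TCP port, while the web-site name a user typed exists only in the HTTP Host header, which the browser sends after the TCP handshake. Because both sites resolve in public DNS to the one outside address, the two connections look identical to a layer-3/4 NAT rule; only a layer-7 device (a reverse proxy such as the ISA server mentioned later in the thread) can split them by name. The addresses are the ones from Julio's reply; the two lookup tables and the sample HTTP requests are constructed for this example.

```python
"""Static PAT (what the ASA keys on) versus Host-header dispatch (what a
layer-7 proxy keys on).  Added example; addresses are from the thread,
tables and sample requests are constructed."""
from __future__ import annotations

# Static PAT table as written in the thread:
#   static (dmz,outside) tcp interface 80   192.168.10.2 80
#   static (dmz,outside) tcp interface 8080 192.168.10.3 80
# keyed on (outside IP, outside port) -> (DMZ host, port).
OUTSIDE_IP = "162.10.10.2"
STATIC_PAT = {
    (OUTSIDE_IP, 80): ("192.168.10.2", 80),
    (OUTSIDE_IP, 8080): ("192.168.10.3", 80),
}

# Name-based virtual host table a layer-7 proxy would use (constructed):
# HTTP Host header -> backend.
VHOST_TABLE = {
    "www.website1.com": ("192.168.10.2", 80),
    "www.website2.com": ("192.168.10.3", 80),
}


def nat_lookup(dst_ip: str, dst_port: int) -> tuple[str, int] | None:
    """Emulate the ASA static PAT decision: only the L3/L4 destination is consulted."""
    return STATIC_PAT.get((dst_ip, dst_port))


def host_header(raw_request: bytes) -> str | None:
    """Return the Host header of a raw HTTP/1.1 request, lower-cased, port stripped.

    The header name is matched case-insensitively; a request without a Host
    header (e.g. HTTP/1.0) yields None.
    """
    head, _, _ = raw_request.partition(b"\r\n\r\n")
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            host = value.strip().decode("ascii", errors="replace")
            return host.split(":", 1)[0].lower()
    return None


def vhost_lookup(raw_request: bytes) -> tuple[str, int] | None:
    """Emulate a layer-7 dispatcher: route on the Host header inside the HTTP payload."""
    host = host_header(raw_request)
    return VHOST_TABLE.get(host) if host is not None else None


# Constructed sample requests.  Both sites resolve to the single outside IP, so
# both TCP connections arrive at 162.10.10.2:80 and are indistinguishable to
# the static PAT rule; only the payload tells them apart.
REQ_SITE1 = b"GET / HTTP/1.1\r\nHost: www.website1.com\r\nConnection: close\r\n\r\n"
REQ_SITE2 = b"GET / HTTP/1.1\r\nhost: WWW.WEBSITE2.COM:80\r\nConnection: close\r\n\r\n"


if __name__ == "__main__":
    for req in (REQ_SITE1, REQ_SITE2):
        # Same NAT answer for both; different proxy answer.
        print("NAT sees  ", (OUTSIDE_IP, 80), "->", nat_lookup(OUTSIDE_IP, 80))
        print("Proxy sees", host_header(req), "->", vhost_lookup(req))
    # The thread's workaround: a second outside port selects the second server,
    # so users of site 2 would have to type :8080.
    print("NAT sees  ", (OUTSIDE_IP, 8080), "->", nat_lookup(OUTSIDE_IP, 8080))
```

Running the script shows `nat_lookup` returning 192.168.10.2 for both requests, because the only thing it can see differs in neither, while `vhost_lookup` returns the two different backends. With a single public IP and no layer-7 device in front, the remaining options are exactly what Julio gave: a second port (8080), or a second public address.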
10-16-2011 07:56 PM
It's disappointing that the ASA cannot port forward traffic from the outside based on URL. We are currently using a Microsoft ISA server that is able to direct traffic based upon the source URL (so I'm told).
Thanks for the link on DNS Doctoring as that was another issue I was going to try and tackle.
Mike
10-16-2011 10:03 PM
Hello,
I am glad the DNS doctoring document helped you.
You do not have to worry about the URL issue; the setup is going to work. I believe that at this moment you have 2 domain names for those servers on the DMZ and each domain name is linked to an IP address, so anyone on the outside is going to be able to access the web server using the URL.
Regards,