11-15-2012 12:32 PM - edited 03-11-2019 05:24 PM
Hello guys,
I have a problem: I'm trying to configure an ASA as shown in the attached scenario.
I need all inside users to go to the proxy server on the DMZ, and from there they will go out to the internet.
Right now I have:
INSIDE INTERFACE
access-list inside permit ip 10.1.1.0 255.255.255.0 host 11.1.1.6
DMZ INTERFACE
access-list dmz permit ip host 11.1.1.6 any
OUTSIDE INTERFACE
access-list outside permit ip any host <proxy server public ip>
REGARDING NAT I HAVE THE FOLLOWING:
static (dmz,outside) <proxy server public> 11.1.1.6 netmask 255.255.255.255
My question is whether it would work with this configuration. Do I need to apply NAT on my inside hosts? Will all my inside hosts, when they reach the ASA, be sent to the proxy, and then through the proxy back to the ASA and on to the internet?
Thanks,
Tony
11-17-2012 05:22 AM
Correct, you would need to add a static NAT to itself from inside to dmz.
For the access-list on the inside, once you know which port the inside hosts should be pointing to on the proxy server, you can even tie it down to that specific port. Normally a proxy server uses port 8080 by default, so you can configure it as follows:
access-list inside permit tcp 10.1.1.0 255.255.255.0 host 11.1.1.6 eq 8080
Then also allow the other services that the inside hosts need (e.g. DNS, mail, FTP, etc.).
With your configuration, yes, it will allow the inside hosts to access the proxy server, and the proxy server will also have access to the internet.
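As an added example (not from the thread or from the answerer), here is one way the complete pre-8.3 configuration for this scenario could look, written in the same `static`/`access-list` syntax the thread uses. Interface names, the outside address 203.0.113.2/29, the public proxy address 203.0.113.6 (standing in for `<proxy server public ip>`) and the internal DNS server 10.1.1.10 are all assumptions. It also adds two tightenings a practitioner would want: the `static (inside,dmz)` identity NAT makes the inside network reachable from the DMZ, so the DMZ access-list explicitly denies the proxy from opening connections back into 10.1.1.0/24 before the `permit ... any` line; and the outside access-list permits nothing inbound, because return traffic for the proxy's outbound connections is allowed by the ASA's stateful connection table, and a `permit ip any host 203.0.113.6` would expose every port on the proxy to the internet.

```cisco
! Added example, ASA pre-8.3 syntax. Interface names and the 203.0.113.x
! addresses are assumptions; 10.1.1.0/24 and 11.1.1.6 come from the thread.
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
!
interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 11.1.1.1 255.255.255.0
!
! Publish the DMZ proxy on the outside with the assumed public address.
static (dmz,outside) 203.0.113.6 11.1.1.6 netmask 255.255.255.255
! Identity NAT so inside hosts reach the DMZ with their real addresses.
! Note there is deliberately no nat/global pair for inside to outside:
! without one, inside hosts cannot bypass the proxy even if an ACL let them.
static (inside,dmz) 10.1.1.0 10.1.1.0 netmask 255.255.255.0
!
! Inside: only the proxy port and DNS (10.1.1.10 is an assumed internal resolver).
access-list inside remark inside hosts may only use the DMZ proxy
access-list inside extended permit tcp 10.1.1.0 255.255.255.0 host 11.1.1.6 eq 8080
access-list inside extended permit udp 10.1.1.0 255.255.255.0 host 10.1.1.10 eq domain
access-list inside extended deny ip any any
!
! DMZ: the proxy gets web and DNS to the internet only. The first line stops
! "permit ... any" from also allowing the proxy to initiate connections into
! the inside network, which the identity static above makes reachable.
access-list dmz remark block proxy-initiated traffic toward inside
access-list dmz extended deny ip host 11.1.1.6 10.1.1.0 255.255.255.0
access-list dmz extended permit tcp host 11.1.1.6 any eq www
access-list dmz extended permit tcp host 11.1.1.6 any eq https
access-list dmz extended permit udp host 11.1.1.6 any eq domain
access-list dmz extended deny ip any any
!
! Outside: nothing inbound is required for an outbound-only proxy; replies to
! the proxy's own connections are matched by the stateful connection table.
access-list outside remark no unsolicited inbound traffic
access-list outside extended deny ip any any
!
access-group inside in interface inside
access-group dmz in interface dmz
access-group outside in interface outside
```

The explicit `deny ip any any` lines only make the implicit deny visible in `show access-list` hit counts; they do not change behaviour. If the proxy also needs to reach an internal service (for example authentication against a directory server), add a specific permit for that host and port above the deny toward 10.1.1.0/24 rather than widening the `any`.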
11-16-2012 04:42 AM
No, the ASA will not redirect the web traffic automatically to your proxy server.
What proxy server are you using on the DMZ?
You would need to explicitly configure the DMZ proxy server as the proxy server on your inside hosts.
Plus, you would also need to configure the following static NAT statement to allow the traffic:
static (inside,dmz) 10.1.1.0 10.1.1.0 netmask 255.255.255.0
11-16-2012 11:02 AM
Hello Jennifer,
Thanks for your response. So basically I will need to add a static to allow traffic from inside to dmz without being NATted. I don't know what proxy server it will be; the server will be managed by another party, but on my inside hosts I will need to set all the parameters to point to the proxy. Once this is done, traffic will go out through the proxy server to the dmz interface of the ASA and then to the outside world, is that correct?
Do you think this configuration would work?
Outside = security 0
Inside = security 100
DMZ = security 50
static (dmz,outside)
static (inside,dmz) 10.1.1.0 10.1.1.0 netmask 255.255.255.0
access-list inside permit tcp 10.1.1.0 255.255.255.0 any
access-list dmz permit ip host 11.1.1.6 any
access-group inside in interface inside
access-group dmz in interface dmz
Basically, with this configuration my web requests will go to the proxy on the DMZ and then from there out to the internet?
Thanks