Need rules to foward HTTPS traffic based on source IP

mattkl3com · ‎08-06-2010

I have a Cisco ASA 5505, and I'm trying to forward HTTPS traffic to one internal server if it comes from either of two external networks (i.e. X.Y.0.0/16 and C.0.0.0/8), and to a different server if it comes from anywhere else.

Can anyone provide me with the Policy Static PAT (?) or whatever commands to accomplish this? Thanks!

Kureli Sankar · ‎08-06-2010

CSCso79009 ENH: Policy static nat should check inbound source IP address w/ACL
This defect is not resolved yet.

It may not work for you if configured. This is how you would configure it though.

static (inside,outside) tcp 1.1.1.1 443 access-list from-server-A

access-list from-server-A per tcp 10.10.1.1 eq 443 A.A.A.A

The above line will make the firewall receive all 443 traffic destined to 1.1.1.1 from the internet address A.A.A.A to the server on the inside 10.10.1.1

static (inside,outside) tcp 2.2.2.2 443 access-list from-all-other-ips

access-list from-all-outher-ips per tcp 10.10.2.2 eq 443 any

The above lines will make the firewall receive all 443 traffic destined to 2.2.2.2 from all other internet addresses to the server on the inside 10.10.2.2

Unfortunately due to the defect this may not work.

-KS

Jon Marshall · ‎08-06-2010

mattkl3com wrote:

I have a Cisco ASA 5505, and I'm trying to forward HTTPS traffic to one internal server if it comes from either of two external networks (i.e. X.Y.0.0/16 and C.0.0.0/8), and to a different server if it comes from anywhere else.

Can anyone provide me with the Policy Static PAT (?) or whatever commands to accomplish this? Thanks!

Matt

You can't do this on an ASA. What you need is PBR (Policy Based Routing) which is the ability to forward traffic based on something other than just the destination IP address, in your case the source IP.

But the ASA does not support PBR although believe me a lot of people wish it did. For PBR you need a router.

Jon