Solved: port 80 redirect to https

charlie.ford · ‎12-21-2011

Windows IIS server configured behind a Cisco ASA 5540 listening on port 443 currently. Access-list and static translation configured. I have been ask to redirect all port 80 calls to port 443 for this web site only at the firewall. I have suggested moving it behind our content switch with negative results. Can we do this at the firewall level? If no, then a definitve answer would solve my problem. If yes, some suggestions on how to accomplish the redirect for a single site. 8.2.4 is current code. More info if you need!

Julio Carvajal · ‎12-21-2011

Hello Charlie,

Of course you can do this on your ASA.

Lets say the web-server ip addres is 192.168.2.11 and will be natted to 2.2.2.2.

So you want to redirect all traffic hitting 2.2.2.2 on port 80 to port 443 on 192.168.2.11.

Here is the configuration you need:

static (inside,outside) tcp 2.2.2.2 80 192.168.2.11 443

access-list outside_in permit tcp any host 2.2.2.2 eq 80

access-group outside_in in interface outside

Kind regards,

Please rate helpful posts,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

View solution in original post

Julio Carvajal · ‎12-21-2011

Hello Charlie,

Of course you can do this on your ASA.

Lets say the web-server ip addres is 192.168.2.11 and will be natted to 2.2.2.2.

So you want to redirect all traffic hitting 2.2.2.2 on port 80 to port 443 on 192.168.2.11.

Here is the configuration you need:

static (inside,outside) tcp 2.2.2.2 80 192.168.2.11 443

access-list outside_in permit tcp any host 2.2.2.2 eq 80

access-group outside_in in interface outside

Kind regards,

Please rate helpful posts,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

charlie.ford · ‎12-21-2011

There was an error, please check below.

bashiru.bayonle · ‎10-21-2016

Hello All,

Please can someone help me to write this NAT in a format that ASA Version 9.1(2) understands

static (inside,outside) tcp 2.2.2.2 80 192.168.2.11 443

BR,

Thanks

charlie.ford · ‎12-21-2011

Let me rephrase this. The web site must allow port 80 and port 443 at the edge.

User "A' uses http and user "B" uses https, both users need to access port 443 on the IIS server within the network.

The access-list is would allow both 80 and 443 through but can we direct all calls to 443 no matter if they are http or https?

Julio Carvajal · ‎12-21-2011

Hello Charlie,

Got it!!!

Here is what you need:

access-list test permit tcp host 192.168.2.11 eq 443 any

static (inside,outside) tcp 2.2.2.2 443 192.168.2.11 443

static (inside,outside) tcp 2.2.2.2 80 access-list test

access-list outside_in permit tcp any host 2.2.2.2 eq 80

access-list outside_in permit tcp any host 2.2.2.2 eq 443

access-group outside_in in interface outside

Please rate helpful posts.

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC