12-21-2011 09:22 AM - edited 03-11-2019 03:04 PM
Windows IIS server configured behind a Cisco ASA 5540 listening on port 443 currently. Access-list and static translation configured. I have been asked to redirect all port 80 calls to port 443 for this web site only at the firewall. I have suggested moving it behind our content switch with negative results. Can we do this at the firewall level? If no, then a definitive answer would solve my problem. If yes, some suggestions on how to accomplish the redirect for a single site. 8.2.4 is current code. More info if you need!
12-21-2011 09:36 AM
Hello Charlie,
Of course you can do this on your ASA.
Let's say the web server IP address is 192.168.2.11 and will be natted to 2.2.2.2.
So you want to redirect all traffic hitting 2.2.2.2 on port 80 to port 443 on 192.168.2.11.
Here is the configuration you need:
static (inside,outside) tcp 2.2.2.2 80 192.168.2.11 443
access-list outside_in permit tcp any host 2.2.2.2 eq 80
access-group outside_in in interface outside
Kind regards,
Please rate helpful posts,
Julio
12-21-2011 12:48 PM
There was an error, please check below.
10-21-2016 08:21 AM
Hello All,
Please can someone help me to write this NAT in a format that ASA Version 9.1(2) understands:
static (inside,outside) tcp 2.2.2.2 80 192.168.2.11 443
BR,
Thanks
12-21-2011 12:44 PM
Let me rephrase this. The web site must allow port 80 and port 443 at the edge.
User "A" uses http and user "B" uses https, both users need to access port 443 on the IIS server within the network.
The access-list would allow both 80 and 443 through but can we direct all calls to 443 no matter if they are http or https?
12-21-2011 12:49 PM
Hello Charlie,
Got it!!!
Here is what you need:
access-list test permit tcp host 192.168.2.11 eq 443 any
static (inside,outside) tcp 2.2.2.2 443 192.168.2.11 443
static (inside,outside) tcp 2.2.2.2 80 access-list test
access-list outside_in permit tcp any host 2.2.2.2 eq 80
access-list outside_in permit tcp any host 2.2.2.2 eq 443
access-group outside_in in interface outside
Please rate helpful posts.
Julio
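An added check, not part of any post in this thread: it models the port translation from the configuration above and classifies the first bytes that reach the listener on 192.168.2.11:443 for user "A" (http) and user "B" (https). It assumes the translation rewrites only the destination address and port and leaves the payload untouched, and that the listener on 443 speaks TLS only; the sample payloads and function names are constructed for illustration.

```python
import struct

# Addresses and ports from the thread's example; payloads below are constructed.
PAT = {("2.2.2.2", 80): ("192.168.2.11", 443),
       ("2.2.2.2", 443): ("192.168.2.11", 443)}

HTTP_METHODS = (b"GET", b"HEAD", b"POST", b"PUT", b"DELETE", b"OPTIONS")

def classify_first_bytes(data: bytes) -> str:
    """Label the first client bytes a listener receives."""
    # TLS record header: type(1) version(2) length(2); type 0x16 = handshake.
    if len(data) >= 6:
        rtype, major, _minor, length = struct.unpack("!BBBH", data[:5])
        if rtype == 0x16 and major == 0x03 and 0 < length <= 16384:
            # First handshake byte 0x01 = ClientHello.
            return "tls-client-hello" if data[5] == 0x01 else "tls-other"
    # HTTP/1.x request line: METHOD SP target SP HTTP/x.y
    line = data.split(b"\r\n", 1)[0].split(b" ")
    if len(line) == 3 and line[0] in HTTP_METHODS and line[2].startswith(b"HTTP/"):
        return "plaintext-http"
    return "unknown"

def translate(dst_ip: str, dst_port: int, payload: bytes):
    """Model the port translation: destination rewritten, payload untouched."""
    real_ip, real_port = PAT[(dst_ip, dst_port)]
    return real_ip, real_port, payload

def listener_accepts(dst_ip: str, dst_port: int, payload: bytes) -> bool:
    """True if a TLS-only listener on the real port could start a handshake."""
    _ip, real_port, data = translate(dst_ip, dst_port, payload)
    return real_port == 443 and classify_first_bytes(data) == "tls-client-hello"

# Constructed samples: user A's browser on http://, user B's on https://.
USER_A = b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
USER_B = bytes.fromhex("16030100c4" "010000c0" "0303") + bytes(190)

if __name__ == "__main__":
    for name, port, data in (("A", 80, USER_A), ("B", 443, USER_B)):
        ip, rport, _ = translate("2.2.2.2", port, data)
        ok = listener_accepts("2.2.2.2", port, data)
        print(f"user {name}: 2.2.2.2:{port} -> {ip}:{rport} "
              f"{classify_first_bytes(data)} accepted={ok}")
```

Under these assumptions user "A"'s request still arrives as plaintext HTTP on port 443, so sending users from http:// to https:// needs an HTTP-level redirect from something that answers on port 80.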