PBR on ASA for inside traffic redirection

buffkata
Level 1

Hi,

Is it possible to apply PBR on the dmz interface (on ASA 9.8(3)) and use it to re-route traffic directed to the inside interface but change the destination IP address in the process? Basically we need to temporarily change the destination (redirect) from 10.10.0.11 to 10.10.0.22.
Will something like this work:
access-list PBR_ACL extended permit tcp host 192.168.33.22 host 10.10.0.22 eq https
route-map PBR_MAP permit 10
 match ip address PBR_ACL
 set ip next-hop 10.10.0.22
       or  set ip next-hop recursive 10.10.0.22 ????
 set interface inside
interface Ethernet0/8
policy-route route-map PBR_MAP

7 Replies

Richard Burts
Hall of Fame

While PBR is supported on current versions of code on ASA it will not do what you want it to do. PBR can change the next hop. But it can not change the destination address. 

HTH

Rick

Thank you,

Is there something else that can be used on the ASA to accomplish this traffic redirection based on source and destination IPs?

Redirection (changing the way that we forward a packet) is certainly possible using PBR. But changing the destination address is not just redirection and would require more of something like a proxy. I do not know of a way to do that on ASA.

HTH

Rick

I am glad that my responses have been helpful. Thank you for marking this question as solved. This will help other participants in the community to identify discussions which have helpful information. This community is an excellent place to ask questions and to learn about networking. I hope to see you continue to be active in the community.

HTH

Rick

bhargavdesai
Spotlight
With all due respect to the experts, I am not an expert, but I think you can achieve this with NAT configuration. But to be sure, you need to be more detailed about the network and what exactly you want to achieve.


HTH
### RATE ALL HELPFUL RESPONSES ###

OK, let's see:

We have a DMZ web server that needs to talk to an inside server over port 80, but if it talks over port 443 we need to redirect the traffic to a second inside server. The redirection cannot be done on the DMZ server.
From your input this is what I understood; correct me if I am wrong.
You have a server in the DMZ with IP address 172.16.0.10 which is communicating with an INSIDE server 10.10.10.10 over ports 80 and 443.

You want that when the DMZ server 172.16.0.10 sends a request over port 80 to the inside server 10.10.10.10, it should go to server 10.10.10.11 port 80,
and if the DMZ server 172.16.0.10 sends a request over port 443 to the inside server 10.10.10.10, it should go to server 10.10.10.12 port 443.

If this is what you want to achieve, I can say you can do that. But BEWARE: this is not a redirection; we are not changing the service from HTTP to HTTPS. We are just selecting the server based on the service, HTTP or HTTPS.

Based on this, Find the configuration below.
=======
!
interface GigabitEthernet0/0
nameif INSIDE
security-level 100
ip address 10.10.10.1 255.255.255.0
!
interface GigabitEthernet0/1
nameif DMZ
security-level 50
ip address 172.16.0.1 255.255.255.0
!
object network IN-10.10.10.10
host 10.10.10.10
object network IN-10.10.10.11
host 10.10.10.11
object network IN-10.10.10.12
host 10.10.10.12
object network DMZ-172.16.0.10
host 172.16.0.10
object service HTTP
service tcp destination eq www
object service HTTPS
service tcp destination eq https
!
nat (DMZ,INSIDE) source static DMZ-172.16.0.10 DMZ-172.16.0.10 destination static IN-10.10.10.10 IN-10.10.10.11 service HTTP HTTP
nat (DMZ,INSIDE) source static DMZ-172.16.0.10 DMZ-172.16.0.10 destination static IN-10.10.10.10 IN-10.10.10.12 service HTTPS HTTPS
!
access-list DMZ-IN extended permit tcp object DMZ-172.16.0.10 object IN-10.10.10.11 eq www
access-list DMZ-IN extended permit tcp object DMZ-172.16.0.10 object IN-10.10.10.12 eq https
!
access-group DMZ-IN in interface DMZ
!
=======
This is just a configuration example; you have to make the necessary changes according to your setup and requirements.

I hope this helps you and I am looking forward to your response.

HTH
### RATE ALL HELPFUL RESPONSES ###
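To make the order of operations in that configuration concrete, here is an added Python model (not from the post above and not Cisco code) of how the ASA evaluates the two manual NAT lines and then the DMZ-IN access list for a flow entering the DMZ interface. It assumes post-8.3 behaviour, where access rules are checked against real (untranslated) addresses, and the flows and rule names are constructed to match the thread.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Constructed model of the "nat (DMZ,INSIDE) source static ... destination static
# ... service" rules in the thread. Each rule matches the real source, the mapped
# destination and the TCP port, then rewrites the destination to its real address.
@dataclass(frozen=True)
class NatRule:
    src: str         # DMZ-172.16.0.10 (identity source NAT: real == mapped)
    dst_mapped: str  # IN-10.10.10.10, the address the DMZ host actually connects to
    dst_real: str    # IN-10.10.10.11 / IN-10.10.10.12, where the packet really goes
    port: int        # object service HTTP / HTTPS (destination port)

NAT_RULES: List[NatRule] = [  # section 1 manual NAT: first matching line wins
    NatRule("172.16.0.10", "10.10.10.10", "10.10.10.11", 80),
    NatRule("172.16.0.10", "10.10.10.10", "10.10.10.12", 443),
]

Acl = List[Tuple[str, str, int]]  # (source, destination, destination port)

# DMZ-IN as written in the thread: it names the REAL servers, because since
# ASA 8.3 an access rule is evaluated against real addresses, not mapped ones.
DMZ_IN_REAL: Acl = [("172.16.0.10", "10.10.10.11", 80),
                    ("172.16.0.10", "10.10.10.12", 443)]
# A common mistake: writing the ACL against the mapped address the client sees.
DMZ_IN_MAPPED_WRONG: Acl = [("172.16.0.10", "10.10.10.10", 80),
                            ("172.16.0.10", "10.10.10.10", 443)]

def translate(src: str, dst: str, dport: int) -> str:
    """Return the real destination after manual NAT (identity if no rule matches)."""
    for rule in NAT_RULES:
        if (src, dst, dport) == (rule.src, rule.dst_mapped, rule.port):
            return rule.dst_real
    return dst

def forward(src: str, dst: str, dport: int, acl: Acl) -> Tuple[str, bool]:
    """Untranslate the destination, then apply the inbound ACL on the DMZ interface."""
    real_dst = translate(src, dst, dport)
    permitted = (src, real_dst, dport) in acl
    return real_dst, permitted

if __name__ == "__main__":
    # Same DMZ client, same mapped server, three ports: only 80 and 443 are re-pointed.
    for dport in (80, 443, 22):
        print(dport, forward("172.16.0.10", "10.10.10.10", dport, DMZ_IN_REAL))
```

Port 22 from the same client is left untranslated and dropped by the ACL, and the mapped-address ACL variant shows why a rule written against 10.10.10.10 would silently deny the very flows the NAT rules redirect.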