Redirecting all IP to a services on a different host

davcommunay
Level 1

Dear All,

Suppose I want to redirect all connections from INSIDE (10.0.0.0/24) to OUTSIDE (any) on TCP port 80 to a server 172.2.2.2 in the DMZ on port 3128. Note that this port is not important, as Linux can receive connections on port 80 and redirect them to 3128 easily...

It is called a transparent proxy; I know this can be done with WCCP commands, BUT I'd like to know if the ASA is able to redirect destination connections this way.

This can also be very useful: imagine one of your MySQL servers is not accessible and you want to redirect all the connections to another server through the firewall without client reconfiguration... (this is a good example, as WCCP won't be acceptable).

Please let me know...

Best regards,

David

7 Replies

lance_brown
Level 1

You could do that, as you can create a NAT rule that looks at the source and destination IPs as well as the service; you can then change none, one, two, or all three of those in the NAT rule.

A better solution, use DNS.  All of the clients should be pointed towards a name and not an IP.  Then if the server fails, you update the DNS record and all of the clients will continue to work.

Hi,

I trust you when you say it is possible.

But I would like to know how??? A practical example of a NAT rule of that kind...

Otherwise, I agree that using DNS for this is better, but I am more interested in the technical aspect of those NAT rules in the ASA, as it is so easy to do with iptables...

Please let me know if you have the solution.

Best regards

Hello David,

What version of IOS are you running??

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

nat (Inside, Outside) 1 source static 10.0.0.0 [ip address to NAT source address to] destination static [ip address/subnet of destination] 172.2.2.2 service HTTP HTTP no-proxy-arp

If you want truly any service rather than just HTTP as the original service, then it would look like this:

nat (Inside, Outside) 1 source static 10.0.0.0 (ip address to NAT source address to) destination static (ip address/subnet of destination) 172.2.2.2 service any HTTP no-proxy-arp

Now while you are not going to ANY address as the original [the first set of brackets], you are able to do a subnet.  Since you said you wanted to do this so you didn't have to change client settings, then you obviously know what the address being used is.  Oh, the 1 after the "nat (Inside, Outside)" is the position of the NAT rule, so in your case, it may not be 1.
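The rule above is written with placeholder IP literals in brackets. On ASA 8.3 and later, twice NAT (manual NAT) takes network and service objects, not literals, and the ordering matters: the source pair is given as real then mapped, while the destination pair and the service pair are given as mapped then real. The following is an added example, not configuration from this thread, that writes out the original question's scenario (inside 10.0.0.0/24, any destination on TCP/80, redirected to 172.2.2.2 on TCP/3128 in the DMZ) in that object form, followed by the commands to verify it. The object names, the interface name dmz, the rule position 1, the identity source translation, and the client/destination addresses used in the packet-tracer line are assumptions made for illustration; the destination 198.51.100.20 is a constructed documentation address.

```text
! --- added example: ASA 8.3+ twice NAT redirect of inside -> any:80 to DMZ proxy 172.2.2.2:3128 ---
! Object names, the "dmz" interface name and the rule position are assumptions.
object network INSIDE-NET
 subnet 10.0.0.0 255.255.255.0
object network ANY-DST
 subnet 0.0.0.0 0.0.0.0
object network DMZ-PROXY
 host 172.2.2.2
object service TCP-80
 service tcp destination eq www
object service TCP-3128
 service tcp destination eq 3128
!
! Static twice NAT. Source is identity (INSIDE-NET stays INSIDE-NET); the
! destination is rewritten from the mapped value, i.e. whatever the client
! dialled on port 80 (ANY-DST / TCP-80), to the real value, the proxy on
! port 3128 (DMZ-PROXY / TCP-3128). Note the order:
!   source static <real> <mapped>
!   destination static <mapped> <real>
!   service <mapped-dest> <real-dest>
! "1" places the rule first in section 1 of the NAT table so a broader rule
! cannot match the flow before it. no-proxy-arp stops the ASA from answering
! ARP for the 0.0.0.0/0 mapped destination on the inside segment.
nat (inside,dmz) 1 source static INSIDE-NET INSIDE-NET destination static ANY-DST DMZ-PROXY service TCP-80 TCP-3128 no-proxy-arp
!
! Verification. "show nat detail" lists the rule with its translate_hits and
! untranslate_hits counters; packet-tracer simulates a client SYN and shows, in
! the NAT phase, the destination being rewritten to 172.2.2.2/3128 and, at the
! end, output-interface dmz with Action: allow. Any drop is reported with the
! phase that caused it (typically an access-list phase, not the NAT phase).
show nat detail
packet-tracer input inside tcp 10.0.0.10 50087 198.51.100.20 80 detailed
```

If packet-tracer shows the destination untouched, the flow matched an earlier rule or the mapped service object does not match the port the client used; if the destination is rewritten but the packet is dropped later, the DMZ access list is the usual culprit, since the ACL is evaluated against the real (post-untranslation) address on 8.3+.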

Thank you for this, I will try.

Unfortunately, this does not work at all

# show version

Cisco Adaptive Security Appliance Software Version 8.3(1)

Device Manager Version 6.3(1)

These commands were not successful, even though I tried to modify them at least 12 times.

So what I tried to do at first was redirect all connections coming from my_computer to an IP called website on port 80, to be redirected to database on port mysql. OUF!

It looks like this

nat (inside,any) source static my_computer my_computer destination static website database service http mysql

Now if I try a telnet to the website on port 80, I should be redirected to database:3306?

telnet THE.IP.OF.WEBSITE 80

Trying THE.IP.OF.WEBSITE...

And nothing more...

If I check the logs during this time, I can see:

"Built outbound TCP connection 321212121 for outside:database_ip/3306 (website_ip/80) to inside:my_computer/50087 (mycomputer/50087)"

Now I am COMPLETELY lost.

1) Database IP is on INSIDE interface

2) website_IP is OUTSIDE (on the internet)

I am just trying to do DNAT, but I can't figure out how to find the solution...

Please help
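One point worth drawing out of the post above: the syslog line shows that the destination translation did fire (website_ip/80 became database_ip/3306), but the connection was built out the outside interface, while the poster says the database sits on inside. Client and server on the same interface make this a same-interface (hairpin) flow, which on an ASA needs the rule to name inside as both the real and the mapped interface, and needs intra-interface traffic to be permitted explicitly. The following is an added example, not configuration from this thread, using the poster's object names (my_computer, website, database, http, mysql); the object definitions are assumptions, since the thread never shows them, and the addresses are constructed for illustration.

```text
! --- added example: same-interface (hairpin) DNAT on ASA 8.3+, client and server both on inside ---
! Object contents are assumptions; the thread only shows the object names.
object network my_computer
 host 10.0.0.10
object network website
 host 198.51.100.20
object network database
 host 10.0.0.50
object service http
 service tcp destination eq www
object service mysql
 service tcp destination eq 3306
!
! Without this, the ASA drops any flow that would leave on the interface it
! arrived on, so a redirect back into inside can never complete.
same-security-traffic permit intra-interface
!
! Same rule as in the post, with (inside,any) replaced by (inside,inside) so
! the translated flow is handed back to inside rather than being built out
! the outside interface as the "Built outbound TCP connection ...
! outside:database_ip/3306" log line shows happened.
nat (inside,inside) source static my_computer my_computer destination static website database service http mysql
!
! Check: the NAT phase should show the destination rewritten to 10.0.0.50/3306
! and the result should end with input-interface inside, output-interface
! inside, Action: allow. An "(acl-drop)" result here points at the inside
! access list, which is evaluated against the real (untranslated) destination.
packet-tracer input inside tcp 10.0.0.10 50087 198.51.100.20 80 detailed
```

Two practical caveats for this layout: the database host must route its replies back through the ASA rather than directly to the client, or the ASA never sees the return SYN/ACK and the telnet hangs exactly as in the post; and because the source is an identity translation, the server sees the client's real address, so its own access controls must allow 10.0.0.10 on port 3306.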

You have three options.

1) Use packet-tracer and see why it fails or if it does really pass.

2) Create the NAT using ASDM and let it figure out the syntax for you.

3) Use DNS as this is what it was designed for.
