02-09-2009 08:40 AM - edited 03-09-2019 10:01 PM
Hello all.
We have an ASA5510 and we need to configure it to allow the following scenario:
We already have ACLs and NAT configured on the ASA to provide access to our first web server (OUTSIDE => DMZ). It is working fine.
Now we have a web application that will run on another web server (placed in the same DMZ as the first web server), and we don't know what needs to be configured on the ASA.
We have an IIS server installed on our first web server with our web page www.example.com. We will define a new virtual directory www.example.com/application to execute the new web application on the second web server.
On the new IIS virtual directory we are using the "Redirect to URL" option, pointing to the valid IP reserved for our second web server (new).???
We already have configured on ASA an Inside network 192.168.1.0/24, a DMZ 10.0.0.0/24 and an Outside obviously.
Could you please help us with the ASA configuration for web access on this second web server?
02-09-2009 10:39 AM
Sounds like you just need a NAT for the second address of WS2 and to open up those ports inbound to the DMZ.
02-09-2009 11:30 AM
1. Would it be necessary to have a second valid IP in this scenario for WS2? Or can we use the same valid IP used on WS1 and use a dynamic NAT for the two IP addresses in the DMZ?
02-09-2009 11:36 AM
OK, here's the rub. You cannot NAT to the same front end address to the back end address unless you do Port address mapping. Even then, you are restricted to ports on the outside mapping to different ports on the inside, i.e.
port 80 outside maps to 8080 on the DMZ and port 8000 maps to port 8000 on the DMZ.
So technically, you could nat to the same address if you just are going to and from different ports.
So outside port 80 maps to inside 8000
redirect to outside address on port 8080,
that can be mapped to the same address on 8080 to the same DMZ host.
-C
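An added example, not part of the original thread and not Cisco tooling: an offline check of the rule described in the reply above, that one outside address can front two DMZ hosts only when each outside port maps to a single back end, plus a check that every mapped port has an inbound permit. It assumes pre-8.3 `static` PAT syntax with ACLs written against the mapped address; the public address 203.0.113.10, the DMZ hosts 10.0.0.10 and 10.0.0.11, the ACL name and the `audit` function are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample config (assumed pre-8.3 ASA syntax, placeholder addresses).
# Line 3 deliberately reuses outside port 80 for a second DMZ host.
SAMPLE = """\
static (dmz,outside) tcp 203.0.113.10 80 10.0.0.10 80 netmask 255.255.255.255
static (dmz,outside) tcp 203.0.113.10 8080 10.0.0.11 8080 netmask 255.255.255.255
static (dmz,outside) tcp 203.0.113.10 80 10.0.0.11 80 netmask 255.255.255.255
access-list outside_in extended permit tcp any host 203.0.113.10 eq www
"""

STATIC_RE = re.compile(
    r"^static \((\S+),(\S+)\) (tcp|udp) (\S+) (\S+) (\S+) (\S+)")
ACL_RE = re.compile(
    r"^access-list \S+ extended permit (tcp|udp) any host (\S+) eq (\S+)")
PORT_NAMES = {"www": 80, "https": 443}  # names the ASA prints in place of numbers


def port(token):
    """Convert a port token ('www', '8080') to an integer."""
    return PORT_NAMES[token] if token in PORT_NAMES else int(token)


def audit(config):
    """Return (conflicts, unreachable) for the static PAT entries in config.

    conflicts:   outside (proto, ip, port) claimed by more than one DMZ target
    unreachable: outside (proto, ip, port) with a PAT entry but no permit
    """
    mapped = defaultdict(set)
    permitted = set()
    for line in config.splitlines():
        line = line.strip()
        m = STATIC_RE.match(line)
        if m:
            _real_if, _mapped_if, proto, m_ip, m_port, r_ip, r_port = m.groups()
            mapped[(proto, m_ip, port(m_port))].add((r_ip, port(r_port)))
            continue
        a = ACL_RE.match(line)
        if a:
            proto, ip, p = a.groups()
            permitted.add((proto, ip, port(p)))
    conflicts = {k: sorted(v) for k, v in mapped.items() if len(v) > 1}
    unreachable = sorted(k for k in mapped if k not in permitted)
    return conflicts, unreachable
```

On the sample, `audit(SAMPLE)` flags outside port 80 as claimed by both DMZ hosts and outside port 8080 as mapped but not permitted inbound.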
02-10-2009 11:43 AM
Thank you so much!
Your tips are working fine.
Our WS2 is already on-line.
02-10-2009 04:14 PM
Glad to hear it!!