10-03-2011 05:24 AM - edited 03-04-2019 01:48 PM
We have Cisco ASA 5505, 90.x.y.2/29 IP is assigned to outside interface.
We have one internal HTTP server so that I use
static (inside,outside) tcp interface www 172.16.0.10 www netmask 255.255.255.255
to forward all incoming HTTP traffic to internal HTTP server 1.
Now we need to add new physical HTTP server 2 so that I would like to forward
HTTP traffic to e.g. 90.x.y.3/29 to 172.16.0.11.
How can I do that? See scenario image (scenario.png) if needed.
10-03-2011 05:31 AM
you can do this several ways
you could map the internal server to the ip address and allow traffic in on your acl
static (inside,outside) 90.x.y.3 172.16.0.x 255.255.255.255
then an acl on the outside interface inbound for web traffic
10-03-2011 05:47 AM
And best/recommended solution if I want to forward (for security reasons) http/https only?
10-03-2011 06:47 AM
Configure the new static as you have the existing static -
static (inside,outside) tcp 90.x.y.3 www 172.16.0.11 www
note that you should still use an acl to limit only http traffic to the address.
Jon
10-03-2011 07:09 AM
Well, I will have this configuration:
interface Vlan2
 nameif outside
 security-level 0
 ip address 90.x.y.2 255.255.255.248
static (inside,outside) tcp interface www 172.16.0.10 www netmask 255.255.255.255
static (inside,outside) tcp 90.x.y.3 www 172.16.0.11 www netmask 255.255.255.255
object-group service og_service_webserver_permit tcp
 description permit HTTP (80/tcp) and HTTPS (443/tcp)
 port-object eq www
 port-object eq https
access-list acl_inbound_outside extended permit tcp any interface outside object-group og_service_webserver_permit
access-group acl_inbound_outside in interface outside
Does acl_inbound_outside apply to second static mapping as well when interface outside is used? Or do I have to add:
access-list acl_inbound_outside extended permit tcp any 90.x.y.3 255.255.255.255 object-group og_service_webserver_permit
as well?
10-03-2011 07:14 AM
Not sure I follow.
You would need to add -
access-list acl_inbound_outside permit tcp any host 90.x.y.3 object-group og_service_webserver_permit
Jon
10-03-2011 07:59 AM
you would need static entries for the https as well
static (inside,outside) tcp interface https 172.16.0.10 https netmask 255.255.255.255
static (inside,outside) tcp 90.x.y.3 https 172.16.0.11 https netmask 255.255.255.255
and as Jon said above, add the acl to allow traffic to the servers
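The 07:09 question (does an ACE written against "interface outside" also cover the second static on 90.x.y.3?) and Jon's answer that a separate "host 90.x.y.3" ACE is needed can be checked with a small model. The script below is an added illustration written for this thread, not Cisco code and not the original poster's configuration: it models only first-match ACEs with an implicit deny, a TCP port object-group, and the difference between the interface's own address and a separate host address. The public addresses are constructed stand-ins from TEST-NET-1 (192.0.2.2 for the outside interface IP, 192.0.2.3 for the second static), since the thread masks them as 90.x.y.2 and 90.x.y.3.

```python
"""Simplified model of inbound ACL evaluation on the outside interface.

Added illustration for this thread; not Cisco code. It models just what the
question needs: first-match ACEs, implicit deny, a TCP port object-group, and
"interface outside" (the interface's own IP) versus "host <ip>".
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed placeholders for the thread's masked public addresses:
# 90.x.y.2 (outside interface IP) and 90.x.y.3 (second static mapping).
OUTSIDE_IF_IP = "192.0.2.2"
SERVER2_PUBLIC_IP = "192.0.2.3"

# object-group service og_service_webserver_permit tcp
#  port-object eq www / port-object eq https
OG_WEBSERVER_PERMIT = frozenset({80, 443})


@dataclass(frozen=True)
class Ace:
    action: str          # "permit" or "deny"
    src: str             # source network in CIDR; "0.0.0.0/0" stands for "any"
    dst_host: str        # single destination address ("interface outside" or "host x")
    dports: frozenset    # destination ports from the object-group

    def matches(self, src_ip: str, dst_ip: str, dport: int) -> bool:
        return (ip_address(src_ip) in ip_network(self.src)
                and ip_address(dst_ip) == ip_address(self.dst_host)
                and dport in self.dports)


def evaluate(acl, src_ip: str, dst_ip: str, dport: int) -> bool:
    """First matching ACE decides; no match means the implicit deny applies."""
    for ace in acl:
        if ace.matches(src_ip, dst_ip, dport):
            return ace.action == "permit"
    return False


# ACL as in the 07:09 post: only "interface outside" is permitted.
ACL_ORIGINAL = [
    Ace("permit", "0.0.0.0/0", OUTSIDE_IF_IP, OG_WEBSERVER_PERMIT),
]

# ACL after adding the ACE Jon gave for the second public address.
ACL_WITH_HOST_ACE = ACL_ORIGINAL + [
    Ace("permit", "0.0.0.0/0", SERVER2_PUBLIC_IP, OG_WEBSERVER_PERMIT),
]


def check_flows(acl) -> dict:
    """Evaluate constructed inbound flows; returns {(dst_ip, dport): permitted}."""
    flows = [
        (OUTSIDE_IF_IP, 80), (OUTSIDE_IF_IP, 443),
        (SERVER2_PUBLIC_IP, 80), (SERVER2_PUBLIC_IP, 443),
        (SERVER2_PUBLIC_IP, 22),   # non-web port: must stay denied in both ACLs
    ]
    client = "203.0.113.7"         # constructed Internet client address
    return {flow: evaluate(acl, client, *flow) for flow in flows}


if __name__ == "__main__":
    for name, acl in (("original ACL", ACL_ORIGINAL),
                      ("with host ACE", ACL_WITH_HOST_ACE)):
        print(name)
        for (dst, port), ok in check_flows(acl).items():
            print(f"  {dst}:{port} -> {'permit' if ok else 'deny'}")
```

With the original ACL, web traffic to the second public address is dropped by the implicit deny; adding the host ACE permits 80 and 443 there while 22 stays denied. The model covers only the ACL: the static entries from the thread still have to exist for the ASA to translate the flow to 172.16.0.11.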