Running a Reverse Proxy at DMZ with a single public IP Address Only

Hi all Cisco experts,

I am facing a scenario and need to find out the best practice to implement it and do the configuration on my ASA 51xx series firewall. There are three interfaces on my ASA (Outside, DMZ, Inside).

My ISP provides me with a single public IP address only, which I configured on "Outside"; for example, this single public IP is "201.201.201.100".

Now, I have multiple web servers, email servers, etc. Also, I am using SSLVPN on the ASA, for which I configured another port like 88443. Because only one public IP address is provided by the ISP, I would like to set up a reverse proxy server in the DMZ and redirect all traffic back to the relevant web servers at "Inside".

My reverse proxy server in the DMZ: IP address 192.168.10.10
My public web server in the DMZ: IP address 192.168.10.20
My internal web server: IP address 192.168.20.1
My internal email server: IP address 192.168.20.2

The Outside interface IP address on the ASA is 201.201.201.100

When I tried to use these commands for NATting, I got an "overlapping" warning:

hostname (config)# object network DMZ_ReverseProxy
hostname (config-network-object)# host 192.168.10.10
hostname (config-network-object)# nat (dmz,outside) static 201.201.201.100 service tcp http http


How can I implement this configuration?

1. If the traffic is for port 88443 (SSLVPN), it should terminate at the ASA for SSLVPN purposes.

2. If the traffic is for port 80 or port 443, it should be forwarded to my reverse proxy (192.168.10.10); then my reverse proxy server will forward https to 192.168.20.1 at "Inside" and http to 192.168.10.20 in the "DMZ", respectively.

3. If the traffic is for port 25, the ASA should forward it to the email server 192.168.20.2.

What kind of NAT/PAT should be used, and how?

Thanks in advance.

Please give me some ideas.

Thanks!

2 Replies

This won't work on the ASA. The ASA has a restriction on redirection which limits it to working only if both the proxy and the LAN are in the same subnet. Otherwise the ASA will drop the traffic. This is the case if you try WCCP redirection or PBR.

For the NAT, try the following:

nat (dmz,outside) static x.x.x.x no-proxy-arp service tcp www www

My reverse proxy has two legs: one on the DMZ and one on the LAN side.
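For the three requirements in the question, here is an added worked configuration (constructed for this thread, not the poster's or the replier's own config) using ASA 8.3+ object NAT with static PAT to the outside interface address: the `interface` keyword stands in for the literal 201.201.201.100, which is the usual way to port-forward when the only public address is the outside interface's own, and so avoids the overlap warning the poster hit. The interface names outside/dmz/inside, the host addresses and the 88443 SSL VPN port are taken from the question; the object and ACL names are assumptions.

```cisco
! Constructed example, ASA 8.3+ object-NAT syntax.
! Assumed nameifs: outside, dmz, inside. Object/ACL names are placeholders.
!
! --- 1. SSL VPN terminates on the ASA itself on TCP/88443 ---
! Moving WebVPN off 443 frees that port for the static PAT below.
! (Also make sure ASDM/HTTPS management is not listening on 443 on outside.)
webvpn
 port 88443
 enable outside
!
! --- 2. TCP/80 and TCP/443 go to the reverse proxy in the DMZ ---
! Object NAT allows one nat statement per object, so the same host
! gets one object per forwarded port.
object network DMZ_ReverseProxy_HTTP
 host 192.168.10.10
 nat (dmz,outside) static interface service tcp www www
!
object network DMZ_ReverseProxy_HTTPS
 host 192.168.10.10
 nat (dmz,outside) static interface service tcp https https
!
! --- 3. TCP/25 goes straight to the internal mail server ---
object network INSIDE_Mail
 host 192.168.20.2
 nat (inside,outside) static interface service tcp smtp smtp
!
! Outside ACL: permit only the three forwarded ports. ASA 8.3+ ACLs
! match the real (untranslated) destination, so the private hosts are named.
access-list OUTSIDE_IN extended permit tcp any host 192.168.10.10 eq www
access-list OUTSIDE_IN extended permit tcp any host 192.168.10.10 eq https
access-list OUTSIDE_IN extended permit tcp any host 192.168.20.2 eq smtp
access-group OUTSIDE_IN in interface outside
!
! DMZ ACL: the proxy may reach the internal web server on 443 and nothing
! else on inside. Its hop to 192.168.10.20:80 stays on the DMZ segment and
! never crosses the ASA, so no rule is needed for it.
! Note: an inbound ACL on dmz replaces the implicit "lower-to-higher deny"
! with an explicit allow list, so also permit any DMZ egress you still need
! (for example the proxy's outbound updates), or it will be dropped.
access-list DMZ_IN extended permit tcp host 192.168.10.10 host 192.168.20.1 eq https
access-group DMZ_IN in interface dmz
```

Verify with `show nat detail` and `packet-tracer input outside tcp 203.0.113.5 12345 201.201.201.100 443` (203.0.113.5 is a documentation-range source address used here only for the test) that the 443 flow is translated to 192.168.10.10 and allowed by OUTSIDE_IN.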