How do I filter and reroute web traffic to internal network?

Benjamin Van Ditmars
filter website traffic on asa 5500?
How do I check and reroute the HTTP traffic to our public IP address to the correct internal server?

The webmail should go to the mailserver and the websites to the webserver.
Is it possible to filter and reroute this traffic?

Not sure what you mean by "filter" in this context, but if you only have the one public IP address that is on your outside ASA interface to work with for inbound traffic, you won't be able to redirect TCP 80 (WWW) to both an internal web server and to the mail server.  You will have to use another port for one of them because the ASA cannot differentiate between the two servers to route the traffic properly when traffic comes in on the same port that is destined for two different servers.  For example,

static (inside,outside) tcp interface www 192.168.1.4 www netmask 255.255.255.255
static (inside,outside) tcp interface 8080 192.168.1.5 www netmask 255.255.255.255

The above two statements would take any inbound traffic from the Internet pointed to the public interface IP address on port TCP 80 and redirect it to TCP 80 on internal server 192.168.1.4.  It would also redirect any inbound traffic from the Internet pointed to the public interface IP address on port TCP 8080 and redirect it to TCP 80 on internal server 192.168.1.5.

Does this make sense?  Let me know if I need to clarify further...

Author

Commented:
I want to have several websites on more than 1 webserver.
intranet.mysite.nl should point to 192.168.40.1
webmail.mysite should point to 192.168.40.2
www.othersite.nl should point to 192.168.40.5
etc.
You will either need an individual public IP address per website or you will need to use different destination ports for people to hit inbound when they try to access a website...no other way around it on an ASA.  For example, if you only have a single public IP address already being used on the outside interface, then to use ports to access these websites, you could use a command syntax similar to what I already stated above:

static (inside,outside) tcp interface www 192.168.40.1 www netmask 255.255.255.255
static (inside,outside) tcp interface 8080 192.168.40.2 www netmask 255.255.255.255
static (inside,outside) tcp interface 9090 192.168.40.5 www netmask 255.255.255.255
access-list outside_access_in extended permit tcp any interface outside eq www
access-list outside_access_in extended permit tcp any interface outside eq 8080
access-list outside_access_in extended permit tcp any interface outside eq 9090
access-group outside_access_in in interface outside

Then, once these commands are entered, a user on the Internet would use the following URL to get to "intranet.mysite.nl":

http://<public_IP_address>

Subsequently, a user on the Internet would use the following URL to get to "webmail.mysite.nl":

http://<public_IP_address>:8080

Finally, a user would use the following URL to get to "www.othersite.nl":

http://<public_IP_address>:9090

Author

Commented:
Isn't it possible to reroute by the DNS name?
Like an ISA server can?  I think it must be possible?

Any comments?
Not on a PIX...

Author

Commented:
Using reverse proxy may do the job
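
The reverse-proxy approach mentioned in the last comment, as an added example that is not part of the original thread: an nginx configuration that picks the backend from the HTTP Host header, which the port-based static NAT rules cannot do. The proxy address 192.168.40.10 and the hostname webmail.mysite.nl are assumptions; the backend addresses are the ones given in the question.

```nginx
# Added example, not from the thread. Assumption: nginx runs on a
# hypothetical host 192.168.40.10 and the ASA forwards the single public
# TCP 80 to it, using the same static syntax shown in the thread:
#   static (inside,outside) tcp interface www 192.168.40.10 www netmask 255.255.255.255
#   access-list outside_access_in extended permit tcp any interface outside eq www

events {}

http {
    # Catch-all: a request whose Host header matches none of the sites
    # below (scanners hitting the bare IP, forged Host values) is dropped
    # instead of falling through to the first backend.
    server {
        listen 80 default_server;
        server_name _;
        return 444;   # nginx-specific: close the connection, send nothing
    }

    server {
        listen 80;
        server_name intranet.mysite.nl;
        location / {
            proxy_pass http://192.168.40.1:80;
            proxy_set_header Host $host;   # backend sees the original name
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
    }

    server {
        listen 80;
        server_name webmail.mysite.nl;   # assumed full name of the webmail site
        location / {
            proxy_pass http://192.168.40.2:80;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
    }

    server {
        listen 80;
        server_name www.othersite.nl;
        location / {
            proxy_pass http://192.168.40.5:80;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
    }
}
```

With this in place only the proxy is reachable from the outside interface, so the 8080 and 9090 statics and their access-list entries are no longer needed.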
