obautista

asked on

Cisco ASA5505 NAT Rule and Reverse Proxy

Wondering if someone can help me with the proper commands to run on an ASA5505 to create some NAT Rules and a Reverse Proxy. I am still in the process of learning. Your help is very much appreciated.
Public IP          Local IP
75.149.66.202  =>  192.168.1.41 on Port# 5061 and 443
75.149.66.203  =>  192.168.1.42 on Port# 443
75.149.66.204  =>  192.168.1.43 on Port# 443

Reverse Proxy:
Public IP          Local IP
75.149.66.205  =>  192.168.1.40


ASKER CERTIFIED SOLUTION
ullas_unni
This solution is only available to members.
obautista

ASKER

I have attached my current running-config just to show my current configuration. Specifically, I just want to make sure the netmask you indicate will work in my environment. My outside subnet is 255.255.255.248. I am assuming the 255.255.255.255 is okay. My current running config shows how I have it set up and working today. Thanks for the clarification.

Regarding the reverse proxy: if I understand correctly, Reverse Proxy on an ASA is just another NAT rule, correct? The gist of Reverse Proxy is to just proxy in-bound traffic (traffic from the outside) to an internal IP (or Server), correct?

Basically, I am setting up a Test Office Communications Server.  Recommended way is to use ISA to handle the proxy, but I want to just do it on the ASA for the time being.
ASA Version 8.2(1)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password ** encrypted
passwd ** encrypted
names
name 192.168.1.6 HTTP_ACCESS
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 75.149.66.201 255.255.255.248
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa821.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
object-group service HTTP tcp
 port-object eq www
access-list cisco_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list outside-access-in extended permit tcp any host 75.149.66.201 eq https
access-list outside-access-in extended permit tcp any host 75.149.66.201 eq www
access-list outside-access-in extended permit tcp any host 75.149.66.201 eq smtp
access-list outside-access-in extended deny ip any any log
access-list INSIDE extended permit ip any any
access-list HTTP_access extended permit tcp any interface outside eq https inactive
pager lines 24
logging enable
logging monitor debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool RemoteClientPool 10.10.10.100-10.10.10.110 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm623.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface www HTTP_ACCESS www netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.1.3 https netmask 255.255.255.255
static (inside,outside) tcp interface smtp 192.168.1.3 smtp netmask 255.255.255.255
access-group INSIDE in interface inside

route outside 0.0.0.0 0.0.0.0 75.149.66.206 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication telnet console LOCAL
aaa authentication serial console LOCAL
aaa authentication enable console LOCAL
http server enable 448
http 192.168.1.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set **
crypto ipsec transform-set **
crypto ipsec transform-set **
crypto ipsec transform-set **
crypto ipsec transform-set **
crypto ipsec transform-set **
crypto ipsec transform-set **
crypto ipsec transform-set **
crypto ipsec transform-set **
crypto ipsec transform-set **
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set **
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint localtrust
 enrollment self
 crl configure
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point localtrust outside
webvpn
 port 500
 enable inside
 enable outside
 svc image disk0:/AnyConnect-Windows.pkg 1
 svc enable
 tunnel-group-list enable
group-policy cisco internal
group-policy cisco attributes
 dns-server value 192.168.1.2
 vpn-tunnel-protocol svc webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value cisco_splitTunnelAcl
 default-domain value techblendshost
 address-pools value RemoteClientPool
username test1 password ** encrypted privilege 15
username admin password ** encrypted privilege 15
username obautista password ** encrypted privilege 15
username obautista attributes
 vpn-group-policy cisco
tunnel-group cisco type remote-access
tunnel-group cisco general-attributes
 address-pool RemoteClientPool
 default-group-policy cisco
tunnel-group cisco ipsec-attributes
 pre-shared-key *
!
class-map global-class
 match default-inspection-traffic
!
!
policy-map global_policy
policy-map global-policy
 class global-class
  inspect ftp
!
prompt hostname context
Cryptochecksum:**
: end
ciscoasa#


SOLUTION
SOLUTION
Regarding the reverse proxy, did you mean:
static (inside,outside) 75.149.66.205 80 192.168.1.40 netmask 255.255.255.255

instead of:
static (inside,outside) 75.149.66.203 80 192.168.1.42 netmask 255.255.255.255

Why do you mention I need another static?
SOLUTION
ArneLovius
Yup, that's right!!
After posting, I see that others have already commented...

What I understood you to mean by reverse proxy was that you want outbound traffic to appear on a specific address. On reading the extra that you have added, I think you might just want another static NAT...

ArneLovius, do the commands you posted do the exact same thing as the commands ullas_unni posted? Meaning I can run either to get the same results.

Thanks again -
Sorry, last question - does this command need the "tcp" in front of the external IP:

static (inside,outside) 75.149.66.205 80 192.168.1.40 netmask 255.255.255.255

I.E.
static (inside,outside) tcp 75.149.66.205 80 192.168.1.40 netmask 255.255.255.255
Not necessary, but may I know what port it will be using?
Not sure on the port, but that is simply indicating the right port on these commands, right?

static (inside,outside) 75.149.66.205 <port> 192.168.1.40 <port> netmask 255.255.255.255
access-list outside-access-in extended permit tcp any host 75.149.66.205 eq <port>
access-list outside-access-in extended permit tcp any host 75.149.66.205 eq <port no> *

* You didn't mention the port it uses?
OK, so this is how it works: if you have static (inside,outside) tcp ... then you need to mention the ports; otherwise, if you have static (inside,outside) without the tcp, it applies to all ports, basically IP.
So you can mention the port either on the access-list or on the static.

static (inside,outside) tcp 75.149.66.205  192.168.1.40  netmask 255.255.255.255
access-list outside-access-in extended permit tcp any host 75.149.66.205 eq  
Ignore the extra 3 <port> after the access-list; it was a typo.
Yes, it is functionally the same, but with a layer of abstraction, which can help make it clearer (or make it worse, depending on your view).
OK, if you know the ports, this should be it:
static (inside,outside) tcp 75.149.66.205 <port> 192.168.1.40 <port> netmask 255.255.255.255
access-list outside-access-in extended permit tcp any host 75.149.66.205 eq <port>

If you don't know the ports:
static (inside,outside) 75.149.66.205 192.168.1.40 netmask 255.255.255.255
access-list outside-access-in extended permit ip any host 75.149.66.205

Knowing the ports makes it more secure, since you only open the required ports and block communications on any other ports for that IP.
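As an added example (not from the thread, not Cisco's code), the Python script below takes the address table from the question and the outside interface, mask and default route from the posted running-config, and generates the ASA 8.2 static and access-list lines in both styles discussed above: port-specific statics with the tcp keyword when the ports are known, and a whole-host static without it when they are not. Before emitting anything it checks each mapped public address against the outside subnet, which is the netmask question from earlier in the thread: the netmask 255.255.255.255 on a static is a host match for the mapped address and is independent of the interface mask; what has to hold is that the mapped address sits inside the /29 and does not collide with the interface address, the gateway, or the network/broadcast address. It ends with an access-group line, because the posted config defines outside-access-in but shows no access-group applying it to the outside interface, and statics alone do not admit traffic from a lower-security interface. The names MAPPINGS, check_mapping, static_lines and build_config are chosen here and are not ASA terms.

```python
import ipaddress

# Values taken from the thread: the outside interface is 75.149.66.201 with
# mask 255.255.255.248 (a /29), the default route points at 75.149.66.206,
# and the outside ACL in the posted config is named outside-access-in.
OUTSIDE_IF_IP = ipaddress.ip_address("75.149.66.201")
OUTSIDE_NET = ipaddress.ip_network("75.149.66.200/29")
OUTSIDE_GATEWAY = ipaddress.ip_address("75.149.66.206")
INSIDE_NET = ipaddress.ip_network("192.168.1.0/24")
ACL_NAME = "outside-access-in"

# The mapping table from the question. A non-empty port list produces one
# port-specific "static ... tcp" per port; an empty list produces the
# whole-host static (no tcp keyword), which forwards every port.
MAPPINGS = [
    ("75.149.66.202", "192.168.1.41", [5061, 443]),
    ("75.149.66.203", "192.168.1.42", [443]),
    ("75.149.66.204", "192.168.1.43", [443]),
    ("75.149.66.205", "192.168.1.40", []),  # the "reverse proxy" host, port unknown
]


def check_mapping(public_ip, local_ip):
    """Return a list of reasons this public/local pair cannot be used as given.

    'netmask 255.255.255.255' on a static is a host match for the mapped
    address and has nothing to do with the interface mask. What matters is
    that the mapped address lies inside the outside subnet and does not
    collide with the interface, the gateway, or the network/broadcast address.
    """
    pub = ipaddress.ip_address(public_ip)
    loc = ipaddress.ip_address(local_ip)
    problems = []
    if pub not in OUTSIDE_NET:
        problems.append(f"{pub} is not inside the outside subnet {OUTSIDE_NET}")
    elif pub in (OUTSIDE_NET.network_address, OUTSIDE_NET.broadcast_address):
        problems.append(f"{pub} is the network or broadcast address of {OUTSIDE_NET}")
    if pub == OUTSIDE_IF_IP:
        problems.append(f"{pub} is the interface address; use 'static ... interface' for it")
    if pub == OUTSIDE_GATEWAY:
        problems.append(f"{pub} is the default gateway")
    if loc not in INSIDE_NET:
        problems.append(f"{loc} is not on the inside subnet {INSIDE_NET}")
    return problems


def static_lines(public_ip, local_ip, ports):
    """ASA 8.2 static and access-list lines for one mapping, in the two styles from the thread."""
    lines = []
    if ports:
        for port in ports:
            lines.append(f"static (inside,outside) tcp {public_ip} {port} "
                         f"{local_ip} {port} netmask 255.255.255.255")
            lines.append(f"access-list {ACL_NAME} extended permit tcp any "
                         f"host {public_ip} eq {port}")
    else:
        lines.append(f"static (inside,outside) {public_ip} {local_ip} "
                     f"netmask 255.255.255.255")
        lines.append(f"access-list {ACL_NAME} extended permit ip any host {public_ip}")
    return lines


def build_config(mappings):
    """Validate every mapping, emit its lines, then bind the ACL to the outside interface.

    Raises ValueError on the first bad mapping or duplicated public address,
    so a typo never reaches the firewall.
    """
    seen = set()
    out = []
    for public_ip, local_ip, ports in mappings:
        problems = check_mapping(public_ip, local_ip)
        if problems:
            raise ValueError("; ".join(problems))
        if public_ip in seen:
            raise ValueError(f"{public_ip} is mapped twice")
        seen.add(public_ip)
        out.extend(static_lines(public_ip, local_ip, ports))
    # Statics alone do not admit traffic arriving on the lower-security
    # outside interface; the ACL has to be applied to that interface.
    out.append(f"access-group {ACL_NAME} in interface outside")
    return out


if __name__ == "__main__":
    print("\n".join(build_config(MAPPINGS)))
```

One ordering caveat when pasting the output into the posted config: that access-list already ends with deny ip any any log, and a new entry added without a position is appended after it, where it never matches. Insert the permits ahead of the deny with the access-list outside-access-in line N extended ... form, or remove the deny and re-add it last.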
SOLUTION
Thanks a lot.