obautista
asked on
Cisco ASA5505 NAT Rule and Reverse Proxy
Wondering if someone can help me with the proper commands to run on a ASA5505 to create some NAT Rules and a Reverse Proxy. I am still in the process of learning. Your help is very much appreciated.
Public IP => Local IP
75.149.66.202 => 192.168.1.41 on Port# 5061 and 443
75.149.66.203 => 192.168.1.42 on Port# 443
75.149.66.204 => 192.168.1.43 on Port# 443
Reverse Proxy:
Public IP => Local IP
75.149.66.205 => 192.168.1.40
ASKER
Regarding the reverse proxy, did you mean:
static (inside,outside) 75.149.66.205 80 192.168.1.40 netmask 255.255.255.255
instead of:
static (inside,outside) 75.149.66.203 80 192.168.1.42 netmask 255.255.255.255
Why do you mention I need another static?
yup that's right!!
after posting, I see that others have already commented...
I understood what you meant by reverse proxy, was that you want outbound traffic to appear on a specific address. On reading the extra that you have added, I think you might just want another static NAT...
ASKER
ArneLovius, do the commands you posted do the exact same thing the commands ullas_unni posted? Meaning I can run either to get the same results.
Thanks again -
ASKER
Sorry, last question - does this command need the "tcp" in front of the external IP:
static (inside,outside) 75.149.66.205 80 192.168.1.40 netmask 255.255.255.255
I.E.
static (inside,outside) tcp 75.149.66.205 80 192.168.1.40 netmask 255.255.255.255
Not necessary.. but may I know what port it will be using??
ASKER
Not sure on the port, but that is simply indicating the right port on these commands, right?
static (inside,outside) 75.149.66.205 <port> 192.168.1.40 <port> netmask 255.255.255.255
access-list outside-access-in extended permit tcp any host 75.149.66.205 eq <port>
access-list outside-access-in extended permit tcp any host 75.149.66.205 eq <port no> *
* you didn't mention the port it uses??
OK, so this is how it works: if you have static (inside,outside) tcp ... then you need to mention the ports; otherwise, if you have static (inside,outside) without the tcp, then it takes all ports.. basically IP...
so either you can mention the port on the access-list or the static.
static (inside,outside) tcp 75.149.66.205 <port> 192.168.1.40 <port> netmask 255.255.255.255
access-list outside-access-in extended permit tcp any host 75.149.66.205 eq <port>
ignore the extra 3 <port> after the access-list.. it was a typo...
yes it is functionally the same, but with a layer of abstraction, which can help make it clearer (or make it worse depending on your view)
ok if you know the ports this should be it:
static (inside,outside) tcp 75.149.66.205 <port> 192.168.1.40 <port> netmask 255.255.255.255
access-list outside-access-in extended permit tcp any host 75.149.66.205 eq <port>
if you don't know the ports:
static (inside,outside) 75.149.66.205 192.168.1.40 netmask 255.255.255.255
access-list outside-access-in extended permit ip any host 75.149.66.205
knowing the ports makes it more secure since you only open the required ports and block communications in any other ports for that ip
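The two posts above (the tcp-vs-no-tcp explanation, and the "knowing the ports makes it more secure" answer) boil down to one rule: what an outside host can actually reach on a public IP is the intersection of what the static translates and what the applied access-list permits. The script below is an added example, not from the thread or from Cisco, that applies that rule to a constructed config in the thread's pre-8.3 ASA syntax (`static` / `access-list` / `access-group`) and reports, per public IP, which ports end up reachable from outside, flagging any IP that is exposed on every port. The addresses follow the thread; the port numbers are made up, and the regexes only cover the command forms that appear in this thread.

```python
import re

# Constructed sample config in the pre-8.3 ASA syntax used in this thread.
# Addresses follow the thread; the port values are made up (the asker never gave them).
SAMPLE_CONFIG = """
static (inside,outside) tcp 75.149.66.202 443 192.168.1.41 443 netmask 255.255.255.255
static (inside,outside) tcp 75.149.66.202 5061 192.168.1.41 5061 netmask 255.255.255.255
static (inside,outside) tcp 75.149.66.203 443 192.168.1.42 443 netmask 255.255.255.255
static (inside,outside) 75.149.66.205 192.168.1.40 netmask 255.255.255.255
access-list outside-access-in extended permit tcp any host 75.149.66.202 eq 443
access-list outside-access-in extended permit tcp any host 75.149.66.202 eq 5061
access-list outside-access-in extended permit tcp any host 75.149.66.203 eq 443
access-list outside-access-in extended permit ip any host 75.149.66.205
access-group outside-access-in in interface outside
"""

IP = r"\d+\.\d+\.\d+\.\d+"

# static (real,mapped) [tcp|udp] <public> [<pub_port>] <local> [<local_port>] netmask <mask>
STATIC_RE = re.compile(
    rf"^static \((?P<real>\w+),(?P<mapped>\w+)\)\s+(?:(?P<proto>tcp|udp)\s+)?"
    rf"(?P<pub>{IP})\s+(?:(?P<pub_port>\S+)\s+)?"
    rf"(?P<local>{IP})\s+(?:(?P<local_port>\S+)\s+)?netmask\s+(?P<mask>\S+)\s*$"
)
# access-list <name> extended permit|deny <proto> any|host X host <dst> [eq <port>]
ACL_RE = re.compile(
    rf"^access-list (?P<name>\S+) extended (?P<action>permit|deny) (?P<proto>\S+) "
    rf"(?P<src>any|host {IP}) host (?P<dst>{IP})(?: eq (?P<port>\S+))?\s*$"
)
# access-group <name> in interface <iface>  (an ACL does nothing until it is applied)
ACCESS_GROUP_RE = re.compile(r"^access-group (?P<name>\S+) in interface (?P<iface>\S+)\s*$")


def parse(config):
    """Collect translated public IPs, permitted inbound entries, and the ACL names actually applied."""
    statics, acls, bound = {}, {}, set()
    for raw in config.splitlines():
        line = raw.strip()
        m = STATIC_RE.match(line)
        if m:
            entry = statics.setdefault(m["pub"], {"local": m["local"], "ports": set(), "all_ports": False})
            if m["proto"] and m["pub_port"]:
                entry["ports"].add(m["pub_port"])   # port-level static: only this port is translated
            else:
                entry["all_ports"] = True           # IP-level static: every port is translated
            continue
        m = ACL_RE.match(line)
        if m:
            if m["action"] == "permit":
                entry = acls.setdefault((m["name"], m["dst"]), {"ports": set(), "all_ports": False})
                # "permit ip" or a permit with no "eq" opens every port (approximated as all ports)
                if m["proto"] == "ip" or not m["port"]:
                    entry["all_ports"] = True
                else:
                    entry["ports"].add(m["port"])
            continue
        m = ACCESS_GROUP_RE.match(line)
        if m:
            bound.add(m["name"])
    return statics, acls, bound


def port_key(p):
    """Sort numeric ports numerically and named ports (e.g. https) after them."""
    return (0, int(p)) if p.isdigit() else (1, p)


def effective_exposure(config=SAMPLE_CONFIG):
    """Map each translated public IP to "ALL" or the sorted list of ports reachable from outside."""
    statics, acls, bound = parse(config)
    result = {}
    for pub, nat in statics.items():
        permitted = {"ports": set(), "all_ports": False}
        for (name, dst), acl in acls.items():
            if dst == pub and name in bound:        # only ACLs applied to an interface count
                permitted["ports"] |= acl["ports"]
                permitted["all_ports"] |= acl["all_ports"]
        if nat["all_ports"] and permitted["all_ports"]:
            result[pub] = "ALL"                     # IP-level static + permit ip: fully exposed
        elif nat["all_ports"]:
            result[pub] = sorted(permitted["ports"], key=port_key)
        elif permitted["all_ports"]:
            result[pub] = sorted(nat["ports"], key=port_key)
        else:
            result[pub] = sorted(nat["ports"] & permitted["ports"], key=port_key)
    return result


def overexposed(config=SAMPLE_CONFIG):
    """Public IPs on which every port is reachable: the case the thread warns against."""
    return sorted(pub for pub, ports in effective_exposure(config).items() if ports == "ALL")


if __name__ == "__main__":
    for pub, ports in effective_exposure().items():
        print(f"{pub}: {ports}")
    print("exposed on all ports:", overexposed())
```

Two points the thread's commands leave implicit: an `access-list` has no effect until an `access-group ... in interface outside` line applies it, so the script ignores unbound ACLs (inbound traffic to the outside interface is denied by default), and a port-level static restricts exposure even when the ACL is wide open, while an IP-level static relies entirely on the ACL for that restriction.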
ASKER
Thanks a lot.
ASKER
Regarding the reverse proxy. If I understand correctly, Reverse Proxy on an ASA is just another NAT rule, correct? The gist of Reverse Proxy is to just proxy in-bound traffic (traffic from the outside to an internal IP (or Server)), correct?
Basically, I am setting up a Test Office Communications Server. Recommended way is to use ISA to handle the proxy, but I want to just do it on the ASA for the time being.