Simple ASA 5510 NAT Question

Right now we have an internal server that is accessed through a Proxy Server.

The proxy server has 2 network cards.  1 of them has an external IP address of 12.xxx.xxx.xxx that we own and is attached directly to our outside switch.  The other network card has an internal address of 150.50.1.82 and it forwards traffic requests from the outside world onto another server with an address of 150.50.1.80.  This connection uses Port 443 (HTTPS).

We are looking to remove this proxy server from the setup and just utilize NAT with our ASA 5510 firewall instead.

So I did the following:

---Create Static Nat Rule

object network obj-150.50.1.80
  nat (INSIDE, OUTSIDE) static 12.xxx.xxx.xxx

---Create ACL Rules

access-list INSIDE_access_out extended permit tcp host 12.xxx.xxx.xxx any eq https
access-list OUTSIDE_access_in extended permit tcp any host 150.50.1.80 eq https

I assumed that this would take care of it, so I unplugged the Ethernet cable from the outside switch coming from the proxy server and waited for the traffic to start switching over to the ASA, but this never happened.  I waited for about an hour and it never started working, so I eventually had to plug the proxy back in.

Is there something else that I am missing here?  I thought that was all that was needed.
gedruspax Asked:
 
fgasimzade Commented:
access-list INSIDE_access_out extended permit tcp host 12.xxx.xxx.xxx any eq https

change it to

access-list INSIDE_access_out extended permit tcp host 150.50.1.80  any eq https
0
 
xDUCKx Commented:
Where are you defining where the ACLs are applied?  Normally it's something like:

nat(inside,outside) static 12.xxx.xxx.xxx INSIDE_Access_out <Access-List2 Access-List3 etc>

0
 
gedruspax (Author) Commented:
After my NAT statements in the config I have

access-group INSIDE_access_out in interface INSIDE_INF
access-group INSIDE_INF_access_out out interface INSIDE_INF
access-group OUTSIDE_access_in in interface OUTSIDE
access-group OUTSIDE_access_out out interface OUTSIDE

Is that what you are talking about?

Keep in mind this is ASA 8.4 with the revised NAT syntax
0
 
gedruspax (Author) Commented:
Also I have some other NAT rules in place that are working.

I have one, for example, that translates a public IP to the internal IP of our Exchange server so we can use the front end for iPads and iPhones.  And it is set up the same way and working.

object network obj-150.50.1.18
 nat (INSIDE,OUTSIDE) static 12.xxx.xxx.xxx

access-list DMZ_access_in extended permit tcp any host 150.50.1.18 eq https
access-list DMZ_access_in extended permit tcp any host 150.50.1.18 eq smtp
access-list DMZ_access_in extended permit tcp any host 150.50.1.18 eq pop3
access-list DMZ_access_in extended permit tcp any host 150.50.1.18 eq http
0
 
gedruspax (Author) Commented:
I will try changing the access rule and see if that works.
0
Question has a verified solution.
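
Added example, not part of the original thread: a small Python check for the two points raised above. On ASA 8.3 and later, access-list entries are written against the real (untranslated) address, so an ACE naming the mapped public address does not match the server's traffic (fgasimzade's fix), and an ACL only filters once an access-group binds it (xDUCKx's question). The `host` line under the object and the address 192.0.2.10, standing in for the masked 12.xxx.xxx.xxx, are assumptions.

```python
import re

# Constructed sample: 192.0.2.10 stands in for the masked public address and
# the "host" line is assumed; the other lines mirror the config in the thread.
SAMPLE_CONFIG = """\
object network obj-150.50.1.80
 host 150.50.1.80
 nat (INSIDE,OUTSIDE) static 192.0.2.10
access-list INSIDE_access_out extended permit tcp host 192.0.2.10 any eq https
access-list OUTSIDE_access_in extended permit tcp any host 150.50.1.80 eq https
access-group INSIDE_access_out in interface INSIDE
access-group OUTSIDE_access_in in interface OUTSIDE
"""

def parse_static_nat(config):
    """Return {mapped_ip: real_ip} for object NAT static rules (8.3+ syntax)."""
    real, mapped, current = {}, {}, None
    for line in config.splitlines():
        if m := re.match(r"object network (\S+)", line):
            current = m.group(1)
        elif current and (m := re.match(r"\s+host (\S+)", line)):
            real[current] = m.group(1)
        elif current and (m := re.match(r"\s+nat \(\S+?,\s*\S+?\) static (\S+)", line)):
            mapped[current] = m.group(1)
        elif not line.startswith(" "):
            current = None  # left the object's sub-mode
    return {mapped[o]: real[o] for o in mapped if o in real}

def audit_acls(config):
    """Flag ACEs naming a mapped address and ACLs that no access-group binds."""
    nat = parse_static_nat(config)
    bound = set(re.findall(r"^access-group (\S+) ", config, re.M))
    findings, seen = [], set()
    for line in config.splitlines():
        m = re.match(r"access-list (\S+) extended ", line)
        if not m:
            continue
        acl = m.group(1)
        for ip in re.findall(r"\bhost (\S+)", line):
            if ip in nat:  # 8.3+ ACLs are evaluated against the real address
                findings.append((acl, "mapped-ip", f"{ip} -> use real {nat[ip]}"))
        if acl not in bound and acl not in seen:
            findings.append((acl, "unbound", "no access-group references this ACL"))
        seen.add(acl)
    return findings

if __name__ == "__main__":
    for finding in audit_acls(SAMPLE_CONFIG):
        print(*finding, sep=" | ")
```

Run against the sample, it reports the `INSIDE_access_out` entry that names the mapped address; with that entry changed to the real address 150.50.1.80, it reports nothing.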
