Solved

Asa5505 to route port 443 to 2 different IP's

Posted on 2013-10-23
339 Views
Last Modified: 2013-10-27
Hi experts

I have a client with:
- only one IP address
- an ASA5505 in front
- 2 webservers on the inside

I need to direct all https / port 443 traffic to webserver #1, unless the traffic comes from a specific IP, in which case it needs to go to webserver #2.

Using a different port for server02 is not an option. Is this possible?

I tried this but it still directs everything to #1:
static (inside,outside) tcp x.x.x.x https webserver2 https netmask 255.255.255.255
static (inside,outside) tcp interface https webserver1 https netmask 255.255.255.255
Question by: Sander123

4 Comments
Accepted Solution

by: Henk van Achterberg (earned 450 total points)
ID: 39595654

And this?

object network webserver1
 host x.x.x.x

object network webserver2
 host x.x.x.x

object network special_ip
 host x.x.x.x

object service nat-https
 service tcp destination eq 443

nat (outside,inside) source static special_ip special_ip destination static interface webserver2 service nat-https nat-https unidirectional no-proxy-arp
nat (outside,inside) source static any any destination static interface webserver1 service nat-https nat-https unidirectional no-proxy-arp

access-list outside_access_in extended permit object nat-https object special_ip object webserver2
access-list outside_access_in extended permit object nat-https any object webserver1

I am doing this from memory, so if there is a syntax error please let me know!

P.S. You will need ASA version 9.x to do this properly!
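Added illustration, not part of the thread and not Cisco code: a small Python model of how an ASA 8.3+ walks its manual (section 1) NAT rules top-down and stops at the first match, which is why the special_ip rule in the answer above must sit before the catch-all `any` rule. All addresses are assumptions (the thread masks them as x.x.x.x); the model also reflects that on 8.3+ the interface ACL is evaluated against the real, untranslated server address rather than the public one.

```python
"""Ordered manual-NAT lookup, modelled in Python.

Constructed illustration, not Cisco code: it mimics how an ASA 8.3+ walks
its manual (twice) NAT rules top-down and stops at the first match, which is
why the special_ip rule has to sit above the catch-all 'any' rule.
All addresses below are assumptions; the thread masks them as x.x.x.x.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Assumed addresses (RFC 5737 documentation ranges and private space).
OUTSIDE_IF = ipaddress.ip_address("198.51.100.10")   # the single public IP
WEBSERVER1 = ipaddress.ip_address("192.168.1.11")
WEBSERVER2 = ipaddress.ip_address("192.168.1.12")
SPECIAL_IP = ipaddress.ip_network("203.0.113.5/32")  # object network special_ip
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class NatRule:
    """One 'nat (outside,inside) source static ... destination static ...' line."""
    src: ipaddress.IPv4Network          # original source on the outside
    mapped_dst: ipaddress.IPv4Address   # address the client actually connects to
    real_dst: ipaddress.IPv4Address     # inside server it is untranslated to
    port: int                           # 'service' object: tcp destination port


@dataclass(frozen=True)
class AclEntry:
    """One outside_access_in line; on 8.3+ the destination is the REAL address."""
    src: ipaddress.IPv4Network
    real_dst: ipaddress.IPv4Address
    port: int


# Rules in the order the accepted answer lists them: specific source first.
RULES_CORRECT = (
    NatRule(SPECIAL_IP, OUTSIDE_IF, WEBSERVER2, 443),
    NatRule(ANY, OUTSIDE_IF, WEBSERVER1, 443),
)

# The same two rules with the catch-all on top: the specific rule is shadowed.
RULES_WRONG_ORDER = tuple(reversed(RULES_CORRECT))

ACL = (
    AclEntry(SPECIAL_IP, WEBSERVER2, 443),
    AclEntry(ANY, WEBSERVER1, 443),
)


def translate(rules, src_ip: str, dst_ip: str, dst_port: int) -> Optional[ipaddress.IPv4Address]:
    """Return the real inside destination for an inbound flow, or None when no
    manual NAT rule matches. First match wins, as in the ASA's section 1."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for rule in rules:
        if src in rule.src and dst == rule.mapped_dst and dst_port == rule.port:
            return rule.real_dst
    return None


def permitted(acl, src_ip: str, real_dst: ipaddress.IPv4Address, dst_port: int) -> bool:
    """Interface ACL check. Post-8.3 the ACL sees the untranslated (real) IP."""
    src = ipaddress.ip_address(src_ip)
    return any(src in e.src and real_dst == e.real_dst and dst_port == e.port for e in acl)


def forward(rules, acl, src_ip: str, dst_ip: str, dst_port: int) -> Optional[ipaddress.IPv4Address]:
    """NAT lookup followed by the ACL check; None means the packet is dropped."""
    real_dst = translate(rules, src_ip, dst_ip, dst_port)
    if real_dst is None or not permitted(acl, src_ip, real_dst, dst_port):
        return None
    return real_dst


if __name__ == "__main__":
    for label, rules in (("correct order", RULES_CORRECT), ("wrong order", RULES_WRONG_ORDER)):
        for client in ("203.0.113.5", "203.0.113.99"):
            print(label, client, "->", forward(rules, ACL, client, str(OUTSIDE_IF), 443))
```

On the real box the equivalent check is `packet-tracer input outside tcp <special_ip> 12345 <outside_if_ip> 443`, run once from the special source and once from an arbitrary one, plus `show nat detail` to confirm rule order and hit counts. If the catch-all has ended up above the specific rule, the optional line number in the nat command (`nat (outside,inside) 1 source static ...`) inserts a rule at a given position.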
Author Comment

by: Sander123
ID: 39596682

Hi Henkva

Thanks, I probably should have mentioned this ASA is on firmware 7.2(4).
I could try to upgrade to firmware 9, but I'd rather have some other solution, since the device is one of the older models and I don't know if it can handle firmware 9.
Also, it's on the other side of the country, so if I can avoid spending 6 hours in the car I'd rather do that ;)

Is there no way to do this with firmware 7.2?

Thanks
Assisted Solution

by: mannyfernandez (earned 50 total points)
ID: 39596824

Sander123,

Sadly, I do not think there is a way to do this with the legacy code. Although the 9 train is preferred, you CAN do it on 8.3 and above.

Manny
Expert Comment

by: Henk van Achterberg
ID: 39596838

You will need 512MB RAM to run 8.3 though.