I have an ASA 5505 with outside network of public ips 95.123.234.64/26 and inside network of private ips 10.22.33.0/24. I would like to redirect any tcp traffic that hits 95.123.234.67:80 to a public ip 78.123.234.56:22. I don't know if it's important but 78.123.234.56 is not managed by the ASA. Can this be achieved with the ASA 5505?
2 Answers
What you would like to do is called hairpinning, and usually it is done on your internal-facing interface, but there is no reason you cannot do it on your outside interface, though as javano mentioned it can cause a little confusion on the Internet. But it will not break anything; this is different from if you wanted to NAT an IP address that you do not control to one that you do control.
To hairpin on a 5505 you first have to permit same interface traffic:
same-security-traffic permit intra-interface
Then you have to update your nat tables:
static (outside,outside) tcp 95.123.234.67 80 78.123.234.56 22 netmask 255.255.255.255
You may have to update your outside interface access-list but that should take care of the outside traffic.
Depending on the OS version of the ASA the commands will be a little different but it is doable.
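The same hairpin written in the object and twice-NAT syntax of ASA 8.3 and later, added here as an illustration and not part of either answer. It also source-translates the hairpinned flow to the outside interface address, because without that 78.123.234.56's replies go straight back to the client instead of through the ASA, and the TCP session never completes. Object and ACL names are placeholders of my choosing; check the exact syntax against the running version.

```cisco
! Allow traffic to enter and leave the same (outside) interface
same-security-traffic permit intra-interface
!
! Addresses from the question; object names are placeholders
object network OBJ-PUBLIC-VIP
 host 95.123.234.67
object network OBJ-REMOTE-SSH
 host 78.123.234.56
object service SVC-TCP-80
 service tcp destination eq 80
object service SVC-TCP-22
 service tcp destination eq 22
!
! Twice NAT: destination and service are written mapped-object first.
! Inbound 95.123.234.67:80 is rewritten to 78.123.234.56:22, and the
! client source is PATed to the outside interface address so the remote
! host's replies return via the ASA rather than asymmetrically.
nat (outside,outside) source dynamic any interface destination static OBJ-PUBLIC-VIP OBJ-REMOTE-SSH service SVC-TCP-80 SVC-TCP-22
!
! Post-8.3 ACLs match the real (untranslated) destination address and port
access-list OUTSIDE_IN extended permit tcp any object OBJ-REMOTE-SSH eq 22
access-group OUTSIDE_IN in interface outside
```

Note that with the interface PAT in place, 78.123.234.56 sees every hairpinned SSH session as coming from the ASA's outside address, not from the original client, which matters for any logging or access control on that remote host.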
No, it can't. You could forward the port to an internal host and then use an internal web server to deliver an HTTP 302 redirect.
(Side note: imagine the security implications if people started port forwarding incoming connections to remote IPs not on their network.)
Would a 302 redirect work? I would like it to be handling all TCP data rather than HTTP. The reason for using port 80 is to avoid making firewall changes to allow, for example, SSH connections. I looked at trying to use nginx for this to no avail. So far the only suggestion I've had is to set up a program called HAProxy; it just seems a bit overkill for my needs. – James Apr 09 '13 at 19:22

Sorry, I assumed since you mentioned port 80 you meant HTTP. It's generally bad practice to run protocols on non-standard ports like this as it makes troubleshooting more difficult, but each to their own, just be wary. Yes, I guess you could set up HAProxy and use that remote public IP as a back-end server within the config. Good luck! – jwbensley Apr 10 '13 at 12:47