ASA help needed - Packet Life

Forums > General Discussion > ASA help needed

demikid 6 posts	28 May 2010 at 3:14 p.m. UTC Hi All! Thanks guys for this very educative site. I have a question about ASA 5505.Is it possible to publish Outlook Web Access and other Web access services such that, an external user can point to different urls e.g http://mydomain/mail , http://mydomain/xxx , http://mydomain/yyy and will be directed to the respective services. How do i get about this? Url inspection perhaps? Help please.
laith43d 109 posts	28 May 2010 at 5:34 p.m. UTC No URL inspection, just basic destination nat, when you access services online you only refer to the URL while you are making DNS look-up, after DNS return the IP address to you, you start using that IP address to access the same resource online. DOCs: Cisco ASA configuration guides: http://www.cisco.com/en/US/products/ps6120/products_installation_and_configuration_guides_list.html
joshlowe 94 posts	28 May 2010 at 6:45 p.m. UTC I think demikid is referring to the URL contained in the HTTP GET request. While it's true that when you type a URL into your browser it is translated to an IP address so that the server can be located, the original URL is still sent at Layer 7 in the HTTP request message. Unfortunately I don't think an ASA has the capability to route based on the HTTP host header. I generally use Microsoft ISA server (now called Forefront TMG) to accomplish this. That being said, you can have a single web server host multiple sites and have the web server do the redirecting for you. For example, if someone visits your site at www.somesite.com, the ASA would direct this to the (only) web server. The web server would then check the value of the HTTP request and send back the appropriate site. Then if someone accesses www.anothersite.com, the same web server would send back a different site based on that URL. The ASA simply sends all HTTP requests to the same server and lets the server figure out which site was requested. This can be done in both IIS and apache. I can't remember how to set it up in apache, but in IIS you simply edit the host bindings to include the URL. I've attached a screenshot showing where this is done in IIS 7. Of course, if you have multiple sites on multiple servers, this won't work for you. You either have to consolidate them to a single server, or come up with a different solution. Hope that helps, Josh File Attachments example.png
laith43d 109 posts	29 May 2010 at 5:30 a.m. UTC In Apache it is called virtual host, and that is exactly what I referred to, you redirect traffic to single server and the server figure out what service is requested. if you need multiple services with single domain, on multiple servers behind ASA, I think there is a method to accomplish that, but I am not sure what its name, I will further check, if I find anything I will post it here to you again. If you want to separate service based on port number, it is very easy, as the access list which the nat depends on, will specify the port. Cheers,
demikid 6 posts	29 May 2010 at 8:00 p.m. UTC My site has multiple web servers and one public IP which makes the scenario more complex.I was using an ISA for all my firewall services and publishing and was looking forward to throw it out and bring in the ASA.
dantel 36 posts	30 May 2010 at 2:58 a.m. UTC Is this for public users or employees? have you investigated the clientless SSL capabilities of the ASA? If you are looking to publish sites like webmail (in the original post) for employees, this feature might be right for that.
laith43d 109 posts	31 May 2010 at 7:17 a.m. UTC Could you please give a graphical demonstration, and some detailed descriptions, so we understand exactly your scenario. Thanks
demikid 6 posts	31 May 2010 at 9:34 a.m. UTC Its still my early days working with an ASA but the SSL VPNs (WebVPN) bit looks promising.I looked at it yesterday,will lab on it this week and report back.Thanks dantel and all of you guys.

Viewing 1 - 8 of 8

File Attachments