Publishing a web server

Answered Question
Mar 27th, 2007
User Badges:

Hello, I'm fairly new to the ASA's and have setup P2P vpn's and client VPN's on our 5520. I'm now needing to move existing web servers from another box over to the ASA.


I'm thinking I'll just need to make a static NAT rule from inside to outside and add the access rules for each outside address on the outside interface incoming. Does this sound right or am i missing something? Also concerned that adding acl's to the outside interface incoming may affect existing VPN's although the checkbox that states "Enable inbound IPSec sessions to bypass interface access lists." is checked. Any suggestions/tips is appreciated.


Jeff

Correct Answer by acomiskey about 10 years 3 months ago

Yes, just put 80 as an example...

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (2 ratings)
Loading.
acomiskey Tue, 03/27/2007 - 11:09
User Badges:
  • Green, 3000 points or more

You are correct. No need to worry about vpn's and your interface acl's when you have sysopt connection permit-ipsec in place.


static (inside,outside) netmask 255.255.255.255

access-list extended permit tcp any host eq 80

access-group in interface outside

westcare Tue, 03/27/2007 - 13:08
User Badges:

Great, thanks for the quick reply...i'm assuming if the sites are https:// that i would just need to add another line with "eq443" to allow this and if they were Citrix servers to just allow those ports as well with the same sort of NAT lines.


Thanks again,

Jeff

Correct Answer
acomiskey Tue, 03/27/2007 - 13:28
User Badges:
  • Green, 3000 points or more

Yes, just put 80 as an example...

acharyr123 Tue, 03/27/2007 - 23:24
User Badges:

Hello Jeff,


The config that you did & were suggested by other guys are correct. It will work fine. Only you should take care of security part as users will be coming from untrusted zone to your inside segment. You need to specify only the required ports say 80, 8080, 443, 25, 53 (both tcp & udp) etc based upon your requirement. If your inside server is a web server as well as ftp server, then you also can configure that users coming from outside will see different ip for Web server & different for ftp server. but both the resources will be on the same server only.


Say i want to come to access your webs erver from outside, i will access 220.231.1.12X to access web server application & for ftp:220.231.1.12Y. in this way you can strengtheen ur security as well. carefull to open any port. stop trojans, worms etc if you have AIP-SSM or CSC-SSM in that ASA 5520.


Thanks,


Partha

westcare Wed, 03/28/2007 - 07:40
User Badges:

Good point! Most of the outside facing servers are webservers and citrix servers, so there is definately a limited port list for each of them. I had not thought of the multiple ip's for each service though. That's something i'm going to look into doing on the few multiple-use servers that sit on the outside. Thanks again for all the quick help.


Jeff

Actions

This Discussion