Publishing a web server

westcare
Level 1

Hello, I'm fairly new to the ASAs and have set up P2P VPNs and client VPNs on our 5520. I'm now needing to move existing web servers from another box over to the ASA.

I'm thinking I'll just need to make a static NAT rule from inside to outside and add the access rules for each outside address on the outside interface incoming. Does this sound right or am I missing something? I'm also concerned that adding ACLs to the outside interface incoming may affect existing VPNs, although the checkbox that states "Enable inbound IPSec sessions to bypass interface access lists." is checked. Any suggestions/tips are appreciated.

Jeff


5 Replies

acomiskey
Level 10

You are correct. No need to worry about VPNs and your interface ACLs when you have sysopt connection permit-ipsec in place.

static (inside,outside) netmask 255.255.255.255

access-list extended permit tcp any host eq 80

access-group in interface outside

Great, thanks for the quick reply. I'm assuming if the sites are https:// that I would just need to add another line with "eq 443" to allow this, and if they were Citrix servers, to just allow those ports as well with the same sort of NAT lines.

Thanks again,

Jeff

Yes, just put 80 as an example...

acharyr123
Level 3

Hello Jeff,

The config that you did and that the other guys suggested is correct. It will work fine. You only need to take care of the security part, as users will be coming from an untrusted zone into your inside segment. You need to open only the required ports, say 80, 8080, 443, 25, 53 (both TCP and UDP), etc., based on your requirements. If your inside server is a web server as well as an FTP server, you can also configure it so that users coming from outside see a different IP for the web server and a different one for the FTP server, but both resources will be on the same server.

Say I want to access your web server from outside: I will access 220.231.1.12X to reach the web server application and, for FTP, 220.231.1.12Y. In this way you can strengthen your security as well. Be careful about opening any port. Stop trojans, worms, etc. if you have an AIP-SSM or CSC-SSM in that ASA 5520.

Thanks,

Partha
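Putting the two answers above together as an added example (this is not the posters' own configuration): it uses the pre-8.3 `static (inside,outside)` syntax seen in this thread, constructed addresses from 203.0.113.0/24 (public) and 10.1.1.0/24 (inside), and an assumed ACL name `outside_in`.

```cisco
! Constructed addresses (example only): 203.0.113.0/24 stands in for the
! public range, 10.1.1.0/24 for the inside segment. Pre-8.3 ASA syntax,
! matching the static (inside,outside) form used in this thread.

! --- Case 1: one public IP per server, 1:1 static NAT (acomiskey's advice)
static (inside,outside) 203.0.113.10 10.1.1.10 netmask 255.255.255.255
! Open only the listener ports the web server actually serves.
access-list outside_in extended permit tcp any host 203.0.113.10 eq 80
access-list outside_in extended permit tcp any host 203.0.113.10 eq 443

! --- Case 2: one inside server, a separate public IP per service (Partha's
! suggestion). Port-level statics map only one port on each public IP, so
! nothing else listening on 10.1.1.11 is reachable through either address.
static (inside,outside) tcp 203.0.113.11 80 10.1.1.11 80 netmask 255.255.255.255
static (inside,outside) tcp 203.0.113.12 21 10.1.1.11 21 netmask 255.255.255.255
access-list outside_in extended permit tcp any host 203.0.113.11 eq 80
access-list outside_in extended permit tcp any host 203.0.113.12 eq 21
! FTP data connections are opened by the ftp inspection in the default
! global_policy; leave it enabled if you publish FTP this way.

! Apply once, inbound on the outside interface. Anything not listed above is
! dropped by the implicit deny at the end of the ACL. VPN traffic still
! bypasses this ACL because of sysopt connection permit-ipsec (the checkbox
! mentioned in the question).
access-group outside_in in interface outside

! Verify after testing from outside: translations and per-line hit counts.
show xlate
show access-list outside_in
```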

Good point! Most of the outside-facing servers are web servers and Citrix servers, so there is definitely a limited port list for each of them. I had not thought of the multiple IPs for each service though. That's something I'm going to look into doing on the few multiple-use servers that sit on the outside. Thanks again for all the quick help.

Jeff
