ASA5505 Question

May 15th, 2007

New to the ASA series. I am installing a 5505 later today. Company has two buildings connected via fiber. ASA will go behind the router and into a switch connecting the two.


Main goal is to protect an iSeries webserver on their internal network. Inside interface is configured with internal network of 172.20.x.x. Outside with static from ISP, 209.143.x.x.


Being new to this, I'm assuming I need an access rule to allow traffic from the WAN to the iSeries box. My current rule is set up like this.


outside, incoming, permit, any (0.0.0.0) to 172.20.x.x (IP of iSeries). Protocol is TCP, service on source = any, service on destination = http/www.


My question is, is this correct? Any help would be appreciated.

hoogen_82 Tue, 05/15/2007 - 06:03

For permitting traffic from outside to inside you need two things: one is your access-list statement and the other is your nat statement.


Ideally I guess you should be looking at port forwarding.


So your statements could be.


access-list outside_inside extended permit tcp any host 209.143.x.x eq www


and your nat statement would be


static (inside,outside) tcp interface www 172.20.x.x www netmask 255.255.255.255


Assuming your interface ip is 209.143.x.x.


HTH

Hoogen


Do rate if you find this post useful :)

acomiskey Tue, 05/15/2007 - 06:07

Depending upon what the outside address of the server is you will have something like this...


static (inside,outside) 209.143.x.x 172.20.x.x netmask 255.255.255.255

access-list outside_access_in extended permit tcp any host 209.143.x.x eq www

access-group outside_access_in in interface outside


or if the outside address of the server is the same as the outside interface of the ASA you can do...


static (inside,outside) interface 172.20.x.x netmask 255.255.255.255

access-list outside_access_in extended permit tcp any host 209.143.x.x eq www

access-group outside_access_in in interface outside


or if you just want to port forward port 80...


static (inside,outside) tcp interface www 172.20.x.x www netmask 255.255.255.255

access-list outside_access_in extended permit tcp any host 209.143.x.x eq www

access-group outside_access_in in interface outside
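All three variants above share one rule the original question gets wrong: on this ASA the outside access-list must permit the mapped (outside) address from the static, not the 172.20.x.x inside address, and the list must be applied with access-group. As an added example (not from the thread), here is a small Python checker for that pattern; the addresses, the outside interface IP and the sample lines are constructed, and the parser only understands the pre-8.3 `static`/`access-list extended`/`access-group` forms shown in the answers.

```python
# Constructed sample config (not from the thread): the port-forward static from the last
# answer, the asker's original rule aimed at the inside address, the corrected rule, and the binding.
SAMPLE = """\
static (inside,outside) tcp interface www 172.20.1.10 www netmask 255.255.255.255
access-list outside_access_in extended permit tcp any host 172.20.1.10 eq www
access-list outside_access_in extended permit tcp any host 209.143.1.5 eq www
access-group outside_access_in in interface outside
"""
IFACE_IPS = {"outside": "209.143.1.5"}  # assumed outside interface address (constructed)

def parse(config, iface_ips):
    statics, acls, groups = [], {}, {}
    for t in (line.split() for line in config.splitlines() if line.strip()):
        if t[0] == "static":
            mapped_if = t[1].strip("()").split(",")[1]
            body = t[2:t.index("netmask")]
            if body[0] in ("tcp", "udp"):  # static PAT: proto mapped mport real rport
                mapped, mport, real, rport = body[1:5]
            else:                          # one-to-one static: mapped real
                (mapped, real), mport, rport = body[:2], None, None
            if mapped == "interface":      # 'interface' keyword means the outside IP
                mapped = iface_ips[mapped_if]
            statics.append(dict(mapped=mapped, real=real, mport=mport, rport=rport))
        elif t[0] == "access-list" and t[2] == "extended":
            i = 5                                      # source, then destination
            src, i = (t[i + 1], i + 2) if t[i] == "host" else (t[i], i + 1)
            dst, i = (t[i + 1], i + 2) if t[i] == "host" else (t[i], i + 1)
            port = t[i + 1] if i < len(t) and t[i] == "eq" else None
            acls.setdefault(t[1], []).append(dict(src=src, dst=dst, port=port))
        elif t[0] == "access-group":
            groups[t[1]] = t[4]                        # ACL name -> interface applied on
    return statics, acls, groups

def audit(config, iface_ips=IFACE_IPS):
    """Return the problems found; an empty list means the rules are consistent."""
    statics, acls, groups = parse(config, iface_ips)
    by_mapped = {s["mapped"]: s for s in statics}
    reals = {s["real"] for s in statics}
    problems = []
    for name, entries in acls.items():
        if name not in groups:
            problems.append(f"{name}: never applied with access-group, so it has no effect")
        for e in entries:
            if e["dst"] in reals and e["dst"] not in by_mapped:
                problems.append(f"{name}: {e['dst']} is the real (inside) address; "
                                "match the mapped address from the static instead")
            elif by_mapped.get(e["dst"], {}).get("mport") not in (None, e["port"]):
                problems.append(f"{name}: eq {e['port']} does not match the static's mapped port")
    return problems
```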
