Accessing webserver behind an ASA 5505 (newbie)

Answered Question
Sep 13th, 2007

Hi,

I have not been able to figure out how to set up PAT/ACLs or anything else to get an outside web browser to hit my webserver.


Setup:


cable modem -> ASA 5505 -> PC
                        -> webserver


I'd like everyone on the outside to be able to hit the webserver. I've tried all kinds of different security policies with no luck.


I must not understand the policies and NAT/PAT stuff very well.


Coming from an old Linksys router you told it what port to watch for and then forward it to a host on the inside. The ASA seems MUCH more complicated than that...


Public IP: 1.1.1.1

Inside IP: 192.168.1.1


Looking for the general rules that set this access up. I'll try to use the CLI if you can show the actual commands, otherwise I'm fumbling around in the GUI.


Any help would be appreciated.

Overall Rating: 5 (2 ratings)
Correct Answer
acomiskey Thu, 09/13/2007 - 12:17

It's more complicated for good reason.


In its simplest form, these commands will do the trick.

static (inside,outside) interface <webserver-ip> netmask 255.255.255.255

access-list outside_access_in permit tcp any interface outside eq 80

access-group outside_access_in in interface outside

This is if you are using the outside interface IP of your ASA to access the webserver.

You can also do this, which would allow you to use the outside interface IP for other services to other servers...

static (inside,outside) tcp interface 80 <webserver-ip> 80 netmask 255.255.255.255

kcaporaso Thu, 09/13/2007 - 12:26

Thank you!


I see where I went wrong... I was setting the source port to 80.

Jon Marshall Thu, 09/13/2007 - 12:20

Hi


What is the private IP address of the web server, and what is the public IP address you want to present it as? E.g.


if private IP = 192.168.5.1

public IP = 217.22.1.10


then config would be


static (inside,outside) 217.22.1.10 192.168.5.1 netmask 255.255.255.255


access-list acl_inbound permit tcp any host 217.22.1.10 eq 80


access-group acl_inbound in interface outside


HTH


Jon

hsajwan Thu, 09/13/2007 - 12:29

Here are the commands:


static (inside,outside) 1.1.1.1 192.168.1.1


access-list aclout permit tcp any host 1.1.1.1 eq 80


access-group aclout in interface outside



In case 1.1.1.1 is the IP address of the outside interface of ASA, then here are the commands:


static (inside,outside) tcp interface 80 192.168.1.1 80


access-list aclout permit tcp any interface outside eq 80


access-group aclout in interface outside
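
The following is an added example, not part of the thread: a small Python audit that reads `static`, `access-list` and `access-group` lines in the pre-8.3 ASA syntax used in the answers above and lists which inside host and port each combination opens to the outside. The sample config is constructed from the thread's example addresses; the function name `exposed`, the ACL name `acl_in` and the simplified parsing (source `any` only, protocol ignored) are assumptions.

```python
import re

# Constructed sample in the pre-8.3 ASA syntax used in this thread.
SAMPLE = """\
static (inside,outside) tcp interface 80 192.168.1.1 80 netmask 255.255.255.255
static (inside,outside) 217.22.1.10 192.168.5.1 netmask 255.255.255.255
access-list acl_in permit tcp any interface outside eq www
access-list acl_in permit tcp any host 217.22.1.10 eq 80
access-list acl_in permit ip any host 217.22.1.10
access-group acl_in in interface outside
"""

STATIC = re.compile(
    r"static \(\w+,(\w+)\) (?:(tcp|udp) (\S+) (\S+) (\S+) (\S+)|(\S+) (\S+))")
PERMIT = re.compile(
    r"access-list (\S+) (?:extended )?permit (\S+) any "
    r"(?:interface \w+|host (\S+))(?: eq (\S+))?$")
GROUP = re.compile(r"access-group (\S+) in interface (\w+)")
ALIASES = {"www": "80", "https": "443"}  # names the ASA prints for common ports

def exposed(config, outside="outside"):
    """Return sorted (inside_host, port) pairs reachable from the outside interface."""
    statics, permits, bound = [], [], set()
    for line in map(str.strip, config.splitlines()):
        if (m := STATIC.match(line)) and m.group(1) == outside:
            if m.group(2):  # static PAT: exactly one port is translated
                mport = ALIASES.get(m.group(4), m.group(4))
                statics.append((m.group(3), mport, m.group(5), m.group(6)))
            else:           # one-to-one static: every port is translated
                statics.append((m.group(7), None, m.group(8), None))
        elif m := PERMIT.match(line):
            port = ALIASES.get(m.group(4), m.group(4))  # None when no "eq"
            permits.append((m.group(1), m.group(3) or "interface", port))
        elif (m := GROUP.match(line)) and m.group(2) == outside:
            bound.add(m.group(1))
    found = set()
    for acl, dest, port in permits:
        if acl not in bound:
            continue  # an ACL that is not applied inbound opens nothing
        for mapped, mport, real, rport in statics:
            if mapped != dest:
                continue
            if mport is None:            # one-to-one: the ACL alone decides the ports
                found.add((real, port or "any"))
            elif port in (None, mport):  # PAT: only the translated port can arrive
                found.add((real, ALIASES.get(rport, rport)))
    return sorted(found)
```

Any `"any"` entry in the result marks a one-to-one static whose ACL does not restrict the port, which is the case the port-specific `static ... tcp interface 80 ... 80` form avoids.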



