Accessing webserver behind an ASA 5505 (newbie)

kcaporaso
Level 1

Hi,

I have not been able to figure out how to set up PAT/ACLs or anything else to get an outside web browser to hit my webserver.

Setup:

cable modem -> ASA 5505 -> PC
                        -> webserver

I'd like everyone on the outside to be able to hit the webserver. I've tried all kinds of different security policies with no luck.

I must not understand the policies and NAT/PAT stuff very well.

Coming from an old Linksys router you told it what port to watch for and then forward it to a host on the inside. The ASA seems MUCH more complicated than that...

Public IP: 1.1.1.1

Inside IP: 192.168.1.1

Looking for the general rules that set this access up. I'll try to use the CLI if you can show the actual commands, otherwise I'm fumbling around in the GUI.

Any help would be appreciated.

Accepted Solutions

acomiskey
Level 10

It's more complicated for good reason.

In its simplest form, these commands will do the trick.

static (inside,outside) interface <webserver-inside-ip> netmask 255.255.255.255

access-list outside_access_in permit tcp any interface outside eq 80

access-group outside_access_in in interface outside

This is if you are using the outside interface IP of your ASA to access the webserver.

You can also do this, which would allow you to use the outside interface IP for other services to other servers...

static (inside,outside) tcp interface 80 <webserver-inside-ip> 80 netmask 255.255.255.255

Thank you!

I see where I went wrong... I was setting the source port to 80.

Jon Marshall
Hall of Fame

Hi

What is the private IP address of the web server, and what is the public IP address you want to present it as? E.g.

if private IP = 192.168.5.1

public IP = 217.22.1.10

then config would be

static (inside,outside) 217.22.1.10 192.168.5.1 netmask 255.255.255.255

access-list acl_inbound permit tcp any host 217.22.1.10 eq 80

access-group acl_inbound in interface outside

HTH

Jon

hsajwan
Level 1

Here are the commands:

static (inside,outside) 1.1.1.1 192.168.1.1

access-list aclout permit tcp any host 1.1.1.1 eq 80

access-group aclout in interface outside

In case 1.1.1.1 is the IP address of the outside interface of ASA, then here are the commands:

static (inside,outside) tcp interface 80 192.168.1.1 80

access-list aclout permit tcp any interface outside eq 80

access-group aclout in interface outside
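
A quick way to catch the mistake mentioned earlier in the thread (port 80 placed on the source instead of the destination), plus two related slips: a permit with no destination port and an ACL that is never bound with access-group. This is an added example, not code from any of the posters or from Cisco; the `audit` helper and the BROKEN/WORKING samples are constructed for illustration, and BROKEN is only an assumed reconstruction of what a source-port rule would look like.

```python
import re

# Address and port forms used by the permit lines in this thread.
ADDR = r"(?:any|host \S+|interface \S+|\d+\.\d+\.\d+\.\d+ \d+\.\d+\.\d+\.\d+)"
PORT = r"(?:(?:eq|lt|gt|neq) \S+|range \S+ \S+)"
ACE = re.compile(
    rf"^access-list (?P<acl>\S+) (?:extended )?permit (?P<proto>tcp|udp) "
    rf"(?P<src>{ADDR})(?: (?P<sport>{PORT}))? "
    rf"(?P<dst>{ADDR})(?: (?P<dport>{PORT}))?$"
)
GROUP = re.compile(r"^access-group (?P<acl>\S+) in interface (?P<ifc>\S+)$")


def audit(config: str) -> list[str]:
    """Return findings for inbound permit rules in ASA-style config text."""
    findings, acls, bound = [], set(), set()
    for n, raw in enumerate(config.splitlines(), 1):
        line = " ".join(raw.split())  # normalise whitespace
        if m := GROUP.match(line):
            bound.add(m["acl"])
        elif m := ACE.match(line):
            acls.add(m["acl"])
            if m["sport"] and not m["dport"]:
                # Clients connect FROM a random high port TO port 80.
                findings.append(f"line {n}: {m['sport']} is matched on the source port; "
                                f"move it after the destination ({m['dst']})")
            elif not m["dport"]:
                findings.append(f"line {n}: permits every {m['proto']} port to {m['dst']}")
    for acl in sorted(acls - bound):
        findings.append(f"{acl}: no access-group binds this ACL to an interface")
    return findings


# Constructed sample inputs (not taken from a real device).
BROKEN = """\
access-list outside_access_in permit tcp any eq 80 interface outside
"""
WORKING = """\
access-list outside_access_in permit tcp any interface outside eq 80
access-group outside_access_in in interface outside
"""

if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN), ("working", WORKING)):
        print(name, audit(cfg) or "no findings")
```
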
