11-06-2007 09:38 AM - edited 02-21-2020 01:46 AM
Hello Community,
I have an ASA 5505 with the default setup, 2 VLANs. On the inside I have a DNS, IIS, and SQL server. I am desperate for some help to get the www server accessible from the public. I am not using a DMZ. Got tips for me? Many thanks in advance. - Jurgen
11-06-2007 09:52 AM
Without any other details, this is one way to do it, if the webserver is 192.168.1.10...
static (inside,outside) tcp interface 80 192.168.1.10 80 netmask 255.255.255.255
access-list outside_access_in extended permit tcp any interface outside eq 80
access-group outside_access_in in interface outside
11-06-2007 10:01 AM
Hi, thanks for your help.
Outside I have a static IP. Inside www server is at 192.168.1.35 (your guess was close).
I set DHCP server starting at 192.168.1.100
To make it work, would I change settings in NAT?
11-06-2007 10:06 AM
In that case, if your static IP is 1.1.1.1 and the server is 192.168.1.35, then...
static (inside,outside) tcp 1.1.1.1 80 192.168.1.35 80 netmask 255.255.255.255
access-list outside_access_in extended permit tcp any host 1.1.1.1 eq 80
access-group outside_access_in in interface outside
or
static (inside,outside) 1.1.1.1 192.168.1.35 netmask 255.255.255.255
access-list outside_access_in extended permit tcp any host 1.1.1.1 eq 80
access-group outside_access_in in interface outside
Is that what you were asking?
11-06-2007 10:08 AM
One more thing: first I wasn't able to get online behind the firewall. I had to go into 'Routing' and add a new entry under 'static routing':
Interface: outside
IP 0.0.0.0
Mask 0.0.0.0
Gateway IP - ISP Gateway IP
Metric 1
11-06-2007 10:11 AM
Yes, that defines your default gateway.
route outside 0.0.0.0 0.0.0.0 isp.gateway.ip
Please rate helpful posts.
11-06-2007 10:25 AM
Is there a document somewhere that describes the steps in a bit more detail? Like what to do in NAT and Security Policy. The manual that came with the ASA describes setting up a DMZ, etc.
11-06-2007 10:28 AM
11-06-2007 10:50 AM
This one looks promising, but it's command-line stuff. Uff.
11-06-2007 01:14 PM
I added a new access rule in "Security Policy" under Outside: source: any, destination: 192.168.1.35, services: http, action: permit. Under NAT, a new Outside: type: static, Source: ISP IP http, Destination: any, interface: inside, address: 192.168.1.35 http, DNS rewrite: NO.
No luck so far. Oje.
11-06-2007 01:16 PM
Destination would not be 192.168.1.35. It would be the public ip address you are using.
If you can post the config, I'll be able to show you what it should look like.
11-06-2007 01:27 PM
My pleasure!
Result of the command: "show running-config"
: Saved
:
ASA Version 7.2(2)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password PASSWORDXYZ encrypted
names
name 192.168.1.20 SERVER1 description DNS
name 192.168.1.35 SERVER2 description IIS
name 192.168.1.40 SERVER3 description SQL
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 70.x.x.246 255.255.255.224
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd xxx
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
domain-name default.domain.invalid
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (outside,inside) tcp SERVER2 www 70.164.46.224 www netmask 255.255.255.255
route outside 0.0.0.0 0.0.0.0 70.164.46.225 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.100-192.168.1.130 inside
dhcpd dns SERVER1 192.168.1.22 interface inside
dhcpd domain alt74.local interface inside
dhcpd enable inside
!
dhcpd dns 68.x.x.30 68.10.16.30 interface outside
!
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:xxx
: end
11-06-2007 02:38 PM
Ok, you're missing the access list. It should be...
access-list outside_access_in extended permit tcp any host 70.164.46.224 eq www
access-group outside_access_in in interface outside
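As an added illustration, not part of the thread, here is a small Python check that parses a constructed fragment modelled on the posted running-config and verifies the three pieces the replies above describe: a static translation written in the (inside,outside) direction with the public address first, an access-list permitting TCP to that address on www, and the access-group applied inbound on outside. It assumes the 7.x-style command forms seen in this thread and nothing else.

```python
import re

# Constructed fragment modelled on the config posted in the thread (not the full config).
POSTED = """\
name 192.168.1.35 SERVER2 description IIS
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (outside,inside) tcp SERVER2 www 70.164.46.224 www netmask 255.255.255.255
"""
# Same fragment with the three pieces the replies describe.
FIXED = """\
name 192.168.1.35 SERVER2 description IIS
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp 70.164.46.224 www SERVER2 www netmask 255.255.255.255
access-list outside_access_in extended permit tcp any host 70.164.46.224 eq www
access-group outside_access_in in interface outside
"""

NAME_RE = re.compile(r"^name (\S+) (\S+)")
# static (real_ifc,mapped_ifc) tcp mapped_ip mapped_port real_ip real_port netmask ...
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) tcp (\S+) (\S+) (\S+) (\S+) netmask")
ACL_RE = re.compile(r"^access-list (\S+) extended permit tcp any host (\S+) eq (\S+)")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\w+)")

def check_port_forward(config, real_ip, mapped_ip, port="www"):
    """Return a list of findings (empty list means the forward is complete)."""
    names, statics, acls, groups, findings = {}, [], [], [], []
    for line in config.splitlines():
        if m := NAME_RE.match(line):
            names[m.group(2)] = m.group(1)          # SERVER2 -> 192.168.1.35
        elif m := STATIC_RE.match(line):
            statics.append(m.groups())
        elif m := ACL_RE.match(line):
            acls.append(m.groups())
        elif m := GROUP_RE.match(line):
            groups.append(m.groups())
    def ip(tok):                                    # resolve a 'name' alias to its address
        return names.get(tok, tok)
    good = [s for s in statics if s[:2] == ("inside", "outside")
            and ip(s[2]) == mapped_ip and ip(s[4]) == real_ip and s[3] == s[5] == port]
    swapped = [s for s in statics if s[:2] == ("outside", "inside")
               and ip(s[2]) == real_ip and ip(s[4]) == mapped_ip]
    if not good and swapped:
        findings.append("static is (outside,inside) with the addresses reversed; expected: "
                        f"static (inside,outside) tcp {mapped_ip} {port} {real_ip} {port}")
    elif not good:
        findings.append(f"no static (inside,outside) tcp translation to {mapped_ip} {port}")
    acl_names = {a[0] for a in acls if a[1] == mapped_ip and a[2] == port}
    if not acl_names:
        findings.append(f"no access-list permitting tcp any -> host {mapped_ip} eq {port}")
    if not any(g[1] == "outside" and g[0] in acl_names for g in groups):
        findings.append("no access-group binding that access-list 'in' on interface outside")
    return findings
```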
11-06-2007 03:53 PM
OK, great. I am getting closer! :)
Can I do that via ASDM in the Security Policy settings? Or can I do it via the command line in some way?
11-07-2007 10:18 AM
Sorry, but I have a hard time adding the access list in the Security Policy settings.
Can you give me a hint? Thanks!!