cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1448
Views
5
Helpful
25
Replies

www server behind ASA 5505

altziebler
Level 1
Level 1

Hello Community,

I have a ASA 5505 with default setup, 2 VLANs. On the inside I have a DNS, IIS, SQL server. I am desperate for some help to get the www server accessible from the public. I am not using a DMZ. Got tips for me? Many thanks in advance. - Jurgen

25 Replies 25

acomiskey
Level 10
Level 10

Without any other details, this is one way to do it, if webserver is 192.168.1.10...

static (inside,outside) tcp interface 80 192.168.1.10 80 netmask 255.255.255.255

access-list outside_access_in extended permit tcp any interface outside eq 80

access-group outside_access_in in interface outside

Hi, thanks for your help.

Outside I have a static IP. Inside www server is at 192.168.1.35 (your guess was close).

I set DHCP server starting at 192.168.1.100

To make it work I would changes settings in NAT?

In that case if your static ip is 1.1.1.1 and server is 192.168.1.35 then...

static (inside,outside) tcp 1.1.1.1 80 192.168.1.35 80 netmask 255.255.255.255

access-list outside_access_in extended permit tcp any host 1.1.1.1 eq 80

access-group outside_access_in in interface outside

or

static (inside,outside) 1.1.1.1 192.168.1.35 netmask 255.255.255.255

access-list outside_access_in extended permit tcp any host 1.1.1.1 eq 80

access-group outside_access_in in interface outside

Is that what you were asking?

one more, first I wasn't able to get online behind the firewall. I had to go into 'Routing' and add a new entry in 'static routing'

Interface: outside

IP 0.0.0.0

Mask 0.0.0.0

Gateway IP - ISP Gateway IP

Metric 1

Yes, that defines your defaut gateway.

route outside 0.0.0.0 0.0.0.0 isp.gateway.ip

Please rate helpful posts.

Is there a document somwhere that describes the steps a bit more in detail? Like what to do in NAT and Security Policy. The manual that came with the ASA describes setting up a DMZ, etc.

I added a new access rule in "Security Policy" under Outside. source: any, destination 192.168.1.35, services: http, action: permit. Under NAT a new Outside. type: static, Source: ISP IP http, Destination: any, interface: inside, address: 192.168.1.35 http, DNS rewrite NO.

no luck so far. oje

Destination would not be 192.168.1.35. It would be the public ip address you are using.

If you can post the config, I'll be able to show you what it should look like.

my pleasure!

Result of the command: "show running-config"

: Saved

:

ASA Version 7.2(2)

!

hostname ciscoasa

domain-name default.domain.invalid

enable password PASSWORDXYZ encrypted

names

name 192.168.1.20 SERVER1 description DNS

name 192.168.1.35 SERVER2 description IIS

name 192.168.1.40 SERVER3 description SQL

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.1.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address 70.x.x.246 255.255.255.224

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

passwd xxx

ftp mode passive

clock timezone EST -5

clock summer-time EDT recurring

dns domain-lookup inside

dns domain-lookup outside

dns server-group DefaultDNS

domain-name default.domain.invalid

pager lines 24

logging enable

logging asdm informational

mtu inside 1500

mtu outside 1500

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-522.bin

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0

static (outside,inside) tcp SERVER2 www 70.164.46.224 www netmask 255.255.255.255

route outside 0.0.0.0 0.0.0.0 70.164.46.225 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

http server enable

http 192.168.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd address 192.168.1.100-192.168.1.130 inside

dhcpd dns SERVER1 192.168.1.22 interface inside

dhcpd domain alt74.local interface inside

dhcpd enable inside

!

dhcpd dns 68.x.x.30 68.10.16.30 interface outside

!

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:xxx

: end

Ok, you're missing the access list. It should be...

access-list outside_access_in extended permit tcp any host 70.164.46.224 eq www

access-group outside_access_in in interface outside

ok, great. I am getting closer! :)

I can do that via ASDM in the Security Policy settings? or can I do via command line in some way?

sorry, but I have a hard time adding

the access list in Security Policy settings.

Can you give me a hint? Thanks!!

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: