asa 5510 multiple web servers

Unanswered Question
Jul 8th, 2008

ciscoasa(config)# sh run

: Saved


ASA Version 8.0(2)


hostname ciscoasa

enable password xxx



interface Ethernet0/0

nameif outside

security-level 0

ip address x.x.x.17


interface Ethernet0/1

nameif inside

security-level 100

ip address 172.x.x.1


interface Ethernet0/2


no nameif

no security-level

no ip address


interface Ethernet0/3


no nameif

no security-level

no ip address


interface Management0/0

nameif management

security-level 100

ip address



passwd xxx

ftp mode passive

clock timezone mst -6

access-list split_tunnel_list standard permit

access-list inside_nat0_outbound extended permit ip

access-list ping_reply extended permit icmp any any

pager lines 24

logging enable

logging asdm informational

mtu outside 1500

mtu inside 1500

mtu management 1500

ip local pool vpnuserspool mask

no failover

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-602.bin

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1

access-group ping_reply in interface outside

route outside x.x.x.30 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

dynamic-access-policy-record DfltAccessPolicy

aaa authentication ssh console LOCAL

http server enable

http management

http inside

http inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set firstset esp-3des esp-md5-hmac

crypto dynamic-map dyn1 1 set transform-set firstset

crypto dynamic-map dyn1 1 set reverse-route

crypto map mymap 1 ipsec-isakmp dynamic dyn1

crypto map mymap interface outside

crypto isakmp enable outside

crypto isakmp policy 1

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 43200

crypto isakmp nat-traversal 3600

telnet timeout 5

ssh inside

ssh inside

ssh timeout 60

console timeout 0

management-access inside

dhcpd address inside

dhcpd dns dns1 dns2 interface inside

dhcpd enable inside


dhcpd address management

dhcpd enable management


threat-detection basic-threat

threat-detection statistics access-list


class-map inspection_default

match default-inspection-traffic



policy-map type inspect dns preset_dns_map


message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp


support.edm Tue, 07/08/2008 - 09:31

service-policy global_policy global

ntp server source outside

group-policy vpnuserspolicy internal

group-policy vpnuserspolicy attributes

split-tunnel-policy tunnelspecified

split-tunnel-network-list value split_tunnel_list

address-pools value vpnuserspool

username admin password xxx encrypted privilege 15

username admin attributes

vpn-group-policy vpnuserspolicy

tunnel-group vpnusersgroup type remote-access

tunnel-group vpnusersgroup general-attributes

default-group-policy vpnuserspolicy

tunnel-group vpnusersgroup ipsec-attributes

pre-shared-key *

prompt hostname context


: end


support.edm Tue, 07/08/2008 - 09:33

I have a w2k3 server on the LAN that has 2 web sites running on it. Web1 is bound to and Web2 is bound to The outside interface of the ASA is on the x.x.x.16/28 network. The inside is on

I did the following:

static (inside,outside) tcp interface 80 80 netmask

access-list web1_access permit tcp any host x.x.x.17 eq 80

access-group web1_access in interface outside

I could browse to web1 using http://x.x.x.17 which gets redirected to web server.

How do I go about being able to browse to web2 from the internet using http://x.x.x.18 to point to web server while at the same time retaining the ability to browse to web1?

support.edm Tue, 07/08/2008 - 13:15

We get .17 to .29

.16 network id

.30 broadcast address (/28)

a.alekseev Tue, 07/08/2008 - 12:57

You should have two statics:

one for

another for

If you have a single IP you can use different ports:

static (inside,outside) tcp interface 80 80 netmask

static (inside,outside) tcp interface 81 80 netmask

P.S. Rate a post if it was useful.

support.edm Tue, 07/08/2008 - 13:16

"static (inside,outside) tcp interface 81 80 netmask "

Does that mean people on the internet have to put "http://x.x.x.17:81" in their browser to access the web2 server?

support.edm Tue, 07/08/2008 - 13:39

As I've indicated, we are allocated the public internet addresses .17 to .29 by the ISP.

I want .17 to point to the web server and .18 to point to the web server.

husycisco Tue, 07/08/2008 - 13:42

If it is feasible for you on a usage/utilization and resource basis, you can also migrate the web service from server 2 to server 1, then configure host headers to run 2 different web services behind 1 public IP.


husycisco Tue, 07/08/2008 - 13:45

"I want .17 to point to the web server and .18 to point to the web server"

Then all you have to do is create another static statement:

static (inside,outside) tcp x.x.x.18 80 80 netmask

access-list web1_access permit tcp any host x.x.x.18 eq 80


support.edm Thu, 07/10/2008 - 10:44

I did this:

access-list inbound_on_outside extended permit tcp any host x.x.x.17 eq www

access-list inbound_on_outside extended permit tcp any host x.x.x.18 eq www

access-list inbound_on_outside extended permit tcp any host x.x.x.19 eq www

static (inside,outside) tcp interface www www netmask

static (inside,outside) tcp x.x.x.18 www www netmask

static (inside,outside) tcp x.x.x.19 www www netmask

access-group inbound_on_outside in interface outside

Works fine for 3 test websites.

Curious...any reason why

"static (inside,outside) tcp interface www www netmask"

can't be

"static (inside,outside) tcp x.x.x.17 www www netmask"

to keep things consistent?

husycisco Thu, 07/10/2008 - 13:27

This is actually for "securing" the IP address of interfaces, which are crucial for overall routing processes, from misuse. It is easy to get confused and create a one-to-one static for the outside IP address, which will halt the overall operation. You are supposed to be careful when you use an "interface" statement rather than the IP address. But I have seen a very few configurations which actually operate without the interface command.
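The working fix in this thread (one per-port static per public address, each paired with an access-list entry on the outside interface) and the follow-up about `interface` versus the literal .17 both come down to the same consistency rules for pre-8.3 ASA NAT. The checker below is an added example, not code from the thread or from Cisco. It parses 8.0-style `static`, `access-list` and `access-group` lines and reports the four pitfalls the thread touches on: a translated port that no inbound ACL permits, a static that spells out the outside interface address instead of using the `interface` keyword, a one-to-one static on the interface address, and an ACL entry that names the real (inside) address, which on 8.0 never matches because inbound ACLs are evaluated against the mapped address. All addresses in the sample are constructed: 203.0.113.16/28 stands in for the stripped x.x.x.16/28 block and 10.1.1.0/24 for the inside LAN. The rules apply to the 8.0 syntax shown here; from ASA 8.3 onward the NAT syntax changed and inbound ACLs match the real address instead.

```python
"""Audit ASA 8.0-style static PAT entries against the inbound ACL (added example; constructed addresses)."""
from collections import namedtuple

PORT_NAMES = {"www": 80, "http": 80, "https": 443, "ftp": 21, "ssh": 22, "smtp": 25}

# Constructed config modelled on the thread's working example, plus four deliberate mistakes.
SAMPLE_CONFIG = """\
interface Ethernet0/0
 nameif outside
 ip address 203.0.113.17 255.255.255.240
static (inside,outside) tcp interface www 10.1.1.10 www netmask 255.255.255.255
static (inside,outside) tcp 203.0.113.18 www 10.1.1.11 www netmask 255.255.255.255
static (inside,outside) tcp 203.0.113.19 www 10.1.1.12 www netmask 255.255.255.255
static (inside,outside) tcp 203.0.113.17 81 10.1.1.11 www netmask 255.255.255.255
static (inside,outside) 203.0.113.17 10.1.1.13 netmask 255.255.255.255
access-list inbound_on_outside extended permit tcp any host 203.0.113.17 eq www
access-list inbound_on_outside extended permit tcp any host 203.0.113.17 eq 81
access-list inbound_on_outside extended permit tcp any host 203.0.113.18 eq www
access-list inbound_on_outside extended permit tcp any host 10.1.1.12 eq www
access-group inbound_on_outside in interface outside
"""
Static = namedtuple("Static", "real_if mapped_if proto mapped mport real rport")
Ace = namedtuple("Ace", "name proto dst dport")


def port_num(tok):
    return int(tok) if tok.isdigit() else PORT_NAMES[tok.lower()]


def parse_static(t):
    """static (real_if,mapped_if) [tcp|udp] MAPPED [MPORT] REAL [RPORT] netmask MASK"""
    real_if, mapped_if = t[1].strip("()").split(",")
    if t[2] in ("tcp", "udp"):
        return Static(real_if, mapped_if, t[2], t[3], port_num(t[4]), t[5], port_num(t[6]))
    return Static(real_if, mapped_if, None, t[2], None, t[3], None)


def _addr(t, i):
    """Consume one ACE address spec ('any', 'host X' or 'X MASK'); return (text, next index)."""
    if t[i] == "any":
        return "any", i + 1
    if t[i] == "host":
        return t[i + 1], i + 2
    return f"{t[i]}/{t[i + 1]}", i + 2


def parse_ace(t):
    """access-list NAME extended permit PROTO SRC DST [eq PORT]"""
    _, i = _addr(t, 5)                      # source address is irrelevant to this audit
    dst, i = _addr(t, i)
    dport = port_num(t[i + 1]) if i + 1 < len(t) and t[i] == "eq" else None
    return Ace(t[1], t[4], dst, dport)


def parse(config):
    statics, aces, groups, if_ip, cur = [], [], {}, {}, None
    for t in filter(None, map(str.split, config.splitlines())):
        if t[0] == "interface":
            cur = None
        elif t[0] == "nameif":
            cur = t[1]
        elif t[:2] == ["ip", "address"] and cur and len(t) > 2:
            if_ip[cur] = t[2]               # nameif -> interface address
        elif t[0] == "static":
            statics.append(parse_static(t))
        elif t[0] == "access-list" and t[2:4] == ["extended", "permit"]:
            aces.append(parse_ace(t))
        elif t[0] == "access-group" and t[2:4] == ["in", "interface"]:
            groups[t[4]] = t[1]             # interface name -> ACL applied inbound
    return statics, aces, groups, if_ip


def audit(config):
    """Return 'ERROR ...' / 'WARN ...' strings for the pitfalls discussed in the thread."""
    statics, aces, groups, if_ip = parse(config)
    findings = []
    for s in statics:
        if_addr = if_ip.get(s.mapped_if)
        public = if_addr if s.mapped == "interface" else s.mapped
        if s.mapped == if_addr and s.proto is None:
            findings.append(f"ERROR one-to-one static maps the {s.mapped_if} interface address "
                            f"{public} to {s.real}; use a per-port static with the 'interface' keyword")
        elif s.mapped == if_addr:
            findings.append(f"WARN static for {public}:{s.mport} spells out the {s.mapped_if} "
                            f"interface address instead of using the 'interface' keyword")
        acl = groups.get(s.mapped_if)       # pre-8.3: ACL must permit the MAPPED address/port
        if not any(a.name == acl and (s.proto is None or a.proto in ("ip", s.proto))
                   and a.dst in ("any", public)
                   and (s.mport is None or a.dport in (None, s.mport)) for a in aces):
            findings.append(f"WARN {s.proto or 'ip'} {public}:{s.mport or '*'} is translated but "
                            f"no inbound ACL on {s.mapped_if} permits it")
    real_hosts = {s.real for s in statics}
    for a in aces:
        if a.dst in real_hosts:
            findings.append(f"ERROR ACL {a.name} permits to real address {a.dst}; pre-8.3 inbound "
                            f"ACLs must name the mapped (public) address")
    return findings


if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONFIG)))
```

Run against the constructed sample it reports the .19 static with no ACL entry, the .17:81 static written with the literal interface address, the one-to-one static on .17, and the ACL line that names 10.1.1.12. Pasting a real `show run` in place of SAMPLE_CONFIG works for any 8.0-era box whose statics use `tcp`/`udp` port form or plain one-to-one form; other `static` variants (network statics, `dns` keyword) would need parse_static extended.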

