ASA as Firewall

Answered Question
Apr 8th, 2010

We have an ASA that we use as a VPN and firewall.  There is no router between the ASA and internal networks.  The internet goes through the ASA. We have a web server with the internal IP address 192.168.100.5.   What do we need to setup on the ASA so that the outside world can access our web server 192.168.100.5?  At the same time, we also want to protect the web server from hackers.  Attached is the config.


Please let me know if you need additional information.  Thanks.


Debra

Attachment: 

Correct Answer
Federico Coto F... Thu, 04/08/2010 - 20:41

Hi,


This is the public IP of your web server:  66.27.45.84

This is what you're missing:


access-list 101 permit tcp any host 66.27.45.84 eq www


Federico.

Correct Answer
Jennifer Halim Thu, 04/08/2010 - 21:01

Need to configure access-list to allow the HTTP inbound connection to the web server public ip address.


Currently ACL 101 is applied to the outside interface, so here is what you need to add:


access-list 101 permit tcp any host 66.27.45.84 eq 80


Hope that helps

debra-brown Wed, 04/14/2010 - 14:43

Thanks both of you for your prompt response and information.  Sorry for the late reply.  I was looking for this post.


May I ask you another question?  This web server is also connected to the SQL server (NATTED public IP address 66.27.45.81).  What do I need to do so that the outside users can also access this SQL server via the web server?  Please let me know if you need additional info. Thanks.

Jennifer Halim Wed, 04/14/2010 - 14:49

Can you please elaborate on what do you mean by "the outside users can also access this SQL server via the web server"?


Do you mean, you would like the outside users to directly access the SQL server on TCP/80 (www), ie: the SQL server is also listening on port 80?

debra-brown Wed, 04/14/2010 - 18:41

Halijenn,


Thanks for your question.  That is correct.  I want the SQL server to listen on port 80.  For example, when I click on one of the links on Cisco.com, the Cisco web site would connect to my SQL database in the background.  Then, I see the list of data displayed on my screen.  The web server and the SQL server are on two servers.  I am running Microsoft SQL 2005.  Besides having the SQL database available for outside users, I also want to protect this server from hackers.


Please let me know if my explanation is still not clear.  Thanks.


Debra

Correct Answer
Jennifer Halim Wed, 04/14/2010 - 19:30

Seems like what you are trying to do is as follows:


User browses to web server --> web server retrieves data from sql server --> web server displays the result to the user


If the above is what you are trying to achieve, then you only need to allow TCP/80 connection to web server.

While the web server retrieves data from the sql server, they would communicate internally, so the sql server will post the data retrieval to the web server, and the web server will display the result to the user. There is no need for direct access from the user towards the sql server.

debra-brown Thu, 04/15/2010 - 19:41

Halijenn,


Thanks for your prompt response.   That is exactly what my question was.  You explained it better than I could.  So, you don't need to put any ACLs on the SQL server in this case.


May I ask you another question?  If I have another web server, do I use a different ACL statement?  For example, if my web server's IP address is 66.27.45.85, my ACL statement would be:


access-list 102 permit tcp any host 66.27.45.85 eq 80


Thanks.


Debra
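The thread gives only the single ACL line; a working publish on an ASA of that era also needs the static NAT the ACL refers to and the access-group binding, and it leaves Debra's last question (a second list, 102, for a second server) unanswered. The following is an added example, not configuration from the thread or from any of the posters, written in the pre-8.3 ASA syntax the 2010 ACLs imply. The public addresses 66.27.45.84, 66.27.45.85 and 66.27.45.81 and the internal address 192.168.100.5 come from the thread; the interface names inside/outside, the second server's internal address 192.168.100.6 and the tester source address 203.0.113.10 are assumptions.

```text
! Added example (not the original poster's config). Assumed: interface names
! inside/outside, 192.168.100.6 for the second web server, 203.0.113.10 as a
! constructed outside test address. Pre-8.3 ASA syntax.

! 1. Static NAT: map each public address to its internal host.
!    Without this the ACL entry for 66.27.45.84 matches nothing the ASA can forward.
static (inside,outside) 66.27.45.84 192.168.100.5 netmask 255.255.255.255
static (inside,outside) 66.27.45.85 192.168.100.6 netmask 255.255.255.255

! 2. Inbound ACL. Before 8.3 an ACL on the outside interface matches the PUBLIC
!    (mapped) address, which is why the thread's line names 66.27.45.84; from 8.3
!    onward the same ACL must name the internal (real) address instead.
!    Only TCP/80 is opened. Nothing permits TCP/1433 (or anything else) to the
!    SQL server's public address 66.27.45.81, which is the point of the thread:
!    the web server talks to SQL internally, so the outside never needs to.
access-list 101 extended permit tcp any host 66.27.45.84 eq www
access-list 101 extended permit tcp any host 66.27.45.85 eq www
! explicit deny with logging so probes against 66.27.45.81 show up in syslog
access-list 101 extended deny ip any any log

! 3. An interface takes one ACL per direction. A separate "access-list 102"
!    would do nothing unless it replaced 101 in this command, so the second
!    server is a second line in 101, not a new list.
access-group 101 in interface outside

! 4. Verification from the ASA CLI:
!    packet-tracer input outside tcp 203.0.113.10 40000 66.27.45.84 80     -> ALLOW
!    packet-tracer input outside tcp 203.0.113.10 40000 66.27.45.81 1433   -> DROP (acl-drop)
!    show access-list 101                                                  (hit counts per line)
```

One caveat the thread's own setup implies: with no router between the ASA and the internal network, the web server and the SQL server sit on the same LAN, so their traffic never crosses the ASA and no ACL here can restrict what the web server may do to the SQL server. Protecting the SQL server from a compromised web server means putting the web server on a separate interface (a DMZ) with its own static and ACL, or filtering on the SQL host itself.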
