ASA as Firewall

debra-brown
Level 1

We have an ASA that we use as a VPN and firewall.  There is no router between the ASA and internal networks.  The internet goes through the ASA. We have a web server with the internal IP address 192.168.100.5.   What do we need to set up on the ASA so that the outside world can access our web server 192.168.100.5?  At the same time, we also want to protect the web server from hackers.  Attached is the config.

Please let me know if you need additional information.  Thanks.

Debra


8 Replies

Hi,

This is the public IP of your web server:  66.27.45.84

This is what you're missing:

access-list 101 permit tcp any host 66.27.45.84 eq www

Federico.

Jennifer Halim
Cisco Employee

You need to configure an access-list to allow the inbound HTTP connection to the web server's public IP address.

Currently ACL 101 is applied to the outside interface, so here is what you need to add:

access-list 101 permit tcp any host 66.27.45.84 eq 80

Hope that helps

Thanks both of you for your prompt response and information.  Sorry for the late reply.  I was looking for this post.

May I ask you another question?  This web server is also connected to the SQL server (NATTED public IP address 66.27.45.81).  What do I need to do so that the outside users can also access this SQL server via the web server?  Please let me know if you need additional info. Thanks.

Can you please elaborate on what you mean by "the outside users can also access this SQL server via the web server"?

Do you mean, you would like the outside users to directly access the SQL server on TCP/80 (www), ie: the SQL server is also listening on port 80?

Halijenn,

Thanks for your question.  That is correct.  I want the SQL server to listen to port 80.  For example, when I click on one of the links on Cisco.com, the Cisco web site would connect to my SQL database in the background.  Then, I see the list of data displayed on my screen.  The web server and the SQL server are on two servers.  I am running Microsoft SQL 2005.  Besides having the SQL database available for outside users, I also want to protect this server from hackers.

Please let me know if my explanation is still not clear.  Thanks.

Debra

Seems like what you are trying to do is as follows:

User browses to web server --> web server retrieves data from SQL server --> web server displays the result to the user

If the above is what you are trying to achieve, then you only need to allow TCP/80 connection to web server.

While the web server retrieves data from the SQL server, they communicate internally, so the SQL server returns the data to the web server, and the web server displays the result to the user. There is no need for direct access from the user to the SQL server.
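The point of the two accepted answers is that the outside ACL should expose exactly one flow (TCP/80 to the web server's public address) and nothing to the SQL server, which stays reachable only from the inside. The following is an added example, not code from the thread or from Cisco: a small first-match evaluator for a subset of ASA extended ACL syntax (the `access-list NAME [extended] permit|deny PROTO SRC DST [eq PORT]` form used here, with `any`, `host` and `address subnet-mask` operands and an implicit deny at the end) that lets you check a proposed outside ACL offline before pushing it. The service-name table and the external client address 203.0.113.7 are constructed for the example. One caveat not covered in the thread: from ASA 8.3 onward, interface ACLs match on the real (pre-NAT) address, so on a newer box the entry would name 192.168.100.5 rather than 66.27.45.84.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Small subset of the service names the ASA accepts instead of a port number
# (constructed for this example; the real keyword table is much longer).
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "ftp": 21,
              "ssh": 22, "smtp": 25, "domain": 53}


@dataclass
class AclEntry:
    action: str                     # "permit" or "deny"
    proto: str                      # "tcp", "udp" or "ip"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dst_port: Optional[int]         # None means "any destination port"


def _parse_addr(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse one address operand starting at tokens[i]; return (network, next index)."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # ASA extended ACLs write networks as "address subnet-mask" (not a wildcard mask)
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}"), i + 2


def parse_acl_line(line: str) -> Tuple[str, AclEntry]:
    """Parse 'access-list NAME [extended] permit|deny PROTO SRC DST [eq PORT]'."""
    t = line.split()
    if len(t) < 5 or t[0] != "access-list":
        raise ValueError(f"not an access-list line: {line!r}")
    name, i = t[1], 2
    if t[i] == "extended":
        i += 1
    action, proto = t[i], t[i + 1]
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action {action!r} in {line!r}")
    src, i = _parse_addr(t, i + 2)
    dst, i = _parse_addr(t, i)
    port = None
    if i < len(t) and t[i] == "eq":
        p = t[i + 1]
        port = PORT_NAMES[p] if p in PORT_NAMES else int(p)
    return name, AclEntry(action, proto, src, dst, port)


def evaluate(acl: List[AclEntry], proto: str, src_ip: str, dst_ip: str, dst_port: int) -> str:
    """First matching entry wins; an ACL with no match ends in the ASA's implicit deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for e in acl:
        if e.proto not in ("ip", proto):
            continue
        if src not in e.src or dst not in e.dst:
            continue
        if e.dst_port is not None and e.dst_port != dst_port:
            continue
        return e.action
    return "deny"


# Constructed sample: the two ACL lines from the thread, applied to the outside interface.
OUTSIDE_ACL = [
    parse_acl_line("access-list 101 permit tcp any host 66.27.45.84 eq www")[1],
    parse_acl_line("access-list 101 permit tcp any host 66.27.45.85 eq 80")[1],
]


def check_exposure(acl: List[AclEntry] = OUTSIDE_ACL) -> dict:
    """Flows a reviewer would check: web ports open, SQL server (TCP/1433 or 80) closed."""
    src = "203.0.113.7"   # constructed external client address (TEST-NET-3)
    return {
        "web1_http": evaluate(acl, "tcp", src, "66.27.45.84", 80),
        "web2_http": evaluate(acl, "tcp", src, "66.27.45.85", 80),
        "web1_https": evaluate(acl, "tcp", src, "66.27.45.84", 443),
        "sql_1433": evaluate(acl, "tcp", src, "66.27.45.81", 1433),
        "sql_http": evaluate(acl, "tcp", src, "66.27.45.81", 80),
    }


if __name__ == "__main__":
    for flow, verdict in check_exposure().items():
        print(f"{flow:12s} {verdict}")
```

Running it shows only the two web flows as `permit`; every flow toward 66.27.45.81 falls through to the implicit deny, which is the behaviour the answer above relies on. If a later change adds a line such as `permit ip any any` above these entries, the same check immediately reports the SQL server as exposed, which is why keeping a test like this next to the ACL is worth the few lines.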

Halijenn,

Thanks for your prompt response.   That is exactly what my question was.  You explained it better than I could.  So, you don't need to put any ACLs on the SQL server in this case.

May I ask you another question?  If I have another web server, do I use a different ACL statement?  For example, if my web server's IP address is 66.27.45.85, my ACL statement would be:

access-list 102 permit tcp any host 66.27.45.85 eq 80

Thanks.

Debra

Spot on, you are absolutely correct.
