web server (linux) sits in the DMZ (asa 5520)

Unanswered Question
Jun 28th, 2012

Hi Experts,

I have a web server (Linux) that sits in the DMZ (ASA 5520) segment and this server should be accessible from the internet.

1) How do I make this server accessible via HTTPS over SSL?

2) How do I protect this server from a network and security standpoint?

Thanks,

Jamil

Karsten Iwen Fri, 06/29/2012 - 00:15
User Badges:
  • Purple, 4500 points or more
  • Cisco Designated VIP,

    2017 Firewalling, VPN

The ASA doesn't care if it's HTTPS or anything else. You just allow tcp/443 on the outside ACL and add a static NAT for the server. That's it. The server is now protected in that no other traffic is allowed to it.


The ASA will not protect you from any harm that's coming through the HTTPS connection. If you want your ASA to protect you from that, then you have to decrypt the traffic in front of the ASA, i.e. with an SSL offloader. Or the HTTPS is terminated in a separate DMZ at a reverse proxy, and that proxy sends HTTP to your real server in the original DMZ. Now the ASA can inspect the HTTP from the proxy to your web server.


Another important control is that the ACL on the ASA only permits traffic that's really needed. For example, only DNS and FTP/HTTP to the update server.


For even more security, you could add the AIP-SSM for IPS. In the scenario with the reverse proxy or the SSL offload, the IPS can search the HTTP traffic for known attacks against your server.
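The static NAT plus the two ACLs described above, written out as an added configuration example (not from this thread or from Cisco's documentation). It assumes ASA 8.3 or later NAT syntax, interfaces named `outside` and `dmz`, and placeholder addresses from the RFC 5737 documentation ranges; the DNS and update server addresses are assumptions you would replace with your own.

```cisco
! Added example, ASA 8.3+ syntax. All addresses are placeholders (RFC 5737).
!
! Real (DMZ) address of the web server, with a static one-to-one NAT
! to its public address on the outside interface.
object network WEB_SRV
 host 192.0.2.10
 nat (dmz,outside) static 203.0.113.10
!
! Assumed: an internal DNS resolver and one package/update mirror.
object network DNS_SRV
 host 10.0.0.53
object network UPDATE_SRV
 host 198.51.100.20
!
! Inbound from the internet: only TCP/443 to the web server.
! From 8.3 on, the ACL references the real address (the object),
! not the mapped 203.0.113.10. Everything else is dropped and logged.
access-list OUTSIDE_IN extended permit tcp any object WEB_SRV eq https
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
!
! Outbound from the DMZ: least privilege, as recommended above.
! A "permit ip any any" here would be the weak setting to avoid:
! a compromised server could then reach the inside and the internet freely.
access-list DMZ_OUT extended permit udp object WEB_SRV object DNS_SRV eq domain
access-list DMZ_OUT extended permit tcp object WEB_SRV object UPDATE_SRV eq www
access-list DMZ_OUT extended permit tcp object WEB_SRV object UPDATE_SRV eq ftp
access-list DMZ_OUT extended deny ip any any log
access-group DMZ_OUT in interface dmz
```

The FTP data channel relies on the ftp inspection that the default global policy already applies; check it with `show service-policy inspect ftp`, and watch the logged denies on DMZ_OUT to spot anything the server tries to reach that it should not.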

Ibrahim Jamil Fri, 06/29/2012 - 00:34

Hi Karsten,

Thanks for your reply.

Please, do you have a link which is similar to my case to start with?

Thanks

Karsten Iwen Fri, 06/29/2012 - 01:12

That's the way to find this sort of documentation:

www.cisco.com/go/asa -> select "Configure" (on the right side under "Support"), then choose "Configuration Guides". Depending on your ASA version and your ASDM/CLI preference you find the complete documentation. In the guides go for access control and NAT.

Karsten Iwen Sat, 06/30/2012 - 08:18

Your case is nearly exactly described in the config guide, both for NAT and ACLs. Just give it a try ...
