06-28-2012 11:46 PM - edited 03-11-2019 04:24 PM
Hi Experts
I have a web server (Linux) that sits in the DMZ segment (ASA 5520), and this server should be accessible from the internet.
1) How do I make this server HTTPS-based (access over SSL)?
2) How do I protect this server from a network and security standpoint?
thanks
jamil
06-29-2012 12:15 AM
The ASA doesn't care if it's HTTPS or anything else. You just allow tcp/443 on the outside ACL and add a static NAT for the server. That's it. The server is now protected in that no other traffic is allowed to that server.
The ASA will not protect you from any harm that's coming through the HTTPS connection. If you want your ASA to protect you from that, then you have to decrypt the traffic in front of the ASA, i.e. with an SSL offloader. Or, the HTTPS is terminated in a separate DMZ at a reverse proxy, and that proxy sends HTTP to your real server in the original DMZ. Now the ASA can inspect the HTTP from the proxy to your web server.
Another important control is that the ACL on the ASA only permits traffic that's really needed. For example only DNS and FTP/HTTP to the update-server.
For even more security, you could add the AIP-SSM for IPS. In the scenario with the reverse proxy or the SSL offload, the IPS can search the HTTP traffic for known attacks against your server.
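The ACL and static NAT described in the reply above, written out as an added configuration sketch (ASA 8.3+ syntax; not from Karsten's post or from Cisco's documentation). Interface names, object names and addresses are assumed placeholders from documentation ranges; substitute your own.

```cisco
! Assumed addresses (placeholders): real DMZ server, its public NAT address,
! and the two external hosts the server is allowed to talk to.
object network DMZ-WEB
 host 192.168.10.10
object network DMZ-WEB-PUBLIC
 host 203.0.113.10
object network UPDATE-SERVER
 host 203.0.113.50
object network DNS-SERVER
 host 203.0.113.53

! Static NAT: the DMZ server appears on the outside as DMZ-WEB-PUBLIC.
object network DMZ-WEB
 nat (dmz,outside) static DMZ-WEB-PUBLIC

! Outside ACL: only tcp/443 to the server. In 8.3+ the ACL references the
! real (pre-NAT) address, i.e. the DMZ-WEB object, not the public one.
! Everything else is denied and logged so unexpected probes show up in syslog.
access-list OUTSIDE_IN extended permit tcp any object DMZ-WEB eq 443
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside

! DMZ ACL: the server itself may only reach DNS and the update server
! (FTP control channel; the data channel is handled by the default ftp inspection).
! This limits what a compromised web server could reach outbound.
access-list DMZ_OUT extended permit udp object DMZ-WEB object DNS-SERVER eq 53
access-list DMZ_OUT extended permit tcp object DMZ-WEB object UPDATE-SERVER eq 80
access-list DMZ_OUT extended permit tcp object DMZ-WEB object UPDATE-SERVER eq 21
access-list DMZ_OUT extended deny ip any any log
access-group DMZ_OUT in interface dmz
```

Verify with `show nat` and `packet-tracer input outside tcp 198.51.100.1 12345 203.0.113.10 443`; the ASA still only sees encrypted bytes on port 443, which is the limitation the reply describes.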
06-29-2012 12:34 AM
Hi Karsten
Thanks for your reply.
Please, do you have a link which is similar to my case, to start with?
thanks
06-29-2012 01:12 AM
That's the way to find this sort of documentation:
www.cisco.com/go/asa -> select "Configure" (on the right side under "Support"), then choose "Configuration Guides". Depending on your ASA version and your ASDM/CLI preference, you find the complete documentation. In the guides, go for access control and NAT.
06-29-2012 01:17 AM
I meant a PDF similar to my case.
06-30-2012 08:18 AM
Your case is nearly exactly described in the config guide, both for NAT and ACLs. Just give it a try ...
07-02-2012 11:27 PM
Hi
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080b9b509.shtml
Here is the link for your reference. They are allowing port 25 from outside, and you want 443; this is the difference.
Hope this helps you.