
web server (linux) sits in the DMZ (asa 5520)

Ibrahim Jamil, Level 6

Hi Experts

I have a web server (Linux) that sits in the DMZ (ASA 5520) segment, and this server should be accessible from the internet.

1) How do I make this server HTTPS-based (access over SSL)?

2) How do I protect this server from a network and security standpoint?

thanks

jamil

6 Replies

The ASA doesn't care if it's HTTPS or anything else. You just allow tcp/443 on the outside ACL and add a static NAT for the server. That's it. The server is now protected in that no other traffic is allowed to that server.

The ASA will not protect you from any harm that's coming through the HTTPS connection. If you want your ASA to protect you from that, then you have to decrypt the traffic in front of the ASA, i.e. with an SSL offloader. Or, the HTTPS is terminated in a separate DMZ at a reverse proxy, and that proxy sends HTTP to your real server in the original DMZ. Now the ASA can inspect the HTTP from the proxy to your web server.

Another important control is that the ACL on the ASA only permits traffic that's really needed. For example, only DNS and FTP/HTTP to the update server.

For even more security, you could add the AIP-SSM for IPS. In the scenario with the reverse proxy or the SSL offload, the IPS can search the HTTP traffic for known attacks against your server.
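The configuration the reply above describes (static NAT plus a tcp/443 rule on the outside ACL, a restrictive ACL on the DMZ interface, and the reverse-proxy variant that lets the ASA inspect the proxy-to-server HTTP leg), written out as an added example. This is not configuration from the thread or from the linked Cisco document; it assumes an ASA running pre-8.3 software (the `static`/mapped-address syntax; the 8.3+ object NAT equivalent is shown in comments), the interface names `outside`, `dmz` and `proxydmz`, and constructed addresses: 203.0.113.0/24 as the public range, 192.168.10.10 as the web server, 192.168.20.10 as the reverse proxy, and 203.0.113.53 / 203.0.113.80 as the DNS resolver and HTTP update server. The later reply's point that the linked example opens port 25 where this case needs 443 is the `eq 443` line in the outside ACL.

```cisco
! Added example, not from the thread. ASA 5520, pre-8.3 syntax.
! Constructed addresses: outside 203.0.113.0/24, dmz 192.168.10.0/24,
! web server 192.168.10.10, public address for the service 203.0.113.10.
! The inside interface is omitted; nothing in the DMZ is allowed to reach it.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
!
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 192.168.10.1 255.255.255.0
!
! 1) Static NAT: map the public address one-to-one to the DMZ server.
static (dmz,outside) 203.0.113.10 192.168.10.10 netmask 255.255.255.255
!
! 2) Outside ACL: only TCP/443 to the server. Pre-8.3 ACLs reference the
!    mapped (public) address. The explicit deny only adds logging; the
!    implicit deny at the end of every ACL would drop the traffic anyway.
access-list outside_in extended permit tcp any host 203.0.113.10 eq 443
access-list outside_in extended deny ip any any log
access-group outside_in in interface outside
!
! 3) DMZ ACL: the server may only reach what it needs (a DNS resolver and an
!    HTTP update server, constructed addresses). Applying an ACL on the dmz
!    interface replaces the default security-level behaviour, so everything
!    else the server originates, including traffic towards inside, is dropped
!    and logged. An attacker who compromises the server gains no further reach.
access-list dmz_out extended permit udp host 192.168.10.10 host 203.0.113.53 eq domain
access-list dmz_out extended permit tcp host 192.168.10.10 host 203.0.113.80 eq www
access-list dmz_out extended deny ip any any log
access-group dmz_out in interface dmz
!
! Same NAT and outside rule on ASA 8.3 or later (object NAT; ACLs then use
! the real address, not the mapped one):
! object network dmz-web
!  host 192.168.10.10
!  nat (dmz,outside) static 203.0.113.10
! access-list outside_in extended permit tcp any object dmz-web eq https
!
! --- Variant: reverse proxy in its own DMZ ---------------------------------
! The proxy (constructed address 192.168.20.10) terminates HTTPS and speaks
! plain HTTP to the real server, so the ASA sees cleartext on that leg.
! The public address now maps to the proxy; the earlier static for
! 192.168.10.10 is removed, because the web server no longer needs a public IP.
interface GigabitEthernet0/3
 nameif proxydmz
 security-level 40
 ip address 192.168.20.1 255.255.255.0
!
static (proxydmz,outside) 203.0.113.10 192.168.20.10 netmask 255.255.255.255
!
! The proxy may only open TCP/80 to the real web server, nothing else.
! (proxydmz is lower security than dmz, so this permit is required; no NAT
! is needed between the two DMZs with nat-control at its default of disabled.)
access-list proxydmz_out extended permit tcp host 192.168.20.10 host 192.168.10.10 eq www
access-list proxydmz_out extended deny ip any any log
access-group proxydmz_out in interface proxydmz
!
! HTTP inspection on the proxy-to-server leg: protocol conformance checks on
! the cleartext HTTP, which is what the reply means by "now the ASA can inspect".
class-map proxy_to_web
 match port tcp eq www
policy-map proxydmz_policy
 class proxy_to_web
  inspect http
service-policy proxydmz_policy interface proxydmz
```

Verify the result with `show xlate` (the static translation should be present), `show access-list outside_in` (hit counts on the tcp/443 line once a client connects) and `packet-tracer input outside tcp 198.51.100.7 40000 203.0.113.10 443`, which walks the NAT and ACL phases and shows whether the packet would be allowed; the same `packet-tracer` with port 22 should report a drop at the ACL phase.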

Hi Karsten

Thanks for your reply.

Please, do you have a link which is similar to my case to start with?

thanks

That's the way to find this sort of documentation:

www.cisco.com/go/asa -> select "Configure" (on the right side under "Support"), then choose "Configuration Guides". Depending on your ASA version and your ASDM/CLI preference you find the complete documentation. In the guides go for access control and NAT.

I meant a PDF similar to my case.

Your case is nearly exactly described in the config guide, both for NAT and ACLs. Just give it a try ...

Hi

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080b9b509.shtml

Here is the link for your reference. They are allowing port 25 from outside, and you want 443; this is the difference.

Hope this helps you.
