
ASA 5505 Transparent Firewall with a Web server

Document

Tue, 03/31/2015 - 05:56
Sep 23rd, 2013

Introduction

This document describes the topology a user wants to implement: an ASA running in transparent (Layer 2) mode in front of a web server that keeps its own public IP address.

Problem

The simple illustration is: Internet ----> Transparent Firewall ----> Web Server (with public IP address)

  • There must be no NAT.
  • The web server must keep its public IP address and be reachable from the Internet.
  • Individual ports must be blockable and re-openable as required.

Solution

This is a minimal configuration for that requirement (it was run on an ASA 5520; the interface names will differ on other models, but the transparent-mode commands are the same).

!
firewall transparent
!
interface GigabitEthernet0
 description --- Connected to the Internet ---
 nameif outside
 bridge-group 1
 security-level 0
!
interface GigabitEthernet3
 description --- Connected to LAN ---
 nameif inside
 bridge-group 1
 security-level 100
!
interface BVI1
 description --- For Management only ---
 ip address 10.1.10.1 255.255.255.0
!
object network WWW-SERVER-OBJ
 description --- The WEB server ---
 host 123.123.123.123
!
object-group service WWW-SERVER-SERVICES-TCP-OBJ tcp
 description --- TCP services published on the WEB server ---
 port-object eq www
 port-object eq https
 port-object eq 1812
 port-object eq 1813
 port-object eq 1845
 port-object eq 1846
 port-object eq 3799
 port-object eq 10100
 port-object eq 10200
 port-object eq 10300
 port-object eq 20235
!
object-group service WWW-SERVER-SERVICES-UDP-OBJ udp
 description --- UDP services published on the WEB server ---
 port-object eq 1812
 port-object eq 1813
 port-object eq 1845
 port-object eq 1846
 port-object eq 3799
 port-object eq 10100
 port-object eq 10200
 port-object eq 10300
 port-object eq 20235
!
access-list OUTSIDE-IN-ACL extended permit tcp any object WWW-SERVER-OBJ object-group WWW-SERVER-SERVICES-TCP-OBJ
access-list OUTSIDE-IN-ACL extended permit udp any object WWW-SERVER-OBJ object-group WWW-SERVER-SERVICES-UDP-OBJ
!
access-group OUTSIDE-IN-ACL in interface outside
!

(The original TCP group listed `eq 80` and `eq 443` next to `eq www` and `eq https`; those are the same ports, so the numeric duplicates are dropped here.)

Two points to keep in mind with this configuration. The BVI1 address only manages the ASA and sources the traffic the ASA itself generates; Cisco requires the bridge-group management address to be on the same subnet as the network bridged between inside and outside, so 10.1.10.1 only works if that is the bridged subnet (otherwise use the dedicated management interface). The access list is applied inbound on outside only: traffic from inside (security-level 100) to outside (0) is allowed by default, and the replies to connections permitted by OUTSIDE-IN-ACL are allowed by the stateful connection table, so no second ACL is needed for the server's return traffic.

To allow a single public IP address xxx.yyy.zzz.xyz to connect to the inside server on TCP port 3306:

access-list OUTSIDE-IN-ACL extended permit tcp host xxx.yyy.zzz.xyz object WWW-SERVER-OBJ eq 3306

By default every port is closed: the access list ends with an implicit deny, so only the ports explicitly permitted above are reachable from the outside. Entries added without a `line` number are appended at the end of the list.

If you still want an explicit rule that blocks TCP port 25 from anywhere to anywhere, insert it at the top so it is evaluated before the permit entries (the ASA evaluates an ACL top-down and the first match wins):

access-list OUTSIDE-IN-ACL line 1 deny tcp any any eq 25
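As an added check of the policy above (example code written for this page, not Cisco's and not from the original post), here is a small Python model that parses the `object`, `object-group` and `access-list` lines used here, applies first-match evaluation with the implicit final deny, and reports which outside-to-server flows are permitted, including the effect of the `line 1` insertion. It assumes a shortened port list and uses 203.0.113.10 as a stand-in for the xxx.yyy.zzz.xyz placeholder.

```python
"""Offline first-match check of the page's ASA access-list (added example;
not Cisco code and not from the original post). It parses only the syntax the
page uses and applies first-match evaluation with the implicit final deny.
Assumed: CONFIG is constructed from the page with a shortened port list, and
203.0.113.10 stands in for the page's xxx.yyy.zzz.xyz placeholder."""
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "smtp": 25}  # ASA keywords used here


def port_of(tok):
    return PORT_NAMES.get(tok) or int(tok)


class AsaPolicy:
    def __init__(self):
        # _cur is the name of the object or group currently being defined
        self.net_objects, self.svc_groups, self.acls, self._cur = {}, {}, {}, None

    def load(self, text):
        for raw in text.splitlines():
            line = raw.strip()
            if not line or line[0] == "!" or line.startswith("description"):
                continue
            t = line.split()
            if t[:2] == ["object", "network"]:
                self._cur = t[2]
            elif t[:2] == ["object-group", "service"]:
                self.svc_groups[t[2]] = (t[3], set())  # (protocol, ports)
                self._cur = t[2]
            elif t[0] == "host":
                self.net_objects[self._cur] = ipaddress.ip_network(t[1])
            elif t[0] == "port-object":
                self.svc_groups[self._cur][1].add(port_of(t[2]))
            elif t[0] == "access-list":
                self._add_rule(t[1:])
            else:
                raise ValueError("unsupported line: " + line)
        return self

    def _addr(self, t):
        kind = t.pop(0)
        if kind == "any":
            return ANY
        if kind == "host":
            return ipaddress.ip_network(t.pop(0))
        if kind == "object":
            return self.net_objects[t.pop(0)]
        raise ValueError("unsupported address form: " + kind)

    def _add_rule(self, t):
        name, pos = t.pop(0), None      # pos None = append at the end
        if t[0] == "line":              # `line N` inserts before entry N
            pos, t = int(t[1]) - 1, t[2:]
        if t[0] == "extended":          # optional keyword; the ASA infers it
            t.pop(0)
        action, proto = t.pop(0), t.pop(0)
        src, dst = self._addr(t), self._addr(t)
        ports = None                    # None = any destination port
        if t and t[0] == "eq":
            ports = {port_of(t[1])}
        elif t and t[0] == "object-group":
            ports = self.svc_groups[t[1]][1]
        rules = self.acls.setdefault(name, [])
        rules.insert(len(rules) if pos is None else pos,
                     {"action": action, "proto": proto, "src": src, "dst": dst, "ports": ports})

    def permits(self, acl, proto, src, dst, dport):
        """First matching entry decides; no match means the implicit deny."""
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for r in self.acls.get(acl, []):
            if r["proto"] != proto or s not in r["src"] or d not in r["dst"]:
                continue
            if r["ports"] is not None and dport not in r["ports"]:
                continue
            return r["action"] == "permit"
        return False


# Constructed from the page's configuration; port lists shortened, 203.0.113.10 assumed.
CONFIG = """
object network WWW-SERVER-OBJ
 host 123.123.123.123
object-group service WWW-SERVER-SERVICES-TCP-OBJ tcp
 port-object eq www
 port-object eq https
object-group service WWW-SERVER-SERVICES-UDP-OBJ udp
 port-object eq 1812
access-list OUTSIDE-IN-ACL extended permit tcp any object WWW-SERVER-OBJ object-group WWW-SERVER-SERVICES-TCP-OBJ
access-list OUTSIDE-IN-ACL extended permit udp any object WWW-SERVER-OBJ object-group WWW-SERVER-SERVICES-UDP-OBJ
access-list OUTSIDE-IN-ACL extended permit tcp host 203.0.113.10 object WWW-SERVER-OBJ eq 3306
access-list OUTSIDE-IN-ACL line 1 deny tcp any any eq 25
"""


def build_policy():
    return AsaPolicy().load(CONFIG)


def check_samples():
    # A few outside-to-server flows; result keys read proto/src/dport.
    p, web, acl = build_policy(), "123.123.123.123", "OUTSIDE-IN-ACL"
    flows = [("tcp", "198.51.100.7", 80), ("udp", "198.51.100.7", 80),
             ("udp", "198.51.100.7", 1812), ("tcp", "198.51.100.7", 25),
             ("tcp", "203.0.113.10", 3306), ("tcp", "198.51.100.7", 3306)]
    return {f"{pr}/{s}/{dp}": p.permits(acl, pr, s, web, dp) for pr, s, dp in flows}
```

`check_samples()` shows the policy as intended: TCP 80 and UDP 1812 to the server are permitted, UDP 80 and TCP 3306 from an arbitrary host are dropped by the implicit deny, TCP 3306 from 203.0.113.10 is permitted by the host rule, and TCP 25 hits the explicit deny that `line 1` placed ahead of the permits. On the real ASA the equivalent check is `packet-tracer input outside tcp 198.51.100.7 12345 123.123.123.123 80`, which also shows which ACL entry made the decision.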

Source Discussion

ASA 5505 Transparent Firewall with a Web server Question
