Anim Saxena
Introduction

This document describes a transparent-firewall topology that a user wants to implement on a Cisco ASA: the firewall bridges the Internet-facing and server-facing segments at layer 2 and filters traffic to a web server that keeps its public IP address.

Problem

The simple illustration is: Internet ----> Transparent Firewall ----> Web Server (with a public IP address)

  • There must be no NAT.
  • The web server must keep its public IP address and be reachable from the Internet.
  • Individual ports must be blockable and re-openable on the firewall.

Solution

The following minimal configuration meets these requirements (it was run on an ASA 5520). Because the outside interface is at security-level 0 and the inside at 100, traffic from the Internet toward the server is dropped unless OUTSIDE-IN-ACL permits it, while connections the server initiates outbound are allowed and their return traffic is handled by the stateful inspection. The BVI address is used only for management; the ASA requires it to be on the same subnet as the bridged network, so 10.1.10.1/24 only works if that private subnet is actually present on the segment between the router and the web server, otherwise use an address from the public subnet.

!
firewall transparent
!
interface GigabitEthernet0
 description --- Connected to the Internet ---
 nameif outside
 bridge-group 1
 security-level 0
!
interface GigabitEthernet3
 description --- Connected to LAN ---
 nameif inside
 bridge-group 1
 security-level 100
!
interface BVI1
 description --- For Management only ---
 ip address 10.1.10.1 255.255.255.0
!
object network WWW-SERVER-OBJ
 description --- The WEB server ---
 host 123.123.123.123
!
! www and https are the ASA keywords for TCP 80 and 443; the ASA stores
! the numeric form under the keyword, so listing 80 and 443 again would
! only duplicate these two entries.
object-group service WWW-SERVER-SERVICES-TCP-OBJ tcp
 description --- Services published on WEB server ---
 port-object eq www
 port-object eq https
 port-object eq 1812
 port-object eq 1813
 port-object eq 1845
 port-object eq 1846
 port-object eq 3799
 port-object eq 10100
 port-object eq 10200
 port-object eq 10300
 port-object eq 20235
!
object-group service WWW-SERVER-SERVICES-UDP-OBJ udp
 description --- UDP services published on WEB server ---
 port-object eq 1812
 port-object eq 1813
 port-object eq 1845
 port-object eq 1846
 port-object eq 3799
 port-object eq 10100
 port-object eq 10200
 port-object eq 10300
 port-object eq 20235
!
access-list OUTSIDE-IN-ACL extended permit tcp any object WWW-SERVER-OBJ object-group WWW-SERVER-SERVICES-TCP-OBJ
access-list OUTSIDE-IN-ACL extended permit udp any object WWW-SERVER-OBJ object-group WWW-SERVER-SERVICES-UDP-OBJ
!
access-group OUTSIDE-IN-ACL in interface outside

 

To allow a single public address xxx.yyy.zzz.xyz to connect to the inside server on TCP port 3306:

access-list OUTSIDE-IN-ACL extended permit tcp host xxx.yyy.zzz.xyz object WWW-SERVER-OBJ eq 3306

By default every port is closed: OUTSIDE-IN-ACL ends with an implicit deny, so traffic from the outside (security-level 0) to the inside (security-level 100) reaches the server only on the ports an ACE explicitly permits.

If you nonetheless want an explicit rule that blocks TCP port 25 from anywhere to anywhere, insert it at line 1 so it is evaluated before every permit, including any appended later:

access-list OUTSIDE-IN-ACL line 1 extended deny tcp any any eq 25
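The ACL behaviour described above (first-match evaluation, the implicit deny at the end, the single-host 3306 exception and the `line 1` deny) modelled offline, as an added example that is not Cisco code and was not part of the original page. It transcribes the page's objects as Python data, parses the page's own `access-list` lines, and for each test flow also builds the `packet-tracer` command that confirms the same verdict on the ASA itself. The source address 198.51.100.7 stands in for the page's elided xxx.yyy.zzz.xyz, and the client address 203.0.113.9 is constructed.

```python
"""Offline model of the page's OUTSIDE-IN-ACL (added example; not ASA code).

Implements only what the page relies on: first-match evaluation, the
implicit deny at the end of every ASA ACL, `line N` insertion, per-protocol
port objects, and the ASA keywords www/https/smtp for ports 80/443/25.
"""
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, NamedTuple, Optional, Tuple

# ASA port keywords used on the page (the ASA stores 80 as www, 443 as https).
PORT_NAMES = {"www": 80, "https": 443, "smtp": 25}

# The page's objects, transcribed as data.
NETWORK_OBJECTS = {"WWW-SERVER-OBJ": ip_network("123.123.123.123/32")}
SERVICE_GROUPS = {
    "WWW-SERVER-SERVICES-TCP-OBJ": {80, 443, 1812, 1813, 1845, 1846, 3799,
                                    10100, 10200, 10300, 20235},
    "WWW-SERVER-SERVICES-UDP-OBJ": {1812, 1813, 1845, 1846, 3799,
                                    10100, 10200, 10300, 20235},
}
ANY = ip_network("0.0.0.0/0")


class Ace(NamedTuple):
    action: str                  # "permit" or "deny"
    proto: str                   # "tcp" or "udp"
    src: IPv4Network
    dst: IPv4Network
    dports: Optional[frozenset]  # None means any destination port


def _address(tokens: List[str]) -> Tuple[IPv4Network, List[str]]:
    """Consume one address spec (any | host A | object NAME)."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return ip_network(tokens[1] + "/32"), tokens[2:]
    if tokens[0] == "object":
        return NETWORK_OBJECTS[tokens[1]], tokens[2:]
    raise ValueError("unsupported address spec: %r" % tokens)


def _ports(tokens: List[str]) -> Optional[frozenset]:
    """Consume an optional port spec (eq P | object-group NAME)."""
    if not tokens:
        return None
    if tokens[0] == "eq":
        return frozenset({PORT_NAMES.get(tokens[1]) or int(tokens[1])})
    if tokens[0] == "object-group":
        return frozenset(SERVICE_GROUPS[tokens[1]])
    raise ValueError("unsupported port spec: %r" % tokens)


def parse_ace(line: str) -> Tuple[Optional[int], Ace]:
    """Parse `access-list NAME [line N] [extended] permit|deny proto src dst [ports]`."""
    t = line.split()
    if t[0] != "access-list":
        raise ValueError("not an access-list line: " + line)
    t = t[2:]
    pos = None
    if t[0] == "line":
        pos, t = int(t[1]), t[2:]
    if t[0] == "extended":
        t = t[1:]
    action, proto, t = t[0], t[1], t[2:]
    src, t = _address(t)
    dst, t = _address(t)
    return pos, Ace(action, proto, src, dst, _ports(t))


def build_acl(lines: List[str]) -> List[Ace]:
    """Apply lines in order; `line N` inserts at 1-based position N, else append."""
    acl: List[Ace] = []
    for line in lines:
        pos, ace = parse_ace(line)
        acl.insert(len(acl) if pos is None else pos - 1, ace)
    return acl


def evaluate(acl: List[Ace], proto: str, src: str, dst: str, dport: int) -> str:
    """First matching ACE wins; no match is the ASA's implicit deny."""
    s, d = ip_address(src), ip_address(dst)
    for ace in acl:
        if (ace.proto == proto and s in ace.src and d in ace.dst
                and (ace.dports is None or dport in ace.dports)):
            return ace.action
    return "deny"


def packet_tracer(proto: str, src: str, dst: str, dport: int, sport: int = 40000) -> str:
    """The ASA command that checks the same flow on the real box."""
    return "packet-tracer input outside %s %s %d %s %d" % (proto, src, sport, dst, dport)


# The page's ACEs; 198.51.100.7 stands in for the elided xxx.yyy.zzz.xyz.
PAGE_ACL = build_acl([
    "access-list OUTSIDE-IN-ACL extended permit tcp any object WWW-SERVER-OBJ object-group WWW-SERVER-SERVICES-TCP-OBJ",
    "access-list OUTSIDE-IN-ACL extended permit udp any object WWW-SERVER-OBJ object-group WWW-SERVER-SERVICES-UDP-OBJ",
    "access-list OUTSIDE-IN-ACL extended permit tcp host 198.51.100.7 object WWW-SERVER-OBJ eq 3306",
    "access-list OUTSIDE-IN-ACL line 1 extended deny tcp any any eq 25",
])

if __name__ == "__main__":
    # Constructed test flows; 203.0.113.9 is an arbitrary Internet client.
    flows = [("tcp", "203.0.113.9", "123.123.123.123", 80),
             ("udp", "203.0.113.9", "123.123.123.123", 80),
             ("tcp", "203.0.113.9", "123.123.123.123", 3306),
             ("tcp", "198.51.100.7", "123.123.123.123", 3306),
             ("tcp", "203.0.113.9", "123.123.123.123", 25)]
    for flow in flows:
        print("%-6s  %s" % (evaluate(PAGE_ACL, *flow), packet_tracer(*flow)))
```

Run it with python3 and compare each verdict with the output of the printed packet-tracer command on the ASA; if the two disagree, `show access-list OUTSIDE-IN-ACL` shows the ACE order and hit counts the firewall is actually using. The model deliberately ignores anything the page does not use (ranges, `ip` protocol, EtherType ACLs), so extend `_ports` and `_address` before trusting it with a larger policy.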

Source Discussion

ASA 5505 Transparent Firewall with a Web server Question
