Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Access Web Server at Internet

Hi Jcarvaja all :

I have a doubt to confirm on below situation :

There is web server at the internet. The firewall ASA5505 is located at the inside edge of the edge router and the internet is at the outside edge router of the edge router. The router has already been configured can route the outside network of firewall to internet.

The information of the IP address is as below :

Inside edge of the edge router : 192.168.20.2/24

Outside Network of Firewall ASA5505 : 192.168.20.0/24 with security level of 20

Outside Interface of the Firewall ASA5505 : 192.168.20.1/24

DMZ Network of the Firewall ASA5505 : 192.168.50.0/24 with secutity level of 50

Host at the DMZ : 192.168.50.10/24 with defination with the name of DMZ_Host

Static Mapped address of the Host at the DMZ to Outside Network: 192.168.20.10/24

1. I have a host at the DMZ zone of firewall and if it wants to access this web server by http, the following command lines to be added to ASA5505 good enough and anything wrong with them?

access-list Outside_DMZ extended permit ip 192.168.20.0 255.255.255.0 192.168.50.0 --> allow outside to access dmz

access-list Outside_DMZ exteneded permit tcp host Web_server host DMZ_Host eq 80 --> allow web server to access dmz host

static (dmz,outside) 192.168.20.10 192.168.50.10 netmask 255.255.255.255 --> static mapped the dmz host to outside mapped address

route outside 0.0.0.0 0.0.0.0 192.168.20.2  --> static route of dmz network to internet

access-group Outside_DMZ in interface Outside --> applied the access list to firewall outside interface

2.I have a doubt here that do I need to add any command line related to the Static Mapped address of 192.168.20.10/24 like below?

access-list Outside_DMZ extend permit tcp any 192.168.20.10 255.255.255.0 eq 80

whereby the 192.168.20.10 is the static mapped address of the Host at the DMZ to Outside Nertwork. Or, any other command related with the Static Mapped address have to be added?

thanks and regards,

tangsuan

1 ACCEPTED SOLUTION

Accepted Solutions

Access Web Server at Internet

Hello Tang,

Not at all, as the ASA knows by his nat table that the ip address 192.168.20.10 is 192.168.50.10...

So as soon as the ASA receives a packet on the outside going to 20.10 it will know that it is intended to go to 50.10.

On this version you are running Nat is seeing after the ACL so you need to create the ACL pointing the public Ip address.

Rate helpful posts!

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
5 REPLIES

Access Web Server at Internet

Hello Tangsuan,

If you want to allow access from the outside server to the DMZ host on port 80 tcp( 192.168.50.10 nated on the outside to 192.168.20.10) you only need the following:

static (dmz,outside) 192.168.20.10 192.168.50.10

access-list Outside_DMZ exteneded permit tcp host Web_server host DMZ_Host eq 80

access-group Outside_DMZ in interface Outside


If you add the following:
access-list Outside_DMZ extend permit tcp any 192.168.20.10 255.255.255.0 eq 80

It could be a security thread as you will be allowing connection to the server on the DMZ from any on the outside unless this is what you are looking for ( access the server from anywhere on the outside)

Regards,

Julio

Rate helpful posts!

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
New Member

Access Web Server at Internet

Hi Jcarvaja :

Thanks for your reply!

OK, I got the explanation of the thread, thanks!

I have doubt as below :

If below command :

access-list Outside_DMZ extended permit ip 192.168.20.0 255.255.255.0 192.168.50.0

is not added in, can the Web_server still able to access to the DMZ_Host? This is because in my understanding that the Web_server with public IP address will only route to the outside network of the firewall by the edge router.

Is it a need to add the above command so that firewall can allow the routed IP of this Web_server to access to the DMZ-Host?

thanks and regards,

tangsuan

Access Web Server at Internet

Hello Tang,

Not at all, as the ASA knows by his nat table that the ip address 192.168.20.10 is 192.168.50.10...

So as soon as the ASA receives a packet on the outside going to 20.10 it will know that it is intended to go to 50.10.

On this version you are running Nat is seeing after the ACL so you need to create the ACL pointing the public Ip address.

Rate helpful posts!

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
New Member

Access Web Server at Internet

Hi Jcarvaja :

Thanks for your answer.

You help a lot on all my questions.

This case will be closed as you already provided the correct answer.

regards,

tangsuan

Access Web Server at Internet

Hello Tang,

Not a problem! Just let me know if you have any other questions.

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
301
Views
0
Helpful
5
Replies
CreatePlease login to create content