Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

Accessing webserver behind an ASA 5505 (newbie)

Hi,

I have not been able to figure out how to setup PAT/ACLs or anything else to get an outside web browser to hit my webserver.

Setup:

cable modem -> ASA 5505 -> PC

-> webserver

I'd like everyone on the outside to be able to hit the webserver. I've tried all kinds of different security policies with no luck.

I must not understand the policies and NAT/PAT stuff very well.

Coming from an old Linksys router you told it what port to watch for and then forward it to a host on the inside. The ASA seems MUCH more complicated than that...

Public IP: 1.1.1.1

Inside IP: 192.168.1.1

Look for the general rules that set this access up. I'll try to use the CLI if you can show the actual commands, otherwise I'm fumbling around in the GUI.

Any help would be appreciated.

1 ACCEPTED SOLUTION

Accepted Solutions
Green

Re: Accessing webserver behind an ASA 5505 (newbie)

It's more complicated for good reason.

In it's simplest form, these commands will do the trick.

static (inside,outside) interface netmask 255.255.255.255

access-list outside_access_in permit tcp any interface outside eq 80

access-group outside_access_in in interface outside

This is if you are using the outside interface ip of your ASA to access the webserver.

You can also do this which would allow you to use the outside interface ip for other services to other servers...

static (inside,outside) tcp interface 80 80 netmask 255.255.255.255

4 REPLIES
Green

Re: Accessing webserver behind an ASA 5505 (newbie)

It's more complicated for good reason.

In it's simplest form, these commands will do the trick.

static (inside,outside) interface netmask 255.255.255.255

access-list outside_access_in permit tcp any interface outside eq 80

access-group outside_access_in in interface outside

This is if you are using the outside interface ip of your ASA to access the webserver.

You can also do this which would allow you to use the outside interface ip for other services to other servers...

static (inside,outside) tcp interface 80 80 netmask 255.255.255.255

New Member

Re: Accessing webserver behind an ASA 5505 (newbie)

Thank you!

I see where I went wrong... I was setting the source port to 80.

Hall of Fame Super Blue

Re: Accessing webserver behind an ASA 5505 (newbie)

Hi

What is the private IP address of the web server and what is the public IP address you want to present it as eg.

if private IP = 192.168.5.1

public IP = 217.22.1.10

then config would be

static (inside,outside) 217.22.1.10 192.168.5.1 netmask 255.255.255.255

access-list acl_inbound permit tcp any host 217.22.1.10 eq 80

access-group acl_inbound in interface outside

HTH

Jon

New Member

Re: Accessing webserver behind an ASA 5505 (newbie)

Here are the commands:

static (inside,outside) 1.1.1.1 192.168.1.1

access-list aclout permit tcp any host 1.1.1.1 eq 80

access-group aclout in interface outside

In case 1.1.1.1 is the IP address of the outside interface of ASA, then here are the commands:

static (inside,outside) tcp interface 80 192.168.1.1 80

access-list aclout permit tcp any interface outside eq 80

access-group aclout in interface outside

1300
Views
5
Helpful
4
Replies
CreatePlease to create content