ASA 5505 without Security Plus license, setting up DMZ and/or server access

emillerpdx
Level 1

Hi all --

A brief rundown of what I'm trying to do: An ASA 5505 without the security license sits in front of our office network. We have a block of five IPs from our ISP.

We need to allow relatively liberal access from outside to one server via three of the IP addresses.

We also need to eventually provide restricted access to one server on the inside network.

For now, since we don't have the security plus license, I've put the 3 IP server on the inside network and have tried to allow traffic to that box (see attached rule) but haven't been successful.

If anyone sees obvious issues with how I'm trying to set this up, or has suggestions on a more appropriate approach, your help would be appreciated.

I'm not a networking/router guy so I'm hoping that someone can point me in the right direction here. Thanks!

5 Replies

Collin Clark
VIP Alumni

I don't use the GUI, but I can tell you the CLI configuration. You can paste these in via ASDM though.

static (inside,outside) tcp public_ip 80 private_ip 80 netmask 255.255.255.255

Then you will need to allow the port in your ACL that is applied to your outside interface.

access-list outside_access ext permit tcp any host public_ip eq 80

These statements allow HTTP traffic, so you'll need to change them to fit your application.

Hope that helps.

Thanks for the tips! I'll give it a shot.

Just to make sure I understand this, it looks like they'd allow port 80 traffic on any inbound IP to pass through to a machine on the inside VLAN. If I want to restrict it to certain IPs bound to certain internal machines, I'd need to do additional rules...

Eric

You can alter the ACL. Let's say you only want the address of 75.50.95.72 to access the webserver. The ACL would look like this:

access-list outside_access ext permit tcp host 75.50.95.72 host public_ip eq 80

If I'm understanding that ACL rule, it means "allow requests to 75.50.95.72:80 from outside".

Or I could read it as meaning "allow requests from 75.50.95.72 to pass through on port 80 to whatever machine on the inside VLAN it wants."

Thanks for the clarification, I'm still wrapping my head around ACLs...

Think of it this way. The static creates the road for travel. In this case we build a road from the public IP to the private IP on interstate (port) 80. Now we add the ACL, which is the cops on the road. In the previous example, the cops only allow 75.50.95.72 to get on the road to travel to the inside IP.

The static does not allow access to all servers on the inside, just the one in the static command. The ACL reading always has source IP first, then destination IP, followed by the port.
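As an added illustration of the reading rule in the reply above (source address first, then destination, then port), not code from the thread or from Cisco: a small Python matcher that parses ASA-style extended ACL lines and evaluates a flow against them, with the ASA's implicit deny at the end. The thread's "public_ip" is a placeholder; 203.0.113.10 (documentation range) stands in for it here, and source-port operators are not handled.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the restricted ACL from the thread, with a stand-in public IP.
PUBLIC_IP = "203.0.113.10"
ACL_LINES = [
    f"access-list outside_access ext permit tcp host 75.50.95.72 host {PUBLIC_IP} eq 80",
]

@dataclass
class Ace:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    port: Optional[int]   # destination port from "eq N", or None for any port

def _parse_addr(tokens, i):
    """Consume one ASA address spec at tokens[i]; return (network, next_index)."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # "a.b.c.d m.m.m.m" form: address followed by a dotted subnet mask
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False), i + 2

def parse_ace(line):
    """Parse: access-list NAME extended|ext ACTION PROTO SRC DST [eq PORT]."""
    tokens = line.split()
    if tokens[2] in ("extended", "ext"):
        del tokens[2]
    action, proto = tokens[2], tokens[3]
    src, i = _parse_addr(tokens, 4)          # source comes first...
    dst, i = _parse_addr(tokens, i)          # ...then destination...
    port = int(tokens[i + 1]) if i < len(tokens) and tokens[i] == "eq" else None  # ...then port
    return Ace(action, proto, src, dst, port)

def is_permitted(acl_lines, proto, src_ip, dst_ip, dst_port):
    """First matching entry wins; an ASA ACL ends with an implicit deny."""
    for ace in map(parse_ace, acl_lines):
        if ace.proto not in (proto, "ip"):
            continue
        if (ipaddress.ip_address(src_ip) in ace.src
                and ipaddress.ip_address(dst_ip) in ace.dst
                and (ace.port is None or ace.port == dst_port)):
            return ace.action == "permit"
    return False
```

Running the thread's example flows through it shows which of the two readings is correct: only 75.50.95.72 reaching the static's public IP on port 80 is permitted; the same host to another public IP, or another host to the same IP, falls through to the implicit deny.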
