07-01-2009 09:24 AM - edited 03-11-2019 08:49 AM
Hi all --
A brief rundown of what I'm trying to do: An ASA 5505 without the security license sits in front of our office network. We have a block of five IPs from our ISP.
We need to allow relatively liberal access from outside to one server via three of the IP addresses.
We also need to eventually provide restricted access to one server on the inside network.
For now, since we don't have the security plus license, I've put the 3 IP server on the inside network and have tried to allow traffic to that box (see attached rule) but haven't been successful.
If anyone sees obvious issues with how I'm trying to set this up, or has suggestions on a more appropriate approach, your help would be appreciated.
I'm not a networking/router guy so I'm hoping that someone can point me in the right direction here. Thanks!
07-01-2009 11:16 AM
I don't use the GUI, but I can tell you the CLI configuration. You can paste these in via ASDM though.
static (inside,outside) tcp public_ip 80 private_ip 80 netmask 255.255.255.255
Then you will need to allow the port in your ACL that is applied to your outside interface.
access-list outside_access ext permit tcp any host public_ip eq 80
These statements allow HTTP traffic, so you'll need to change them to fit your application.
Hope that helps.
07-02-2009 08:06 AM
Thanks for the tips! I'll give it a shot.
Just to make sure I understand this, it looks like they'd allow port 80 traffic on any inbound IP to pass through to a machine on the inside VLAN. If I want to restrict it to certain IPs bound to certain internal machines, I'd need to do additional rules...
Eric
07-02-2009 08:08 AM
You can alter the ACL. Let's say you only want the address of 75.50.95.72 to access the webserver. The ACL would look like this-
access-list outside_access ext permit tcp host 75.50.95.72 host public_ip eq 80
07-02-2009 08:14 AM
If I'm understanding that ACL rule, it means "allow requests to 75.50.95.72:80 from outside".
Or I could read it as meaning "allow requests from 75.50.95.72 to pass through on port 80 to whatever machine on the inside VLAN it wants."
Thanks for the clarification, I'm still wrapping my head around ACLs...
07-02-2009 08:21 AM
Think of it this way. The static creates the road for travel. In this case we build a road from the public IP to the private IP on interstate (port) 80. Now we add the ACL which is the cops on the road. In the previous example, the cops only allow 75.50.95.72 to get on the road to travel to the inside IP.
The static does not allow access to all servers on the inside, just the one in the static command. The ACL reading always has source IP first, then destination IP, followed by the port.
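The complete configuration the replies above describe, written out as an added example (not part of any post in the thread): the static translation, the ACL in both its open and its source-restricted form, the access-group line that actually applies the ACL to the outside interface, and the commands used to check the result. The addresses 203.0.113.10 (one of the five ISP addresses) and 192.168.1.10 (the web server on the inside VLAN) are placeholders assumed for illustration; 75.50.95.72 is the trusted source used in the thread. The syntax is the pre-8.3 ASA syntax used in the replies.

```text
! Placeholders (assumed, not from the thread):
!   203.0.113.10 = one of the five public addresses from the ISP
!   192.168.1.10 = the web server on the inside VLAN
! Port-level static: public 203.0.113.10:80 <-> private 192.168.1.10:80 (ASA 8.2 and earlier)
static (inside,outside) tcp 203.0.113.10 80 192.168.1.10 80 netmask 255.255.255.255

! Open form: any source on the Internet may reach the web server on port 80
access-list outside_access extended permit tcp any host 203.0.113.10 eq 80

! Restricted form: only 75.50.95.72 may reach it; use this line INSTEAD of the one above
! access-list outside_access extended permit tcp host 75.50.95.72 host 203.0.113.10 eq 80

! Without this line the ACL exists but filters nothing on the outside interface
access-group outside_access in interface outside

! Checks: the translation is present, a packet from the trusted source is allowed,
! and (with the restricted form) a packet from any other source is dropped by the ACL
show xlate
packet-tracer input outside tcp 75.50.95.72 40000 203.0.113.10 80
packet-tracer input outside tcp 198.51.100.5 40000 203.0.113.10 80
```

Two caveats worth keeping in mind when pasting this in. The ACL is read source first, then destination, then port, so the restricted entry means "from 75.50.95.72, to 203.0.113.10, on TCP port 80" and nothing else; with an implicit deny at the end, any other source is dropped. Second, from ASA 8.3 onward the NAT syntax changed to object NAT and ACLs on the outside interface are written against the real (private) address rather than the public one, so on a newer image the static line and the destination in the ACL would both need to be rewritten.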