ASA5505 Question

New to the ASA series. I am installing a 5505 later today. Company has two buildings connected via fiber. ASA will go behind the router and into a switch connecting the two.

Main goal is to protect an iSeries webserver on their internal network. Inside interface is configured with internal network of 172.20.x.x. Outside with static from ISP, 209.143.x.x.

Being new to this, I'm assuming I need an access rule to allow traffic from the WAN to the iSeries box. My current rule is set up like this.

outside, incoming, permit, any (0.0.0.0) to 172.20.x.x (IP of iSeries). Protocol is TCP, service on source = any, service on destination = http/www.

My question is, is this correct? Any help would be appreciated.

2 REPLIES

Re: ASA5505 Question

For permitting traffic from outside to inside you need two things: one is your access-list statement and the other is your NAT statement.

Ideally, I guess you should be looking at port forwarding.

So your statements could be.

access-list outside_inside extended permit tcp any host 209.143.x.x eq www

and your NAT statement would be

static (inside,outside) tcp interface www 172.20.x.x www netmask 255.255.255.255

Assuming your interface ip is 209.143.x.x.

HTH

Hoogen

Do rate if you find this post useful :)


Re: ASA5505 Question

Depending upon what the outside address of the server is you will have something like this...

static (inside,outside) 209.143.x.x 172.20.x.x netmask 255.255.255.255

access-list outside_access_in extended permit tcp any host 209.143.x.x eq www

access-group outside_access_in in interface outside

or if the outside address of the server is the same as the outside interface of the ASA you can do...

static (inside,outside) interface 172.20.x.x netmask 255.255.255.255

access-list outside_access_in extended permit tcp any host 209.143.x.x eq www

access-group outside_access_in in interface outside

or if you just want to port forward port 80...

static (inside,outside) tcp interface www 172.20.x.x www netmask 255.255.255.255

access-list outside_access_in extended permit tcp any host 209.143.x.x eq www

access-group outside_access_in in interface outside
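
Added example (not part of the original posts): a small Python check that an inbound permit in a saved config has all three pieces the replies describe, namely the static translation, the access-list entry, and the access-group binding on the outside interface. The function names, the 203.0.113.10 outside address and the 172.20.1.10 server address are constructed for illustration, and the parser only covers the command forms shown in this thread.

```python
import re

ACL = re.compile(r"^access-list (\S+) extended permit tcp any host (\S+) eq (\S+)$")
GROUP = re.compile(r"^access-group (\S+) in interface (\S+)$")

def parse_static(line):
    """Return (mapped_addr, mapped_port or None) for a 'static (inside,outside)' line."""
    tokens = line.split()
    body = tokens[2:tokens.index("netmask")]
    if body[0] in ("tcp", "udp"):      # port-forward form: proto mapped mport real rport
        return body[1], body[2]
    return body[0], None               # whole-host form: mapped real

def audit(config, outside_ip):
    """List inbound permits that lack an access-group binding or a matching static."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    bound = {m.group(1) for l in lines
             if (m := GROUP.match(l)) and m.group(2) == "outside"}
    statics = [parse_static(l) for l in lines
               if l.startswith("static (inside,outside) ")]
    findings = []
    for l in lines:
        m = ACL.match(l)
        if not m:
            continue
        name, dst, port = m.groups()
        if name not in bound:
            findings.append(f"{name}: not applied to the outside interface")
        # 'interface' in a static stands for the ASA's own outside address.
        translated = any(
            (mapped == dst or (mapped == "interface" and dst == outside_ip))
            and mport in (None, port)
            for mapped, mport in statics)
        if not translated:
            findings.append(f"{name}: no static translation for {dst} port {port}")
    return findings

# Constructed sample configs (documentation-range outside address, not from the thread).
COMPLETE = """
static (inside,outside) tcp interface www 172.20.1.10 www netmask 255.255.255.255
access-list outside_access_in extended permit tcp any host 203.0.113.10 eq www
access-group outside_access_in in interface outside
"""
ACL_ONLY = "access-list outside_inside extended permit tcp any host 203.0.113.10 eq www"

if __name__ == "__main__":
    for label, cfg in (("complete", COMPLETE), ("acl only", ACL_ONLY)):
        print(label, audit(cfg, "203.0.113.10") or "ok")
```

An empty result means every permit is both bound to the outside interface and backed by a translation; a permit for a port the static does not forward is reported as untranslated.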
