Cisco Support Community
New Member

Making webserver on 8080 available to the outside on 80

Hi there,

Sorry for "spamming" this forum but we're new to the ASA and really want to get the most out of it.

We're running three networks (inside, outside and dmz). Inside is 10.0.1.0/24, dmz is 10.0.2.0/24, outside is a static ip allocated by our ISP. We'd like to configure the following:

All traffic from the outside to [static provider ip] on port 80 should go to 10.0.2.200 port 8080.

What do we have to configure to do so?

14 REPLIES
Hall of Fame Super Silver

Making webserver on 8080 available to the outside on 80

I'd suggest using the wizards built into the ASA configuration GUI (ASDM). You will generally need 1. a NAT rule to translate your internal address to an external one and 2. an access-list rule to allow externally initiated requests to come through the firewall.

New Member

Making webserver on 8080 available to the outside on 80

Marvin, could you possibly provide the command line commands for doing exactly this?

New Member

Making webserver on 8080 available to the outside on 80

Anybody? This is pretty urgent... we need to make the web server listening on port 8080 on the dmz network available to outside requests coming in on port 80 of the public IP address. Please, everything we tried failed so far.

Red

Making webserver on 8080 available to the outside on 80

Hi ralf,

Follow this:

object network provider_ip
 host 1.1.1.1
object network private_ip
 host 10.0.2.200
object service tcp_80
 service tcp destination eq 80
object service tcp_8080
 service tcp destination eq 8080
nat (outside,inside) source static any any destination static provider_ip private_ip service tcp_80 tcp_8080

Thanks,
Varun Rao
Security Team,
Cisco TAC

Hall of Fame Super Silver

Making webserver on 8080 available to the outside on 80

Varun,

His server is on DMZ. So NAT rule would need to be:

nat (outside,dmz) source static any any destination static provider_ip private_ip service tcp_80 tcp_8080

Do you agree?

He would also need an access list for the incoming traffic, yes?

New Member

Re: Making webserver on 8080 available to the outside on 80

Thanks a lot, again!

The web server is not on the inside network but on the dmz. Can I just replace every occurrence of inside with dmz in the above?

Sent from Cisco Technical Support iPhone App

New Member

Re: Making webserver on 8080 available to the outside on 80

Also, do we need any form of ACL / firewall rule in addition to the above?

Sent from Cisco Technical Support iPhone App

Red

Making webserver on 8080 available to the outside on 80

Oooopss, sorry missed that... Thanks Marvin for the sharp eye, yes Ralf you would also need the access-list on outside interface, make sure you include the private ip of the server on that access-list and allow for port 8080.

Thanks,
Varun Rao
Security Team,
Cisco TAC

New Member

Re: Making webserver on 8080 available to the outside on 80

Varun, would you mind giving me the exact command for the access list(s)? Really don't want to trial-and-error anymore...

Sent from Cisco Technical Support iPhone App

Red

Making webserver on 8080 available to the outside on 80

Now I am just assuming the name of the access-list on the outside interface, you can change it accordingly:

access-list outside_access_in permit tcp any host 10.0.2.200 eq 8080

Thanks,
Varun Rao
Security Team,
Cisco TAC

New Member

Re: Making webserver on 8080 available to the outside on 80

show access-list outputs the following. Is it safe to assume that I can just enter the above command exactly as it is?

gcxfw# show access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300

Red

Making webserver on 8080 available to the outside on 80

Well, if you don't have any access-list applied on the ASA then this is the complete syntax for it:

access-list outside_access_in permit tcp any host 10.0.2.200 eq 8080

access-group outside_access_in in interface outside

Thanks,
Varun Rao
Security Team,
Cisco TAC

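Added example, not part of any post in this thread: a small Python check that catches the two mistakes discussed above, a NAT rule naming the wrong interface for the server and a missing ACL entry for the server's private IP and port 8080. `SUBNETS`, `CONFIG` and `audit` are hypothetical names, the sample config is constructed from the commands posted in the thread, and the ACL check is a simple exact-line match.

```python
import ipaddress
import re

# Constructed sample: interface subnets from the question, and the commands
# as posted in the thread ({real_if} is filled in with "inside" or "dmz").
SUBNETS = {"inside": "10.0.1.0/24", "dmz": "10.0.2.0/24"}
CONFIG = """\
object network provider_ip
 host 1.1.1.1
object network private_ip
 host 10.0.2.200
object service tcp_80
 service tcp destination eq 80
object service tcp_8080
 service tcp destination eq 8080
nat (outside,{real_if}) source static any any destination static provider_ip private_ip service tcp_80 tcp_8080
access-list outside_access_in permit tcp any host 10.0.2.200 eq 8080
access-group outside_access_in in interface outside
"""

def audit(config, subnets):
    """Return findings for each static port-forward NAT rule in config."""
    hosts, ports, findings = {}, {}, []
    lines = [l.strip() for l in config.splitlines()]
    for prev, cur in zip(lines, lines[1:]):  # object header + its one body line
        if m := re.match(r"object network (\S+)", prev):
            if h := re.match(r"host (\S+)", cur):
                hosts[m[1]] = h[1]
        if m := re.match(r"object service (\S+)", prev):
            if p := re.match(r"service tcp destination eq (\d+)", cur):
                ports[m[1]] = p[1]
    bound = {m[2]: m[1] for l in lines  # interface -> ACL applied inbound
             if (m := re.match(r"access-group (\S+) in interface (\S+)", l))}
    nat_re = re.compile(r"nat \((\S+),(\S+)\) source static any any destination "
                        r"static (\S+) (\S+) service (\S+) (\S+)")
    for l in lines:
        if not (m := nat_re.match(l)):
            continue
        src_if, real_if, _mapped, real_obj, _outer_svc, real_svc = m.groups()
        ip, port = hosts[real_obj], ports[real_svc]
        net = subnets.get(real_if)
        if not net or ipaddress.ip_address(ip) not in ipaddress.ip_network(net):
            findings.append(f"NAT interface '{real_if}' does not contain {ip}")
        acl = bound.get(src_if)
        want = f"access-list {acl} permit tcp any host {ip} eq {port}"
        if acl is None or want not in lines:
            findings.append(f"no ACL on '{src_if}' permits tcp to {ip}:{port}")
    return findings
```

`audit(CONFIG.format(real_if="inside"), SUBNETS)` reports the interface mismatch from the first NAT rule posted, while the `dmz` variant with the ACL and access-group returns no findings.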
Silver

Making webserver on 8080 available to the outside on 80

Thanks,

Thanks,

---

Posted by WebUser Bmr Bahrawy from Cisco Support Community App
