Cisco Support Community
Community Member

Putting Servers behind ASA5505

Hi there,

I am in the process of adding a lot of servers to sit behind our new ASA 5505 (8.4) firewall. At the moment I have added 2 servers and they are both NAT'ed to 2 different public IPs.

Server 1     192.168.10.1 -> 80.*.*.1

Server 2     192.168.10.111 -> 80.*.*.6

The first server can only be RDP'ed into using its public IP, which is what I want it to do. The second one has most of the service ports open like 443, 80, 110, 25, etc. However, when I try and browse externally to https://remote.domain.com/exchange I get an "Error 107 (net::ERR_SSL_PROTOCOL_ERROR): SSL protocol error." in Google Chrome or any other browser, and the ASA reports:

11:27:30    192.168.10.111    2626    80.*.*.6    443    Inbound TCP connection denied from 192.168.10.111/2626 to 80.*.*.6/443 flags SYN on interface inside

and I also get a Land to Land attack detected from 80.*.*.6 to 80.*.*.6

Any ideas?

Is it worth setting up a DMZ or can I get away with the setup I have?

2 REPLIES
Community Member

Putting Servers behind ASA5505

Hello Dmitry,

Let's start with your second question, regarding the DMZ setup.

It is generally a good idea to move exposed servers, like webmail (in your case Exchange), into a DMZ.

Now to your first question.

There are some changes between 8.3 and 8.4 regarding opening ports.

You might have to create the network objects.

The right rules might look similar to this:

object network WEBSERVER
     host 192.168.....

access-list WAN1_access_in extended permit tcp any any eq https log .....

object network WEBMAIL
     nat (DMZ,WAN1) static PUBLIC_IP service tcp https https

Hope this helps you a little bit.

There is some additional information on the website:

http://www.cisco.com/en/US/docs/security/asa/asa83/upgrading/migrating.html#wp110236

regards

andre
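As an added illustration of the 8.3+/8.4 object-NAT layout Andre describes (example configuration written for this thread, not Andre's snippet and not text from Cisco's documentation), the following publishes the two servers from the original post. It assumes the ASA 5505 default interface names inside and outside (Andre's snippet uses DMZ and WAN1), uses the 203.0.113.x documentation addresses as placeholders for the masked 80.*.*.1 and 80.*.*.6, and the object names SRV1-RDP, WEBMAIL-HTTPS, WEBMAIL-HTTP and WEBMAIL-SMTP are assumptions. The point worth noting for 8.3 and later is that the interface access-list is evaluated against the real (untranslated) address, so the permit lines reference the server object rather than the public IP, and they are narrowed to that object and port instead of `any any` so only the published services are reachable from outside.

```cisco
! Added example for this thread (not from the original post or Cisco docs).
! Interface names inside/outside are the ASA 5505 defaults; adjust if yours
! are named DMZ/WAN1 as in Andre's snippet.
! 203.0.113.1 and 203.0.113.6 are placeholders for the masked 80.*.*.1 / 80.*.*.6.

! Real (inside) hosts. A network object carries at most one nat statement,
! so a server that publishes several ports gets one object per port.
object network SRV1-RDP
 host 192.168.10.1
 nat (inside,outside) static 203.0.113.1 service tcp 3389 3389

object network WEBMAIL-HTTPS
 host 192.168.10.111
 nat (inside,outside) static 203.0.113.6 service tcp https https

object network WEBMAIL-HTTP
 host 192.168.10.111
 nat (inside,outside) static 203.0.113.6 service tcp http http

object network WEBMAIL-SMTP
 host 192.168.10.111
 nat (inside,outside) static 203.0.113.6 service tcp smtp smtp

! From 8.3 onward the interface ACL matches the real (pre-NAT) address,
! so permit to the object, not the public IP, and only the published ports
! rather than "any any". The log keyword gives you a syslog per hit.
! RDP from "any" is exposed to the whole Internet; replace "any" with an
! object-group of your management source addresses where you can.
access-list outside_access_in extended permit tcp any object SRV1-RDP eq 3389 log
access-list outside_access_in extended permit tcp any object WEBMAIL-HTTPS eq https log
access-list outside_access_in extended permit tcp any object WEBMAIL-HTTP eq http log
access-list outside_access_in extended permit tcp any object WEBMAIL-SMTP eq smtp log
access-group outside_access_in in interface outside
```

To check the result, `show nat detail` lists each static entry with its hit counters, and `packet-tracer input outside tcp 198.51.100.10 12345 203.0.113.6 443` walks a simulated inbound SYN through the ACL and NAT phases and reports which phase drops it. Note that the denied connection in the thread's log was seen on interface inside with 192.168.10.111 itself as the source, which inbound rules like these do not cover at all; to exercise them, test from a host on the outside of the firewall.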

Community Member

Putting Servers behind ASA5505

Well to be honest, all the devices behind the firewall are servers and not a single pc.

I have already done what you have suggested and I can RDP in to the server and browse the web from it but cannot access https pages on the server.
