Websites -HTTP/HTTPS/FTPS, no DMZ

Stephen Sisson
Level 1

Hello everyone,

I'm having some trouble and need your assistance.

We have thirty-five HTTP/HTTPS/FTPS web sites to set up in the ASA 5520 ASDM firewall. We need to know if it's possible to have them all set up without using a DMZ; we have two or three subnets with HTTP/HTTPS/FTPS servers. We get the first website set up on the ASA ASDM GUI working great, but when we begin to add multiple sites is when all stop working, even the original first site stops working.

I have all networks talking to each other as inside to inside, all using the same security-level 100; a requirement we have is that all internal networks allow traffic between networks. We would like to allow outside users/customers to have access to our HTTP/HTTPS/FTPS websites without having to set up two or more DMZs.

What I'm using to set up each website as a template (the annotations are on `!` comment lines so the block can be pasted as-is):

object network SMS-WebServer-HTTP
 host 10.10.2.10
 nat (VLAN102,outside) static 98.101.206.252 service tcp 80 80
! host = inside IP address, 98.101.206.252 = outside address, public port 80 -> inside port 80
!
object network SMS-WebServer-HTTPS
 host 10.10.2.10
 nat (VLAN102,outside) static 98.101.206.252 service tcp 443 443
!
access-list OutsideToVLAN102 permit tcp any host 10.10.2.10 eq 80
access-list OutsideToVLAN102 permit tcp any host 10.10.2.10 eq 443

I'm not sure what's required to get all HTTP/HTTPS/FTPS sites working through the firewall without using the DMZ and using the ASDM for setup.

Thank you all


Jouni Forss
VIP Alumni

Hi,

 

Will need some clarification on what you are actually wanting/attempting to do and what the current situation with regards to the network is.

 

First thing that I want to ask is what do you mean setting up the servers without a DMZ? Do you mean that you want to use your existing internal networks address space when configuring the servers and then simply configure NAT for the servers on the firewall INSTEAD OF configuring a separate Subnet/Vlan on the firewall where all the servers would be hosted?

 

I guess technically there is nothing stopping you from setting up the servers in whatever subnet/Vlan you have already on your network. Usually though servers that are used to host resources to external users through the public network are positioned on a DMZ network which permits little to no connectivity from the servers towards the LAN networks.

 

I would also be interested in exactly what commands are entered on the ASA when the connectivity to the servers stops working. I would imagine that there is some error in the configurations if they affect already working setups. You might also be overwriting the working configuration depending on what you are actually inserting into the ASA. You should be able to get the CLI format configurations even if you were using only ASDM if you go to Tools -> Preferences -> choose the preview of commands.

 

I would also like to ask what your situation with regards to available public IP addresses is. Are you able to dedicate a public IP address to each server (though there seem to be many)? Especially in the case of web servers you might run into a problem if you don't have a public IP address for each server, since you cannot forward the same port for the same public IP address to multiple internal hosts. So when you have used the HTTP and HTTPS ports for the public IP address you mention, you will already require another public IP address to forward the same ports to another server. Or you will have to use different public-facing ports, which is not very convenient for the actual web users if he/she has to use a port number in the URL.

 

I guess there are ways to host multiple sites on a single server, which means you would not need so many public IP addresses and special NAT configurations on the firewall, but that is a thing I am not equipped to give advice to anyone on :)

 

So in short, we would need to know

  • How many public IP addresses do you have available to use for these servers, or are you going to host multiple sites on a smaller number of servers?
  • Are you going to have the servers running on actual LAN subnets, or would you be willing to at least create a single DMZ to host the servers?
  • What are the commands that you have entered that prevent the existing configurations from working? Is there any IP overlap in the configurations, and does the ASA give any error messages?

 

- Jouni

Hello Jouni, always nice working with you.

We have this new ASA 5520 as a failover if our current production ISP dies for some reason; we have this firewall on a different ISP subnet versus our production.

We have one Public IP address available for each server /24 block

I have twenty-nine servers to set up in our 102 VLAN (able to only test one at a time in this LAB environment), ten to set up in the 104 VLAN, and three in our 109 VLAN, so you can see we end up with several DMZs if we used them, which makes too much work for this DR failover. We would like to have them use NAT/ACL to control the access for all HTTP/HTTPS/FTPS if possible; not the best practice for doing this, but it's only for DR.

I'm sending you the two site templates used for the setup, one from the 10.10.2.x network and the other from the 10.10.4.x network, both using the same public class C.

object network Edoc_Testweb2-HTTP
 host 10.10.4.200
 nat (VLAN104,outside) static 98.101.206.100 service tcp 80 80
! host = inside IP address, 98.101.206.100 = outside address
!
object network Edoc_Testweb2-HTTPS
 host 10.10.4.200
 nat (VLAN104,outside) static 98.101.206.100 service tcp 443 443
!
access-list OutsideToVLAN104 permit tcp any host 10.10.4.200 eq 80
access-list OutsideToVLAN104 permit tcp any host 10.10.4.200 eq 443
!
access-group OutsideToVLAN104 in interface outside
! (this access-group line was generated by ASDM only)

Number 2:

object network CulsWeb-HTTP
 host 10.10.2.120
 nat (VLAN102,outside) static 98.101.206.105 service tcp 80 80
! host = inside IP address, 98.101.206.105 = outside address
!
object network CulsWeb-HTTPS
 host 10.10.2.120
 nat (VLAN102,outside) static 98.101.206.105 service tcp 443 443
!
access-list OutsideToVLAN102 permit tcp any host 10.10.2.120 eq 80
access-list OutsideToVLAN102 permit tcp any host 10.10.2.120 eq 443
!
access-group OutsideToVLAN102 in interface outside

Hi,

 

It seems that your actual connectivity problem when adding new configurations is caused by changing the ACL attached to the "outside" interface.

 

Notice that you are creating 2 different ACLs but trying to attach them to the same interface "outside". The interface can only hold a single ACL for one direction so you would have to use the same ACL for controlling all traffic that is coming "in" from behind the "outside" interface. This is the reason why the first server stops working after adding configurations for another.

 

Though you still have problems related to the setup. You say you have tens of servers to set up, yet you seem to have way fewer public IP addresses, correct? If this is true then you will quickly run out of public IP addresses that you can use for your servers. This is because of the earlier mentioned limitation of being able to forward a specific port for a specific public IP address only to one internal host.

 

So in the end you would either have to use different public-facing ports for some internal servers (like mapping public TCP port 81 to 80, 82 to 80 for another server and so on) OR you would have to get more public IP addresses from the ISP to have one for each server. I guess one option would also be running the sites/services on a single/fewer server(s), but I guess that is not possible.

 

- Jouni

Jouni,

Can you give me an example of what I'm doing wrong by using the outside interface for all the ACLs attached to the outside interface, and what to do to fix this issue so we can add all the servers?

We have plenty of public IPs, 250 available for this project; we only need one for each server, only thirty for the HTTP/HTTPS websites and only nine or so for the FTPS sites.

All HTTP sites will use port 80, all HTTPS sites will use 443, all FTPS will use ports 990 - 1099, others will use port 22.

Please explain what I'm doing wrong and step-by-step what I need to do for allowing this on the 5520 running 9.0(3) IOS.

 

Hi,

 

You should configure a single ACL and configure all the rules to it. You will then attach that single ACL to the "outside" interface to control all traffic from the Internet.

 

I think you should probably use Static NAT rather than Static PAT (Port Forward) since you will have to use a public IP address per server anyway.

 

In that case the configuration format for each server would be

 

object network SERVER-1
 host <internal ip>
 nat (inside,outside) static <public ip>

 

object network SERVER-2
 host <internal ip>
 nat (inside,outside) static <public ip>

 

and so on.

 

You could then configure the ACL to allow traffic to these 2 servers in the below way.

access-list OUTSIDE-IN remark Rules for Web servers
access-list OUTSIDE-IN permit tcp any object SERVER-1 eq http
access-list OUTSIDE-IN permit tcp any object SERVER-1 eq https
access-list OUTSIDE-IN permit tcp any object SERVER-2 eq http
access-list OUTSIDE-IN permit tcp any object SERVER-2 eq https

 

Naturally you can add as many statements as you need. There are also other options that achieve the same. You can for example group the services and server IP addresses into their own groups so you can get a small ACL configuration.

 

 

The command you need to use to attach the ACL to the interface is

 

access-group OUTSIDE-IN in interface outside

 

Notice that when you have inserted this "access-group" command once and want to add more rules to allow/deny traffic, then you simply add the "access-list" lines, but you will NOT have to use the "access-group" command again, because you have already attached the ACL to the "outside" interface with the above command.

 

Hope this clarifies things.

 

- Jouni
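As an added example (not from the thread and not a Cisco tool), the Python script below generates the configuration pattern Jouni describes above and in his earlier reply about running out of public addresses: one network object with a one-to-one static NAT per server, every permit in a single ACL, and the access-group command emitted exactly once. The inventory is constructed from the thread's own addresses; the VLAN109 FTPS host, its public IP and the port ranges are assumptions.

```python
from collections import defaultdict

# Constructed inventory (addresses reuse the thread's examples; the FTPS entry is assumed):
# (object name, inside interface, inside host, public IP, TCP ports or (low, high) ranges)
SERVERS = [
    ("SMS-WebServer", "VLAN102", "10.10.2.10", "98.101.206.252", [80, 443]),
    ("CulsWeb", "VLAN102", "10.10.2.120", "98.101.206.105", [80, 443]),
    ("Edoc_Testweb2", "VLAN104", "10.10.4.200", "98.101.206.100", [80, 443]),
    ("Edoc_FTPS", "VLAN109", "10.10.9.5", "98.101.206.110", [(990, 1099), 22]),
]

def port_clause(port):
    """Render one ACL port operand: 'eq N' for a port, 'range LO HI' for a tuple."""
    if isinstance(port, tuple):
        low, high = port
        return f"range {low} {high}"
    return f"eq {port}"

def find_conflicts(servers):
    """Public IPs that two different inside hosts try to share.
    One-to-one 'nat ... static <public>' can front only one host per public IP."""
    hosts = defaultdict(set)
    for _name, _iface, host, public, _ports in servers:
        hosts[public].add(host)
    return sorted(ip for ip, owners in hosts.items() if len(owners) > 1)

def build_config(servers, acl="OUTSIDE-IN"):
    """ASA 9.x CLI: one network object plus static NAT per server, every permit
    in ONE ACL, and that ACL bound to 'outside' exactly once."""
    conflicts = find_conflicts(servers)
    if conflicts:
        raise ValueError(f"public IP reused by several hosts: {conflicts}")
    lines = []
    for name, iface, host, public, _ports in servers:
        lines += [f"object network {name}", f" host {host}",
                  f" nat ({iface},outside) static {public}", "!"]
    lines.append(f"access-list {acl} remark Inbound rules for all published servers")
    for name, _iface, _host, _public, ports in servers:
        for port in ports:
            lines.append(f"access-list {acl} permit tcp any object {name} {port_clause(port)}")
    # Bind once; later access-list additions must not repeat this command.
    lines.append(f"access-group {acl} in interface outside")
    return lines

if __name__ == "__main__":
    print("\n".join(build_config(SERVERS)))
```

Pipe the output into the CLI (or ASDM's command preview) once, then extend the ACL only with further access-list lines.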

 

Jouni you are the best, let me put this into our lab network.

Thank you for always helping us figure out what we have done wrong and for showing the right way to make things work.

Thank you Sir

Hi,

 

No problem :)

 

Let me know how it goes after you have tested it in your lab.

 

- Jouni

Jouni,

I'm only on the first website but we see this working just like you said.

I left you a message to read at http://98.101.206.100

I can't thank you enough and would like to do something for you my friend.

Please name it - anything you need or want

Thanks again

 

 

 

 

Hi,

 

Good to hear that it's working so far. :) Thank you for the message, though I am not part of Cisco :)

Don't know if it's really proper to ask anything for the help I give here, and to be honest I would not know what to ask even. :)

 

I'm happy if the correct answer is marked (if I have given one)

 

- Jouni
