Hello, I'm fairly new to the ASAs and have set up P2P VPNs and client VPNs on our 5520. I'm now needing to move existing web servers from another box over to the ASA.
I'm thinking I'll just need to make a static NAT rule from inside to outside and add the access rules for each outside address on the outside interface incoming. Does this sound right or am I missing something? Also concerned that adding ACLs to the outside interface incoming may affect existing VPNs, although the checkbox that states "Enable inbound IPSec sessions to bypass interface access lists." is checked. Any suggestions/tips are appreciated.
Great, thanks for the quick reply... I'm assuming if the sites are https:// that I would just need to add another line with "eq 443" to allow this, and if they were Citrix servers, to just allow those ports as well with the same sort of NAT lines.
The config that you did and that was suggested by the other guys is correct. It will work fine. Only you should take care of the security part, as users will be coming from an untrusted zone to your inside segment. You need to specify only the required ports, say 80, 8080, 443, 25, 53 (both TCP and UDP) etc., based upon your requirement. If your inside server is a web server as well as an FTP server, then you can also configure that users coming from outside will see a different IP for the web server and a different one for the FTP server, but both resources will be on the same server only.
Say I want to access your web server from outside: I will access 18.104.22.168X to reach the web server application and, for FTP, 22.214.171.124Y. In this way you can strengthen your security as well. Be careful opening any port. Stop trojans, worms etc. if you have AIP-SSM or CSC-SSM in that ASA 5520.
Good point! Most of the outside-facing servers are web servers and Citrix servers, so there is definitely a limited port list for each of them. I had not thought of the multiple IPs for each service though. That's something I'm going to look into doing on the few multiple-use servers that sit on the outside. Thanks again for all the quick help.
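The static NAT plus inbound ACL discussed in this thread, including the "eq 443" line for HTTPS and the per-service public IPs suggested above, written out as an added configuration example (not config posted by anyone in the thread). It assumes ASA 8.3 or later object-NAT syntax, interfaces named inside and outside, a placeholder inside server 10.1.1.10, and placeholder public addresses 203.0.113.10 and 203.0.113.11.

```cisco
! Placeholder addresses: 10.1.1.10 = inside server, 203.0.113.10/.11 = outside IPs
! Assumes ASA 8.3+ object NAT; pre-8.3 code uses "static (inside,outside)" instead.
!
! Web: one public IP, only the two web ports are translated (port-restricted static NAT)
object network srv-web-80
 host 10.1.1.10
 nat (inside,outside) static 203.0.113.10 service tcp www www
object network srv-web-443
 host 10.1.1.10
 nat (inside,outside) static 203.0.113.10 service tcp https https
!
! FTP on the same physical server, but exposed on a different public IP and only port 21
object network srv-ftp-21
 host 10.1.1.10
 nat (inside,outside) static 203.0.113.11 service tcp ftp ftp
!
! From 8.3 on, the inbound ACL matches the REAL (pre-NAT) address, so reference
! the server's inside address, not the public ones. Permit only the required ports.
object network srv-real
 host 10.1.1.10
access-list outside_access_in extended permit tcp any object srv-real eq www
access-list outside_access_in extended permit tcp any object srv-real eq https
access-list outside_access_in extended permit tcp any object srv-real eq ftp
! Explicit logged deny at the end makes unexpected inbound attempts visible in syslog
access-list outside_access_in extended deny ip any any log
access-group outside_access_in in interface outside
!
! CLI equivalent of the ASDM checkbox "Enable inbound IPSec sessions to bypass
! interface access lists": VPN traffic is not evaluated against outside_access_in.
sysopt connection permit-vpn
!
! Keep the default FTP inspection so the data connection is opened dynamically
! instead of requiring a wide port range in the ACL.
policy-map global_policy
 class inspection_default
  inspect ftp
!
! Verification: confirm the translations and trace a simulated inbound HTTPS packet.
! show nat
! packet-tracer input outside tcp 198.51.100.5 40000 203.0.113.10 443
```

Because the per-service NAT only translates the listed ports, a packet to 203.0.113.11:80 never untranslates to the server and is dropped before the ACL is consulted.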