Cisco Support Community
New Member

www server behind ASA 5505

Hello Community,

I have an ASA 5505 with the default setup, 2 VLANs. On the inside I have a DNS, IIS and SQL server. I am desperate for some help to get the www server accessible from the public. I am not using a DMZ. Got tips for me? Many thanks in advance. - Jurgen

25 REPLIES
Green

Re: www server behind ASA 5505

Without any other details, this is one way to do it, if webserver is 192.168.1.10...

static (inside,outside) tcp interface 80 192.168.1.10 80 netmask 255.255.255.255

access-list outside_access_in extended permit tcp any interface outside eq 80

access-group outside_access_in in interface outside

New Member

Re: www server behind ASA 5505

Hi, thanks for your help.

Outside I have a static IP. Inside www server is at 192.168.1.35 (your guess was close).

I set DHCP server starting at 192.168.1.100

To make it work, would I change settings in NAT?

Green

Re: www server behind ASA 5505

In that case if your static ip is 1.1.1.1 and server is 192.168.1.35 then...

static (inside,outside) tcp 1.1.1.1 80 192.168.1.35 80 netmask 255.255.255.255

access-list outside_access_in extended permit tcp any host 1.1.1.1 eq 80

access-group outside_access_in in interface outside

or

static (inside,outside) 1.1.1.1 192.168.1.35 netmask 255.255.255.255

access-list outside_access_in extended permit tcp any host 1.1.1.1 eq 80

access-group outside_access_in in interface outside

Is that what you were asking?

New Member

Re: www server behind ASA 5505

One more thing: at first I wasn't able to get online behind the firewall. I had to go into 'Routing' and add a new entry in 'static routing':

Interface: outside

IP 0.0.0.0

Mask 0.0.0.0

Gateway IP - ISP Gateway IP

Metric 1

Green

Re: www server behind ASA 5505

Yes, that defines your default gateway.

route outside 0.0.0.0 0.0.0.0 isp.gateway.ip

Please rate helpful posts.

New Member

Re: www server behind ASA 5505

Is there a document somewhere that describes the steps in a bit more detail? Like what to do in NAT and Security Policy. The manual that came with the ASA describes setting up a DMZ, etc.

New Member

Re: www server behind ASA 5505

I added a new access rule in "Security Policy" under Outside: source: any, destination: 192.168.1.35, services: http, action: permit. Under NAT, a new Outside entry: type: static, Source: ISP IP http, Destination: any, interface: inside, address: 192.168.1.35 http, DNS rewrite: NO.

no luck so far. oje

Green

Re: www server behind ASA 5505

Destination would not be 192.168.1.35. It would be the public ip address you are using.

If you can post the config, I'll be able to show you what it should look like.

New Member

Re: www server behind ASA 5505

my pleasure!

Result of the command: "show running-config"

: Saved
:
ASA Version 7.2(2)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password PASSWORDXYZ encrypted
names
name 192.168.1.20 SERVER1 description DNS
name 192.168.1.35 SERVER2 description IIS
name 192.168.1.40 SERVER3 description SQL
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 70.x.x.246 255.255.255.224
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd xxx
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
 domain-name default.domain.invalid
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (outside,inside) tcp SERVER2 www 70.164.46.224 www netmask 255.255.255.255
route outside 0.0.0.0 0.0.0.0 70.164.46.225 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.100-192.168.1.130 inside
dhcpd dns SERVER1 192.168.1.22 interface inside
dhcpd domain alt74.local interface inside
dhcpd enable inside
!
dhcpd dns 68.x.x.30 68.10.16.30 interface outside
!
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:xxx
: end

Green

Re: www server behind ASA 5505

Ok, you're missing the access list. It should be...

access-list outside_access_in extended permit tcp any host 70.164.46.224 eq www

access-group outside_access_in in interface outside

New Member

Re: www server behind ASA 5505

ok, great. I am getting closer! :)

Can I do that via ASDM in the Security Policy settings, or can I do it via the command line in some way?

New Member

Re: www server behind ASA 5505

Sorry, but I have a hard time adding the access list in the Security Policy settings.

Can you give me a hint? Thanks!!

New Member

Re: www server behind ASA 5505

So I went into Security Settings and added a new Access Rule: interface: outside, direction: incoming, type: any, destination IP: 70.164.46.224, protocol: TCP, source: any, destination port: http.

Still can't access my IIS server; the ASDM syslog says TCP access denied by ACL from 192.168.1.107.

Green

Re: www server behind ASA 5505

So you're trying http://70.164.46.224 from the inside?

Could you post the new config?

New Member

Re: www server behind ASA 5505

Thanks so much for your help!

I can't access it from the outside (real outside) or from the inside.

Result of the command: "show running-config"

: Saved
:
ASA Version 7.2(2)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password xxx
names
name 192.168.1.20 SERVER1 description DNS
name 192.168.1.35 SERVER2 description IIS
name 192.168.1.40 SERVER3 description SQL
name 192.168.1.10 AppleAirport description WiFi
name 192.1.168.30 SERVER2-2 description IIS Ethernet 100
!
interface Vlan1
 description ALT74 LAN
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 description COX
 nameif outside
 security-level 0
 ip address 70.x.x.246 255.255.255.224
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd xxx
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
 domain-name default.domain.invalid
same-security-traffic permit intra-interface
access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit tcp any 70.x.x.224 255.255.255.224 eq www
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (outside,inside) tcp SERVER2 www 70.164.46.224 www netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 70.164.46.225 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.100-192.168.1.130 inside
dhcpd dns SERVER1 192.168.1.22 interface inside
dhcpd domain alt74.local interface inside
dhcpd enable inside
!
dhcpd dns 68.100.16.30 68.10.16.30 interface outside
!
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:xxx
: end

Green

Re: www server behind ASA 5505

access-list outside_access_in extended permit tcp any 70.164.46.224 255.255.255.224 eq www

should be......

access-list outside_access_in extended permit tcp any 70.164.46.224 255.255.255.255 eq www

or

access-list outside_access_in extended permit tcp any host 70.164.46.224 eq www

New Member

Re: www server behind ASA 5505

just did that :)

access-list inside_access_in extended permit ip any any

access-list outside_access_in extended permit tcp any host 70.164.46.224 eq www

uff! for some reason it doesn't work

Green

Re: www server behind ASA 5505

Oops, I missed this too...

static (outside,inside) tcp SERVER2 www 70.164.46.224 www netmask 255.255.255.255

should be......

static (inside,outside) tcp 70.164.46.224 www SERVER2 www netmask 255.255.255.255
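The two corrections in this thread (the ACL that used the /27 mask instead of a single host, and the static whose interface pair was reversed) are the kind of thing a small config check can catch before a change is pushed. The script below is an added example, not code from the thread or from Cisco: it audits the three ASA 7.x lines that publish one inside server and reports the mistakes seen above. The sample lines are constructed from the poster's config, with the SERVER2 name replaced by the address it stands for.

```python
import re

# Constructed samples from the thread: BEFORE is the poster's NAT/ACL lines before the
# corrections, AFTER applies both (SERVER2 replaced by the address it names).
BEFORE = """\
static (outside,inside) tcp 192.168.1.35 www 70.164.46.224 www netmask 255.255.255.255
access-list outside_access_in extended permit tcp any 70.164.46.224 255.255.255.224 eq www
access-group outside_access_in in interface outside
"""
AFTER = """\
static (inside,outside) tcp 70.164.46.224 www 192.168.1.35 www netmask 255.255.255.255
access-list outside_access_in extended permit tcp any host 70.164.46.224 eq www
access-group outside_access_in in interface outside
"""

# ASA 7.x syntax: static (real_ifc,mapped_ifc) tcp MAPPED_IP port REAL_IP port netmask MASK
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (?:tcp|udp) (\S+) (\S+) (\S+) (\S+) netmask (\S+)")
ACL_RE = re.compile(r"^access-list (\S+) extended permit tcp any (?:host (\S+)|(\S+) (\S+)) eq (\S+)")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\w+)")


def audit_publishing(config, public_ip):
    """Return a list of findings for an 'expose one inside server' setup."""
    findings = []
    acl_bound_on = {}  # interface -> access-list name
    for line in config.splitlines():
        m = STATIC_RE.match(line)
        if m:
            real_ifc, mapped_ifc, mapped_ip = m.group(1), m.group(2), m.group(3)
            # Real side must be 'inside'; reversed order swaps which address is public.
            if (real_ifc, mapped_ifc) != ("inside", "outside"):
                findings.append("static uses (%s,%s); expected (inside,outside)" % (real_ifc, mapped_ifc))
            elif mapped_ip != public_ip:
                findings.append("static maps %s, not the public address %s" % (mapped_ip, public_ip))
            continue
        m = ACL_RE.match(line)
        if m:
            name, host, net, mask, port = m.groups()
            # A /27 mask here permits the whole ISP block, not just the one published host.
            if host is None and mask != "255.255.255.255":
                findings.append("ACL %s permits %s %s to port %s; use 'host %s'" % (name, net, mask, port, public_ip))
            elif (host or net) != public_ip:
                findings.append("ACL %s destination %s is not %s" % (name, host or net, public_ip))
            continue
        m = GROUP_RE.match(line)
        if m:
            acl_bound_on[m.group(2)] = m.group(1)
    if "outside" not in acl_bound_on:
        findings.append("no access-group applied inbound on the outside interface")
    return findings
```

Calling audit_publishing(BEFORE, "70.164.46.224") returns two findings (reversed static, over-wide ACL mask); the AFTER config returns none.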

New Member

Re: www server behind ASA 5505

i fixed that one

static (inside,outside) tcp 70.164.46.224 www SERVER2 www netmask 255.255.255.255

I only have one group 'inside' in NAT: one static and one dynamic. The static one is the one described above; the dynamic one is any any outside.

New Member

Re: www server behind ASA 5505

Hi people,

I have exactly the same problem. Could it be a release 7.2(2) problem?

I have done that many times on PIX release 6.3(5), but right now I do not know what to do; I have tried as many different configurations as I know.

Is there somebody else who can help us please, I really need to make that configuration.

Thanks folks

Martin

New Member

Re: www server behind ASA 5505

I have ASA Version 7.2(2)

I got a brand new unit last week. Mmhh

New Member

Re: www server behind ASA 5505

I am going to do an upgrade and I'll be in touch.

Martin

New Member

Re: www server behind ASA 5505

where can I get the upgrade?

thanks much!
