topic Re: Firewall Rules - ASA5508-X in Network Security

Firewall Rules - ASA5508-X

wynneitmgr — Mon, 02 Mar 2020 13:07:28 GMT

I am new to managing Cisco Firewalls, so any help would be appreciated. We have a Cisco ASA5508-X that I manage with Cisco ADSM 7.9. We have a few locally hosted web applications on our web server. I would like to make most of the applications private (viewable only on our network) and I need a couple of the web applications to be made public so you can view from outside the network. I need help setting up the following rules in Cisco ASDM.

Firewall Rules:

Public: http: port 81, https: 444 allow ports 81/444 to WAN
Private: http: port 80, https: 443, block ports 80/443 to WAN

Thank you.

Re: Firewall Rules - ASA5508-X

Francesco Molino — Tue, 03 Mar 2020 00:33:20 GMT

Hi

Are the web applications new or already existing?
When you say accessible from your internal network, do you have multiple zones or everything is sitting behind the same zone (users and servers).
Can you share your config in order to help you with the correct acl to put in place?

For allowing outside hosts (internet) to access your internal web apps, it's quite straightforward. If you share your config and tell us on which zone are your web apps sitting, i can help you with the correct cli commands to setup to achieve it.

Re: Firewall Rules - ASA5508-X

wynneitmgr — Thu, 05 Mar 2020 13:03:52 GMT

Not sure if this will help, but here is what I am trying to do:

Source Destination SOURCE PORT DEST PORT ALLOW/DENY

WAN myserver.domain.com http80 Deny

WAN myserver.domain.com https443 Deny

WAN myserver.domain.com https444 https443 Permit

Re: Firewall Rules - ASA5508-X

Marvin Rhoads — Thu, 05 Mar 2020 14:25:11 GMT

We would not normally expect to know the source port of a tcp connection. Do you mean the original destination ports could be 80 or 443 (block) or 444 (allow and translate to 443 on the server itself)? If so a NAT rule and ACL entry in an access-list applied to the outside interface would suffice.

Re: Firewall Rules - ASA5508-X

wynneitmgr — Thu, 05 Mar 2020 14:33:18 GMT

Yes, that is what I need to do. However, I have played around with NAT rules and Access Rules but just not sure if I am doing them correctly. Thanks for any assistance.

Re: Firewall Rules - ASA5508-X

Cristian Matei — Thu, 05 Mar 2020 15:09:56 GMT

Hi,

Use these documents for guidance:

https://www.cisco.com/c/en/us/support/docs/ip/network-address-translation-nat/118996-config-asa-00.html

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113024-asa-82-port-forward-00.html?referring_site=RE&pos=1&page=https://www.cisco.com/c/en/us/support/docs/ip/network-address-translation-nat/118996-config-asa-00.html

Regards,

Cristian Matei.

Re: Firewall Rules - ASA5508-X

Francesco Molino — Thu, 05 Mar 2020 19:53:38 GMT

By default, if you don't open ports on your outside acl, these ports won't be accessible. So you'll need to open for allowed nat.
Is the public IP the one sitting on ASA interface or a dedicated IP? After that, we can give you a config sample on how to do nat.
However, without your config, you'll need to place it at the right place to not be overlapped by another nat.