topic Re: What is best practice for the http server on ASAs in Network Security

What is best practice for the http server on ASAs

Fartingdragon — Tue, 04 Apr 2023 19:22:25 GMT

Right now it's set for this. Is there a better way?

http DMZ 255.255.255.0 management
http 0.0.0.0 0.0.0.0 inside

Re: What is best practice for the http server on ASAs

MHM Cisco World — Tue, 04 Apr 2023 21:21:09 GMT

Cisco Guide to Harden Cisco ASA Firewall - Cisco

this guide can help you

Re: What is best practice for the http server on ASAs

Marvin Rhoads — Wed, 05 Apr 2023 03:08:54 GMT

The command controls where you want to allow management traffic to originate from. If you need it from any inside subnet then the second line does that. The first line in your config would not normally be a best practice as a DMZ should have restrictive security policies to limit exposure of and access to/from servers in that network.

Re: What is best practice for the http server on ASAs

Fartingdragon — Wed, 05 Apr 2023 13:28:05 GMT

To remove it. Is it just

No http dmz 255.255.255.0?

Re: What is best practice for the http server on ASAs

MHM Cisco World — Wed, 05 Apr 2023 13:39:53 GMT

http DMZ 255.255.255.0 management
http 0.0.0.0 0.0.0.0 inside

You use dmz as source ip to access mgmt interface not using dmz interface.

I always prefer two http line

In such a case that interface is down or unreachable for any reason I have other one I can use.

Config any asa interface for http except outside interface.

That my opinion.