topic Jouni,I'm only on the first in Network Security

Websites -HTTP/HTTPS/FTPS, no DMZ

Stephen Sisson — Tue, 12 Mar 2019 04:31:29 GMT

Hello everyone,

I'm having some trouble and need your assistance.

We have thirty five HTTP/HTTPS/FTPS web sites to setup in the ASA 5520 ASDM firewall, we need to know if its possible to have them all setup

without using a DMZ, we have two or three sub-nets with HTTP/HTTPS/FTPS servers. We get the first website setup on the ASA ASDM GUI working great, when we begin to add multiple sites is when all stop working, even the original first site stops working.

I have all networks talking to each other as inside to inside or all using the same security-level 100 a requirement we have all internal networks allow traffic between networks. We would like to allow outside users/customers to have access

to our HTTP/HTTPS/FTPS websites without having to setup two or more DM Z's.

What I'm using to setup each website as a template

object network SMS-WebServer-HTTP

host 10.10.2.10 inside IP address

nat (VLAN102,outside) static 98.101.206.252 service tcp 80 80 outside address
!
object network SMS-WebServer-HTTPS

host 10.10.2.10 inside IP address

nat (VLAN102,outside) static 98.101.206.252 service tcp 443 443 outside address
!
access-list OutsideToVLAN102 permit tcp any host 10.10.2.10 eq 80

access-list OutsideToVLAN102 permit tcp any host 10.10.2.10 eq 443

I'm not sure what's required to get all HTTP/HTTPS/FTPS sites working through the firewall without using the DMZ and using the ASDM for setup.

Thank you all

Hi, Will need some

Jouni Forss — Wed, 23 Jul 2014 12:35:32 GMT

Hi,

Will need some clarification on what you are actually wanting/attempting to do and what the current situation with regards to the network is.

First thing that I want to ask is what do you mean setting up the servers without a DMZ? Do you mean that you want to use your existing internal networks address space when configuring the servers and then simply configure NAT for the servers on the firewall INSTEAD OF configuring a separate Subnet/Vlan on the firewall where all the servers would be hosted?

I guess technically there is nothing stopping you from setting up the servers in whatever subnet/Vlan you have already on your network. Usually though servers that are used to host resources to external users through the public network are positioned on a DMZ network which permits little to no connectivity from the servers towards the LAN networks.

I would also be interested in exactly what commands are entered to the ASA when the connectivity to the servers stops working. I would imagine that there is some error in the configurations if they effect already working setups. You might also be overwriting the working configuration depending what you are actually inserting to the ASA. You should be able to get the CLI format configurations even if you were using only ASDM if you go to Tools -> Preferences -> choose the preview of commands

I would also like to ask you what your situation with regards to available public IP addresses is? Are you able to dedicate each server a public IP address (though there seems to be many)? Especially in the cases of web servers you might run into a problem if you dont have a public IP address for each server since you can not forward the same port for the same public IP address to multiple internal hosts. So when you have used the HTTP and HTTPS ports for the public IP address you mention then you will already require another public IP address to forward the same ports to another server. Or you will have to use different public facing ports which is not very convinient for the actual web users if he/she has to use a port number in the URL.

I guess there are ways to host multiple sites on a single server which means you would not need so many public IP address and special NAT configurations on the firewall but that is a thing I am not equipped to give advice to anyone 🙂

So in short, we would need to know

How many public IP addresses do you have available to use for these servers or are you going to host multiple sites on fewer number of servers?
Are you going to have the server running on actual LAN subnets or would you be willing to atleast create a single DMZ to host the servers?
What are the commands that you have entered that prevents the existing configurations from working? Is there any IP overlap in the configurations and does the ASA give any error messages?

- Jouni

Hello Jouni, always nice

Stephen Sisson — Wed, 23 Jul 2014 13:01:15 GMT

Hello Jouni, always nice working with you.

We have this new ASA 5520 as a fail over if our current production ISP dies for some reason, we have this firewall on a different ISP subnet verses our production.

We have one Public IP address available for each server /24 block

I have twenty nine servers to setup in our 102 VLAN, able to only test one at a time in this LAB environment, ten to setup in the 104 VLAN, three in our 109 VLAN so you can see we end up with several DMZ;s if we used them, makes to much work for this DR fail over. would like to have them use NAT/ACL to control the access for all HTTP/HTTPS/FTPS if possible, not the best practice for doing this but it's only for DR.

I'm sending you the two sites template used for the setup, one from the 10.10.2.x network then other from 10.10.4.x network, both using the same Public class C

object network Edoc_Testweb2-HTTP

host 10.10.4.200 inside IP address

nat (VLAN104,outside) static 98.101.206.100 service tcp 80 80 outside address
!
object network Edoc_Testweb2-HTTPS

host 10.10.4.200 inside IP address

nat (VLAN104,outside) static 98.101.206.100 service tcp 443 443 outside address
!
access-list OutsideToVLAN104 permit tcp any host 10.10.4.200 eq 80

access-list OutsideToVLAN104 permit tcp any host 10.10.4.200 eq 443
!
access-group OutsideToVLAN104 in interface outside = ASDM only

Number2

object network CulsWeb-HTTP

host 10.10.2.120 inside IP address

nat (VLAN102,outside) static 98.101.206.105 service tcp 80 80 outside address
!
object network CulsWeb-HTTPS

host 10.10.2.120 inside IP address

nat (VLAN102,outside) static 98.101.206.105 service tcp 443 443 outside address
!
access-list OutsideToVLAN102 permit tcp any host 10.10.2.120 eq 80

access-list OutsideToVLAN102 permit tcp any host 10.10.2.120 eq 443
!
access-group OutsideToVLAN102 in interface outside

Hi, It seems that your actual

Jouni Forss — Wed, 23 Jul 2014 13:16:12 GMT

Hi,

It seems that your actual connectivity problem when adding new configurations is caused by changing the ACL attached to the "outside" interface.

Notice that you are creating 2 different ACLs but trying to attach them to the same interface "outside". The interface can only hold a single ACL for one direction so you would have to use the same ACL for controlling all traffic that is coming "in" from behind the "outside" interface. This is the reason why the first server stops working after adding configurations for another.

Though you still have problems related to the setup. You say you have tens of servers to setup yet you seem to have way fever public IP addresses correct? If this is true then you will quickly run out of public IP addresses that you can use for your servers. This is because of the earlier mentioned limitation of being able to forward a specific port for specific public IP address only to one internal host.

So in the end you would either have to use different public facing ports for some internal servers (like mapping public TCP port 81 to 80 , 82 to 80 for another server and so on) OR you would have to get more public IP addresses from the ISP to have one for each server. I guess one option would also be running the sites/services on single/fewer server(s) but I guess that is not possible.

- Jouni

Jouni,Can you give me an

Stephen Sisson — Wed, 23 Jul 2014 13:30:36 GMT

Jouni,

Can you give me an example for what I'm doing wrong by using the outside interface for all ACL attached to the outside interface, and what to do to fix this issue so we can add all the servers.

We have plenty of public IP's 250 available for this project, we only need one for each server, need only thirty for the HTTP/HTTPS websites, only need nine or so for the FTPS sites.

All HTTP sites will use port 80, all HTTPS sites will use 443, all FTPS will use ports 990 - 1099, others will use port 22

Please explain what I'm doing wrong and step-by-step what I need to do for allowing this on the 5520 running 9.0(3) IOS

Hi, You should configure a

Jouni Forss — Wed, 23 Jul 2014 14:42:58 GMT

Hi,

You should configure a single ACL and configure all the rules to it. You will then attach that single ACL to the "outside" interface to control all traffic from the Internet.

I think you should probably use Static NAT rather than Static PAT (Port Forward) since you will have to use a public IP address per server anyway.

In that case the configuration format for each server would be

object network SERVER-1
host <internal ip>
nat (inside,outside) static <public ip>

object network SERVER-2
host <internal ip>
nat (inside,outside) static <public ip>

and so on.

You could then configure the ACL to allow traffic to these 2 servers in the below way.

access-list OUTSIDE-IN remark Rules for Web servers
access-list OUTSIDE-IN permit tcp any object SERVER-1 eq http
access-list OUTSIDE-IN permit tcp any object SERVER-1 eq https
access-list OUTSIDE-IN permit tcp any object SERVER-2 eq http
access-list OUTSIDE-IN permit tcp any object SERVER-2 eq https

Naturally you can add as many statements as you need. There is also other options that achieve the same. You can for example group the services and server IP addresses to their own groups so you can get a small ACL configuration.

The command you need to use to attach the ACL to the interface is

access-group OUTSIDE-IN in interface outside

Notice that when you have inserted this "access-group" command once and want to add more rules to allow/deny traffic then you simply add the "access-list" lines but you will NOT have use the "access-group" command again because you have already attached the "outside" interface with the above command.

Hope this clarifies things.

- Jouni

Jouni you are the best, let

Stephen Sisson — Wed, 23 Jul 2014 14:51:05 GMT

Jouni you are the best, let me put this into our lab network.

Thank you for always helping us figure out what we have done wrong and for

showing the right way to make things work.

Thank you Sir

Hi, No problem :) Let me know

Jouni Forss — Wed, 23 Jul 2014 15:08:34 GMT

Hi,

No problem 🙂

Let me know how it goes after you have tested it in your lab.

- Jouni

Jouni,I'm only on the first

Stephen Sisson — Wed, 23 Jul 2014 16:58:28 GMT

Jouni,

I'm only on the first website but we see this working just like you said.

I left you a message to read at http://98.101.206.100

I can't thank you enough and would like to do something for you my friend.

Please name it - anything you need or want

Thanks again

Hi, Good to hear that its

Jouni Forss — Wed, 23 Jul 2014 17:17:38 GMT

Hi,

Good to hear that its working so far. 🙂 Thank you for the message, though I am not part of Cisco 🙂

Don't know if its really proper to ask anything from the help I give here and to be honest I would not know what to ask even. 🙂

I'm happy if the correct answer is marked (if I have given one)

- Jouni