topic Re: www server behind ASA 5505 in Network Security

www server behind ASA 5505

altziebler — Fri, 21 Feb 2020 09:46:24 GMT

Hello Community,

I have a ASA 5505 with default setup, 2 VLANs. On the inside I have a DNS, IIS, SQL server. I am desperate for some help to get the www server accessible from the public. I am not using a DMZ. Got tips for me? Many thanks in advance. - Jurgen

Re: www server behind ASA 5505

acomiskey — Tue, 06 Nov 2007 17:52:57 GMT

Without any other details, this is one way to do it, if webserver is 192.168.1.10...

static (inside,outside) tcp interface 80 192.168.1.10 80 netmask 255.255.255.255

access-list outside_access_in extended permit tcp any interface outside eq 80

access-group outside_access_in in interface outside

Re: www server behind ASA 5505

altziebler — Tue, 06 Nov 2007 18:01:36 GMT

Hi, thanks for your help.

Outside I have a static IP. Inside www server is at 192.168.1.35 (your guess was close).

I set DHCP server starting at 192.168.1.100

To make it work I would changes settings in NAT?

Re: www server behind ASA 5505

acomiskey — Tue, 06 Nov 2007 18:06:29 GMT

In that case if your static ip is 1.1.1.1 and server is 192.168.1.35 then...

static (inside,outside) tcp 1.1.1.1 80 192.168.1.35 80 netmask 255.255.255.255

access-list outside_access_in extended permit tcp any host 1.1.1.1 eq 80

access-group outside_access_in in interface outside

static (inside,outside) 1.1.1.1 192.168.1.35 netmask 255.255.255.255

access-list outside_access_in extended permit tcp any host 1.1.1.1 eq 80

access-group outside_access_in in interface outside

Is that what you were asking?

Re: www server behind ASA 5505

altziebler — Tue, 06 Nov 2007 18:08:32 GMT

one more, first I wasn't able to get online behind the firewall. I had to go into 'Routing' and add a new entry in 'static routing'

Interface: outside

IP 0.0.0.0

Mask 0.0.0.0

Gateway IP - ISP Gateway IP

Metric 1

Re: www server behind ASA 5505

acomiskey — Tue, 06 Nov 2007 18:11:37 GMT

Yes, that defines your defaut gateway.

route outside 0.0.0.0 0.0.0.0 isp.gateway.ip

Please rate helpful posts.

Re: www server behind ASA 5505

altziebler — Tue, 06 Nov 2007 18:25:04 GMT

Is there a document somwhere that describes the steps a bit more in detail? Like what to do in NAT and Security Policy. The manual that came with the ASA describes setting up a DMZ, etc.

Re: www server behind ASA 5505

acomiskey — Tue, 06 Nov 2007 18:28:57 GMT

Try this...

http://cisco.com/en/US/products/hw/vpndevc/ps2030/prod_configuration_examples_list.html

Re: www server behind ASA 5505

altziebler — Tue, 06 Nov 2007 18:50:46 GMT

http://cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094ea2.shtml

this one looks promising but its command line stuff. Uff.

Re: www server behind ASA 5505

altziebler — Tue, 06 Nov 2007 21:14:49 GMT

I added a new access rule in "Security Policy" under Outside. source: any, destination 192.168.1.35, services: http, action: permit. Under NAT a new Outside. type: static, Source: ISP IP http, Destination: any, interface: inside, address: 192.168.1.35 http, DNS rewrite NO.

no luck so far. oje

Re: www server behind ASA 5505

acomiskey — Tue, 06 Nov 2007 21:16:31 GMT

Destination would not be 192.168.1.35. It would be the public ip address you are using.

If you can post the config, I'll be able to show you what it should look like.

Re: www server behind ASA 5505

altziebler — Tue, 06 Nov 2007 21:27:22 GMT

my pleasure!

Result of the command: "show running-config"

: Saved

ASA Version 7.2(2)

hostname ciscoasa

domain-name default.domain.invalid

enable password PASSWORDXYZ encrypted

names

name 192.168.1.20 SERVER1 description DNS

name 192.168.1.35 SERVER2 description IIS

name 192.168.1.40 SERVER3 description SQL

interface Vlan1

nameif inside

security-level 100

ip address 192.168.1.1 255.255.255.0

interface Vlan2

nameif outside

security-level 0

ip address 70.x.x.246 255.255.255.224

interface Ethernet0/0

switchport access vlan 2

interface Ethernet0/1

interface Ethernet0/2

interface Ethernet0/3

interface Ethernet0/4

interface Ethernet0/5

interface Ethernet0/6

interface Ethernet0/7

passwd xxx

ftp mode passive

clock timezone EST -5

clock summer-time EDT recurring

dns domain-lookup inside

dns domain-lookup outside

dns server-group DefaultDNS

domain-name default.domain.invalid

pager lines 24

logging enable

logging asdm informational

mtu inside 1500

mtu outside 1500

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-522.bin

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0

static (outside,inside) tcp SERVER2 www 70.164.46.224 www netmask 255.255.255.255

route outside 0.0.0.0 0.0.0.0 70.164.46.225 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

http server enable

http 192.168.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd address 192.168.1.100-192.168.1.130 inside

dhcpd dns SERVER1 192.168.1.22 interface inside

dhcpd domain alt74.local interface inside

dhcpd enable inside

dhcpd dns 68.x.x.30 68.10.16.30 interface outside

class-map inspection_default

match default-inspection-traffic

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

service-policy global_policy global

prompt hostname context

Cryptochecksum:xxx

: end

Re: www server behind ASA 5505

acomiskey — Tue, 06 Nov 2007 22:38:17 GMT

Ok, you're missing the access list. It should be...

access-list outside_access_in extended permit tcp any host 70.164.46.224 eq www

access-group outside_access_in in interface outside

Re: www server behind ASA 5505

altziebler — Tue, 06 Nov 2007 23:53:51 GMT

ok, great. I am getting closer! 🙂

I can do that via ASDM in the Security Policy settings? or can I do via command line in some way?

Re: www server behind ASA 5505

altziebler — Wed, 07 Nov 2007 18:18:56 GMT

sorry, but I have a hard time adding

the access list in Security Policy settings.

Can you give me a hint? Thanks!!

Re: www server behind ASA 5505

altziebler — Wed, 07 Nov 2007 20:29:13 GMT

so I went into Security Settings added a new Access Rule. interface: outside, direction: incoming, type: any, destination IP 70.164.46.224, protocol TCP, source: any, destination port: http

still cant access my ISS server, ASDM syslog says TCP access denied by ACL from 192.168.1.107

Re: www server behind ASA 5505

acomiskey — Wed, 07 Nov 2007 20:39:03 GMT

So you're trying http://70.164.46.224 from the inside?

Could you post the new config?

Re: www server behind ASA 5505

altziebler — Wed, 07 Nov 2007 20:48:31 GMT

Thanks so much for your help!

I can't access from the outside (real outside) or inside

Result of the command: "show running-config"

: Saved

ASA Version 7.2(2)

hostname ciscoasa

domain-name default.domain.invalid

enable password xxx

names

name 192.168.1.20 SERVER1 description DNS

name 192.168.1.35 SERVER2 description IIS

name 192.168.1.40 SERVER3 description SQL

name 192.168.1.10 AppleAirport description WiFi

name 192.1.168.30 SERVER2-2 description IIS Ethernet 100

interface Vlan1

description ALT74 LAN

nameif inside

security-level 100

ip address 192.168.1.1 255.255.255.0

interface Vlan2

description COX

nameif outside

security-level 0

ip address 70.x.x.246 255.255.255.224

interface Ethernet0/0

switchport access vlan 2

interface Ethernet0/1

interface Ethernet0/2

interface Ethernet0/3

interface Ethernet0/4

interface Ethernet0/5

interface Ethernet0/6

interface Ethernet0/7

passwd xxx

ftp mode passive

clock timezone EST -5

clock summer-time EDT recurring

dns domain-lookup inside

dns domain-lookup outside

dns server-group DefaultDNS

domain-name default.domain.invalid

same-security-traffic permit intra-interface

access-list inside_access_in extended permit ip any any

access-list outside_access_in extended permit tcp any 70.x.x.224 255.255.255.224 eq www

pager lines 24

logging enable

logging asdm informational

mtu inside 1500

mtu outside 1500

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-522.bin

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0

static (outside,inside) tcp SERVER2 www 70.164.46.224 www netmask 255.255.255.255

access-group inside_access_in in interface inside

access-group outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 70.164.46.225 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

http server enable

http 192.168.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd address 192.168.1.100-192.168.1.130 inside

dhcpd dns SERVER1 192.168.1.22 interface inside

dhcpd domain alt74.local interface inside

dhcpd enable inside

dhcpd dns 68.100.16.30 68.10.16.30 interface outside

class-map inspection_default

match default-inspection-traffic

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

service-policy global_policy global

prompt hostname context

Cryptochecksum:xxx

: end

Re: www server behind ASA 5505

acomiskey — Wed, 07 Nov 2007 20:52:35 GMT

access-list outside_access_in extended permit tcp any 70.164.46.224 255.255.255.224 eq www

should be......

access-list outside_access_in extended permit tcp any 70.164.46.224 255.255.255.255 eq www

access-list outside_access_in extended permit tcp any host 70.164.46.224 eq www

Re: www server behind ASA 5505

altziebler — Wed, 07 Nov 2007 21:25:19 GMT

just did that 🙂

access-list inside_access_in extended permit ip any any

access-list outside_access_in extended permit tcp any host 70.164.46.224 eq www

uff! for some reason it doesn't work