topic web server (linux) sits in the DMZ (asa 5520) in Network Security

web server (linux) sits in the DMZ (asa 5520)

Ibrahim Jamil — Mon, 11 Mar 2019 23:24:31 GMT

Hi Experts

I Have web server (linux) sits in the DMZ (asa 5520) segment and this server should be accessible form the internet,

1)how to make this server https based access over SSL

2)how to protect this server form network and security standpoint?

thanks

jamil

web server (linux) sits in the DMZ (asa 5520)

Karsten Iwen — Fri, 29 Jun 2012 07:15:39 GMT

The ASA doesn't care if it's HTTPS or anything else. You just allow tcp/443 on the outside ACL and add a static NAT for the server. Thats it. The Server is now protected that no other traffic is allowed to that server.

The ASA will not protect you from any harm thats coming through the HTTPS-connection. If you want your ASA to protect you from that, then you have to decrypt the traffic in front on the ASA i.e. with an SSL-Offloader. Or, the HTTPS is terminated in a seperate DMZ at a reverse-proxy, and that proxy sends HTTP to your real server in the original DMZ. Now the ASA can inspect the HTTP from the proxy to your webserver.

Another important control is that the ACL on the ASA only permits traffic that's really needed. For example only DNS and FTP/HTTP to the update-server.

For even more security, you could add the AIP-SSM for IPS. In the scenario with the reverse-proxy or the SSL-Offload the IPS can search the HTTP-Traffic for known attacks against your server.

web server (linux) sits in the DMZ (asa 5520)

Ibrahim Jamil — Fri, 29 Jun 2012 07:34:03 GMT

Hi karsten

thanks for ur reply

pls do u have a link which is similar to my case to start

thanks

web server (linux) sits in the DMZ (asa 5520)

Karsten Iwen — Fri, 29 Jun 2012 08:12:17 GMT

Thats the way to find this sort of documentation:

www.cisco.com/go/asa -> select "Configure" (on the right side under "Support"), then choose "Configuration Guides". Depending on your ASA-version and your ASDM/CLI-preference you find the complete documetation. In te guides go for access-control and NAT.

web server (linux) sits in the DMZ (asa 5520)

Ibrahim Jamil — Fri, 29 Jun 2012 08:17:46 GMT

i meant pdf similar to my case ,

web server (linux) sits in the DMZ (asa 5520)

Karsten Iwen — Sat, 30 Jun 2012 15:18:49 GMT

your case is nearly exactly described in the config guide. Both for NAT and ACLs. Just give it a try ...

web server (linux) sits in the DMZ (asa 5520)

gouravbathla — Tue, 03 Jul 2012 06:27:44 GMT

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080b9b509.shtml

Here is the link for your reference.They are allowing port 25 from outside.And you want 443 this is the difference.

Hope this helps you.