topic Re: ASA DMZ Server access in Network Security

ASA DMZ Server access

umeshunited — Fri, 21 Feb 2020 17:28:08 GMT

Hi,

If I have one DMZ webserver ( on port 443) in my environment and I want it to use outside interface for PAT.

object network DMZ_SERVER_PRIVATE

host 172.16.1.10

nat (dmz, outside) static interface service tcp https https

Now, I also have https/ASDM access enabled for ASA ( to the box traffic).

When someone tries to connect to my outside IP on 443 how my firewall will know if he's trying to access ASA/ASDM (to the box traffic) or internal WEB server(through the box traffic)?

Thanks.

Re: ASA DMZ Server access

ssambourg — Fri, 06 Sep 2019 08:20:10 GMT

Hi,

Enable the HTTPS server to listen on a different port in order to change the configuration that is related to the ASDM service on the ASA, as shown here:

ASA(config)#http server enable <1-65535>

configure mode commands/options:
  <1-65535>  The management server's SSL listening port. TCP port 443 is the
             default.

Here is an example:

ASA(config)#http server enable 65000

After you change the default port configuration, use this format in order to launch the ASDM from a supported web browser on the security appliance network:
```
https://interface_ip_address:<customized port number>
```

Don't forget to permit your public IP to access ASDM with this CLI :

http [your public IP] 255.255.255.255 outside
! or all public IP :
http 0.0.0.0 0.0.0.0 outside

HTH

Re: ASA DMZ Server access

umeshunited — Fri, 06 Sep 2019 14:10:39 GMT

Hi,

Thank you for your reply.

But the thing is that I implemented this in GNS and it showed that it directed that connection to DMZ server.

Why the firewall did not consider it as to the box traffic?

WEB_PRIV----- (dmz) [ASA](outside)----- outside router

I have trimmed the output to show only relevant info.

ciscoasa# show run http
http server enable
http 10.0.0.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside

ciscoasa# show ip
System IP Addresses:
Interface Name IP address Subnet mask Method
GigabitEthernet0/0 outside 20.0.0.1 255.255.255.0 CONFIG
GigabitEthernet0/1 inside 10.0.0.1 255.255.255.0 CONFIG
GigabitEthernet0/2 dmz 172.16.0.1 255.255.255.0 CONFIG

ciscoasa# sho run object
object network WEB_PRIV
host 172.16.0.5

ciscoasa# show run nat
!
object network WEB_PRIV
nat (dmz,outside) static interface service tcp https https

ciscoasa# show run access-list

access-list OUTSIDE_IN extended permit tcp any object WEB_PRIV eq https

outside_router#telnet 20.0.0.1 443
Trying 20.0.0.1, 443 ... Open

WEB_PRIV#show tcp brief
TCB Local Address Foreign Address (state)
65496C80 172.16.0.5.443 20.0.0.10.29126 ESTAB