topic Re: asa 5510 multiple web servers in Network Security

asa 5510 multiple web servers

support.edm — Mon, 11 Mar 2019 13:10:47 GMT

ciscoasa(config)# sh run

: Saved

ASA Version 8.0(2)

hostname ciscoasa

enable password xxx

names

interface Ethernet0/0

nameif outside

security-level 0

ip address x.x.x.17 255.255.255.240

interface Ethernet0/1

nameif inside

security-level 100

ip address 172.x.x.1 255.255.255.0

interface Ethernet0/2

shutdown

no nameif

no security-level

no ip address

interface Ethernet0/3

shutdown

no nameif

no security-level

no ip address

interface Management0/0

nameif management

security-level 100

ip address 192.168.1.1 255.255.255.0

management-only

passwd xxx

ftp mode passive

clock timezone mst -6

access-list split_tunnel_list standard permit 172.17.193.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 172.17.193.0 255.255.255.0 192.168.10.0 255.255.255.0

access-list ping_reply extended permit icmp any any

pager lines 24

logging enable

logging asdm informational

mtu outside 1500

mtu inside 1500

mtu management 1500

ip local pool vpnuserspool 192.168.10.101-192.168.10.254 mask 255.255.255.0

no failover

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-602.bin

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 172.17.193.0 255.255.255.0

access-group ping_reply in interface outside

route outside 0.0.0.0 0.0.0.0 x.x.x.30 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

dynamic-access-policy-record DfltAccessPolicy

aaa authentication ssh console LOCAL

http server enable

http 192.168.1.0 255.255.255.0 management

http 172.17.193.0 255.255.255.0 inside

http 192.168.10.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set firstset esp-3des esp-md5-hmac

crypto dynamic-map dyn1 1 set transform-set firstset

crypto dynamic-map dyn1 1 set reverse-route

crypto map mymap 1 ipsec-isakmp dynamic dyn1

crypto map mymap interface outside

crypto isakmp enable outside

crypto isakmp policy 1

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 43200

crypto isakmp nat-traversal 3600

telnet timeout 5

ssh 172.17.193.0 255.255.255.0 inside

ssh 192.168.10.0 255.255.255.0 inside

ssh timeout 60

console timeout 0

management-access inside

dhcpd address 172.17.193.101-172.17.193.254 inside

dhcpd dns dns1 dns2 interface inside

dhcpd enable inside

dhcpd address 192.168.1.2-192.168.1.254 management

dhcpd enable management

threat-detection basic-threat

threat-detection statistics access-list

class-map inspection_default

match default-inspection-traffic

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

Re: asa 5510 multiple web servers

support.edm — Tue, 08 Jul 2008 16:31:35 GMT

service-policy global_policy global

ntp server 67.212.67.78 source outside

group-policy vpnuserspolicy internal

group-policy vpnuserspolicy attributes

split-tunnel-policy tunnelspecified

split-tunnel-network-list value split_tunnel_list

address-pools value vpnuserspool

username admin password xxx encrypted privilege 15

username admin attributes

vpn-group-policy vpnuserspolicy

tunnel-group vpnusersgroup type remote-access

tunnel-group vpnusersgroup general-attributes

default-group-policy vpnuserspolicy

tunnel-group vpnusersgroup ipsec-attributes

pre-shared-key *

prompt hostname context

Cryptochecksum:xxx

: end

ciscoasa(config)#

Re: asa 5510 multiple web servers

support.edm — Tue, 08 Jul 2008 16:33:55 GMT

I have a w2k3 server on the LAN that has 2 web sites running on it. Web1 is bound to 172.17.193.99 and Web2 is bound to 172.17.193.98. The outside interface of the ASA is on the x.x.x.16/28 network. The inside is on 172.17.193.0/24.

I did the following:

static (inside,outside) tcp interface 80 172.17.193.99 80 netmask 255.255.255.255

access-list web1_access permit tcp any host x.x.x.17 eq 80

access-group web1_access in interface outside

I could browse to web1 using http://x.x.x.17 which gets redirected to 172.17.193.99 web server.

How do I go about being able to browse to web2 from the internet using http://x.x.x.18 to point to 172.17.193.98 web server while at the same time retaining the ability to browse to web1?

Re: asa 5510 multiple web servers

ray_stone — Tue, 08 Jul 2008 19:09:35 GMT

Do u have a single public IP or u have more?

Re: asa 5510 multiple web servers

a.alekseev — Tue, 08 Jul 2008 19:57:14 GMT

you should have two static

one for 172.17.193.99

another for 172.17.193.98

if you have single ip you can use different ports

static (inside,outside) tcp interface 80 172.17.193.99 80 netmask 255.255.255.255

static (inside,outside) tcp interface 81 172.17.193.98 80 netmask 255.255.255.255

P.S. rate a post if it was useful

Re: asa 5510 multiple web servers

support.edm — Tue, 08 Jul 2008 20:15:16 GMT

We get .17 to .29

.16 network id

.30 broadcast address

255.255.255.240 (/28)

Re: asa 5510 multiple web servers

support.edm — Tue, 08 Jul 2008 20:16:53 GMT

"static (inside,outside) tcp interface 81 172.17.193.98 80 netmask 255.255.255.255 "

Does that mean ppl on the internet have to put in "http://x.x.x.17:81" in their browser to access web2 server?????

Re: asa 5510 multiple web servers

a.alekseev — Tue, 08 Jul 2008 20:21:28 GMT

yes,

or you need yet another public ip.

Re: asa 5510 multiple web servers

support.edm — Tue, 08 Jul 2008 20:39:08 GMT

as i've indicated we are allocated public internet address of .17 to .29 by the ISP.

I want .17 to point to the 172.17.193.99 web server and .18 to point to the 172.17.193.98 web server.

Re: asa 5510 multiple web servers

Alan Huseyin Kayahan — Tue, 08 Jul 2008 20:42:34 GMT

If it is feasible for you on usage/utilization and resource basis, you also can migrate the web service from server 2 to server 1, then configure host headers to run 2 different web services behind 1 public IP.

Regards

Re: asa 5510 multiple web servers

Alan Huseyin Kayahan — Tue, 08 Jul 2008 20:45:47 GMT

"I want .17 to point to the 172.17.193.99 web server and .18 to point to the 172.17.193.98 web server"

Then all you have to do is creating another static statement,

static (inside,outside) tcp x.x.x.18 80 172.17.193.98 80 netmask 255.255.255.255

access-list web1_access permit tcp any host x.x.x.18 eq 80

Regards

Re: asa 5510 multiple web servers

support.edm — Thu, 10 Jul 2008 17:44:58 GMT

I did this:

access-list inbound_on_outside extended permit tcp any host x.x.x.17 eq www

access-list inbound_on_outside extended permit tcp any host x.x.x.18 eq www

access-list inbound_on_outside extended permit tcp any host x.x.x.19 eq www

static (inside,outside) tcp interface www 172.17.193.99 www netmask 255.255.255.255

static (inside,outside) tcp x.x.x.18 www 172.17.193.98 www netmask 255.255.255.255

static (inside,outside) tcp x.x.x.19 www 172.17.193.97 www netmask 255.255.255.255

access-group inbound_on_outside in interface outside

Works fine for 3 test websites.

Curious...any reason why

"static (inside,outside) tcp interface www 172.17.193.99 www netmask 255.255.255.255"

can't be

"static (inside,outside) tcp x.x.x.17 www 172.17.193.99 www netmask 255.255.255.255"

to keep things consistent?

Re: asa 5510 multiple web servers

Alan Huseyin Kayahan — Thu, 10 Jul 2008 20:27:47 GMT

This is actually for "securing" the Ip address of interfaces which are crutial for overall routing processes from misuse. It is easy to get confused and create a one to one static for the outside IP address which will halt the the overall operation. You supposed to be careful when you use an "interface" statement rather than the IP address. But I have seen a very few configurations which actually operates without interface command.