topic Accessing webserver behind an ASA 5505 (newbie) in Network Security

Accessing webserver behind an ASA 5505 (newbie)

kcaporaso — Mon, 11 Mar 2019 11:10:57 GMT

Hi,

I have not been able to figure out how to setup PAT/ACLs or anything else to get an outside web browser to hit my webserver.

Setup:

cable modem -> ASA 5505 -> PC

-> webserver

I'd like everyone on the outside to be able to hit the webserver. I've tried all kinds of different security policies with no luck.

I must not understand the policies and NAT/PAT stuff very well.

Coming from an old Linksys router you told it what port to watch for and then forward it to a host on the inside. The ASA seems MUCH more complicated than that...

Public IP: 1.1.1.1

Inside IP: 192.168.1.1

Look for the general rules that set this access up. I'll try to use the CLI if you can show the actual commands, otherwise I'm fumbling around in the GUI.

Any help would be appreciated.

Re: Accessing webserver behind an ASA 5505 (newbie)

acomiskey — Thu, 13 Sep 2007 19:17:29 GMT

It's more complicated for good reason.

In it's simplest form, these commands will do the trick.

static (inside,outside) interface netmask 255.255.255.255

access-list outside_access_in permit tcp any interface outside eq 80

access-group outside_access_in in interface outside

This is if you are using the outside interface ip of your ASA to access the webserver.

You can also do this which would allow you to use the outside interface ip for other services to other servers...

static (inside,outside) tcp interface 80 80 netmask 255.255.255.255

Re: Accessing webserver behind an ASA 5505 (newbie)

Jon Marshall — Thu, 13 Sep 2007 19:20:02 GMT

What is the private IP address of the web server and what is the public IP address you want to present it as eg.

if private IP = 192.168.5.1

public IP = 217.22.1.10

then config would be

static (inside,outside) 217.22.1.10 192.168.5.1 netmask 255.255.255.255

access-list acl_inbound permit tcp any host 217.22.1.10 eq 80

access-group acl_inbound in interface outside

HTH

Jon

Re: Accessing webserver behind an ASA 5505 (newbie)

kcaporaso — Thu, 13 Sep 2007 19:26:12 GMT

Thank you!

I see where I went wrong... I was setting the source port to 80.

Re: Accessing webserver behind an ASA 5505 (newbie)

hsajwan — Thu, 13 Sep 2007 19:29:17 GMT

Here are the commands:

static (inside,outside) 1.1.1.1 192.168.1.1

access-list aclout permit tcp any host 1.1.1.1 eq 80

access-group aclout in interface outside

In case 1.1.1.1 is the IP address of the outside interface of ASA, then here are the commands:

static (inside,outside) tcp interface 80 192.168.1.1 80

access-list aclout permit tcp any interface outside eq 80

access-group aclout in interface outside