12-13-2012 12:50 AM - edited 03-11-2019 05:36 PM
How can I access my webserver (on my private LAN) from the internet?
INTERNET------------(53.X.X.1)ASA(192.X.X.X)DMZ-----------(192.X.X.80)HTTP SERVER
I can ping my public address on the ASA outside interface 53.X.X.1 from the internet, but I'm not sure how to do this. I tried to NAT, but I'm failing. Can anyone help?
12-13-2012 12:58 AM
Hi,
If I understood you correctly, you only have 1 public IP address, which is on your ASA outside interface?
If this is correct, then the only way you can publish some services to the Internet is to do Port Forward NAT configurations.
Here's one example.
I use the following base information
object network WEB-SERVER-PORTFORWARD
 host 192.168.1.80
 nat (dmz,outside) static 53.1.1.1 service tcp www www
access-list OUTSIDE-IN permit tcp any object WEB-SERVER-PORTFORWARD eq 80
access-group OUTSIDE-IN in interface outside
The "access-group" command is only needed if you have no previous ACL connected to the "outside" interface. You can confirm attached ACLs from the CLI using the command "show run access-group".
Just replace the above information I used in my configuration to match your actual information and put the configurations on the ASA and test the connections.
If this is something you weren't looking for, please clarify the situation further.
- Jouni
12-13-2012 02:36 AM
Thanks JouniForss
I missed this line in my configuration: "access-list OUTSIDE-IN permit tcp any object WEB-SERVER-PORTFORWARD eq 80"
But I'm still having a small issue: when I call for my page, e.g. http:\\53.1.1.1\index.php, it takes ages, but when I specify http:\\53.1.1.1:80\index.php it works like Mandela.
I'm not sure if it has anything to do with my web server port config or my ASA firewall ACLs or something.
12-13-2012 03:22 AM
Hi,
I don't see that the URLs you enter are any different with regard to the ASA.
With the above configuration we simply forward traffic for port TCP/80 (53.x.x.x) to the same port TCP/80 (192.168.x.x) on the LAN server. No other destination ports should even be reachable.
I guess you can always check logs (probably easiest through ASDM Logging Monitor) while attempting a connection, or take a traffic capture from the ASA to see what traffic is coming and going and especially when.
Please rate if the information has been helpful, and ask if you have more questions, for example related to configuring the capture etc.
- Jouni
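Added example, not part of the replies above and not Cisco tooling: one way to act on the log check suggested in the previous reply is to pair the ASA's connection build (302013) and teardown (302014) syslog messages for the forwarded server and see which connections completed, which were slow, and which never finished the TCP handshake. The log lines, the client address 198.51.100.7 and the function name `triage` are constructed for illustration; it assumes informational-level syslog has been saved as text.

```python
import re

# Constructed sample in the ASA 302013/302014 syslog format. Server and mapped
# addresses reuse the thread's example values; the client is a documentation address.
SAMPLE_LOG = """\
Dec 13 2012 03:30:01: %ASA-6-302013: Built inbound TCP connection 1001 for outside:198.51.100.7/51514 (198.51.100.7/51514) to dmz:192.168.1.80/80 (53.1.1.1/80)
Dec 13 2012 03:30:02: %ASA-6-302014: Teardown TCP connection 1001 for outside:198.51.100.7/51514 to dmz:192.168.1.80/80 duration 0:00:01 bytes 4312 TCP FINs
Dec 13 2012 03:30:05: %ASA-6-302013: Built inbound TCP connection 1002 for outside:198.51.100.7/51520 (198.51.100.7/51520) to dmz:192.168.1.80/80 (53.1.1.1/80)
Dec 13 2012 03:30:35: %ASA-6-302014: Teardown TCP connection 1002 for outside:198.51.100.7/51520 to dmz:192.168.1.80/80 duration 0:00:30 bytes 0 SYN Timeout
Dec 13 2012 03:30:40: %ASA-6-302013: Built inbound TCP connection 1003 for outside:198.51.100.7/51533 (198.51.100.7/51533) to dmz:192.168.1.80/80 (53.1.1.1/80)
"""

BUILT = re.compile(
    r"%ASA-6-302013: Built inbound TCP connection (?P<id>\d+) for "
    r"(?P<cif>[^:\s]+):(?P<client>[^/\s]+)/\d+ \([^)]*\) to "
    r"(?P<sif>[^:\s]+):(?P<server>[^/\s]+)/(?P<port>\d+) \((?P<mapped>[^)]*)\)")
TEARDOWN = re.compile(
    r"%ASA-6-302014: Teardown TCP connection (?P<id>\d+) for .*? duration "
    r"(?P<h>\d+):(?P<m>\d\d):(?P<s>\d\d) bytes (?P<bytes>\d+)\s*(?P<reason>.*)$")

def triage(log_text, server_ip, slow_seconds=10):
    """Pair Built/Teardown events for inbound connections to server_ip (real address).
    Verdicts: ok, slow, handshake-timeout, or open (no teardown logged yet)."""
    conns = {}
    for line in log_text.splitlines():
        b = BUILT.search(line)
        if b and b["server"] == server_ip:
            conns[b["id"]] = {"id": b["id"], "client": b["client"],
                              "port": int(b["port"]), "mapped": b["mapped"],
                              "verdict": "open"}
            continue
        t = TEARDOWN.search(line)
        if t and t["id"] in conns:
            c = conns[t["id"]]
            c["seconds"] = int(t["h"]) * 3600 + int(t["m"]) * 60 + int(t["s"])
            c["bytes"] = int(t["bytes"])
            c["reason"] = t["reason"].strip()
            if c["bytes"] == 0 and c["reason"].startswith("SYN Timeout"):
                c["verdict"] = "handshake-timeout"  # three-way handshake never completed
            elif c["seconds"] >= slow_seconds:
                c["verdict"] = "slow"
            else:
                c["verdict"] = "ok"
    return list(conns.values())

if __name__ == "__main__":
    for c in triage(SAMPLE_LOG, "192.168.1.80"):
        print(c["id"], c["client"], c["mapped"], c["verdict"], c.get("reason", "-"))
```

A mix of "ok" and "handshake-timeout" rows for the same client points away from the NAT rule and ACL, which treat every TCP/80 connection alike, and toward the server or the return path.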
06-22-2014 11:21 PM
Hi guys, I have the same issue. I have configured static NAT on my ASA 8.4 in order to access a webserver in the DMZ zone. While accessing my webserver in the DMZ zone from the internet through any navigator (Internet Explorer, Mozilla, etc.) it takes ages to respond! But when I tried to curl the page from a command prompt, or if I try to telnet to the webserver on port 80, it works! Can anyone help me please? I am not able to see the webpage from the navigator.
Public address 35.xxx.xxx.xx
Private IP 192.168.10.x
Nat configuration
object network ONE-WEB-SERVER-INTERNAL
 host 192.168.10.x
object network ONE-WEB-SERVER-PUB
 host 35.203.57.x
nat (IF-VLAN170-DMZ,IF-outside-backup) 1 source static ONE-WEB-SERVER-INTERNAL ONE-WEB-SERVER-PUB
The webpage doesn't show up, but it is accessible through the command line over telnet on port 80 or using the curl command in Linux.
Please help.