Can't access my webserver behind ASA 5520 8.4(2)

How can I access my webserver (on my private LAN) from the internet? INTERNET------------(53.X.X.1 )ASA(192.X.X.X)DMZ-----------(192.X.X.80)HTTP SERVER. I can ping my public address on the ASA outside interface 53.X.X.1 from the internet, but I'm not sure how to do this. I tried to NAT, but I'm failing. Can anyone help?


Jouni Forss
VIP Alumni

Hi,

If I understood you correctly you only have 1 public IP address which is on your ASA outside interface?

If this is correct, then the only way you can publish some services to the Internet is to do Port Forward NAT configurations.

Here's one example

I use the following base information

  • Public interface IP address = 53.1.1.1
  • Local server IP address = 192.168.1.80
  • OUTSIDE interface nameif = outside
  • DMZ interface nameif = dmz
  • OUTSIDE ACL name = OUTSIDE-IN
  • Service to be opened from Internet = HTTP = TCP/80

object network WEB-SERVER-PORTFORWARD
 host 192.168.1.80
 nat (dmz,outside) static 53.1.1.1 service tcp www www

access-list OUTSIDE-IN permit tcp any object WEB-SERVER-PORTFORWARD eq 80

access-group OUTSIDE-IN in interface outside

The "access-group" command is only needed if you have no previous ACL connected to the "outside" interface. You can confirm attached ACLs from the CLI using the command "show run access-group".

Just replace the above information I used in my configuration to match your actual information and put the configurations on the ASA and test the connections.

If this is something you weren't looking for, please clarify the situation further.

- Jouni

Thanx JouniForss

I missed this line in my configuration: "access-list OUTSIDE-IN permit tcp any object WEB-SERVER-PORTFORWARD eq 80"

but I'm still having a small issue: when I call for my page, e.g. http:\\53.1.1.1\index.php, it takes ages, but when I specify http:\\53.1.1.1:80\index.php it works like Mandela.

I'm not sure if it has anything to do with my web server port config or my ASA firewall ACLs or something.


Hi,

I don't see that the URLs you enter are any different with regards to the ASA.

With the above configuration we simply forward traffic for port TCP/80 (53.x.x.x) to the same port TCP/80 (192.168.x.x) on the LAN server. No other destination ports should even be reachable.

I guess you can always check logs (probably easiest through ASDM Logging Monitor) while attempting connection or take traffic capture from the ASA to see what traffic is coming and going and especially when.

Please rate if the information has been helpful, and ask if you have more questions, for example related to configuring the capture etc.

- Jouni
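
One way to follow the log-checking suggestion in the reply above, as an added example that is not part of the original posts: a small Python summary of ASA syslog per destination port on the published address, showing whether TCP/80 connections are built and how they end, and whether requests to other ports are discarded. The log lines are constructed samples; it is an assumption that the firewall logs messages 302013, 302014 and 710005 in this form, and `summarise` is a hypothetical helper name.

```python
import re
from collections import defaultdict

# Constructed sample of ASA syslog lines (addresses follow the thread's example).
SAMPLE_LOG = """\
%ASA-6-302013: Built inbound TCP connection 1001 for outside:198.51.100.7/51514 (198.51.100.7/51514) to dmz:192.168.1.80/80 (53.1.1.1/80)
%ASA-6-302014: Teardown TCP connection 1001 for outside:198.51.100.7/51514 to dmz:192.168.1.80/80 duration 0:00:02 bytes 4312 TCP FINs
%ASA-7-710005: TCP request discarded from 198.51.100.7/51515 to outside:53.1.1.1/443
%ASA-7-710005: TCP request discarded from 198.51.100.7/51516 to outside:53.1.1.1/443
%ASA-6-302013: Built inbound TCP connection 1002 for outside:198.51.100.7/51520 (198.51.100.7/51520) to dmz:192.168.1.80/80 (53.1.1.1/80)
%ASA-6-302014: Teardown TCP connection 1002 for outside:198.51.100.7/51520 to dmz:192.168.1.80/80 duration 0:00:30 bytes 0 SYN Timeout
"""

# Built: capture connection id and the mapped (public) destination ip/port.
BUILT = re.compile(r"%ASA-6-302013: Built inbound TCP connection (\d+) for "
                   r"\S+ \(\S+\) to \S+ \((\S+)/(\d+)\)")
# Teardown: capture connection id, byte count and the teardown reason.
TEARDOWN = re.compile(r"%ASA-6-302014: Teardown TCP connection (\d+) for .* "
                      r"duration \S+ bytes (\d+) (.+)$")
# Discard: traffic to the interface address that no NAT rule forwarded.
DISCARD = re.compile(r"%ASA-7-710005: TCP request discarded from \S+ to "
                     r"\S+:(\S+)/(\d+)")

def summarise(log_text, public_ip):
    """Return {dest_port: {"built": n, "discarded": n, "teardown": {reason: n}}}."""
    ports = defaultdict(lambda: {"built": 0, "discarded": 0, "teardown": defaultdict(int)})
    conn_port = {}  # connection id -> public destination port
    for line in log_text.splitlines():
        if m := BUILT.search(line):
            conn_id, ip, port = m.groups()
            if ip == public_ip:
                conn_port[conn_id] = int(port)
                ports[int(port)]["built"] += 1
        elif m := TEARDOWN.search(line):
            conn_id, _bytes, reason = m.groups()
            if conn_id in conn_port:
                ports[conn_port.pop(conn_id)]["teardown"][reason.strip()] += 1
        elif m := DISCARD.search(line):
            ip, port = m.groups()
            if ip == public_ip:
                ports[int(port)]["discarded"] += 1
    return {p: {**v, "teardown": dict(v["teardown"])} for p, v in ports.items()}

if __name__ == "__main__":
    for port, stats in sorted(summarise(SAMPLE_LOG, "53.1.1.1").items()):
        print(port, stats)
```

Message 710005 is a debugging-level message, so it only appears when the logging destination is set to that level.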

YANNICK NGOY
Level 1

Hi guys, I have the same issue. I have configured static NAT on my ASA 8.4 in order to access a webserver in the DMZ zone. While accessing my webserver in the DMZ zone from the internet through any navigator (Internet Explorer, Mozilla, etc.) it takes ages to respond! But when I tried to curl the page from a command prompt, or if I try to telnet to the webserver on port 80, it works! Can anyone help me please? I am not able to see the webpage from the navigator.

Public address 35.xxx.xxx.xx

Private IP 192.168.10.x

NAT configuration

object network ONE-WEB-SERVER-INTERNAL
 host 192.168.10.x

object network ONE-WEB-SERVER-PUB
 host 35.203.57.x

nat (IF-VLAN170-DMZ,IF-outside-backup) 1 source static ONE-WEB-SERVER-INTERNAL ONE-WEB-SERVER-PUB

The webpage doesn't show up!

But it is accessible through the command line over telnet on port 80 or using the curl command in Linux.

Please help.
