Making webserver on 8080 available to the outside on 80

ralf.rottmann
Level 1

Hi there,

Sorry for "spamming" this forum but we're new to the ASA and really want to get the most out of it.

We're running three networks (inside, outside and dmz). Inside is 10.0.1.0/24, dmz is 10.0.2.0/24, outside is a static ip allocated by our ISP. We'd like to configure the following:

All traffic from the outside to [static provider ip] on port 80 should go to 10.0.2.200 port 8080.

What do we have to configure to do so?

14 Replies

Marvin Rhoads
Hall of Fame

I'd suggest using the wizards built into the ASA configuration GUI (ASDM). You will generally need 1. a NAT rule to translate your internal address to an external one and 2. an access-list rule to allow externally initiated requests to come through the firewall.

Marvin, could you possibly provide the command line commands for doing exactly this?

Anybody? This is pretty urgent... we need to make the web server listening on port 8080 on the dmz network available to outside requests coming in on port 80 of the public IP address. Please, everything we tried failed so far.

Hi ralf,

Follow this:

object network provider_ip
  host 1.1.1.1
object network private_ip
  host 10.0.2.200
object service tcp_80
  service tcp destination eq 80
object service tcp_8080
  service tcp destination eq 8080
nat (outside,inside) source static any any destination static provider_ip private_ip service tcp_80 tcp_8080

Thanks,
Varun Rao
Security Team,
Cisco TAC


Varun,

His server is on DMZ. So NAT rule would need to be:

nat (outside,dmz) source static any any destination static provider_ip private_ip service tcp_80 tcp_8080

Do you agree?

He would also need an access list for the incoming traffic, yes?

ralf.rottmann
Level 1

Thanks a lot, again!

The web server is not on the inside network but on the dmz. Can I just replace every occurrence of inside with dmz in the above?


ralf.rottmann
Level 1

Also, do we need any form of acl / firewall rule in addition the the above?


Oops, sorry, I missed that... Thanks Marvin for the sharp eye. Yes Ralf, you would also need the access-list on the outside interface; make sure you include the private IP of the server on that access-list and allow port 8080.

Thanks,
Varun Rao
Security Team,
Cisco TAC


ralf.rottmann
Level 1

Varun, would you mind giving me the exact command for the access list(s)? Really don't want to trial-and-error anymore...


Now I am just assuming the name of the access-list on the outside interface, you can change it accordingly:

access-list outside_access_in permit tcp any host 10.0.2.200 eq 8080

Thanks,
Varun Rao
Security Team,
Cisco TAC


show access-list outputs the following. Is it safe to assume that I can just enter the above command exactly as it is?

gcxfw# show access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300

Well, if you don't have any access-list applied on the ASA, then this is the complete syntax for it:

access-list outside_access_in permit tcp any host 10.0.2.200 eq 8080
access-group outside_access_in in interface outside

Thanks,
Varun Rao
Security Team,
Cisco TAC

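Putting the thread's pieces together, the following is the complete configuration as an added example; it is not text from any of the posters. It assumes ASA 8.3 or later syntax (where NAT is object-based and ACLs are evaluated against the real, untranslated address), keeps the thread's placeholder 1.1.1.1 for the ISP-assigned static address, and uses the ACL name outside_access_in that Varun assumed. The object-NAT alternative in the comments is my addition and does the same single-host translation with fewer objects; the verification commands at the end use a made-up client address.

```cisco
! Added example: complete DMZ port forward on ASA 8.3+
! public 1.1.1.1:80 (1.1.1.1 stands in for the ISP address) -> 10.0.2.200:8080

object network provider_ip
  host 1.1.1.1
object network private_ip
  host 10.0.2.200
object service tcp_80
  service tcp destination eq 80
object service tcp_8080
  service tcp destination eq 8080

! Twice NAT as corrected in the thread: the interface pair is (outside,dmz),
! because the server lives in the dmz. Destination 1.1.1.1:80 is rewritten
! to 10.0.2.200:8080; the rule is bidirectional, so replies come back as 1.1.1.1:80.
nat (outside,dmz) source static any any destination static provider_ip private_ip service tcp_80 tcp_8080

! Alternative (assumption, not from the thread): object NAT on the server object.
! Real interface first, then mapped; real port first, then mapped port.
! Use either this or the twice-NAT line above, not both.
! object network private_ip
!   nat (dmz,outside) static 1.1.1.1 service tcp 8080 80

! On 8.3+ the interface ACL sees the packet AFTER un-NAT, so it must permit
! the real address and real port (10.0.2.200:8080), not 1.1.1.1:80.
access-list outside_access_in permit tcp any host 10.0.2.200 eq 8080
access-group outside_access_in in interface outside

! Verification from the ASA CLI (203.0.113.10 / port 40000 is a constructed client):
! packet-tracer input outside tcp 203.0.113.10 40000 1.1.1.1 80
! show nat detail
! show xlate
```

Two caveats a practitioner would check before trusting this. First, the ACL's `any` source opens the web server to the whole Internet; if only known clients need it, replace `any` with a network object of their addresses. Second, on ASA versions before 8.3 the syntax is different (`static (dmz,outside) tcp interface 80 10.0.2.200 8080` with an ACL that names the mapped public address and port 80), so confirm the version with `show version` before pasting either form.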

fb_webuser
Level 6

Thanks,

---

Posted by WebUser Bmr Bahrawy from Cisco Support Community App
