Putting Servers behind ASA5505

Hi there,

I am in the process of adding a lot of servers to sit behind our new ASA 5505 (8.4) firewall. At the moment I have added 2 servers and they are both NAT'ed to 2 different public IPs.

Server 1     192.168.10.1 -> 80.*.*.1

Server 2     192.168.10.111 -> 80.*.*.6

The first server can only be RDP'ed in to using its public IP, which is what I want it to do. The second one has most of the service ports open, like 443, 80, 110, 25, etc. However, when I try to browse externally to https://remote.domain.com/exchange I get an "Error 107 (net::ERR_SSL_PROTOCOL_ERROR): SSL protocol error." in Google Chrome or any other browser, and the ASA reports:

11:27:30  192.168.10.111/2626 -> 80.*.*.6/443  Inbound TCP connection denied from 192.168.10.111/2626 to 80.*.*.6/443 flags SYN on interface inside

and I also get a Land to Land attack detected from 80.*.*.6 to 80.*.*.6

Any ideas?

Is it worth setting up a DMZ or can I get away with the setup I have?


andrelorenz
Level 1

Hello Dmitry,

Let's start with your second question, regarding the DMZ setup.

It is generally a good idea to move exposed servers, like webmail (in your case Exchange), into a DMZ.

Now to your first question.

There are some changes between 8.3 and 8.4 regarding opening ports.

You might have to create the network objects.

The right rules might look similar to this:

object network WEBSERVER
 host 192.168.....

access-list WAN1_access_in extended permit tcp any any eq https log .....

object network WEBMAIL
 nat (DMZ,WAN1) static PUBLIC_IP service tcp https https

Hope this helps you a little bit.

There is some additional information on the website:

http://www.cisco.com/en/US/docs/security/asa/asa83/upgrading/migrating.html#wp110236

regards

andre
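A fuller 8.4-style configuration for the setup described in the question, with the Exchange server moved to a DMZ as the reply suggests. This is an added example written by the editor, not configuration posted by either participant. The interface names, VLAN numbers, the DMZ subnet 192.168.20.0/24, the object and ACL names, and the public addresses 203.0.113.1 and 203.0.113.6 (RFC 5737 documentation addresses standing in for the elided 80.*.*.1 and 80.*.*.6) are all assumptions:

```cisco
! Added example, not from the original thread. Interface names, VLAN numbers,
! the DMZ subnet and the 203.0.113.0/29 public block are assumptions.

! --- interfaces (ASA 5505: one VLAN per nameif) ---
! The 5505 Base license restricts the third VLAN (it may not initiate traffic
! to one other VLAN); this example assumes Security Plus, so no restriction.
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.10.254 255.255.255.0
interface Vlan2
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
interface Vlan3
 nameif dmz
 security-level 50
 ip address 192.168.20.254 255.255.255.0

! --- server 1: stays inside, one-to-one static NAT, RDP only ---
object network SERVER1
 host 192.168.10.1
 nat (inside,outside) static 203.0.113.1

! --- server 2 (Exchange): moved to the DMZ ---
! "dns" rewrites the A record in DNS replies that cross the ASA, so an inside
! client resolving remote.domain.com gets 192.168.20.111 instead of the public
! address and never tries to reach the server through its outside IP.
object network WEBMAIL
 host 192.168.20.111
 nat (dmz,outside) static 203.0.113.6 dns

object-group service WEBMAIL_TCP tcp
 port-object eq https
 port-object eq www
 port-object eq smtp
 port-object eq pop3

! --- inbound policy on outside ---
! Since 8.3 the ACL matches the real (pre-NAT) address, hence "object SERVER1"
! rather than the public IP; in 8.2 the same line would have named 203.0.113.1.
access-list OUTSIDE_IN extended permit tcp any object SERVER1 eq 3389
access-list OUTSIDE_IN extended permit tcp any object WEBMAIL object-group WEBMAIL_TCP
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside

! --- what the DMZ may start on its own ---
! Without an ACL the ASA already lets dmz (50) reach outside (0) and blocks
! dmz -> inside (50 -> 100). Applying an ACL replaces that default, so every
! outbound dependency of the DMZ host has to be listed here explicitly.
access-list DMZ_IN extended permit tcp object WEBMAIL any eq smtp
access-list DMZ_IN extended permit udp object WEBMAIL any eq domain
! (add the specific ports the mail server needs toward inside, if any, here)
access-list DMZ_IN extended deny ip any 192.168.10.0 255.255.255.0 log
access-list DMZ_IN extended deny ip any any log
access-group DMZ_IN in interface dmz
```

The ACL-on-real-address rule is the 8.3/8.4 change the reply refers to: an 8.2-style ACL written against the public IP matches nothing after the upgrade and the SYN is denied. The `dns` keyword only helps when the inside client's DNS reply actually passes through the ASA; an internal zone that already returns the private address does not need it.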

Well to be honest, all the devices behind the firewall are servers and not a single pc.

I have already done what you have suggested and I can RDP in to the server and browse the web from it but cannot access https pages on the server.
