Access Web Server at Internet

Tang-Suan Tan
Level 1

Hi Jcarvaja and all:

I have a doubt to confirm on the situation below:

There is a web server on the internet. The firewall ASA5505 is located at the inside edge of the edge router and the internet is at the outside edge of the edge router. The router has already been configured to route the outside network of the firewall to the internet.

The IP address information is as below:

Inside edge of the edge router : 192.168.20.2/24

Outside Network of Firewall ASA5505 : 192.168.20.0/24 with security level of 20

Outside Interface of the Firewall ASA5505 : 192.168.20.1/24

DMZ Network of the Firewall ASA5505 : 192.168.50.0/24 with security level of 50

Host at the DMZ : 192.168.50.10/24 with a definition with the name of DMZ_Host

Static Mapped address of the Host at the DMZ to Outside Network: 192.168.20.10/24

1. I have a host at the DMZ zone of the firewall and if it wants to access this web server by http, are the following command lines to be added to the ASA5505 good enough, and is anything wrong with them?

access-list Outside_DMZ extended permit ip 192.168.20.0 255.255.255.0 192.168.50.0 --> allow outside to access dmz

access-list Outside_DMZ extended permit tcp host Web_server host DMZ_Host eq 80 --> allow web server to access dmz host

static (dmz,outside) 192.168.20.10 192.168.50.10 netmask 255.255.255.255 --> static mapped the dmz host to outside mapped address

route outside 0.0.0.0 0.0.0.0 192.168.20.2  --> static route of dmz network to internet

access-group Outside_DMZ in interface Outside --> applied the access list to firewall outside interface

2. I have a doubt here: do I need to add any command line related to the static mapped address 192.168.20.10/24, like below?

access-list Outside_DMZ extended permit tcp any 192.168.20.10 255.255.255.0 eq 80

whereby 192.168.20.10 is the static mapped address of the host at the DMZ to the outside network. Or does any other command related to the static mapped address have to be added?

thanks and regards,

tangsuan


5 Replies

Julio Carvajal
VIP Alumni

Hello Tangsuan,

If you want to allow access from the outside server to the DMZ host on port 80 tcp (192.168.50.10 NATed on the outside to 192.168.20.10) you only need the following:

static (dmz,outside) 192.168.20.10 192.168.50.10

access-list Outside_DMZ extended permit tcp host Web_server host DMZ_Host eq 80

access-group Outside_DMZ in interface Outside


If you add the following:
access-list Outside_DMZ extended permit tcp any 192.168.20.10 255.255.255.0 eq 80

It could be a security threat, as you will be allowing connections to the server on the DMZ from any host on the outside, unless this is what you are looking for (access the server from anywhere on the outside).

Regards,

Julio

Rate helpful posts!

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi Jcarvaja:

Thanks for your reply!

OK, I got the explanation of the thread, thanks!

I have a doubt as below:

If the command below:

access-list Outside_DMZ extended permit ip 192.168.20.0 255.255.255.0 192.168.50.0

is not added, can the Web_server still access the DMZ_Host? This is because, in my understanding, the Web_server with a public IP address will only be routed to the outside network of the firewall by the edge router.

Is it necessary to add the above command so that the firewall can allow the routed IP of this Web_server to access the DMZ_Host?

thanks and regards,

tangsuan

Hello Tang,

Not at all, as the ASA knows from its NAT table that the IP address 192.168.20.10 is 192.168.50.10...

So as soon as the ASA receives a packet on the outside going to 20.10 it will know that it is intended to go to 50.10.

On the version you are running, NAT is seen after the ACL, so you need to create the ACL pointing to the public IP address.

Rate helpful posts!

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
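To make the order of operations Julio describes concrete (outside ACL first, static NAT untranslation second) and the exposure his earlier reply warns about, here is a small added model written for this thread; it is not Cisco code and not part of the original posts. The web server's public address 203.0.113.5 and the outside host 198.51.100.7 are assumed; the DMZ, mapped and outside addresses are the ones from the question.

```python
"""Constructed model of inbound handling on a pre-8.3 ASA: the outside
interface ACL is evaluated against the packet as it arrives (mapped
destination), and only a permitted packet is then untranslated via the
static entry. Not Cisco code; see the lead-in for assumptions."""
import ipaddress
from dataclasses import dataclass

WEB_SERVER = "203.0.113.5"       # assumed public address of the Internet web server
DMZ_HOST = "192.168.50.10"       # real address of DMZ_Host (from the thread)
MAPPED = "192.168.20.10"         # static (dmz,outside) 192.168.20.10 192.168.50.10
STATIC_NAT = {MAPPED: DMZ_HOST}  # outside mapped address -> real DMZ address


def _in(net: str, ip: str) -> bool:
    """ACE address match; 'any' matches everything, and a mask is applied as
    the ASA would (192.168.20.10 255.255.255.0 covers all of 192.168.20.0/24)."""
    return net == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(net, strict=False)


@dataclass(frozen=True)
class Ace:
    src: str        # "any" or address/prefix
    dst: str
    port: int = 0   # 0 means any destination port

    def matches(self, src_ip: str, dst_ip: str, dport: int) -> bool:
        return _in(self.src, src_ip) and _in(self.dst, dst_ip) and self.port in (0, dport)


# ACL written against the real DMZ address (host DMZ_Host)
ACL_REAL_ADDR = [Ace(WEB_SERVER + "/32", DMZ_HOST + "/32", 80)]
# ACL written against the mapped address, as the accepted answer requires
ACL_MAPPED_ADDR = [Ace(WEB_SERVER + "/32", MAPPED + "/32", 80)]
# The line from the question: any source, and a /24 mask on a host address
ACL_ANY_SRC = [Ace("any", MAPPED + "/24", 80)]


def inbound_outside(acl, src_ip: str, dst_ip: str, dport: int):
    """Return (verdict, delivered destination) for a packet arriving on outside."""
    if not any(ace.matches(src_ip, dst_ip, dport) for ace in acl):
        return ("deny", dst_ip)                        # implicit deny at the end of the ACL
    return ("permit", STATIC_NAT.get(dst_ip, dst_ip))  # untranslate only after the ACL permits


if __name__ == "__main__":
    print(inbound_outside(ACL_REAL_ADDR, WEB_SERVER, MAPPED, 80))    # ('deny', '192.168.20.10')
    print(inbound_outside(ACL_MAPPED_ADDR, WEB_SERVER, MAPPED, 80))  # ('permit', '192.168.50.10')
    print(inbound_outside(ACL_ANY_SRC, "198.51.100.7", MAPPED, 80))  # ('permit', '192.168.50.10')
```

The third case shows why the `any` line widens exposure: any outside source reaches the DMZ host, and the /24 mask also matches every address in 192.168.20.0/24, not just the mapped host.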

Hi Jcarvaja:

Thanks for your answer.

You helped a lot with all my questions.

This case will be closed as you already provided the correct answer.

regards,

tangsuan

Hello Tang,

Not a problem! Just let me know if you have any other questions.

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC