Allow access from internet to my inside local server

Hi ;

I have 2 interfaces on my Cisco ASA, Version 9.1(1):

interface GigabitEthernet0/0
 description Internet Circuit
 nameif Internet
 security-level 0
 ip address X.X.X.X 255.255.255.252
!
interface GigabitEthernet0/1
 description DATA VLAN
 nameif DATA-LAN
 security-level 100
 ip address 10.110.0.1 255.255.255.0

I would like to let users on the Internet, and inside users in the same subnet, have access to my server at IP address 10.110.0.13 255.255.255.0, HTTP only.

object network 10.110.0.0
subnet 10.110.0.0 255.255.255.0
description DATA LAN

I created the network object, but I don't know what to do next: static NAT or dynamic NAT? If someone has a document that shows all the steps to do this configuration, it would help me; I'm new to firewall security configuration.

Thank you.

6 Replies
Hi S,

There are many config guides and examples on the Internet, and Google will be your best friend here.

http://www.cisco.com/c/en/us/support/security/asa-5500-series-next-generation-firewalls/products-installation-and-configuration-guides-list.html

So to answer your question:

Challenge: You want users from inside and internet to access a server on the inside:

Let's do the inside first. Because both the server and the users are on the inside, you need not do anything.

For the outside (Internet) to access the internal server you would need to allocate a public routable IP address or make use of port forwarding using the Internet interface.

Port forwarding config would be something like:

=====begin config snippet=====

object network www_server
 host 10.110.0.13
 nat (DATA-LAN,Internet) static interface service tcp 80 80

access-list outside_access_in extended permit tcp any object www_server eq 80

access-group outside_access_in in interface Internet

=====end config snippet=====

If you send the public IP I can change it to suit that as well...

Good luck

JC


Hi Icockburn,

I hope you are doing well. Yes, I would like to send the public IP address. Please can you show me how to do the configuration, because I'm new to Cisco ASA firewall configuration.

Thank you.

To create an ACL that allows Internet hosts to access your internal server, for example server IP 10.110.0.100, HTTP only:

Access-list (the "permit" keyword is required; the ACL matches the real inside address, and is applied inbound on the Internet interface):

access-list ALLOW_OUT_IN extended permit tcp any host 10.110.0.100 eq www
access-group ALLOW_OUT_IN in interface Internet

Option 1: Static NAT, if you have a spare public IP address (interface names must be the nameif values, so DATA-LAN rather than "DATA VLAN"):

object network INSIDE_IP_SERVER
 host 10.110.0.100
 nat (DATA-LAN,Internet) static XX.XX.XX.XX
 ! XX.XX.XX.XX = the public Internet IP assigned to the server

Option 2: Twice NAT, forwarding TCP/80 on the Internet interface address to the server:

object service HTTP_Service
 service tcp destination eq http
object network INSIDE_IP_SERVER
 host 10.110.0.100
nat (DATA-LAN,Internet) source static INSIDE_IP_SERVER interface service HTTP_Service HTTP_Service
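For reference, here is a complete configuration for the thread's scenario that puts the two approaches from the replies above (a dedicated public IP versus port forwarding on the interface address) next to each other with the inbound ACL and the packet-tracer checks. This is an added example, not a configuration posted in the thread; it assumes the interface names DATA-LAN and Internet and the server 10.110.0.13 from the original post, and uses 203.0.113.10 (an RFC 5737 documentation address) as a stand-in for a real spare public IP and 198.51.100.5 as a stand-in Internet client.

```cisco
! Added example (not from the thread): ASA 9.1, inside server 10.110.0.13
! reachable from the Internet on TCP/80 only.  DATA-LAN / Internet are the
! nameif values from the original post; 203.0.113.10 is an ASSUMED public
! address standing in for the real one.
!
! --- Option 1: one-to-one static NAT to a dedicated public IP ----------
object network WWW_SERVER
 host 10.110.0.13
 nat (DATA-LAN,Internet) static 203.0.113.10
!
! --- Option 2 (use INSTEAD of option 1 when no spare public IP exists):
! port forwarding on the Internet interface address.  Only TCP/80 arriving
! at the interface IP is translated to the server; other traffic to the
! interface address is unaffected.
! object network WWW_SERVER
!  host 10.110.0.13
!  nat (DATA-LAN,Internet) static interface service tcp 80 80
!
! --- Outbound PAT for the rest of the LAN (dynamic object NAT) ---------
! Static object NAT rules are evaluated before dynamic ones, so this does
! not interfere with the server's inbound translation.
object network DATA_LAN
 subnet 10.110.0.0 255.255.255.0
 nat (DATA-LAN,Internet) dynamic interface
!
! --- Inbound ACL --------------------------------------------------------
! Since ASA 8.3 an ACL matches the REAL (untranslated) address, so it
! references the object, not the public IP.  With option 1 the static NAT
! maps EVERY port of 203.0.113.10 to the server, so this ACL is the only
! thing limiting exposure to TCP/80.
access-list OUTSIDE_IN extended permit tcp any object WWW_SERVER eq www
access-group OUTSIDE_IN in interface Internet
!
! --- Verification (privileged EXEC) -------------------------------------
! Simulated Internet client to port 80: expect "Action: allow" and an
! UN-NAT phase showing 203.0.113.10 -> 10.110.0.13.
! packet-tracer input Internet tcp 198.51.100.5 40000 203.0.113.10 80
!   (with option 2, use the Internet interface IP as the destination)
!
! Same client to port 443: expect "Action: drop", "Drop-reason: (acl-drop)".
! packet-tracer input Internet tcp 198.51.100.5 40000 203.0.113.10 443
!
! show nat detail   -> per-rule translate/untranslate hit counters
! show xlate        -> active translations
```

Inside users keep using 10.110.0.13 directly, which is why the earlier reply says nothing extra is needed for them. If they instead resolve the server's public DNS name, append the `dns` keyword to the option 1 nat line so the ASA rewrites the A record in replies; DNS rewrite is not available with the port-forwarding form in option 2.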

                  

Hi,

After I did:

Access-list:

access-list ALLOW_OUT_IN extended permit tcp any object OwnCloud eq www
access-group ALLOW_OUT_IN in interface Internet

object service HTTP_Service
 service tcp destination http
object network OwnCloud
 host 10.110.0.100
nat (inside,outside) source static OwnCloud interface service HTTP_Service HTTP_Service

When I try to do packet-tracer:

Config
nat (inside,Internet) source dynamic 10.110.0.0 interface

Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Can you please help me solve that problem?

Hi S,

For me it looks like you have your interface names misconfigured...

From what I can gather from the config you need to change the nat statement to:

nat (inside,Internet) source static OwnCloud interface service HTTP_Service HTTP_Service

(Change: 'outside' -> 'Internet'.)

From your config I cannot tell if 'inside' is the correct interface name for the more secure interface... But it looks like the 'OUTSIDE' interface in your case is named 'Internet'.

Good luck

Ciao

JC

I'm sorry, it was a mistake.

Config

nat (inside,outside) source dynamic 10.110.0.0 interface