Allow access from internet to my inside local server
10-22-2016 07:51 PM - edited 03-12-2019 01:26 AM
Hi,
I have 2 interfaces on my Cisco ASA Version 9.1(1):
interface GigabitEthernet0/0
 description Internet Circuit
 nameif Internet
 security-level 0
 ip address X.X.X.X 255.255.255.252
interface GigabitEthernet0/1
 description DATA VLAN
 nameif DATA-LAN
 security-level 100
 ip address 10.110.0.1 255.255.255.0
I would like to let users on the Internet and inside users in the same subnet access my server (IP address 10.110.0.13 255.255.255.0), HTTP only.
object network 10.110.0.0
 subnet 10.110.0.0 255.255.255.0
 description DATA LAN
I created an object network, but I don't know whether to use static NAT or dynamic NAT. If someone has a document that shows all the steps for this configuration, it would help me; I'm new to firewall security configuration.
Thank you
Labels: NGFW Firewalls

10-24-2016 01:20 AM
Hi S,
There are many config guides and examples on the Internet, and Google will be your best friend here.
http://www.cisco.com/c/en/us/support/security/asa-5500-series-next-generation-firewalls/products-installation-and-configuration-guides-list.html
So to answer your question:
Challenge: You want users from inside and internet to access a server on the inside:
Let's do the inside first. Because the server and users are both on the inside, you need not do anything.
For the outside (Internet) to access the internal server you would need to allocate a public routable IP address or make use of port forwarding using the Internet interface.
Port forwarding config would be something like:
=====begin config snippet=====
object network www_server
host 10.110.0.13
nat (DATA-LAN,Internet) static interface service tcp 80 80
access-list outside_access_in extended permit tcp any object www_server eq 80
access-group outside_access_in in interface Internet
=====end config snippet=====
If you send the public IP I can change it to suit that as well...
Good luck
JC
10-24-2016 07:04 AM
Hi Icockburn,
I hope you are doing well. Yes, I would like to send the public IP address. Please can you show me how to do the configuration, because I'm new to configuring the Cisco ASA firewall.
Thank you

10-27-2016 12:10 AM
To create an ACL that allows Internet hosts to access your internal server (for example, server IP 10.110.0.100), HTTP only:
Access-list:
#access-list ALLOW_OUT_IN extended permit tcp any host 10.110.0.100 eq www
#access-group ALLOW_OUT_IN in interface Internet
Option 1: Static NAT, if you have a public IP address
! interface names below are the nameif values from the original post (DATA-LAN, Internet)
#object network INSIDE_IP_SERVER
#host 10.110.0.100
#nat (DATA-LAN,Internet) static XX.XX.XX (i.e. the Internet IP)
Option 2: Twice NAT
! in the real -> mapped direction the server's port 80 is the source port
#object service HTTP_Service
#service tcp source eq www
#object network INSIDE_IP_SERVER
#host 10.110.0.100
#nat (DATA-LAN,Internet) source static INSIDE_IP_SERVER interface service HTTP_Service HTTP_Service
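Added example, not from any post in this thread: the dedicated-public-IP variant of the port forward for the original poster's interfaces (DATA-LAN, Internet) and server (10.110.0.13), with the static NAT limited to TCP/80 and a packet-tracer check of the result. The addresses 203.0.113.10 (public IP) and 198.51.100.20 (test client) and the object name www_server_pub are constructed placeholders.

```cisco
! Constructed example for ASA 9.x (8.3+ NAT syntax); not from the thread.
! 203.0.113.10  = placeholder for the public IP routed to the ASA
! 198.51.100.20 = placeholder Internet client, used only for the test
!
! Static NAT limited to TCP/80. Without "service tcp 80 80" the static
! rule maps every port of the server to the public IP, and the
! interface ACL is then the only control limiting exposure.
object network www_server_pub
 host 10.110.0.13
 nat (DATA-LAN,Internet) static 203.0.113.10 service tcp 80 80
!
! From 8.3 onward the ACL matches the real (inside) address,
! not the mapped public address.
access-list outside_access_in extended permit tcp any host 10.110.0.13 eq 80
! Only one ACL can be bound per interface and direction; if one is
! already applied to Internet, add the permit line to that ACL instead.
access-group outside_access_in in interface Internet
!
! The remaining commands are run from privileged EXEC mode.
! Simulate an Internet client connecting to the public IP on port 80.
! Expect an UN-NAT phase to 10.110.0.13 and a final "Action: allow".
packet-tracer input Internet tcp 198.51.100.20 12345 203.0.113.10 80
!
! Negative check: a port that is not forwarded must end in "Action: drop".
packet-tracer input Internet tcp 198.51.100.20 12345 203.0.113.10 22
!
! Confirm ACL hit counts and the installed translation.
show access-list outside_access_in
show nat detail
```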
11-02-2016 08:04 AM
Hi
Access-list
#access-list ALLOW_OUT_IN extended permit tcp any object
#access-group ALLOW_OUT_IN in interface Internet
#object service HTTP_Service
#service
#object network
#host 10.110.0.100
#nat
Config
Action: drop
Drop-reason: (

11-03-2016 12:37 AM
Hi S,
For me it looks like you have your interface names misconfigured...
From what I can gather from the config you need to change the nat statement to:
nat (inside,Internet) source static OwnCloud interface service HTTP_Service HTTP_Service
Change in red
From your config I cannot gather if 'inside' is the correct interface name for the more secure interface... But it looks like the 'OUTSIDE' interface in your case is named 'Internet'
Good luck
Ciao
JC
11-03-2016 09:17 AM
I'm sorry, it was a mistake
Config
nat (inside,outside) source dynamic 10.110.0.0 interface
