cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
7861
Views
0
Helpful
7
Replies

ASA 5505 using NAT allowing incoming traffic on HTTPS

mattatkin
Level 1
Level 1

Hi All,

I have a 5505 and the following network layout:

Home router => ASA 5505 => HTTPS webserver

The home router is on 192.168.0.1

ASA 5505 external 192.168.0.19

ASA Internal 192.168.1.1

HTTPS webserver 192.168.1.14

I need the ASA to allow only HTTPS traffic inbound through it.

Thanks for any help you can offer.

1 Accepted Solution

Accepted Solutions

Hi,

It should work but make sure you did this first

Create the "object" that holds the real IP address of the server and the NAT configuration

object network HTTPS-WEBSERVER

While under the "object" configuration mode add the real IP address and the NAT configuration line

host 192.168.1.14

nat (inside,outside) static interface service tcp 443 443

And then make sure to configure the ACL/Access-list that allows the traffic to the Web server

access-list OUTSIDE-IN remark Allow HTTPS traffic to the Web Server

access-list OUTSIDE-IN permit tcp any object HTTPS-WEBSERVER eq 443

access-group OUTSIDE-IN in interface outside

- Jouni

View solution in original post

7 Replies 7

Jouni Forss
VIP Alumni
VIP Alumni

Hi,

Couple of things you want to check/configure first

  • Configure the ASAs "outside" interface with a static IP address instead of DHCP so the IP address doesnt change and therefore prevent the NAT from working
  • Remember that you will have to forward the port TCP/443 also on the Home Router since it has the public IP address to which people should connect to

The Port Forward / Static PAT configuration on your ASA would be

object network HTTPS-WEBSERVER

host 192.168.1.14

nat (inside,outside) static interface service tcp 443 443

access-list OUTSIDE-IN remark Allow HTTPS traffic to the Web Server

access-list OUTSIDE-IN permit tcp any object HTTPS-WEBSERVER eq 443

access-group OUTSIDE-IN in interface outside

The above configuration will forward the TCP/443 connections coming towards your ASA "outside" interface IP address to the "inside" IP address of the Web server.

As I said you will have to both configure the ASA "outside" IP address staticly so it doesnt change (which would make the NAT useless naturally) and you will also have to do a Port Forward / Static PAT configuration on the Home Router. You will basically need to forward the port TCP/443 coming to your Home Router public IP address to the ASA "outside" interface IP address on port TCP/443

Hope this helps

Please remember to mark the question as answered if it did. Or ask more if needed

- Jouni

Thanks JouniForss, when I try to configure the external interface with an IP address or security level (ethernet 0/0) I get the error This command can only be configured on VLAN interfaces.

-M

Hi,

Yes, the only interface where you configure IP address information on your ASA5505 is the Vlan interface.

At the moment your ASA "outside" interface is the interface Vlan2

You would have to configure the IP address in this way

interface Vlan2

ip address 192.168.0.x 255.255.255.0

Notice that this will naturally can cause a small outage in connections through the ASA.

Also make sure that the network mask I entered above is correct and choose the IP address you want instead of the "x" at the end of the IP address. This IP address should be in turn used on the Home Router as the IP address towards which you need to do the Port Forward on the Home Router.

- Jouni

OK, I put the 192.168.0.19 on the Vlan 2, (which I think logically works).

Then when I tried to do the NAT mapping I got this error

ciscoasa(config)# nat (inside,outside) static interface service tcp 443 443

                                        ^

ERROR: % Invalid input detected at '^' marker.

Hi,

It should work but make sure you did this first

Create the "object" that holds the real IP address of the server and the NAT configuration

object network HTTPS-WEBSERVER

While under the "object" configuration mode add the real IP address and the NAT configuration line

host 192.168.1.14

nat (inside,outside) static interface service tcp 443 443

And then make sure to configure the ACL/Access-list that allows the traffic to the Web server

access-list OUTSIDE-IN remark Allow HTTPS traffic to the Web Server

access-list OUTSIDE-IN permit tcp any object HTTPS-WEBSERVER eq 443

access-group OUTSIDE-IN in interface outside

- Jouni

Thanks working just great!

Hi,

Glad its working now

- Jouni

Review Cisco Networking for a $25 gift card