05-03-2013 08:44 AM - edited 03-11-2019 06:38 PM
Hi All,
I have a 5505 and the following network layout:
Home router => ASA 5505 => HTTPS webserver
The home router is on 192.168.0.1
ASA 5505 external 192.168.0.19
ASA Internal 192.168.1.1
HTTPS webserver 192.168.1.14
I need the ASA to allow only HTTPS traffic inbound through it.
Thanks for any help you can offer.
05-03-2013 08:52 AM
Hi,
A couple of things you want to check/configure first.
The Port Forward / Static PAT configuration on your ASA would be
object network HTTPS-WEBSERVER
host 192.168.1.14
nat (inside,outside) static interface service tcp 443 443
access-list OUTSIDE-IN remark Allow HTTPS traffic to the Web Server
access-list OUTSIDE-IN permit tcp any object HTTPS-WEBSERVER eq 443
access-group OUTSIDE-IN in interface outside
The above configuration will forward the TCP/443 connections coming towards your ASA "outside" interface IP address to the "inside" IP address of the Web server.
As I said, you will have to both configure the ASA "outside" IP address statically so it doesn't change (which would naturally make the NAT useless) and you will also have to do a Port Forward / Static PAT configuration on the Home Router. You will basically need to forward the port TCP/443 coming to your Home Router public IP address to the ASA "outside" interface IP address on port TCP/443.
Hope this helps
Please remember to mark the question as answered if it did. Or ask more if needed
- Jouni
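As an added illustration (not part of the thread, and not Cisco's or Jouni's code), here is a small Python lint that parses the object/NAT/ACL lines above and reports anything that would let more than TCP/443 reach the web server. It assumes only the three config forms used in this thread (object network with host, object static PAT with "service", and "permit ... object ... eq" ACEs); the second sample config is constructed to show an over-broad entry being caught.

```python
import re

# Constructed sample: the object, NAT and ACL lines posted in the thread,
# laid out as they would appear in a running-config.
GOOD_CONFIG = """\
object network HTTPS-WEBSERVER
 host 192.168.1.14
 nat (inside,outside) static interface service tcp 443 443
access-list OUTSIDE-IN remark Allow HTTPS traffic to the Web Server
access-list OUTSIDE-IN permit tcp any object HTTPS-WEBSERVER eq 443
access-group OUTSIDE-IN in interface outside
"""

# Constructed variant with an over-broad ACE that would expose every port.
BAD_CONFIG = GOOD_CONFIG + "access-list OUTSIDE-IN permit ip any any\n"

# Object NAT: nat (real_ifc,mapped_ifc) static interface service proto real mapped
NAT_RE = re.compile(r"nat \((\w+),(\w+)\) static interface service (tcp|udp) (\d+) (\d+)")
ACE_RE = re.compile(r"access-list (\S+) (permit|deny) (\S+) (.*)")

def parse_asa(config):
    """Collect object hosts, static PAT rules and permit ACEs from config text."""
    objects, nats, aces, obj = {}, [], [], None
    for line in (l.strip() for l in config.splitlines()):
        if line.startswith("object network "):
            obj = line.split()[2]                      # enter object scope
        elif line.startswith("host ") and obj:
            objects[obj] = line.split()[1]             # real server address
        elif (m := NAT_RE.match(line)) and obj:
            nats.append((obj, m[3], int(m[4]), int(m[5])))  # obj, proto, real, mapped
        elif (m := ACE_RE.match(line)) and m[2] == "permit":
            aces.append((m[1], m[3], m[4]))            # acl name, protocol, rest
    return objects, nats, aces

def audit_https_only(config, server="HTTPS-WEBSERVER", port=443):
    """Return findings; an empty list means only tcp/port is forwarded and permitted."""
    objects, nats, aces = parse_asa(config)
    findings = []
    if server not in objects:
        findings.append(f"object {server} has no host address")
    for obj, proto, real, mapped in nats:
        if (obj, proto, real, mapped) != (server, "tcp", port, port):
            findings.append(f"unexpected static PAT: {obj} {proto} {real}->{mapped}")
    for acl, proto, rest in aces:
        if proto != "tcp" or rest != f"any object {server} eq {port}":
            findings.append(f"over-broad ACE in {acl}: permit {proto} {rest}")
    return findings
```

Run it against a saved "show running-config" excerpt; any finding means the ASA is exposing more than the single HTTPS port the thread set out to allow.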
05-03-2013 09:06 AM
Thanks JouniForss, when I try to configure the external interface with an IP address or security level (ethernet 0/0) I get the error "This command can only be configured on VLAN interfaces."
-M
05-03-2013 09:11 AM
Hi,
Yes, the only interface where you configure IP address information on your ASA5505 is the Vlan interface.
At the moment your ASA "outside" interface is the interface Vlan2
You would have to configure the IP address in this way
interface Vlan2
ip address 192.168.0.x 255.255.255.0
Notice that this can naturally cause a small outage in connections through the ASA.
Also make sure that the network mask I entered above is correct and choose the IP address you want instead of the "x" at the end of the IP address. This IP address should be in turn used on the Home Router as the IP address towards which you need to do the Port Forward on the Home Router.
- Jouni
05-03-2013 09:15 AM
OK, I put the 192.168.0.19 on the Vlan 2 (which I think logically works).
Then when I tried to do the NAT mapping I got this error
ciscoasa(config)# nat (inside,outside) static interface service tcp 443 443
^
ERROR: % Invalid input detected at '^' marker.
05-03-2013 09:18 AM
Hi,
It should work but make sure you did this first
Create the "object" that holds the real IP address of the server and the NAT configuration
object network HTTPS-WEBSERVER
While under the "object" configuration mode add the real IP address and the NAT configuration line
host 192.168.1.14
nat (inside,outside) static interface service tcp 443 443
And then make sure to configure the ACL/Access-list that allows the traffic to the Web server
access-list OUTSIDE-IN remark Allow HTTPS traffic to the Web Server
access-list OUTSIDE-IN permit tcp any object HTTPS-WEBSERVER eq 443
access-group OUTSIDE-IN in interface outside
- Jouni
05-03-2013 09:59 AM
Thanks, working just great!
05-03-2013 10:00 AM
Hi,
Glad it's working now
- Jouni