ASA DMZ Server access

umeshunited
Level 1

Hi,

If I have one DMZ web server (on port 443) in my environment and I want it to use the outside interface for PAT:

!
object network DMZ_SERVER_PRIVATE
 host 172.16.1.10
 nat (dmz,outside) static interface service tcp https https
!

Now, I also have HTTPS/ASDM access enabled for the ASA (to-the-box traffic).

When someone tries to connect to my outside IP on 443, how will my firewall know whether he's trying to access the ASA/ASDM (to-the-box traffic) or the internal web server (through-the-box traffic)?

Thanks.

2 Replies

ssambourg
Level 1

Hi,

  1. Enable the HTTPS server to listen on a different port in order to change the configuration that is related to the ASDM service on the ASA, as shown here:
    ASA(config)#http server enable <1-65535>

    configure mode commands/options:
    <1-65535> The management server's SSL listening port. TCP port 443 is the
    default.
    Here is an example:
    ASA(config)#http server enable 65000
  2. After you change the default port configuration, use this format in order to launch the ASDM from a supported web browser on the security appliance network:
    https://interface_ip_address:<customized port number>

Don't forget to permit your public IP to access ASDM with this CLI:

http [your public IP] 255.255.255.255 outside
! or all public IPs:
http 0.0.0.0 0.0.0.0 outside

 

HTH

Hi,

Thank you for your reply.

But the thing is that I implemented this in GNS and it showed that it directed that connection to the DMZ server.

Why did the firewall not consider it to-the-box traffic?

WEB_PRIV----- (dmz) [ASA](outside)----- outside router

I have trimmed the output to show only relevant info.

ciscoasa# show run http
http server enable
http 10.0.0.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside

ciscoasa# show ip
System IP Addresses:
Interface Name IP address Subnet mask Method
GigabitEthernet0/0 outside 20.0.0.1 255.255.255.0 CONFIG
GigabitEthernet0/1 inside 10.0.0.1 255.255.255.0 CONFIG
GigabitEthernet0/2 dmz 172.16.0.1 255.255.255.0 CONFIG

ciscoasa# sho run object
object network WEB_PRIV
host 172.16.0.5

!

ciscoasa# show run nat
!
object network WEB_PRIV
nat (dmz,outside) static interface service tcp https https

!

ciscoasa# show run access-list

access-list OUTSIDE_IN extended permit tcp any object WEB_PRIV eq https

!

outside_router#telnet 20.0.0.1 443
Trying 20.0.0.1, 443 ... Open

WEB_PRIV#show tcp brief
TCB                   Local Address       Foreign Address     (state)
65496C80      172.16.0.5.443      20.0.0.10.29126      ESTAB
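As an added example (not from the thread or from Cisco), the following Python check flags the collision the question describes and confirms the fix from the reply: it reports any `nat ... static interface service tcp` rule whose mapped interface is permitted by an `http <net> <mask> <ifc>` line and whose mapped port equals the port `http server enable` listens on (443 by default). The sample configuration is constructed from the commands quoted above.

```python
import re
from typing import Iterator, Optional

# Constructed sample running-config, modelled on the thread (not real device output).
SAMPLE_CONFIG = """\
http server enable
http 10.0.0.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
object network WEB_PRIV
 host 172.16.0.5
 nat (dmz,outside) static interface service tcp https https
"""

PORT_NAMES = {"https": 443, "http": 80, "www": 80, "ssh": 22}  # ASA service keywords (subset)

def to_port(token: str) -> int:
    """Translate an ASA service keyword or numeric token to a TCP port."""
    return int(token) if token.isdigit() else PORT_NAMES[token.lower()]

def http_server_port(config: str) -> Optional[int]:
    """Port the ASDM/HTTPS management server listens on; None when not enabled."""
    m = re.search(r"^http server enable(?:\s+(\d+))?\s*$", config, re.M)
    return None if m is None else int(m.group(1) or 443)  # 443 is the ASA default

def asdm_interfaces(config: str) -> set:
    """Interfaces on which 'http <net> <mask> <ifc>' permits management access."""
    return set(re.findall(r"^http (?!server\b)\S+ \S+ (\S+)\s*$", config, re.M))

def interface_pat_rules(config: str) -> Iterator[tuple]:
    """Yield (object, mapped_ifc, mapped_port) for 'static interface service tcp' NAT rules."""
    obj = None
    for line in config.splitlines():
        m = re.match(r"^object network (\S+)", line)
        if m:
            obj = m.group(1)
            continue
        m = re.match(r"^\s*nat \(\S+,(\S+)\) static interface service tcp (\S+) (\S+)", line)
        if m:  # group(3) is the mapped (outside-facing) port
            yield obj, m.group(1), to_port(m.group(3))

def find_conflicts(config: str) -> list:
    """NAT rules whose mapped interface and port collide with the management server."""
    port = http_server_port(config)
    if port is None:
        return []
    ifaces = asdm_interfaces(config)
    return [(o, i, p) for o, i, p in interface_pat_rules(config) if i in ifaces and p == port]

if __name__ == "__main__":
    print("as posted:", find_conflicts(SAMPLE_CONFIG))
    print("ASDM moved to 65000:", find_conflicts(SAMPLE_CONFIG.replace("http server enable", "http server enable 65000")))
```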