09-06-2019 01:07 AM - edited 02-21-2020 09:28 AM
Hi,
I have one DMZ web server (on port 443) in my environment and I want it to use the outside interface for PAT.
!
object network DMZ_SERVER_PRIVATE
host 172.16.1.10
nat (dmz, outside) static interface service tcp https https
!
Now, I also have HTTPS/ASDM access enabled for the ASA (to-the-box traffic).
When someone tries to connect to my outside IP on 443, how will my firewall know whether he's trying to access the ASA/ASDM (to-the-box traffic) or the internal web server (through-the-box traffic)?
Thanks.
09-06-2019 01:20 AM
Hi,
ASA(config)#http server enable <1-65535>
configure mode commands/options:
<1-65535> The management server's SSL listening port. TCP port 443 is the default.
Here is an example:
ASA(config)#http server enable 65000
https://interface_ip_address:<customized port number>
Don't forget to permit your public IP to access ASDM with this CLI:
http [your public IP] 255.255.255.255 outside
! or all public IPs:
http 0.0.0.0 0.0.0.0 outside
HTH
09-06-2019 07:10 AM
Hi,
Thank you for your reply.
But the thing is that I implemented this in GNS, and it showed that it directed that connection to the DMZ server.
Why did the firewall not consider it to-the-box traffic?
WEB_PRIV----- (dmz) [ASA](outside)----- outside router
I have trimmed the output to show only relevant info.
ciscoasa# show run http
http server enable
http 10.0.0.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
ciscoasa# show ip
System IP Addresses:
Interface Name IP address Subnet mask Method
GigabitEthernet0/0 outside 20.0.0.1 255.255.255.0 CONFIG
GigabitEthernet0/1 inside 10.0.0.1 255.255.255.0 CONFIG
GigabitEthernet0/2 dmz 172.16.0.1 255.255.255.0 CONFIG
ciscoasa# sho run object
object network WEB_PRIV
host 172.16.0.5
!
ciscoasa# show run nat
!
object network WEB_PRIV
nat (dmz,outside) static interface service tcp https https
!
ciscoasa# show run access-list
access-list OUTSIDE_IN extended permit tcp any object WEB_PRIV eq https
!
outside_router#telnet 20.0.0.1 443
Trying 20.0.0.1, 443 ... Open
WEB_PRIV#show tcp brief
TCB Local Address Foreign Address (state)
65496C80 172.16.0.5.443 20.0.0.10.29126 ESTAB
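A small offline check for the situation in this thread, as an added example (not code from any poster or from Cisco): it parses running-config text and flags an interface where the ASDM/HTTPS listener and a `static interface` PAT rule claim the same TCP port, and where `http 0.0.0.0 0.0.0.0` opens management to any source. The function names and the 203.0.113.10 address are assumptions made for illustration.

```python
import re

PORT_NAMES = {"https": 443, "www": 80, "ssh": 22}  # ASA service keywords
NAT_RE = re.compile(r"^\s*nat\s+\(\s*(\S+?)\s*,\s*(\S+?)\s*\)\s+static\s+interface"
                    r"\s+service\s+tcp\s+(\S+)\s+(\S+)", re.I)
ENABLE_RE = re.compile(r"^\s*http\s+server\s+enable(?:\s+(\d+))?\s*$", re.I)
ALLOW_RE = re.compile(r"^\s*http\s+([\d.]+)\s+([\d.]+)\s+(\S+)\s*$", re.I)

# Running-config lines taken from the trimmed output posted in the thread.
THREAD_CONFIG = """\
http server enable
http 10.0.0.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
object network WEB_PRIV
 nat (dmz,outside) static interface service tcp https https
"""

# Constructed variant: management moved to 65000 as the reply suggests, and
# restricted to one source (203.0.113.10 is a documentation placeholder).
MOVED_CONFIG = THREAD_CONFIG.replace(
    "http server enable", "http server enable 65000").replace(
    "http 0.0.0.0 0.0.0.0 outside", "http 203.0.113.10 255.255.255.255 outside")


def to_port(token):
    """Map a service keyword or number to an int port (None if unknown)."""
    return int(token) if token.isdigit() else PORT_NAMES.get(token.lower())


def audit(config_text):
    """Return findings as (kind, interface, detail) tuples."""
    mgmt_port, allowed, pats = None, {}, []
    for line in config_text.splitlines():
        if m := ENABLE_RE.match(line):
            mgmt_port = int(m.group(1) or 443)   # 443 is the default port
        elif m := ALLOW_RE.match(line):
            allowed.setdefault(m.group(3), []).append(m.group(1, 2))
        elif m := NAT_RE.match(line):
            pats.append((m.group(2), to_port(m.group(4)), line.strip()))
    findings = []
    if mgmt_port is None:                        # HTTPS server not enabled
        return findings
    for ifc, nets in allowed.items():
        if ("0.0.0.0", "0.0.0.0") in nets:
            findings.append(("mgmt-open-to-any", ifc, f"tcp/{mgmt_port}"))
        findings += [("port-overlap", ifc, raw) for pat_ifc, port, raw in pats
                     if pat_ifc == ifc and port == mgmt_port]
    return findings
```

Running `audit(THREAD_CONFIG)` reports both conditions on `outside`; `audit(MOVED_CONFIG)` reports none.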