08-10-2013 04:11 AM - edited 03-11-2019 07:24 PM
My requirement is that I need to publish 2 Web Servers to the Internet behind a Cisco ASA.
The users will be using secure HTTPS access to the Web Servers.
I have only 1 Public IP Address assigned to access both Web Servers.
I wanted to know what things are required on the Cisco ASA firewall.
1. What type of licenses?
2. What type of certificates?
3. How can I use a single Public IP to access both Web Servers? Does the Cisco ASA support this?
I don't want any client software on the end users' PCs.
08-10-2013 04:54 AM
Hi,
Well, you will run into problems with the single public IP address.
You will have to use Static PAT to forward TCP/443 to the Web server. But since you have 2 Web servers, this means that both of them can't use this port. The other Web server would have to use some other public port, while it still could be listening on TCP/443; but as I said, the public port can't be the same.
Using the public port TCP/443 in a Static PAT (Port Forward) configuration on the ASA using the "outside" interface IP address also means that you will have to change the ASDM listening port on the ASA if you wish to use it through the "outside" interface, since ASDM also uses TCP/443 by default.
The ideal situation is of course when a server has its own dedicated public IP address.
The ASA doesn't require any extra licensing to achieve this, since we are only talking about a NAT configuration. The NAT configuration format depends on the software level running on your ASA.
- Jouni
08-10-2013 06:21 AM
Is there any other way I can achieve this?
08-10-2013 12:50 PM
Hi,
Static PAT is the only option you have in order to publish multiple internal servers using 1 Public IP address. However, as Jouni clarified, each internal server must listen on a different port number, because the ASA uses the ports to identify unique connections to each server, since both servers offer the same service.
You can try one solution for this scenario:
You can assign the dedicated Public IP you mentioned to one server, while the other server is assigned the ASA outside interface's address. I am not sure whether the one Public IP you mentioned is a dedicated one or the outside interface's address. Anyway, if it is dedicated, then you actually have 2 Public IPs (not one), as you can take advantage of the outside interface's address.
For example,
Prior to 8.3:
! mapped (public) address and port first, then real (inside) address and port
static (inside,outside) tcp dedicated_public_ip 443 web_server1 443
! "interface" = the ASA's own outside interface address
static (inside,outside) tcp interface 443 web_server2 443
8.3 or later:
object network web_server1_real
 host web_server1
 nat (inside,outside) static dedicated_public_ip service tcp 443 443
object network web_server2_real
 host web_server2
 nat (inside,outside) static interface service tcp 443 443
However, you may have a security policy in place that forces you to use one Public IP for both servers (even if you have more than one Public IP). In this case, you MUST configure one of the servers to listen on a different port, such as 5443.
Regards,
AM
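The single-public-IP case from the two replies above, written out as an added example; this is not configuration posted in the thread. It uses ASA 8.3+ syntax. The object names WEB1/WEB2, the inside addresses 10.1.1.10 and 10.1.1.11, the alternate public port 5443, the ASDM port 8443 and the admin host 203.0.113.50 are all assumptions chosen for illustration. The ACL and ASDM lines are the parts the NAT-only snippets leave out: a NAT rule by itself does not permit the inbound connection, and ASDM on the outside interface would collide with the 443 port forward.

```cisco
! Added example, not from the thread. ASA 8.3+ syntax.
! Addresses, object names and the ports 5443/8443 are assumptions.
!
! Server 1: public TCP/443 on the outside address -> real TCP/443
object network WEB1
 host 10.1.1.10
 nat (inside,outside) static interface service tcp 443 443
!
! Server 2: public TCP/5443 on the outside address -> real TCP/443
! (the server keeps listening on 443; only the port clients dial changes)
object network WEB2
 host 10.1.1.11
 nat (inside,outside) static interface service tcp 443 5443
!
! NAT alone does not allow the traffic in. On 8.3+ the outside ACL is
! written against the REAL (pre-NAT) address and real port, so both
! entries say 443 even though server 2 is published on 5443.
access-list OUTSIDE_IN extended permit tcp any object WEB1 eq 443
access-list OUTSIDE_IN extended permit tcp any object WEB2 eq 443
access-group OUTSIDE_IN in interface outside
!
! ASDM listens on TCP/443 of the outside interface by default and would
! collide with WEB1's port forward. Move it and restrict who may reach it
! (203.0.113.50 is an assumed admin host).
http server enable 8443
http 203.0.113.50 255.255.255.255 outside
```

Clients reach server 1 as https://<outside-address>/ and server 2 as https://<outside-address>:5443/. Check the result from the ASA with `packet-tracer input outside tcp 192.0.2.10 40000 <outside-address> 5443`: the UN-NAT phase should show the translation to 10.1.1.11/443 and the ACCESS-LIST phase should allow it. Note that the TLS certificate on server 2 still has to match the hostname users type; the non-standard port does not change that.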
08-12-2013 01:36 AM
Do I need to have the SSL VPN license on the Cisco ASA?
Do I need to have a certificate installed on my Cisco ASA? In that case, what is the purpose of the certificate on the Cisco ASA?
08-14-2013 07:20 AM
Any answer?
08-14-2013 07:35 AM
Hi,
To be able to access the Web server from the Internet, you simply need the Static NAT or Static PAT configuration suggested above.
To host 2 Web servers on port TCP/443, you will need 1 public IP address for each server.
Or you would need to host both sites on a single server.
Not really things that I deal with in my work, so I can't go into any specifics. But the things related to NAT are pretty straightforward.
You won't need any VPN license, as it has nothing to do with hosting a Web server behind your firewall.
- Jouni
08-15-2013 02:53 AM
Thanks.
I do have 2 Public IP addresses for my 2 servers. That is clear.
I am summarizing the diagram of what I am planning to do.
The Cisco ASA firewall with SSL VPN license will be connected to the Internet.
I have 2 extra Public IP Addresses.
I have 2 applications to be published.
Application 1 will be accessed through the Web Server. The user first needs to access the web server. The application will be published in the Web Server and then the application will be accessed.
Application 2 will be accessed directly through the Internet in a secure way.
Let me know what things I need to consider to achieve this.
I have considered the below.
1. Cisco ASA firewall with SSL VPN license.
2. 2 Public IP Addresses: 1 Public IP to publish the Web Server and the 2nd Public IP to publish the 2nd Application.
3. No client software on the user PC.
4. Do I need to buy an additional certificate from Entrust and install it on the Cisco ASA for secure access?
Let me know what things are required that I am missing.
08-15-2013 08:58 AM
Thanks
I do have 2 Public IP addresses for my 2 servers. That is clear.
I thought you said you just had 1 Public IP in your first post. Anyway, if you do have 2 Public IPs, one for each server, then use Static NAT instead of PAT. Use the same commands but without the port information.
Prior to 8.3:
! one-to-one static NAT: mapped (public) address, then real (inside) address
static (inside,outside) public_ip1 web_server1
static (inside,outside) public_ip2 web_server2
8.3 or later:
object network web_server1_real
 host web_server1
 nat (inside,outside) static public_ip1
object network web_server2_real
 host web_server2
 nat (inside,outside) static public_ip2
Because Application 1 will be published to the web server and the web server will be published to the Internet, the web server is the one to be published through the ASA. I am not sure how you use Application 1 and how you will publish it to the web server internally, so this is out of the scope of my help.
About Application 2's security, the question is, how do you want to achieve security for App 2? We have several types of security. Having the ASA in front of Application 2, using NAT and using ACLs, will achieve Access Control. However, if you want to achieve data encryption between Internet clients and App 2, then you have to consider PKI (or certificates) to achieve this. You can also consider IPsec remote access VPN for the App 2 server. It all depends on what security flavor you like.
Regards,
AM
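The two-dedicated-IP case from this reply, as an added example that is not configuration posted in the thread, in ASA 8.3+ syntax. The public addresses 198.51.100.11 and 198.51.100.12, the inside addresses 10.1.1.10 and 10.1.1.11 and the object names are assumptions. What the bare static NAT lines do not show is that a one-to-one static translation maps every port of the server, so the outside ACL is what keeps anything other than TCP/443 unreachable.

```cisco
! Added example, not from the thread. ASA 8.3+ syntax.
! Public and inside addresses and object names are assumptions.
!
! One-to-one static NAT: each server gets its own public address.
object network WEB1
 host 10.1.1.10
 nat (inside,outside) static 198.51.100.11
object network WEB2
 host 10.1.1.11
 nat (inside,outside) static 198.51.100.12
!
! A one-to-one static NAT translates ALL ports, so without a narrow ACL
! every service the server listens on (SSH, RDP, a management UI) would
! be reachable from the Internet. Permit only HTTPS; the implicit deny
! at the end of the ACL drops everything else.
access-list OUTSIDE_IN extended permit tcp any object WEB1 eq 443
access-list OUTSIDE_IN extended permit tcp any object WEB2 eq 443
access-group OUTSIDE_IN in interface outside
!
! The ASA's own outside address is untouched by these rules, so ASDM
! (TCP/443 by default) can stay on it, but still limit who can reach it
! (203.0.113.50 is an assumed admin host).
http server enable
http 203.0.113.50 255.255.255.255 outside
```

If the policy is "only HTTPS ever leaves the translation", the mapping can be narrowed as well as the ACL by writing `nat (inside,outside) static 198.51.100.11 service tcp 443 443` instead of the bare static line; then other ports of the public address are not translated at all. Verify either variant with `packet-tracer input outside tcp 192.0.2.10 40000 198.51.100.11 443` (should be allowed) and the same command with a port such as 22 (should be dropped at the ACCESS-LIST phase).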