Configure DMZ NAT for web server

Ahmad Saad4
Level 1

Hi there,

We've got a pair of ASA 5525 HA firewalls (v9.12) configured with 3 interfaces (Outside, Inside, and DMZ). We would like to configure NAT rules for a Windows virtual web server (IIS) that will host 3 websites (each website will have a public IP address). This server will be located on the DMZ, so we want it to be accessible from the Internet as well as internally (as we would need to copy files to it using the ViceVersa application). Currently the server is built and has an IP address on the internal server range 192.168.1.0/24, and we will need the http & https services to be allowed and accessible from outside.


My question here is: what's the best practice/approach for deploying this scenario?

Do I need to create one network group for the external IP addresses and another for the internal ones, or should I create a separate network object for each IP address?

Is it better to create a separate NAT rule for the HTTP service and another rule for HTTPS, or is it alright to combine both services?

Do I need to create ACLs for the Inside interface to reach the DMZ and vice versa?


Thanks


TJ-20933766
Spotlight

1. Just create a single object for the Web server & NAT the server to a public IP. Typically you will use a spare IP address (in this case I'm using 1.1.1.1) and not the one that is assigned to the OUTSIDE interface of the firewall.

object network WebServer
 host 192.168.1.194
nat (DMZ,OUTSIDE) static 1.1.1.1

2. You can combine both services into a single rule if you prefer it that way. In the example above, I've done a 1-to-1 translation from the internal IP to a public IP address.

3. This depends on your security levels. Assuming the following security levels:

INSIDE = 100

DMZ = 50

OUTSIDE = 0

Because the INSIDE zone has a higher security level than the DMZ, you will not need an ACL to allow traffic to enter the DMZ. Because the OUTSIDE is a lower security level than the DMZ, you will have to create an ACL to allow hosts on the Internet to initiate traffic to the DMZ. This is accomplished with an ACL applied in the inbound direction on the OUTSIDE interface.

access-list OUTSIDE-INBOUND extended permit tcp any host 192.168.1.194 eq 80
access-list OUTSIDE-INBOUND extended permit tcp any host 192.168.1.194 eq 443
!
access-group OUTSIDE-INBOUND in interface OUTSIDE


Thanks Tyson!

The webserver will host 3 websites and each website will have a separate public IP address.

I presume that the NAT rule you created above should be from DMZ to Outside (DMZ,Outside), and not from (Inside,Outside)?

Thanks

TJ-20933766
Spotlight

You are correct. My NAT statement was meant to use "DMZ" and not "INSIDE". I try to check my work before posting as much as I can, but sometimes mistakes get through. I've changed my original post to reflect the correct statement.

As for the web server, since all three websites are being hosted on the same private IP address, they will also be hosted on the same public IP address. There is not a way to NAT based on URL. The only way to change this would be to have 3 separate IIS servers, each running one of the websites.

Now if each of the websites used a different port (say one was TCP/443 only, another was TCP/80 only, and the third was TCP/8443), then we could create a NAT rule mapping a different public IP to each port.


Thanks Tyson!

In this case I will need to create 3 network objects for the same private web server, and create 3 NAT rules, one for each network object, as follows: WebServer = WebServer2 = WebServer3 = 192.168.1.194

object network WebServer
 host 192.168.1.194
nat (DMZ,OUTSIDE) static 1.1.1.1
object network WebServer2
 host 192.168.1.194
nat (DMZ,OUTSIDE) static 2.2.2.2
object network WebServer3
 host 192.168.1.194
nat (DMZ,OUTSIDE) static 3.3.3.3

Will I need an ACL to allow traffic from the DMZ to the Inside network? As I said, we want this server to be accessible from the Internet as well as internally.


Thanks


What I assume you are trying to do is something like the following:

www.mysite.com/finance accessible on 1.1.1.1

www.mysite.com/engineering accessible on 2.2.2.2

www.myothersite.com accessible on 3.3.3.3

The problem is that there is no way to make each site only accessible on a single public IP address like that. Given your configuration above, you will be able to access all 3 sites from any of those IP addresses. As for traffic going from the DMZ to the OUTSIDE, how will you dictate which public IP address is used for each website? I'm not aware of any way to do it.

You will not need an ACL from the DMZ to INSIDE zone. Traffic is initiated by the INSIDE zone which has a higher security level than the DMZ so an ACL is not required.

I'm not quite sure if the above config will work, as the private IP address 192.168.1.1 >> can be NATed once outside. I mean I can't see how any of the websites would be accessible from outside.

I'm thinking of what you suggested earlier:

- Website A will be using port 8443, so the NAT will be 192.168.1.1:8443 >> 1.1.1.1:443
- Website B will be using port 8444, so the NAT will be 192.168.1.1:8444 >> 2.2.2.2:443
- Website C will be using port 8445, so the NAT will be 192.168.1.1:8445 >> 3.3.3.3:443


What do you think?
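The port-based layout sketched above, written out as ASA 9.x object NAT with the matching inbound ACL. This is an added example, not config from this thread; the object names, the IIS port bindings 8443/8444/8445, the DMZ subnet and the RFC 5737 documentation addresses 203.0.113.1-3 (standing in for the thread's 1.1.1.1 / 2.2.2.2 / 3.3.3.3) are assumptions.

```cisco
! Added example, not config from this thread. One IIS host on the DMZ is reached
! on three public IPs; each site is bound in IIS to its own TCP port (assumed:
! 8443, 8444, 8445). 203.0.113.1-3 are RFC 5737 documentation addresses standing
! in for the thread's 1.1.1.1 / 2.2.2.2 / 3.3.3.3.
!
! Real port 8443 on the DMZ host is presented as 203.0.113.1:443 on OUTSIDE.
object network WebServer-SiteA
 host 192.168.1.194
 nat (DMZ,OUTSIDE) static 203.0.113.1 service tcp 8443 443
!
object network WebServer-SiteB
 host 192.168.1.194
 nat (DMZ,OUTSIDE) static 203.0.113.2 service tcp 8444 443
!
object network WebServer-SiteC
 host 192.168.1.194
 nat (DMZ,OUTSIDE) static 203.0.113.3 service tcp 8445 443
!
! Connections the server itself opens to the Internet (any other source port)
! do not match the port-specific statics above, so give them a PAT rule.
! The DMZ subnet below is assumed; static object NAT is evaluated before dynamic.
object network DMZ-NET
 subnet 192.168.1.0 255.255.255.0
 nat (DMZ,OUTSIDE) dynamic interface
!
! On ASA 8.3+ an interface ACL matches the REAL (pre-translation) address and
! port, so permit the private IP and the real ports, not 203.0.113.x port 443.
access-list OUTSIDE-INBOUND extended permit tcp any host 192.168.1.194 eq 8443
access-list OUTSIDE-INBOUND extended permit tcp any host 192.168.1.194 eq 8444
access-list OUTSIDE-INBOUND extended permit tcp any host 192.168.1.194 eq 8445
access-group OUTSIDE-INBOUND in interface OUTSIDE
!
! Check each mapping from the CLI before relying on it (client address constructed):
! packet-tracer input OUTSIDE tcp 198.51.100.10 40000 203.0.113.2 443
! show nat detail
! show xlate
```

The packet-tracer run should show the flow hitting the WebServer-SiteB static rule and the OUTSIDE-INBOUND permit for port 8444; a drop at the ACL phase usually means the ACL was written against the mapped address or port instead of the real ones.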

Are these websites already up and running? Are you able to hit them from the Inside network? I feel like there are some things that haven't been fully fleshed out quite yet before you try putting this on the Internet. For instance, I don't think you're going to be able to host 3 websites on the same server. I could be wrong, but try doing that first and then come back to us and tell us how you got it to work. Then we can help you get the firewall to NAT it to the Internet.
