Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
722
Views
0
Helpful
2
Replies

Expose web server on a DMZ using public interface

sandman42
Level 1
Level 1

‎02-02-2018 07:51 AM - edited ‎02-21-2020 07:16 AM

Hi,

 

I have a 5505 with ios 9.1(6), that's usually used for internet, i.e. clients on inside can surf internet according to ACLs. All is working.

 

Then I have a Tomcat server listening on port 8080 that needs to be exposed on internet.

I'd need to expose it on the same public IP of the firewall outside, port 80.

What I did is

 

interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
 switchport access vlan 12
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.0.0.254 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address X.Y.Z.T 255.255.255.248 
!
interface Vlan12
 no forward interface Vlan1
 nameif DMZ
 security-level 50
 ip address 172.16.0.1 255.255.255.252 
!
object service Tomcat-Real-Port
 service tcp source eq 8080 
object service Tomcat-Mapped-Port
 service tcp source eq www 
object network Tomcat-Public-Address
 host X.Y.Z.T
object network Tomcat-Private-Address
 host 172.16.0.2

access-list outside_access_in extended permit tcp any object Tomcat-Public-Address eq www 
 
nat (DMZ,outside) source static Tomcat-Public-Address Tomcat-Private-Address service Tomcat-Real-Port Tomcat-Mapped-Port

This does not work. From the tomcat machine I can ping the 172.16.0.1, but from outside I cannot reach Tomcat, neither on the 80 port, nor on the 8080.

I'm sure it works, because a curl on then tomcat machine shows me the tomcat page.

 

What did I did wrong?

 

Thanks

 

Labels:
0 Helpful
2 Replies 2

mvsheik123
Level 7
Level 7

‎02-03-2018 07:03 AM

Hi,

ASA software 8.3 above, the real IP needs to be listed in the rules. Check below links as an examples for NAT and ACL configs:

https://www.cisco.com/c/en/us/td/docs/security/asa/asa91/configuration/firewall/asa_91_firewall_config/nat_objects.html

 

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/115904-asa-config-dmz-00.html

 

hth

MS

0 Helpful

Rob Ingram
VIP
VIP

‎02-03-2018 07:06 AM - edited ‎02-03-2018 07:32 AM

Hi,

Perhaps try this....

 

object network Tomcat-Private-Address
 host 172.16.0.2
 nat (dmz,outside) static interface service tcp 80 8080
 
"access-list outside_access_in extended permit tcp any object Tomcat-Private-Address eq www"

 

I assume you also have an access-group defined such as "access-group outside_access_in in interface outside" - it's not in your config you sent earlier.

 

Use the command "show xlate" for more information

 

HTH

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card