Firewall Rules - ASA5508-X

wynneitmgr
Level 3

I am new to managing Cisco firewalls, so any help would be appreciated. We have a Cisco ASA5508-X that I manage with Cisco ASDM 7.9. We have a few locally hosted web applications on our web server. I would like to make most of the applications private (viewable only on our network), and I need a couple of the web applications to be made public so they can be viewed from outside the network. I need help setting up the following rules in Cisco ASDM.

 

Firewall Rules:

Public: http: port 81, https: 444 allow ports 81/444 to WAN
Private: http: port 80, https: 443, block ports 80/443 to WAN

 

Thank you.

 

 


Francesco Molino
VIP Alumni
Hi

Are the web applications new or already existing?
When you say accessible from your internal network, do you have multiple zones, or is everything sitting behind the same zone (users and servers)?
Can you share your config so we can help you with the correct ACL to put in place?

Allowing outside hosts (internet) to access your internal web apps is quite straightforward. If you share your config and tell us in which zone your web apps are sitting, I can help you with the correct CLI commands to achieve it.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Not sure if this will help, but here is what I am trying to do:

 

Source   Destination            Source port   Dest port   Allow/Deny
WAN      myserver.domain.com    http 80                   Deny
WAN      myserver.domain.com    https 443                 Deny
WAN      myserver.domain.com    https 444     https 443   Permit

We would not normally expect to know the source port of a TCP connection. Do you mean the original destination ports could be 80 or 443 (block) or 444 (allow and translate to 443 on the server itself)? If so, a NAT rule and an ACL entry in an access-list applied to the outside interface would suffice.

Yes, that is what I need to do. However, I have played around with NAT rules and access rules but am just not sure if I am doing them correctly. Thanks for any assistance.

By default, if you don't open ports in your outside ACL, those ports won't be accessible. So you'll need to open them for the allowed NAT.
Is the public IP the one sitting on the ASA interface or a dedicated IP? After that, we can give you a config sample on how to do the NAT.
However, without your config, you'll need to place it in the right position so it is not overlapped by another NAT rule.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
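For readers following the two replies above (the NAT-plus-ACL approach, and the point that the outside ACL denies by default so only the NATted flow needs a permit), here is an added configuration sample that is not from this thread or from any of the posters. It uses post-8.3 ASA CLI syntax as ASDM 7.9 would generate it, and assumes interface names "inside" and "outside", a web server real IP of 10.0.0.10, and that the public IP is the address on the outside interface; the 203.0.113.10 alternative is an RFC 5737 placeholder.

```text
! Added example (not the original poster's config). Assumed: interfaces "inside"
! and "outside", server real IP 10.0.0.10, public IP = outside interface address.

! Public HTTPS app: outside TCP/444 is translated to TCP/443 on the server.
! Syntax is: nat (real_ifc,mapped_ifc) static <mapped> service tcp <real_port> <mapped_port>
object network WEB_SRV_HTTPS_PUBLIC
 host 10.0.0.10
 nat (inside,outside) static interface service tcp 443 444

! If a dedicated public IP is used instead of the interface address, replace the
! nat line with (203.0.113.10 is a placeholder):
!   nat (inside,outside) static 203.0.113.10 service tcp 443 444

! Outside ACL. Since ASA 8.3, ACLs match the REAL (untranslated) address and port,
! so the permit names 10.0.0.10 port 443, not the public port 444.
! Public ports 80 and 443 have no NAT mapping at all, so WAN connections to them are
! never forwarded to the server; the explicit deny only adds a log line for them.
access-list OUTSIDE_IN extended permit tcp any host 10.0.0.10 eq 443
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
```

Object NAT rules like the one above land in NAT section 2; a broader manual (section 1) rule covering 10.0.0.10 would win over it, which is the overlap the reply warns about, so check `show nat detail` after adding it. To confirm the end-to-end behaviour without exposing anything, run `packet-tracer input outside tcp 198.51.100.5 12345 <outside-ip> 444` and `... 443` from the ASA CLI: the 444 case should show the NAT un-translation to 10.0.0.10:443 and an ACL permit, while the 443 case should be dropped, and `show access-list OUTSIDE_IN` will show the hit counts on each line.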