cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

321
Views
15
Helpful
6
Replies
Highlighted
Beginner

Firewall Rules - ASA5508-X

I am new to managing Cisco Firewalls, so any help would be appreciated. We have a Cisco ASA5508-X that I manage with Cisco ADSM 7.9. We have a few locally hosted web applications on our web server. I would like to make most of the applications private (viewable only on our network) and I need a couple of the web applications to be made public so you can view from outside the network. I need help setting up the following rules in Cisco ASDM.

 

Firewall Rules:

Public: http: port 81, https: 444 allow ports 81/444 to WAN
Private: http: port 80, https: 443, block ports 80/443 to WAN

 

Thank you.

 

 

Everyone's tags (4)
1 ACCEPTED SOLUTION
6 REPLIES 6
Highlighted
VIP Advisor

Re: Firewall Rules - ASA5508-X

Hi

Are the web applications new or already existing?
When you say accessible from your internal network, do you have multiple zones or everything is sitting behind the same zone (users and servers).
Can you share your config in order to help you with the correct acl to put in place?

For allowing outside hosts (internet) to access your internal web apps, it's quite straightforward. If you share your config and tell us on which zone are your web apps sitting, i can help you with the correct cli commands to setup to achieve it.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
Highlighted
Beginner

Re: Firewall Rules - ASA5508-X

Not sure if this will help, but here is what I am trying to do:

 

Source    Destination                   SOURCE PORT    DEST PORT          ALLOW/DENY

WAN       myserver.domain.com   http80                                             Deny

WAN       myserver.domain.com   https443                                         Deny

WAN       myserver.domain.com   https444              https443              Permit

Highlighted
Hall of Fame Guru

Re: Firewall Rules - ASA5508-X

We would not normally expect to know the source port of a tcp connection. Do you mean the original destination ports could be 80 or 443 (block) or 444 (allow and translate to 443 on the server itself)? If so a NAT rule and ACL entry in an access-list applied to the outside interface would suffice.
Highlighted
Beginner

Re: Firewall Rules - ASA5508-X

Yes, that is what I need to do. However, I have played around with NAT rules and Access Rules but just not sure if I am doing them correctly. Thanks for any assistance.

Highlighted
VIP Advisor

Re: Firewall Rules - ASA5508-X

By default, if you don't open ports on your outside acl, these ports won't be accessible. So you'll need to open for allowed nat.
Is the public IP the one sitting on ASA interface or a dedicated IP? After that, we can give you a config sample on how to do nat.
However, without your config, you'll need to place it at the right place to not be overlapped by another nat.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question