How do I allow access over port 80 to webserver in DMZ

alafever1
Level 1

Hello!

I am fairly new to this level of configuration and was hoping someone would grace me with their knowledge.  

My current setup is that I have a webserver (10.1.10.5) in a DMZ with its SQL counterpart on the inside.  Traffic is flowing correctly between the two as well as from the DMZ to the internet, however, I cannot access the website on the webserver from the public internet.  

When I run canyouseeme.org on the webserver it shows that port 80 is not getting traffic.  Any ideas on how to fix my config?  I've been /headdesk on this one.

Thanks!

20 Replies

I'd like users on the Inside interface to be able to enter the web address of the webserver application and access it without having to use the internal IP.  I may have to accomplish this using an actual DNS server.

Can you use a dedicated public IP for the webserver? Then you can tweak the DNS replies so that the ASA changes the public address in a DNS reply to the actual IP of the server. But that doesn't work if only a port is forwarded. If you can, the translation looks like the following:

object network WEBSERVER-TCP80
 nat (dmz,outside) static a.b.c.d dns

Other ways are to configure the FQDN in your internal DNS with the private IP, or use destination NAT for the public IP. But that again makes your config more complex and harder to troubleshoot.

Unfortunately I only have the 1 static IP address.  

Would something like this work?

object network internal
 range 192.168.0.1 192.168.0.254
object network external
 host [IP address of your WAN interface]
object network server-internal
 host [server internal IP address]
object network server-external
 host [server external (NATted) IP address]
nat (internal, internal) source static internal external destination static server-external server-internal

That goes into the right direction (if you really want to go that way):

The destination is changed statically from server-external to server-internal. But you don't have to change the source address. These addresses can be dynamically identity-natted. And if I remember right, the interfaces are (inside,dmz) in this scenario, but I don't remember exactly:

nat (inside, dmz) source dynamic internal internal destination static server-external server-internal

This worked :)  I had to create another rule above it to allow my SQL server to still communicate with the webserver using internal IPs.  I'm good with everything else being outside.  
Thanks so much for all of your insight.  You've been a great help!
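A complete ASA (8.3+/9.x syntax) configuration for the setup discussed in this thread, added here as an example and not taken from any post: it publishes only tcp/80 of the single public address to the DMZ webserver (10.1.10.5), limits the outside ACL to HTTP, and adds the inside-to-DMZ twice NAT suggested above, with the SQL server's identity rule ordered first as alafever1 reported needing. The interface names inside/dmz/outside, the object names, the public address 203.0.113.10, the SQL server address 192.168.0.10 and its port 1433 are assumptions, not values from the thread.

```cisco
! --- Objects (10.1.10.5 and 192.168.0.0/24 come from the thread) ---
object network WEBSERVER
 host 10.1.10.5
object network INSIDE-NET
 subnet 192.168.0.0 255.255.255.0
object network SQLSERVER
 host 192.168.0.10
! Assumed placeholder for the single public IP on the outside interface
object network PUBLIC-IP
 host 203.0.113.10

! --- 1) Port forward: only tcp/80 of the public IP reaches the DMZ webserver ---
! Object NAT with "service" exposes one port, nothing else on 10.1.10.5.
! (The "dns" keyword cannot be combined with "service", which is why DNS
! doctoring does not help with a port-only forward, as noted above.)
object network WEBSERVER-TCP80
 host 10.1.10.5
 nat (dmz,outside) static interface service tcp 80 80

! --- 2) Outside ACL: the ASA matches the real (untranslated) address ---
access-list OUTSIDE-IN extended permit tcp any object WEBSERVER-TCP80 eq www
access-group OUTSIDE-IN in interface outside

! --- 3) Hairpin for inside users browsing to the public name ---
! Twice NAT is evaluated top-down. Line 1 keeps the SQL server's direct
! inside-to-DMZ traffic untouched (identity); line 2 rewrites the public IP
! to the webserver for everyone else on the inside while leaving the
! source address as it is. Note that the "interface" keyword would refer to
! the dmz interface in an (inside,dmz) rule, so a host object holds the
! public address instead.
nat (inside,dmz) 1 source static SQLSERVER SQLSERVER destination static WEBSERVER WEBSERVER
nat (inside,dmz) 2 source static INSIDE-NET INSIDE-NET destination static PUBLIC-IP WEBSERVER

! --- 4) Least privilege from the DMZ: only the DB port back to the SQL server ---
! tcp/1433 is an assumption (MS SQL); adjust to the database actually in use.
access-list DMZ-IN extended permit tcp object WEBSERVER object SQLSERVER eq 1433
access-group DMZ-IN in interface dmz
```

After applying it, `show nat detail` lists the hit counts per rule and `packet-tracer input outside tcp 198.51.100.7 40000 203.0.113.10 80` shows which NAT and ACL lines a simulated outside request actually hits.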

Fine that it works. And now don't forget to go to

http://www.cisco.com/c/en/us/td/docs/security/asa/asa91/configuration/firewall/asa_91_firewall_config/nat_overview.html

for even more NAT-knowledge ... ;-)