Publishing webserver

MatsHellman
Level 1

I've tried to get my head around this, but being used to Juniper and Watchguard devices I just can't get my home webserver published to the outside interface.

I have an ASA5505 with ASA version 8.4 and ASDM version 6.4 and the basic license.

Outside interface is X.X.X.32/255.255.255.248 so I have 5 static IPs on my external interface, .34 is in use for the outside interface.

Inside 10.10.10.0/25

DMZ 10.0.0.0/24

I have a webserver in DMZ located at 10.0.0.253 and would like to publish it to the external IP X.X.X.35.

I've tried to make the static NAT but every time I do either nothing goes in or out of the DMZ zone or you can't access the webserver from the outside interface.

Could anyone point me to a clear guide on this that doesn't assume you are used to Cisco devices and would apply to the right ASA versions? Or try to talk me through it here.

Right now I deleted all trials since none of them work, so only the basic config is applied. Everything gets NATed to the external interface .34 IP.

Accepted Solutions

cadet alain
VIP Alumni

Hi,

So you want to statically NAT your webserver in the DMZ to outside; then you must:

1) First do the static PAT config, which for 8.4 OS should be like this:

object network webserver
  host 10.0.0.253
  nat (dmz,outside) static X.X.X.35 service tcp 80 80

2) Create an ACL permitting access to the webserver from outside and apply it on interface outside inbound like this:

access-list WEBSERVER_OUT extended permit tcp any host 10.0.0.253 eq 80
access-list WEBSERVER_OUT extended permit icmp any host 10.0.0.253 echo-reply
access-group WEBSERVER_OUT in interface outside

Regards.

Alain.

Don't forget to rate helpful posts.
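
The rule the accepted answer relies on, as an added example that is not part of the original thread: on ASA 8.3 and later, the ACL on the outside interface matches the server's real address (10.0.0.253), not the mapped one, and it should be no wider than the published port. This Python check tests a config for both; the function names and the two broken variants are constructed for illustration.

```python
import re

# Constructed sample: the accepted answer's commands, with the page's X.X.X.35 placeholder.
GOOD = """\
object network webserver
 host 10.0.0.253
 nat (dmz,outside) static X.X.X.35 service tcp 80 80
access-list WEBSERVER_OUT extended permit tcp any host 10.0.0.253 eq 80
access-list WEBSERVER_OUT extended permit icmp any host 10.0.0.253 echo-reply
access-group WEBSERVER_OUT in interface outside
"""
# Constructed variants: ACE written against the mapped address, and an ACE with no port.
MAPPED = GOOD.replace("any host 10.0.0.253 eq 80", "any host X.X.X.35 eq 80")
WIDE = GOOD.replace("permit tcp any host 10.0.0.253 eq 80", "permit ip any host 10.0.0.253")
PORTS = {"www": "80", "https": "443"}  # names the ASA prints in place of port numbers

def published(cfg):
    """Static PAT entries from object NAT: (mapped_if, real_ip, mapped_ip, proto, real_port)."""
    hosts, out, name = {}, [], None
    for s in map(str.strip, cfg.splitlines()):
        if m := re.match(r"object network (\S+)$", s):
            name = m[1]
        elif m := re.match(r"host (\S+)$", s):
            hosts[name] = m[1]
        elif m := re.match(r"nat \(\w+,(\w+)\) static (\S+) service (tcp|udp) (\S+) \S+$", s):
            out.append((name, m[1], m[2], m[3], PORTS.get(m[4], m[4])))
    return [(i, hosts.get(n), ip, p, rp) for n, i, ip, p, rp in out]

def audit(cfg):
    """Compare each published service with the ACL bound inbound on its mapped interface."""
    findings = []
    bound = {i: a for a, i in re.findall(r"^access-group (\S+) in interface (\S+)", cfg, re.M)}
    for iface, real, mapped, proto, port in published(cfg):
        if iface not in bound:
            findings.append(f"no inbound ACL on {iface}")
            continue
        pat = rf"^access-list {re.escape(bound[iface])} extended permit (\S+) any host (\S+)(?: eq (\S+))?"
        aces = [(p, d, PORTS.get(e, e)) for p, d, e in re.findall(pat, cfg, re.M)]
        if any(d == mapped for _, d, _ in aces):
            findings.append(f"ACE matches mapped address {mapped}; 8.3+ ACLs match the real address")
        if not any(d == real and p in (proto, "ip") and e in (port, "") for p, d, e in aces):
            findings.append(f"no ACE permits {proto}/{port} to real address {real}")
        if any(d == real and p in ("ip", "tcp", "udp") and not e for p, d, e in aces):
            findings.append(f"ACE exposes every port on {real}, not only {proto}/{port}")
    return findings

if __name__ == "__main__":
    for label, cfg in (("accepted answer", GOOD), ("mapped-IP ACE", MAPPED), ("wide ACE", WIDE)):
        print(label, "->", audit(cfg) or "consistent")
```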

4 Replies

varrao
Level 10

Hi Mat,

You would need the following nat statement:

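object network external_ip
  host xx.xx.xx.35
object network internal_ip
  host 10.0.0.253
! 10.0.0.253 is in the DMZ, so the real-side interface is dmz (name assumed, as in the accepted answer)
nat (outside,dmz) source static any any destination static external_ip internal_ip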

Hope this helps you out

Thanks,

Varun

Please rate helpful posts.

Thanks,
Varun Rao

You can also try:

object network dmz_server
   host 10.0.0.253
   ! real-side interface is dmz (name assumed), since 10.0.0.253 is in the DMZ
   nat (dmz,outside) static xx.xx.xx.35

Both the nats would do the same thing.

Thanks,

Varun

Thanks,
Varun Rao

Thank you so much, looking at the commands they are clear and self-explanatory. Thanks again!
