07-23-2014 05:10 AM - edited 03-11-2019 09:31 PM
Hello everyone,
I'm having some trouble and need your assistance.
We have thirty-five HTTP/HTTPS/FTPS web sites to set up on the ASA 5520 ASDM firewall; we need to know if it's possible to have them all set up
without using a DMZ. We have two or three subnets with HTTP/HTTPS/FTPS servers. We got the first website set up on the ASA ASDM GUI working great; when we begin to add multiple sites is when everything stops working, even the original first site stops working.
I have all networks talking to each other as inside to inside, all using the same security-level 100; a requirement we have is that all internal networks allow traffic between networks. We would like to allow outside users/customers to have access
to our HTTP/HTTPS/FTPS websites without having to set up two or more DMZs.
What I'm using to set up each website as a template:
object network SMS-WebServer-HTTP
host 10.10.2.10 inside IP address
nat (VLAN102,outside) static 98.101.206.252 service tcp 80 80 outside address
!
object network SMS-WebServer-HTTPS
host 10.10.2.10 inside IP address
nat (VLAN102,outside) static 98.101.206.252 service tcp 443 443 outside address
!
access-list OutsideToVLAN102 permit tcp any host 10.10.2.10 eq 80
access-list OutsideToVLAN102 permit tcp any host 10.10.2.10 eq 443
I'm not sure what's required to get all HTTP/HTTPS/FTPS sites working through the firewall without using the DMZ, using the ASDM for setup.
Thank you all
07-23-2014 05:35 AM
Hi,
Will need some clarification on what you are actually wanting/attempting to do and what the current situation with regards to the network is.
First thing that I want to ask is what do you mean by setting up the servers without a DMZ? Do you mean that you want to use your existing internal networks' address space when configuring the servers and then simply configure NAT for the servers on the firewall INSTEAD OF configuring a separate subnet/VLAN on the firewall where all the servers would be hosted?
I guess technically there is nothing stopping you from setting up the servers in whatever subnet/Vlan you have already on your network. Usually though servers that are used to host resources to external users through the public network are positioned on a DMZ network which permits little to no connectivity from the servers towards the LAN networks.
I would also be interested in exactly what commands are entered on the ASA when the connectivity to the servers stops working. I would imagine that there is some error in the configurations if they affect already working setups. You might also be overwriting the working configuration depending on what you are actually inserting into the ASA. You should be able to get the CLI format configurations even if you were using only ASDM if you go to Tools -> Preferences -> choose the preview of commands.
I would also like to ask you what your situation with regards to available public IP addresses is? Are you able to dedicate a public IP address to each server (though there seem to be many)? Especially in the case of web servers you might run into a problem if you don't have a public IP address for each server, since you can not forward the same port on the same public IP address to multiple internal hosts. So when you have used the HTTP and HTTPS ports for the public IP address you mention, then you will already require another public IP address to forward the same ports to another server. Or you will have to use different public-facing ports, which is not very convenient for the actual web users if he/she has to use a port number in the URL.
I guess there are ways to host multiple sites on a single server which means you would not need so many public IP address and special NAT configurations on the firewall but that is a thing I am not equipped to give advice to anyone :)
So in short, we would need to know
- Jouni
07-23-2014 06:01 AM
Hello Jouni, always nice working with you.
We have this new ASA 5520 as a failover if our current production ISP dies for some reason; we have this firewall on a different ISP subnet versus our production.
We have one public IP address available for each server in a /24 block.
I have twenty-nine servers to set up in our 102 VLAN (able to only test one at a time in this LAB environment), ten to set up in the 104 VLAN, three in our 109 VLAN, so you can see we end up with several DMZs if we used them, which makes too much work for this DR failover. We would like to have them use NAT/ACL to control the access for all HTTP/HTTPS/FTPS if possible; not the best practice for doing this, but it's only for DR.
I'm sending you the two site templates used for the setup, one from the 10.10.2.x network, the other from the 10.10.4.x network, both using the same public class C.
object network Edoc_Testweb2-HTTP
host 10.10.4.200 inside IP address
nat (VLAN104,outside) static 98.101.206.100 service tcp 80 80 outside address
!
object network Edoc_Testweb2-HTTPS
host 10.10.4.200 inside IP address
nat (VLAN104,outside) static 98.101.206.100 service tcp 443 443 outside address
!
access-list OutsideToVLAN104 permit tcp any host 10.10.4.200 eq 80
access-list OutsideToVLAN104 permit tcp any host 10.10.4.200 eq 443
!
access-group OutsideToVLAN104 in interface outside = ASDM only
Number2
object network CulsWeb-HTTP
host 10.10.2.120 inside IP address
nat (VLAN102,outside) static 98.101.206.105 service tcp 80 80 outside address
!
object network CulsWeb-HTTPS
host 10.10.2.120 inside IP address
nat (VLAN102,outside) static 98.101.206.105 service tcp 443 443 outside address
!
access-list OutsideToVLAN102 permit tcp any host 10.10.2.120 eq 80
access-list OutsideToVLAN102 permit tcp any host 10.10.2.120 eq 443
!
access-group OutsideToVLAN102 in interface outside
07-23-2014 06:16 AM
Hi,
It seems that your actual connectivity problem when adding new configurations is caused by changing the ACL attached to the "outside" interface.
Notice that you are creating 2 different ACLs but trying to attach them to the same interface "outside". The interface can only hold a single ACL for one direction so you would have to use the same ACL for controlling all traffic that is coming "in" from behind the "outside" interface. This is the reason why the first server stops working after adding configurations for another.
Though you still have problems related to the setup. You say you have tens of servers to set up, yet you seem to have way fewer public IP addresses, correct? If this is true then you will quickly run out of public IP addresses that you can use for your servers. This is because of the earlier mentioned limitation of being able to forward a specific port on a specific public IP address only to one internal host.
So in the end you would either have to use different public-facing ports for some internal servers (like mapping public TCP port 81 to 80, 82 to 80 for another server, and so on) OR you would have to get more public IP addresses from the ISP to have one for each server. I guess one option would also be running the sites/services on a single/fewer server(s), but I guess that is not possible.
- Jouni
07-23-2014 06:30 AM
Jouni,
Can you give me an example of what I'm doing wrong by using the outside interface for all ACLs attached to the outside interface, and what to do to fix this issue so we can add all the servers?
We have plenty of public IPs, 250 available for this project; we only need one for each server, only thirty for the HTTP/HTTPS websites, and only nine or so for the FTPS sites.
All HTTP sites will use port 80, all HTTPS sites will use 443, all FTPS will use ports 990 - 1099, others will use port 22.
Please explain what I'm doing wrong and step-by-step what I need to do to allow this on the 5520 running 9.0(3) IOS.
07-23-2014 07:42 AM
Hi,
You should configure a single ACL and configure all the rules to it. You will then attach that single ACL to the "outside" interface to control all traffic from the Internet.
I think you should probably use Static NAT rather than Static PAT (Port Forward) since you will have to use a public IP address per server anyway.
In that case the configuration format for each server would be:
object network SERVER-1
host <internal ip>
nat (inside,outside) static <public ip>
object network SERVER-2
host <internal ip>
nat (inside,outside) static <public ip>
and so on.
You could then configure the ACL to allow traffic to these 2 servers in the below way.
access-list OUTSIDE-IN remark Rules for Web servers
access-list OUTSIDE-IN permit tcp any object SERVER-1 eq http
access-list OUTSIDE-IN permit tcp any object SERVER-1 eq https
access-list OUTSIDE-IN permit tcp any object SERVER-2 eq http
access-list OUTSIDE-IN permit tcp any object SERVER-2 eq https
Naturally you can add as many statements as you need. There are also other options that achieve the same. You can for example group the services and server IP addresses into their own groups so you get a smaller ACL configuration.
The command you need to use to attach the ACL to the interface is:
access-group OUTSIDE-IN in interface outside
Notice that when you have inserted this "access-group" command once and want to add more rules to allow/deny traffic, then you simply add the "access-list" lines, but you will NOT have to use the "access-group" command again because you have already attached the ACL to the "outside" interface with the above command.
Hope this clarifies things.
- Jouni
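As an added example (not from this thread or from Cisco), here is a small Python check for the two mistakes Jouni diagnoses in his 06:16 AM and 07:42 AM replies: more than one ACL bound to the same interface and direction, and the same public IP and port forwarded to more than one inside host. The sample config is constructed from the two templates posted earlier, plus a hypothetical object Extra-HTTP with inside host 10.10.2.130 that reuses 98.101.206.105:80.

```python
import re
from collections import defaultdict

# Constructed sample: the two per-server templates from the thread, each binding its
# own ACL to "outside", plus a made-up Extra-HTTP object reusing a taken public IP:port.
SAMPLE_CONFIG = """
object network Edoc_Testweb2-HTTP
 host 10.10.4.200
 nat (VLAN104,outside) static 98.101.206.100 service tcp 80 80
object network CulsWeb-HTTP
 host 10.10.2.120
 nat (VLAN102,outside) static 98.101.206.105 service tcp 80 80
object network Extra-HTTP
 host 10.10.2.130
 nat (VLAN102,outside) static 98.101.206.105 service tcp 80 80
access-group OutsideToVLAN104 in interface outside
access-group OutsideToVLAN102 in interface outside
"""

OBJ_RE = re.compile(r"^object network (\S+)")
HOST_RE = re.compile(r"^\s+host (\S+)")
# nat (real_if,mapped_if) static <mapped ip> [service tcp <real port> <mapped port>]
NAT_RE = re.compile(r"^\s+nat \((\S+),(\S+)\) static (\S+)(?: service tcp (\d+) (\d+))?")
AG_RE = re.compile(r"^access-group (\S+) (in|out) interface (\S+)")

def lint_asa_config(text):
    """Return problem strings for the two mistakes discussed in the thread."""
    problems = []
    bindings = defaultdict(set)  # (interface, direction) -> ACL names bound there
    mappings = defaultdict(set)  # (public ip, public port or "all") -> inside hosts
    host = None
    for line in text.splitlines():
        if OBJ_RE.match(line):
            host = None                      # new object: forget the previous host
        elif m := HOST_RE.match(line):
            host = m.group(1)
        elif (m := NAT_RE.match(line)) and host:
            mappings[(m.group(3), m.group(5) or "all")].add(host)
        elif m := AG_RE.match(line):
            bindings[(m.group(3), m.group(2))].add(m.group(1))
    for (iface, direction), acls in sorted(bindings.items()):
        if len(acls) > 1:
            problems.append(f"interface {iface} {direction}: {len(acls)} ACLs bound "
                            f"({', '.join(sorted(acls))}); only the last one applied stays")
    for (ip, port), hosts in sorted(mappings.items()):
        if len(hosts) > 1:
            problems.append(f"public {ip} port {port} forwarded to {len(hosts)} inside hosts "
                            f"({', '.join(sorted(hosts))}); only one host can own it")
    return problems
```

Running `lint_asa_config(SAMPLE_CONFIG)` reports both the double ACL binding on "outside" and the 98.101.206.105:80 collision; a config with one OUTSIDE-IN ACL and one public IP per server comes back clean.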
07-23-2014 07:51 AM
Jouni you are the best, let me put this into our lab network.
Thank you for always helping us figure out what we have done wrong and for
showing the right way to make things work.
Thank you Sir
07-23-2014 08:08 AM
Hi,
No problem :)
Let me know how it goes after you have tested it in your lab.
- Jouni
07-23-2014 09:58 AM
Jouni,
I'm only on the first website but we see this working just like you said.
I left you a message to read at http://98.101.206.100
I can't thank you enough and would like to do something for you my friend.
Please name it - anything you need or want
Thanks again
07-23-2014 10:17 AM
Hi,
Good to hear that its working so far. :) Thank you for the message, though I am not part of Cisco :)
Don't know if its really proper to ask anything from the help I give here and to be honest I would not know what to ask even. :)
I'm happy if the correct answer is marked (if I have given one)
- Jouni