Configure Access to HTTP Server in DMZ - ISP --> R1--> ASA

nerervarine
Level 1

Hi All,

Noob question:

I have a network scenario as represented below, and want to configure access to and from the web server in the DMZ (HTTP only). I am confused as to how to do this. I am sure NAT should be done at the Edge Router, but its "outside" interface is a private address, and the network to the ISP Router has only two available IP addresses, which are configured for each of the two interfaces. How do I configure the Edge Router to route HTTP packets to the ASA, and for it to route them to the web server and back out to the ISP? Thank you!

[Network diagram: nerervarine_0-1701478515757.png]

Thank you

8 Replies

 
object network webserver-external-ip
host routerToasa subnet ip
!
object network webserver-dmz
host x.x.x.x
nat (dmz,outside) static webserver-external-ip service tcp www www

Then on the router:

ip nat inside source static tcp <routerToasa subnet ip> www <isp interface ip> www

That is what you need.

MHM

Hi MHM,

Thanks for the response, I just wanted to clarify:

object network webserver-external-ip
host routerToasa subnet ip

Is the above an IP address of the Edge Router interface to the ASA, the ASA interface to the Edge Router, or is it a subnet address like 192.168.70.0?

And the same question with: ip nat inside source static tcp routerToASA subnet ip ------> is this an IP address or a subnet address?

Sorry for my confusion and thanks for the response.

Sorry if I am not clear.

I mean one IP from the subnet connecting the ASA to the router.

And also the same:

an IP from the subnet connecting the router to the ISP.

MHM

Hi,

Could you tell me how I can test this connection from, say, the ISP router? I have set up a simple HTTP server in the DMZ. As I cannot use the internal IP address, how do I connect and test the connectivity?

Thanks

From the ISP, connect using:

HTTP to the edge router IP (this IP, I think, is the public IP).

The IP will be NATed to the ASA outside IP (private IP).

Then the traffic will be NATed again on the ASA to the web server IP (private IP).

nerervarine
Level 1

OK - I will try with the IP addresses and report back - thanks for the quick responses.

nerervarine
Level 1

Hi MHM,

I have configured my Network in this way:

ISP int e0/1 -----> 90.241.179.6
Edge Router int e0/0 -----> 90.241.179.5

Edge Router Outside int e0/1 -----> 192.168.70.2
ASA Router Outside int e0/1 -----> 192.168.70.1

DMZ Web Server Address -----> 192.168.60.2

And I have used your suggestions like this:

ON ASA
object network wbs-ext-add
host 90.241.179.5

object network dmz-server
host 192.168.60.2
nat (dmz,outside) static wbs-ext-add service tcp www www

ON EDGE Router
ip nat inside source static tcp 192.168.70.2 www 90.241.179.5 www

But for some reason this isn't working - any help appreciated.

Sorry for the headache!

You need to add ip nat inside and ip nat outside to the edge router.

You need to add an ACL allowing traffic to the web server in the DMZ.

MHM
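
The two replies above, combined into one configuration using the addresses posted in the thread. This is an added example, not posted by any participant. It assumes ASA 8.3+ object NAT, the interface names `dmz` and `outside` from the thread's nat statement, the ASA's own outside address (192.168.70.1) as the "one IP from the ASA-to-router subnet", and a hypothetical ACL name `OUTSIDE_IN`.

```cisco
! ---- ASA ----
! Publish the DMZ web server on the ASA's own outside address
! (192.168.70.1), TCP port 80 only.
object network dmz-server
 host 192.168.60.2
 nat (dmz,outside) static interface service tcp www www
!
! OUTSIDE_IN is a hypothetical name. On 8.3+ the ACL matches the
! real (DMZ) address of the server, not the translated one.
access-list OUTSIDE_IN extended permit tcp any object dmz-server eq www
access-group OUTSIDE_IN in interface outside
!
! Return path: default route toward the edge router.
route outside 0.0.0.0 0.0.0.0 192.168.70.2
!
! ---- Edge router ----
! e0/0 faces the ISP (90.241.179.5); e0/1 faces the ASA (192.168.70.2).
interface Ethernet0/0
 ip nat outside
!
interface Ethernet0/1
 ip nat inside
!
! Inside local is the address the ASA answers on (192.168.70.1),
! not the router's own 192.168.70.2. Inside global is the router's
! ISP-facing address.
ip nat inside source static tcp 192.168.70.1 80 90.241.179.5 80
```

To test from the ISP router, open a TCP session with `telnet 90.241.179.5 80`, then check `show ip nat translations` on the edge router and `show xlate` on the ASA to confirm that both translations were created.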
