Introduction
This document describes a topology that a user wants to implement: a transparent (layer 2) ASA in front of a web server that keeps its public IP address.
Problem
The simple illustration is Internet ----> Transparent Firewall ----> Web Server (with a public IP address)
- There must be no NAT.
- The web server must keep a public IP address and be reachable from the Internet.
- Individual ports must be blockable and re-openable as needed.
Solution
This is a minimal configuration for that requirement (it runs on an ASA 5520).
!
firewall transparent
!
interface GigabitEthernet0
description --- Connected to the Internet ---
nameif outside
bridge-group 1
security-level 0
!
!
interface GigabitEthernet3
description --- Connected to LAN ---
nameif inside
bridge-group 1
security-level 100
!
! In transparent mode the BVI address is the bridge group's management IP, not a
! routed hop for the web server. Cisco's transparent-mode guidance requires it to
! be on the same subnet as the bridged network, so 10.1.10.1 only makes sense if
! the bridged segment uses that subnet; otherwise pick an unused address from the
! web server's public subnet.
interface BVI1
description --- For Management only ---
ip address 10.1.10.1 255.255.255.0
!
!
object network WWW-SERVER-OBJ
description --- The WEB server ----
host 123.123.123.123
!
!
object-group service WWW-SERVER-SERVICES-TCP-OBJ tcp
description --- Services published on WEB server ----
! www and https are the ASA keywords for ports 80 and 443; listing the numbers
! as well would only create duplicate entries, so they are given once here.
port-object eq www
port-object eq https
port-object eq 1812
port-object eq 1813
port-object eq 1845
port-object eq 1846
port-object eq 3799
port-object eq 10100
port-object eq 10200
port-object eq 10300
port-object eq 20235
!
object-group service WWW-SERVER-SERVICES-UDP-OBJ udp
description --- UDP services published on WEB server ----
port-object eq 1812
port-object eq 1813
port-object eq 1845
port-object eq 1846
port-object eq 3799
port-object eq 10100
port-object eq 10200
port-object eq 10300
port-object eq 20235
!
!
!
access-list OUTSIDE-IN-ACL extended permit tcp any object WWW-SERVER-OBJ object-group WWW-SERVER-SERVICES-TCP-OBJ
!
access-list OUTSIDE-IN-ACL extended permit udp any object WWW-SERVER-OBJ object-group WWW-SERVER-SERVICES-UDP-OBJ
!
access-group OUTSIDE-IN-ACL in interface outside
To allow a single public IP (shown as the placeholder xxx.yyy.zzz.xyz) to connect to TCP port 3306 (MySQL) on the inside server, append another entry to the same ACL:
access-list OUTSIDE-IN-ACL extended permit tcp host xxx.yyy.zzz.xyz object WWW-SERVER-OBJ eq 3306
By default all ports are closed: the ASA evaluates the ACL top to bottom, the first matching entry wins, and the implicit deny at the end of every ACL drops anything not explicitly permitted. Traffic arriving on the outside interface (security-level 0) toward the inside (security-level 100) therefore passes only on the ports listed above.
If you want an explicit rule that blocks TCP port 25 from anywhere to anywhere, insert it at the top of the ACL so it is evaluated before any permit:
access-list OUTSIDE-IN-ACL line 1 extended deny tcp any any eq 25
The implicit deny would already drop port 25, so this entry mainly documents intent; because it sits at line 1 it also overrides any later permit that might cover port 25 (for example if smtp were later added to the service group).
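The ordering rules above (first match wins, implicit deny at the end, `line 1` inserts ahead of existing entries) are easy to get wrong when an ACL grows. The following is an added example, not code from the page or from Cisco: a small Python model of how the ASA walks this particular ACL, built from the objects and entries shown above. It assumes 203.0.113.10 (an RFC 5737 documentation address) as the stand-in for the placeholder xxx.yyy.zzz.xyz and 198.51.100.7 as an arbitrary Internet host; both are constructed values.

```python
"""Replay of OUTSIDE-IN-ACL evaluation order.

Added example, not ASA code: models how the ASA walks an extended ACL
(first matching entry wins, implicit deny when nothing matches) using
the objects and access-list entries from the configuration above.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address
from typing import FrozenSet, Optional, Tuple

# object network WWW-SERVER-OBJ
WWW_SERVER = ip_address("123.123.123.123")
# ASA keyword ports used by the page.
NAMED_PORTS = {"www": 80, "https": 443}
# object-group service WWW-SERVER-SERVICES-TCP-OBJ / -UDP-OBJ
TCP_GROUP = frozenset(NAMED_PORTS[p] for p in ("www", "https")) | frozenset(
    (1812, 1813, 1845, 1846, 3799, 10100, 10200, 10300, 20235))
UDP_GROUP = frozenset((1812, 1813, 1845, 1846, 3799, 10100, 10200, 10300, 20235))
# Assumed stand-in for the page's placeholder xxx.yyy.zzz.xyz (RFC 5737 range).
DB_CLIENT = ip_address("203.0.113.10")

ANY = None  # "any" in ASA syntax


@dataclass(frozen=True)
class Ace:
    """One access-list entry: action, protocol, source, destination, dest ports."""
    action: str                        # "permit" or "deny"
    proto: str                         # "tcp" or "udp"
    src: Optional[IPv4Address]         # None means any
    dst: Optional[IPv4Address]
    dports: Optional[FrozenSet[int]]   # None means any destination port

    def matches(self, proto: str, src, dst, dport: int) -> bool:
        return (self.proto == proto
                and (self.src is None or self.src == src)
                and (self.dst is None or self.dst == dst)
                and (self.dports is None or dport in self.dports))


def page_acl():
    """OUTSIDE-IN-ACL in the order the page builds it."""
    return [
        Ace("permit", "tcp", ANY, WWW_SERVER, TCP_GROUP),
        Ace("permit", "udp", ANY, WWW_SERVER, UDP_GROUP),
        Ace("permit", "tcp", DB_CLIENT, WWW_SERVER, frozenset({3306})),
    ]


def insert_line(acl, line: int, ace: Ace):
    """Equivalent of 'access-list NAME line N ...'; ASA lines are 1-based."""
    new = list(acl)
    new.insert(line - 1, ace)
    return new


def evaluate(acl, proto, src, dst, dport) -> Tuple[str, Optional[int]]:
    """Return (action, line) of the first matching ACE, or ('deny', None)
    for the implicit deny that ends every ASA ACL."""
    for line, ace in enumerate(acl, start=1):
        if ace.matches(proto, src, dst, dport):
            return ace.action, line
    return "deny", None


def check_flows():
    """Run the flows discussed on the page through the ACL before and after
    inserting 'line 1 deny tcp any any eq 25'."""
    acl = page_acl()
    hardened = insert_line(acl, 1, Ace("deny", "tcp", ANY, ANY, frozenset({25})))
    stranger = ip_address("198.51.100.7")   # constructed arbitrary Internet host
    return {
        "https_from_anywhere": evaluate(hardened, "tcp", stranger, WWW_SERVER, 443),
        "udp_443_from_anywhere": evaluate(hardened, "udp", stranger, WWW_SERVER, 443),
        "mysql_from_db_client": evaluate(hardened, "tcp", DB_CLIENT, WWW_SERVER, 3306),
        "mysql_from_stranger": evaluate(hardened, "tcp", stranger, WWW_SERVER, 3306),
        "smtp_before_explicit_deny": evaluate(acl, "tcp", stranger, WWW_SERVER, 25),
        "smtp_after_explicit_deny": evaluate(hardened, "tcp", stranger, WWW_SERVER, 25),
    }


if __name__ == "__main__":
    for name, (action, line) in check_flows().items():
        where = f"line {line}" if line else "implicit deny"
        print(f"{name:28s} {action:6s} ({where})")
```

The model only covers the constructs this ACL uses (host/any addresses and destination-port sets), which is enough to see that the explicit port 25 deny matches at line 1 while port 25 was already dropped by the implicit deny, that the MySQL rule only admits the one listed source, and that UDP to 443 is denied even though TCP to 443 is permitted. On the real box, `show access-list OUTSIDE-IN-ACL` shows the same numbered order and per-line hit counts.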
Source Discussion
ASA 5505 Transparent Firewall with a Web server Question