01-20-2018 07:13 AM - edited 03-12-2019 04:55 AM
Hello Techies,
I have a server I want to be accessible from the internet. I have a /29 IP address block from my Service Provider and I intend to use one of the IPs. How do I go about this? I have seen port forwarding configs online, but I do not want to port forward specific ports; I want all ports to be open. I want something more like a DMZ. My server is behind an ASA 5515x. Kindly drop a message to assist in achieving this.
Thank you.
01-20-2018 07:26 AM
Hi, here is an example for you:
Note your interface names (INSIDE, OUTSIDE etc.) may be different.
! Define an object, add the real IP address (host) and the NATted IP address.
object network SVR01
 host 192.168.10.5
 nat (INSIDE,OUTSIDE) static 1.1.1.10
! Create the ACL; ensure you select the object name you created above
access-list OUTSIDE_IN extended permit tcp any object SVR01 eq www
access-list OUTSIDE_IN extended permit tcp any object SVR01 eq https
! Apply the ACL to the outside interface
access-group OUTSIDE_IN in interface OUTSIDE
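A fuller version of the same pattern, as an added example that is not from the reply above: it keeps the one-to-one static NAT but restricts inbound traffic to a named group of application ports and leaves every other port on the public address closed. The interface and object names, the RFC 5737 documentation addresses and the port numbers 8443 and 5000 are placeholders standing in for the real inside host, the real /29 address and the ports the desktop client actually uses.

```cisco
! Added example, not configuration from the thread. Addresses are from the
! RFC 5737 documentation ranges; replace them with the real inside host and
! the public address from the /29.

! Real (inside) address of the application server, with its public address
! attached as a static one-to-one NAT. On ASA 8.3 and later the ACL below
! must reference the REAL address (the object), not the public address.
object network APP-SVR
 host 192.168.10.5
 nat (INSIDE,OUTSIDE) static 203.0.113.13

! Only the ports the desktop client needs. 8443 and 5000 are placeholders;
! take the real values from the application vendor's documentation.
object-group service APP-SVR-PORTS tcp
 port-object eq 8443
 port-object eq 5000

! Inbound rule: any internet source may reach the application ports and
! nothing else. The final deny is what the implicit deny would do anyway,
! but logging it shows which other ports are being probed on 203.0.113.13.
access-list OUTSIDE_IN extended permit tcp any object APP-SVR object-group APP-SVR-PORTS
access-list OUTSIDE_IN extended deny ip any any log

! Apply the ACL inbound on the outside interface.
access-group OUTSIDE_IN in interface OUTSIDE
```

Adding or removing an application port later is a single `port-object` line in the group; the ACL itself does not need to change.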
01-20-2018 07:33 AM
Hello RJI,
The Server is an application server. It will not be accessed over web browsers specifically. So I think specifying port protocols such as HTTPS and WWW may not be the way to go. The remote users of the server have a desktop application they use to access it. What they need to do is change the IP address to the public IP. I intend to NAT the private IP to it. My thought is: I hope limiting them to https and www will not make the server inaccessible?
01-20-2018 07:39 AM
My suggestion was purely an example for you to use to base your configuration on. What ports are required to be open for the application to work?
Do you really want to be opening this application to the internet? It may be more secure to implement a Remote Access VPN on the ASA, forcing the users to connect securely by encrypting communication.
01-20-2018 07:42 AM
I think I will just do this and not define ports. Perhaps all ports will be accessible.
object network My-Server
 host 192.168.x.x
 nat (inside,outside) static 41.x.x.x
access-list SERVER_OUTSIDE_IN extended permit tcp any object My-Server
access-group SERVER_OUTSIDE_IN in interface outside
01-20-2018 07:49 AM
Yes, that will work, but as I said before I personally don't recommend it at all, it's not good practice.
01-20-2018 08:00 AM - edited 01-23-2018 06:57 AM
I later changed my mind and defined ports.
One more thing. I have a /29 IP block from my Service Provider. My outside interface is configured as 41.x.x.12/29. I am using an outside address of 41.x.x.13 for the outside address of the Server. I am testing it from www.ping.eu (doing port checks). Ping.eu says the ports are closed. These ports that I am testing are listening ports on the server and they are the same ports defined in the ASA config. I tested the same ports locally and they are accessible. It seems like something is missing or I'm doing something wrong.
01-20-2018 08:22 AM
Try using packet tracer; this may indicate where the issue is. Also, is there a local firewall turned on on the server? Does this server route outbound traffic via the ASA?
Also check:
"show conn detail"- do you see the inbound connections to that server?
"show nat" - do you see any untranslated hits?
"show access-list" - do you see any hits on the rule you created?
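An added example of running those checks against the object-NAT configuration earlier in the thread; these are not commands from the reply above. The placeholders are the same as before (203.0.113.13 for the public address, 192.168.10.5 for the server, 8443 for one application port), and 198.51.100.7 is an assumed internet client.

```cisco
! Added example, not from the thread. Simulate an internet client hitting the
! public address on an application port. Every phase should report ALLOW; the
! UN-NAT phase is the one that is absent when the static NAT line was never
! entered, and without it the packet is never forwarded to the inside host.
packet-tracer input OUTSIDE tcp 198.51.100.7 40000 203.0.113.13 8443

! Translation hit counters for the static entry: translate_hits counts
! outbound use by the server, untranslate_hits counts inbound connections to
! the public address. Zero untranslate hits while testing from outside means
! the packet never matched the rule (wrong public address, wrong interface
! pair, or the nat line missing from the object).
show nat detail

! Hit counts on the inbound rule (hitcnt=N rises once per new connection).
! Zero here after an external test points at NAT or routing, not at the ACL.
show access-list OUTSIDE_IN

! Connections currently built to the real address. A connection that is
! built but never completes the handshake usually means the server or its
! host firewall is dropping the traffic rather than the ASA.
show conn address 192.168.10.5

! The public address lives inside the outside interface's own /29, so the
! ASA must answer ARP for it (proxy ARP, on by default for static NAT).
show arp
```

Run the packet-tracer first: it reports the exact phase that drops the packet, so the show commands only need to be read for the subsystem it names.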
01-23-2018 06:53 AM - edited 09-21-2018 04:43 AM
Hello RJI,
It's fixed!
1. I checked the hits on my access-lists and saw 0. Obviously something was wrong.
2. Local firewall (public) was turned on; I turned it off on the server.
3. I somehow did not type the most important part of the config, the NAT to the outside address:
nat (inside,outside) static 41.x.x.x
I did these and voila, it was fine!!!
Thanks so much RJI, you've been twice helpful!