MAKE SERVER ACCESSIBLE FROM THE OUTSIDE (INTERNET)

Jesutofunmi O
Level 1

Hello Techies,

 

I have a server I want to be accessible from the internet. I have a /29 IP address from my Service Provider and I intend to use one of the IPs. How do I go about this? I have seen port forwarding configs online but I do not want to port forward specific ports, I want all ports to be open. I want something more like a DMZ. My server is behind an ASA 5515x. Kindly drop a message to assist in achieving this.

 

Thank you.

8 Replies

Hi, here is an example for you:

Note your interface names (INSIDE, OUTSIDE etc.) may be different.

! Define an object, add the real IP address (host) and the NATted IP address.
object network SVR01
 host 192.168.10.5
 nat (INSIDE,OUTSIDE) static 1.1.1.10

! Create the ACL; ensure you select the object name you created above
access-list OUTSIDE_IN extended permit tcp any object SVR01 eq www
access-list OUTSIDE_IN extended permit tcp any object SVR01 eq https

! Apply the ACL to the outside interface
access-group OUTSIDE_IN in interface OUTSIDE

Hello RJI,

 

The Server is an application server. It will not be accessed over web browsers specifically. So I think specifying port protocols such as HTTPS and WWW may not be the way to go. The remote users of the server have a desktop application they use to access it. What they need to do is change the IP address to the public IP I intend to NAT the private IP to. My thought is, I hope limiting them to https and www will not make the server inaccessible?

My suggestion was purely an example for you to use to base your configuration on. What ports are required to be open for the application to work?

 

Do you really want to be opening this application to the internet? It may be more secure to implement a Remote Access VPN on the ASA, forcing the users to connect securely by encrypting communication.

I think I will just do this and not define ports. Perhaps all ports will be accessible.

 

object network My-Server
 host 192.168.x.x
 nat (inside,outside) static 41.x.x.x

access-list SERVER_OUTSIDE_IN extended permit tcp any object My-Server

 

access-group SERVER_OUTSIDE_IN in interface outside

Yes, that will work, but as I said before I personally don't recommend it at all, it's not good practice.
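
Added example, not part of the original thread: the all-ports entry from the post above next to a port-restricted version of the same publication. TCP 8443 and 9000 are assumed stand-ins for the application's real listening ports, APP_PORTS is a hypothetical group name, and the x.x addresses are the thread's own redactions.

```cisco
! Added example (not from the thread). Ports 8443/9000 and the name APP_PORTS
! are assumptions; replace them with the application's real listening ports.
!
! Broad form from the post above: every TCP port on the server is reachable
! from any source on the internet.
!   access-list SERVER_OUTSIDE_IN extended permit tcp any object My-Server
!
! Restricted form: same static NAT, but only the application ports are allowed.
object network My-Server
 host 192.168.x.x
 nat (inside,outside) static 41.x.x.x
!
object-group service APP_PORTS tcp
 port-object eq 8443
 port-object eq 9000
!
! The ACL matches the real (inside) address of the object, not the mapped one.
access-list SERVER_OUTSIDE_IN extended permit tcp any object My-Server object-group APP_PORTS
! Explicit deny with logging gives a hit counter and syslog for everything else
! aimed at the server, which the implicit deny does not show per destination.
access-list SERVER_OUTSIDE_IN extended deny ip any object My-Server log
!
access-group SERVER_OUTSIDE_IN in interface outside
```

If the remote users connect from known addresses, replacing `any` with a network object-group of those sources narrows the exposure further.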

I later changed my mind and defined ports.

 

One more thing. I have a /29 IP from my Service Provider. My outside interface is configured 41.x.x.12/29. I am using an outside address of 41.x.x.13 for the outside address of the Server. I am testing it from www.ping.eu (doing port checks). Ping.eu says the ports are closed. These ports that I am testing are listening ports on the server and they are the same ports defined on the ASA config. I tested the same ports locally and they are accessible. It seems like something is missing or I'm doing the wrong thing.

 

 

Try using packet tracer; this may indicate where the issue is. Also, is there a local firewall turned on on the server? Does this server route outbound traffic via the ASA?

Also check:

"show conn detail" - do you see the inbound connections to that server?

"show nat" - do you see any untranslated hits?

"show access-list" - do you see any hits on the rule you created?

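Added example, not part of the original thread: the checks listed above written out as ASA commands for a published server, with what to look for in each. The source address 203.0.113.10, source port 12345 and destination port 8443 are constructed values; 41.x.x.13 and 192.168.x.x are the thread's redacted addresses.

```cisco
! Added example (not from the thread); 203.0.113.10, 12345 and 8443 are
! constructed test values.
!
! 1. Simulate an inbound TCP SYN arriving on the outside interface for the
!    public (mapped) address of the server.
packet-tracer input outside tcp 203.0.113.10 12345 41.x.x.13 8443 detailed
!    Read the phases in order:
!      UN-NAT      - the mapped address is translated to the real server address.
!                    If this phase is absent, no static NAT matches the address.
!      ACCESS-LIST - the inbound ACL entry that permitted or dropped the packet.
!      Result      - "Action: allow" or "Action: drop" with the drop reason.
!
! 2. Confirm the static NAT is actually in the running configuration.
show running-config nat
show xlate
!
! 3. NAT counters: inbound connections to a static entry raise untranslate_hits.
show nat detail
!
! 4. ACL counters: hitcnt=0 on the permit line means the traffic never matched,
!    either because it was not delivered to the ASA or not translated.
show access-list SERVER_OUTSIDE_IN
!
! 5. Live connections to the server's real address while a client is testing.
show conn address 192.168.x.x
```
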
Hello RJI,

 

It's fixed!

1. I checked the hits on my access-lists and saw 0. Obvious that something was wrong.
2. Local firewall (public) was turned on, I turned it off on the server.
3. I somewhat did not type the most important part of the config. The NAT to the outside address.

nat (inside,outside) static 41.x.x.x

I did these and voila, it was fine!!!

 

Thanks so much RJI, you've been twice helpful!
