5 Replies Latest reply: May 18, 2019 11:22 AM by Juergen Ilse CCNA R&S

    Publish Web Server on ASA 5505

    Hieu

      Hello everyone, I am a newbie and I have a lab like this: I can't publish this Web Server to Outside. I hope everyone helps me, please. Thank you very much. During the discussion, I sincerely apologize for my English and my knowledge.


           lab2.png

           Inside ISP CLUSTER:

           cluster2.png


      IP ON ASA:

      - IP address of Web server: 172.24.46.2

      - IP et0/2: 172.24.46.1 (DMZ-VLAN3)

      - IP et0/0: 10.1.70.2 (Inside-VLAN1)

      - IP et0/1: 10.1.90.3 (Outside-VLAN2)


      IP ON ROUTER:

      - IP g0/1: 123.123.1.1

      - IP g0/0: 10.1.90.1

           ** This is the Router's running config:


      RR.png


           RR2.png


      IP ON SW Layer 3:

      - IP Fa0/3: 10.1.70.1




      I have trouble with the ASA firewall when publishing the web server to the internet. I created 3 VLANs, Inside, Outside and DMZ, on the ASA. Moreover, I also created 3 network objects, LAN, DMZ, and WebServer, with subnet and host as in this picture:

           webobject.png

      I also configured NAT on these objects, and I use the address 123.123.1.3 in the range 123.123.1.0/29 as the host:

      natob.png


      And this is my ACL and route on ASA:

      accl.png


      These are the VLAN interfaces:

           INTVLAN.png

        • 1. Re: Publish Web Server on ASA 5505
          Mustafa

          Hi,

          I suggest posting this in the 2nd community group, "CCNA Security Study Group".

          M

          • 2. Re: Publish Web Server on ASA 5505
            Juergen Ilse CCNA R&S

            Hieu wrote:

            Hello everyone, I am a newbie and I have a lab like this: I can't publish this Web Server to Outside. I hope everyone helps me, please. Thank you very much. During the discussion, I sincerely apologize for my English and my knowledge.

            First of all: Yes, this question would be better placed in the CCNA Security Group.

            Now to your question: Why do you do NAT on the router? The ASA can do NAT much better and more flexibly than an IOS router.

            So my suggestion would be to remove the 2911 router completely from your topology and connect the outside interface of your ASA directly to the Ethernet line to the ISP. In this case, the outside interface of your ASA will have IP address 123.123.0.1/29 and its default gateway would be the IP address of the ISP router (which you have not provided in your information).

            Btw.: it would have been better if you had also specified that IP address in the default route of your router, if you really want to include that router in your topology, because it is very bad practice to point the default route only at an Ethernet interface without specifying an IP next-hop address ... If you only specify the interface and no IP next-hop, the configuration will rely on proxy-ARP being enabled on the ISP router, and you shouldn't rely on that, because the ISP router is not under your administration ... Another disadvantage would be that, with your configuration, the ARP table of your 2911 router will be filled up unnecessarily with internet IP addresses. If you specify the ISP IP address as IP next-hop, you will instead only have the ISP IP address as ARP entry for interface Gi0/1. This part about always specifying the default route with an IP next-hop address (if possible) may be part of CCNA R&S knowledge.

            Now my suggestion for the ASA configuration (only the relevant parts and without the default route, because you haven't told me the ISP IP address, which I would need for specifying the default route on the ASA):

            nat (Outside,DMZ) source static any any destination static WebServerOutside WebServerInside unidirectional
            object network DMZ
                 subnet 172.24.46.0 255.255.255.0
                 nat (DMZ,Outside) dynamic interface
            object network WebServerInside
                 host 172.24.46.2
            object network WebServerOutside
                 host 123.123.1.1
            object network InsideSupernet
                 subnet 10.1.0.0 255.255.0.0
                 nat (Inside,Outside) dynamic interface
            access-list from-outside extended permit tcp any object WebServerInside eq 80
            access-list from-outside extended permit icmp any object WebServerInside
            access-group from-outside in interface Outside
            route Inside 10.1.10.0 255.255.255.0 10.1.70.1
            route Inside 10.1.20.0 255.255.255.0 10.1.70.1
            route Inside 10.1.30.0 255.255.255.0 10.1.70.1
            route Inside 10.1.40.0 255.255.255.0 10.1.70.1
            route Inside 10.1.50.0 255.255.255.0 10.1.70.1
            route Inside 10.1.60.0 255.255.255.0 10.1.70.1

            Static NAT rules are bidirectional by default, but since I used the keyword "unidirectional" for the access to the webserver from outside, it would even be possible to use "interface" instead of "WebServerOutside", so that every connection from outside to the IP address of the outside interface of the ASA will be redirected to your webserver in the DMZ.

            I hope this answer (with removing the 2911 router from the topology) will be helpful for you. But even if you want to leave the 2911 router in your topology, you can (with a configuration similar to my suggestion) realize the NAT configuration on the 2911 with only static NAT, without PAT.

            • 3. Re: Publish Web Server on ASA 5505
              Juergen Ilse CCNA R&S

              What I forgot to mention (even if I corrected that point in my suggestion of a different topology):

              Since ASA firmware 8.3 you have to specify in ACLs the "real destination" of a packet. Even if the packet was destined to the "outside NAT address", you have to specify the "inside address of your webserver" in the permit statement in your ACL. So in your current configuration, you have to change:

                   access-list out_to_dmz extended permit tcp any host 123.123.1.3 eq www

              to

                   access-list out_to_dmz extended permit tcp any host 172.24.46.2 eq www
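The point in the reply above (post-8.3 ACLs must name the real, pre-NAT destination) can be checked mechanically. The following is an added Python example, not part of this thread or any Cisco tool; it parses a constructed ASA config fragment, derives mapped-to-real address pairs from "destination static MAPPED REAL" twice-NAT rules, and flags ACL entries whose destination host is still the mapped (outside) address.

```python
import re

# Constructed sample ASA config fragment (not the thread's full config): one
# static destination NAT and two ACL entries, one referencing the mapped
# (outside) address and one referencing the real (DMZ) address.
SAMPLE_CONFIG = """
object network WebServerInside
 host 172.24.46.2
object network WebServerOutside
 host 123.123.1.3
nat (outside,DMZ) source static any any destination static WebServerOutside WebServerInside unidirectional
access-list out_to_dmz extended permit tcp any host 123.123.1.3 eq www
access-list out_to_dmz extended permit tcp any host 172.24.46.2 eq www
"""

def parse_objects(config):
    """Map 'object network NAME' to the 'host' address under it (host objects only)."""
    objects, current = {}, None
    for line in config.splitlines():
        m = re.match(r"object network (\S+)", line)
        if m:
            current = m.group(1)
            continue
        m = re.match(r"\s+host (\S+)", line)
        if m and current:
            objects[current] = m.group(1)
    return objects

def mapped_to_real(config):
    """Return {mapped_ip: real_ip} from 'destination static MAPPED REAL' twice-NAT rules."""
    objs = parse_objects(config)
    pairs = {}
    for m in re.finditer(r"destination static (\S+) (\S+)", config):
        mapped, real = m.group(1), m.group(2)
        # Resolve object names to addresses; fall back to the literal token.
        pairs[objs.get(mapped, mapped)] = objs.get(real, real)
    return pairs

def find_pre83_acl_entries(config):
    """Flag ACL lines whose destination 'host X' is a mapped address; each finding
    is (acl_line, real_address_the_line_should_use)."""
    nat_map = mapped_to_real(config)
    findings = []
    for line in config.splitlines():
        # Greedy '.*' makes 'host (\S+)' bind to the last (destination) host token.
        m = re.match(r"access-list \S+ extended permit \S+ .*host (\S+)(?:\s+eq\s+\S+)?\s*$", line)
        if m and m.group(1) in nat_map:
            findings.append((line.strip(), nat_map[m.group(1)]))
    return findings
```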

              • 4. Re: Publish Web Server on ASA 5505
                Hieu

                Wow. It worked. Thank you for your help. You are so cool. I'm also planning to do a lab with 2 firewalls. After all, thank you very much.

                • 5. Re: Publish Web Server on ASA 5505
                  Juergen Ilse CCNA R&S

                  I'm glad that I could help. Why did you insert the router in your design? Was it because you didn't know about all the cool NAT possibilities of a Cisco ASA (which are much more than the NAT possibilities of an IOS router)? Or did you use the router as a "media converter", because the ASA5505 has FastEthernet ports only, and the line towards the ISP is gigabit only (in that case, I would prefer to use a switch instead of a router)?

                  Just for the record: If you remove the keyword unidirectional from the NAT rule for the webserver, outgoing traffic from your webserver will also be NATted behind the "outside NAT address" of the webserver and not behind the outside interface IP of the ASA (as with the unidirectional keyword). But in that case, you really need a separate "outside IP" for the webserver, and you can't use the outside interface IP address for both dynamic NAT for the inside networks and static NAT for making the webserver accessible from the internet at the same time.

                  If you want to make more than one service accessible from the internet, running on different servers, you may restrict the twice NAT rule for the webserver to one service and also add such NAT rules for the other services:

                  object service HTTP
                       service tcp destination eq www
                  object service SMTP
                       service tcp destination eq smtp
                  object service POP3
                       service tcp destination eq pop3
                  object service IMAP4
                       service tcp destination eq imap4
                  nat (outside,DMZ) source static any any destination static WebServerOutside WebServerInside service HTTP HTTP unidirectional
                  nat (outside,DMZ) source static any any destination static MailServerOutside MailServerInside service SMTP SMTP unidirectional
                  nat (outside,DMZ) source static any any destination static MailServerOutside MailServerInside service POP3 POP3 unidirectional
                  nat (outside,DMZ) source static any any destination static MailServerOutside MailServerInside service IMAP4 IMAP4 unidirectional

                  And it would be nice if you mark my answer as helpful or correct, if it was helpful for you. Thanks.