Velocity Reviews - Computer Hardware Reviews
ASA Firewall and Web Server Help!!!

david_monterde@hotmail.com
Guest
10-13-2008
Hello! Many thanks for the help, and I'm really sorry about my English. OK, this
is my problem:

In my corporation we have an ASA 5520, and it is currently redirecting all
the www traffic to an IP located in my DMZ, but I need this
traffic to be sent to a host in my internal network. I have read a
lot and tried many configurations but nothing works for me. This
is an example of my config:

######################
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 200.23.158.12 255.255.255.240
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.10.0.1 255.255.255.0
!
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 172.16.172.1 255.255.255.0
!
##########This is the ACL i used#################
....
access-list outside_access_in extended permit tcp any host 10.10.13.83 eq www
....
###################10.10.13.83 is the host where apache is installed, i need this as web server##############
....
static (inside,outside) tcp 200.23.158.12 www 10.10.13.83 www netmask 255.255.255.255
....
#####Here is where i assign the acl to the outside int##########
access-group outside_access_in in interface outside

Well, this is my config in the ASA. I tried a lot more configs but
none of them work. I changed the port of the ACLs, Apache and NAT to 10800,
for example, and that doesn't work either. I need more than 1 web server in my
domain. Can anyone explain to me how, please?

Many many thanks for your help.
Al
Guest
10-14-2008
On Oct 14, 1:32 pm, Artie Lange <(E-Mail Removed)> wrote:
> (E-Mail Removed) wrote:
> > Hello! Many thanks for the help, and I'm really sorry about my English. OK, this
> > is my problem:
> >
> > In my corporation we have an ASA 5520, and it is currently redirecting all
> > the www traffic to an IP located in my DMZ, but I need this
> > traffic to be sent to a host in my internal network. I have read a
> > lot and tried many configurations but nothing works for me. This
> > is an example of my config:
> >
> > ######################
> > interface GigabitEthernet0/0
> >  nameif outside
> >  security-level 0
> >  ip address 200.23.158.12 255.255.255.240
> > !
> > interface GigabitEthernet0/1
> >  nameif inside
> >  security-level 100
> >  ip address 10.10.0.1 255.255.255.0
> > !
> > interface GigabitEthernet0/2
> >  nameif dmz
> >  security-level 50
> >  ip address 172.16.172.1 255.255.255.0
> > !
> > ##########This is the ACL i used#################
> > ...
> > access-list outside_access_in extended permit tcp any host 10.10.13.83 eq www
> > ...
> > ###################10.10.13.83 is the host where apache is installed, i need this as web server##############
> > ...
> > static (inside,outside) tcp 200.23.158.12 www 10.10.13.83 www netmask 255.255.255.255
> > ...
> > #####Here is where i assign the acl to the outside int##########
> > access-group outside_access_in in interface outside
> >
> > Well, this is my config in the ASA. I tried a lot more configs but
> > none of them work. I changed the port of the ACLs, Apache and NAT to 10800,
> > for example, and that doesn't work either. I need more than 1 web server in my
> > domain. Can anyone explain to me how, please?
> >
> > Many many thanks for your help.
>
> Did you also remove the static entry and ACL for when the webserver was
> in your DMZ?
>
> Can you post more of your config to see if anything is overlapping?


I believe you have to use the NAT'd IP in the ACL as the ACL is
processed first. e.g.

access-list outside_access_in extended permit tcp any host 200.23.158.12 eq www

Another possible issue is your apparent use of the interface IP - we
have found that using the IP rather than the interface in the static
command can prevent it working, though I'm not sure if this was an OS
bug. The syntax for that would be something like:

static (inside,outside) tcp interface www 10.10.13.83 www netmask 255.255.255.255

See the following for an example (which uses RDP, but the concept is
similar):
http://www.cisco.com/en/US/products/...807d287e.shtml

I generally find using the ASDM logging feature very useful for
problems like this. And to echo the previous poster, posting a fuller
config (minus logins, etc as appropriate) here may help if the above
tips don't.

As a general point - you can only forward tcp/80 on the outside IP to
one internal device, so any additional web servers would have to run
on non-standard ports, or you have to get more public IPs to use.

Regards,

Al
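A small checker for the two points Al raises, added here as an example and not code from the thread's posters or from Cisco: it parses pre-8.3 style `static` and `access-list` lines and flags an outside ACL that names the real inside address, plus a second static that reuses an already forwarded public address/port. The regexes, the constructed SAMPLE config (assembled from the addresses in the thread) and the `check_config` name are my own; it assumes pre-8.3 ASA code, where ACLs are evaluated on mapped addresses (8.3 and later use real addresses in ACLs).

```python
import re

# Constructed example for the thread above (not the poster's or Cisco's code).
PORT_NAMES = {"www": 80, "http": 80, "https": 443}   # ASA port keywords (subset)
STATIC_RE = re.compile(r"^static\s+\(\w+,\w+\)\s+tcp\s+(?P<mapped>\S+)\s+"
                       r"(?P<mport>\S+)\s+(?P<real>\S+)\s+(?P<rport>\S+)")
ACL_RE = re.compile(r"^access-list\s+\S+\s+extended\s+permit\s+tcp\s+\S+\s+"
                    r"host\s+(?P<dst>\S+)\s+eq\s+(?P<port>\S+)")

# Constructed sample built from the values in the thread: the original ACL
# plus a second static that tries to reuse tcp/80 on the same public address.
SAMPLE = """\
access-list outside_access_in extended permit tcp any host 10.10.13.83 eq www
static (inside,outside) tcp 200.23.158.12 www 10.10.13.83 www netmask 255.255.255.255
static (inside,outside) tcp 200.23.158.12 www 10.10.13.84 www netmask 255.255.255.255
access-group outside_access_in in interface outside
"""

def port_number(token):
    """Turn 'www' or '10800' into an integer port."""
    return PORT_NAMES[token] if token in PORT_NAMES else int(token)

def check_config(config):
    """Return findings for the two pre-8.3 NAT/ACL mistakes the thread discusses."""
    statics, acl = [], []            # (mapped, mapped_port, real) / (dst, port)
    for raw in config.splitlines():
        if m := STATIC_RE.match(raw.strip()):
            statics.append((m["mapped"], port_number(m["mport"]), m["real"]))
        elif m := ACL_RE.match(raw.strip()):
            acl.append((m["dst"], port_number(m["port"])))
    findings = []
    # 1. On pre-8.3 code the outside ACL is evaluated against the mapped
    #    (public) address, so an entry naming the real inside host never matches.
    real_to_mapped = {real: (mapped, mport) for mapped, mport, real in statics}
    for dst, port in acl:
        if dst in real_to_mapped:
            mapped, mport = real_to_mapped[dst]
            findings.append(f"ACL permits real address {dst}:{port}; pre-8.3 ASA "
                            f"needs the mapped address {mapped}:{mport}")
    # 2. A mapped address/port pair forwards to exactly one real host, so a
    #    second web server needs a different public port or a second public IP.
    owner = {}
    for mapped, mport, real in statics:
        first = owner.setdefault((mapped, mport), real)
        if first != real:
            findings.append(f"mapped {mapped}:{mport} already forwarded to {first}; "
                            f"cannot also forward it to {real}")
    return findings
```

Running `check_config(SAMPLE)` reports both problems, and rewriting the ACL to permit 200.23.158.12 while moving the second server to another public port (for example 10800) clears them. Note also that 10.10.13.83 is not within the 10.10.0.0/24 configured on the inside interface, so the ASA additionally needs a route to that subnet via the inside interface.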