ASA Firewall and Web Server Help!!!

Discussion in 'Cisco' started by david_monterde@hotmail.com, Oct 13, 2008.

  1. Guest

    Hello! Many thanks for the help, and really sorry for my English. Ok, this
    is my problem:

    In my corporation we have an ASA 5520 and actually it is redirecting all
    the www traffic to an IP located in my DMZ, but I need this
    traffic to be sent to a host in my internal network. I have read too
    much and tried a lot of configurations but nothing works for me. This
    is an example of my config:

    ######################
    interface GigabitEthernet0/0
     nameif outside
     security-level 0
     ip address 200.23.158.12 255.255.255.240
    !
    interface GigabitEthernet0/1
     nameif inside
     security-level 100
     ip address 10.10.0.1 255.255.255.0
    !
    interface GigabitEthernet0/2
     nameif dmz
     security-level 50
     ip address 172.16.172.1 255.255.255.0
    !
    ########## This is the ACL I used ##########
    ....
    access-list outside_access_in extended permit tcp any host 10.10.13.83 eq www
    ....
    ########## 10.10.13.83 is the host where Apache is installed; I need this as web server ##########
    ....
    static (inside,outside) tcp 200.23.158.12 www 10.10.13.83 www netmask 255.255.255.255
    ....
    ##### Here is where I assign the ACL to the outside interface ##########
    access-group outside_access_in in interface outside

    Well, this is my config in the ASA. I tried a lot more configs but
    they don't work. I changed the port of the ACLs, Apache and NAT to 10800,
    for example, and that doesn't work either. I need more than 1 web server in my
    domain; can anyone explain to me how, please?

    Many, many thanks for your help.
    , Oct 13, 2008
    #1

  2. Al Guest

    On Oct 14, 1:32 pm, Artie Lange <> wrote:
    > wrote:
    > > Hello! Many thanks for the help, and really sorry for my English. Ok, this
    > > is my problem:
    > >
    > > In my corporation we have an ASA 5520 and actually it is redirecting all
    > > the www traffic to an IP located in my DMZ, but I need this
    > > traffic to be sent to a host in my internal network. I have read too
    > > much and tried a lot of configurations but nothing works for me. This
    > > is an example of my config:
    > >
    > > ######################
    > > interface GigabitEthernet0/0
    > >  nameif outside
    > >  security-level 0
    > >  ip address 200.23.158.12 255.255.255.240
    > > !
    > > interface GigabitEthernet0/1
    > >  nameif inside
    > >  security-level 100
    > >  ip address 10.10.0.1 255.255.255.0
    > > !
    > > interface GigabitEthernet0/2
    > >  nameif dmz
    > >  security-level 50
    > >  ip address 172.16.172.1 255.255.255.0
    > > !
    > > ########## This is the ACL I used ##########
    > > ...
    > > access-list outside_access_in extended permit tcp any host 10.10.13.83 eq www
    > > ...
    > > ########## 10.10.13.83 is the host where Apache is installed; I need this as web server ##########
    > > ...
    > > static (inside,outside) tcp 200.23.158.12 www 10.10.13.83 www netmask 255.255.255.255
    > > ...
    > > ##### Here is where I assign the ACL to the outside interface ##########
    > > access-group outside_access_in in interface outside
    > >
    > > Well, this is my config in the ASA. I tried a lot more configs but
    > > they don't work. I changed the port of the ACLs, Apache and NAT to 10800,
    > > for example, and that doesn't work either. I need more than 1 web server in my
    > > domain; can anyone explain to me how, please?
    > >
    > > Many, many thanks for your help.
    >
    > Did you also remove the static entry and ACL for when the webserver was
    > in your DMZ?
    >
    > Can you post more of your config to see if anything is overlapping?


    I believe you have to use the NAT'd IP in the ACL as the ACL is
    processed first, e.g.

    access-list outside_access_in extended permit tcp any host 200.23.158.12 eq www

    Another possible issue is your apparent use of the interface IP - we
    have found that using the IP rather than the interface in the static
    command can prevent it working, though I'm not sure if this was an OS
    bug. The syntax for that would be something like:

    static (inside,outside) tcp interface www 10.10.13.83 www netmask 255.255.255.255

    See the following for an example (which uses RDP, but the concept is
    similar):
    http://www.cisco.com/en/US/products...s_configuration_example09186a00807d287e.shtml

    I generally find using the ASDM logging feature very useful for
    problems like this. And to echo the previous poster, posting a fuller
    config (minus logins, etc as appropriate) here may help if the above
    tips don't.

    As a general point - you can only forward tcp/80 on the outside IP to
    one internal device, so any additional web servers would have to run
    on non-standard ports, or you have to get more public IPs to use.

    Regards,

    Al
    Al, Oct 14, 2008
    #2
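Putting Al's three points together (ACL on the global address, the `interface` keyword in the `static`, and a non-standard port for each extra server on the same public IP), here is an added example configuration that is not from either poster. It uses the pre-8.3 ASA syntax the thread uses and the addresses from the thread (outside 200.23.158.12, first web server 10.10.13.83); the second server 10.10.13.84 and its public port 8080 are constructed for the example, and the old DMZ host is a placeholder.

```text
! Added example, not the original poster's config. Pre-8.3 ASA syntax.
! Assumed: outside interface IP 200.23.158.12 (from the thread),
! web servers 10.10.13.83 (from the thread) and 10.10.13.84 (constructed).
!
! 1. Remove the stale translation for the server that used to live in the DMZ,
!    otherwise the two statics overlap on tcp/80 of the same public address.
!    <OLD_DMZ_HOST> is a placeholder; the thread never gives that address.
no static (dmz,outside) tcp 200.23.158.12 www <OLD_DMZ_HOST> www netmask 255.255.255.255
!
! 2. Publish the inside servers. Only one host can own tcp/80 on this public
!    IP, so the second server is reachable on tcp/8080 from the outside while
!    Apache still listens on tcp/80 internally. "interface" refers to the
!    outside interface address instead of hard-coding it.
static (inside,outside) tcp interface www  10.10.13.83 www netmask 255.255.255.255
static (inside,outside) tcp interface 8080 10.10.13.84 www netmask 255.255.255.255
!
! 3. Pre-8.3 the inbound ACL is matched against the translated (global)
!    address and port, so it names the outside IP, not 10.10.13.x. Everything
!    not listed is still dropped by the implicit deny at the end of the list.
access-list outside_access_in extended permit tcp any host 200.23.158.12 eq www
access-list outside_access_in extended permit tcp any host 200.23.158.12 eq 8080
access-group outside_access_in in interface outside
!
! 4. Drop existing translations so the new statics take effect, then verify.
clear xlate
show xlate
show access-list outside_access_in
```

After applying it, a hit count that stays at 0 in `show access-list outside_access_in` while outside clients report timeouts points at the NAT side (check `show xlate` for the expected `PAT Global 200.23.158.12(80) Local 10.10.13.83(80)` style entries), whereas a rising hit count with no reply points at the server or its host firewall. One caveat for anyone reading this later: from ASA 8.3 onward NAT is configured with network objects and inbound ACLs are written against the real (inside) address, so the ACL lines above would then use 10.10.13.83 and 10.10.13.84 rather than the public IP.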