How to run websites behind a Cisco ASA?

How should one run websites behind a Cisco ASA? Or should we not? Is it better to place it in parallel with the ASA (attached to the same switch) or behind the ASA?

We have a range of external IPs, so if it is possible we would like to use separate IPs for some of the services. Say, the mail server. It must be accessible on smtp, imap and http - preferably via its own IP.

Any suggestions?

You can set up a "DMZ" or third interface on the Firewall so the server is not directly accessible from the Internet but also not located on the Internet network.  NAT and access-list configuration is all that is needed at that point.

Just adding onto what JFrederick mentioned -

DMZ is usually the case.  Personally I try not to expose a server or appliance directly on the internet without any type of control mechanism in place.

If you put the server on the DMZ off of the ASA you control access in and out of that server.  Also - if you have an IPS or IDS license with the ASA5510 it will provide a more granular protection scheme for that server.

So anyways - put the server on the dmz then NAT out an available public IP - then open up port 80 on the dmz to your server.


Can you give me a code example?

Say my server is on, my asa on and The latter the Internet range.

I would like to place the server on a dmz and make port 80 available from the Internet on, but the server might host other services that should be available to the inside network.

I have not been able to try your suggestion yet. Will do that over the weekend!

Should the DMZ have its own subnet?

Yes, the DMZ should have its own subnet.

We are currently working on this just now.

Is it possible to have two external (outside) addresses pointing to the same dmz server? pointing to pointing to

We run two web services on the machine and they are configured on, say, port 80 and 81. We would like to route traffic from to and to

We are currently in a situation where we are able to ping the ASA from a server inside the DMZ. That's it.

We have followed the Cisco example above and adapted it to our setup. We have tried pinging from the LAN (inside) to the DMZ server and from the DMZ to the LAN. We have also tried an smtp connection (telnet extip 25) without success...
Result of the command: "show running-config"
: Saved
ASA Version 8.0(3) 
hostname gw01asa
domain-name NN.net
enable password 57KWdsfffEfeqojqh2mBM encrypted
interface Ethernet0/0
 nameif wan
 security-level 0
 ip address 195.x.x.34 
interface Ethernet0/1
 nameif lan
 security-level 100
 ip address 
interface Ethernet0/2
 nameif dmz
 security-level 10
 ip address 
interface Ethernet0/3
 no nameif
 no security-level
 no ip address
interface Management0/0
 nameif management
 security-level 100
 ip address 
passwd 2KFQnsfdsfbNIdI.2KYOU encrypted
boot system disk0:/asa803-k8.bin
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns domain-lookup lan
dns server-group DefaultDNS
 domain-name NN.net
access-list wan_access_in extended permit icmp any any echo-reply 
access-list NNASA_splitTunnelAcl standard permit 
access-list lan_nat0_outbound extended permit ip 
access-list nonat extended permit ip any 
access-list wan_int extended permit tcp any host 195.x.x.35 eq smtp 
access-list dmz_int extended permit tcp host any eq smtp 
pager lines 24
logging enable
logging asdm informational
mtu management 1500
mtu lan 1500
mtu wan 1500
mtu dmz 1500
ip local pool VPN_POOL mask
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any management
icmp permit any lan
icmp permit any wan
asdm image disk0:/asdm-603.bin
no asdm history enable
arp timeout 14400
global (wan) 101 interface
nat (lan) 0 access-list nonat
nat (lan) 101
static (lan,dmz) netmask 
static (dmz,wan) 195.x.x.35 netmask 
access-group wan_int in interface wan
access-group dmz_int in interface dmz
route wan 195.x.x.33 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server NN_KERB protocol kerberos
aaa-server NN_KERB (lan) host
 timeout 5
 kerberos-realm NN.NET
http server enable
http lan
http management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs 
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map wan_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map wan_map interface wan
crypto isakmp enable wan
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet management
telnet lan
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address management
dhcpd enable management
vpn load-balancing 
 interface lbpublic lan
 interface lbprivate lan
threat-detection basic-threat
threat-detection statistics access-list
 enable wan
 csd image disk0:/securedesktop_asa-
 svc image disk0:/anyconnect-win-2.2.0133-k9.pkg 1
 svc enable
 tunnel-group-list enable
group-policy NNASA internal
group-policy NNASA attributes
 dns-server value
 vpn-tunnel-protocol IPSec svc webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value NNASA_splitTunnelAcl
 default-domain value NN.net
  url-list value NN
  svc ask enable
tunnel-group NNASA type remote-access
tunnel-group NNASA general-attributes
 address-pool VPN_POOL
 authentication-server-group NN_KERB
 default-group-policy NNASA
tunnel-group NNASA webvpn-attributes
 group-alias NN enable
tunnel-group NNASA ipsec-attributes
 pre-shared-key *
tunnel-group NN_SSLVPN type remote-access
tunnel-group NN_SSLVPN general-attributes
 address-pool VPN_POOL
 authentication-server-group NN_KERB
 default-group-policy NNASA
tunnel-group NN_SSLVPN webvpn-attributes
 group-alias NNS disable
class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
service-policy global_policy global
prompt hostname context 
: end



Okay, we have now managed to sort out a few things.

The only thing not possible right now is an smtp connection from the internet to the dmz mailserver. There seems to be something wrong with the external ip routing to the dmz ip...

We are able to connect to the mail server dmz ip via smtp from all other places than inside. How should we configure the device to allow for smtp connections from inside to the external ip?

We do have an ACL saying
object-group service DM_INLINE_SERVICE_2
 service-object icmp echo-reply
 service-object tcp eq smtp
access-list wan_int extended permit object-group DM_INLINE_SERVICE_2 any host 195.x.x.35

After several hours working on this the status is the same. We cannot get the external ip or domain to talk with our inside addresses.

We have routed our.mailserver.com to 195.x.x.35. Accessing our.mailserver.com from the web works perfectly, but from the inside not at all.
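An added example config, not from the thread or from Cisco's documentation, covering the two open items in the thread: two public IPs to one DMZ server on different ports, and inside hosts reaching the DMZ mail server by its public IP. It assumes a constructed DMZ subnet 192.168.10.0/24 with the server at 192.168.10.5, an inside subnet 10.0.0.0/16, the public IP 195.x.x.35 from the thread plus a placeholder 195.x.x.36, and the ASA 8.0(3) syntax and interface names (lan, dmz, wan) of the posted config.

```cisco
! Added example, not the thread's own config. Assumed values: DMZ subnet 192.168.10.0/24,
! DMZ server 192.168.10.5, inside subnet 10.0.0.0/16, public IPs 195.x.x.35 (mail/web,
! from the thread) and 195.x.x.36 (placeholder for the second site).
! ASA 8.0(3) syntax; interface names lan (100), dmz (10), wan (0) as in the posted config.

! --- Two public IPs, one DMZ server ---
! 195.x.x.35 is a full 1:1 static. The "dns" keyword makes "inspect dns" (already in
! global_policy) rewrite A-record answers for 195.x.x.35 to 192.168.10.5 as they cross
! the ASA, so inside clients that use an external resolver reach the server directly.
static (dmz,wan) 195.x.x.35 192.168.10.5 netmask 255.255.255.255 dns
! 195.x.x.36 forwards only TCP/80 to the second site listening on TCP/81 (static PAT);
! every other port on 195.x.x.36 stays closed.
static (dmz,wan) tcp 195.x.x.36 www 192.168.10.5 81 netmask 255.255.255.255

! Permit only the published services from the Internet, per public IP.
access-list wan_int extended permit tcp any host 195.x.x.35 eq smtp
access-list wan_int extended permit tcp any host 195.x.x.35 eq imap4
access-list wan_int extended permit tcp any host 195.x.x.35 eq www
access-list wan_int extended permit tcp any host 195.x.x.36 eq www
access-list wan_int extended permit icmp any any echo-reply
access-group wan_int in interface wan

! --- Inside hosts reaching the server by its public IP ---
! If inside clients resolve our.mailserver.com through an internal DNS that already
! returns 195.x.x.35, DNS doctoring never sees the answer. Translating the public
! address on the lan side sends lan -> 195.x.x.35 straight to the DMZ instead of
! out through wan and back in, which the ASA will not do without extra hairpin setup.
static (dmz,lan) 195.x.x.35 192.168.10.5 netmask 255.255.255.255
! Keep inside addresses untranslated toward the DMZ so the server logs real client IPs.
static (lan,dmz) 10.0.0.0 10.0.0.0 netmask 255.255.0.0

! lan (100) -> dmz (10) is permitted by default because no access-group is applied on
! lan. The dmz ACL filters only traffic entering from the dmz: let the server send
! outbound mail and resolve names, and nothing else toward lan or wan.
access-list dmz_int extended permit tcp host 192.168.10.5 any eq smtp
access-list dmz_int extended permit udp host 192.168.10.5 any eq domain
access-group dmz_int in interface dmz
```

After applying, "show xlate" should list the 195.x.x.35 translations on both wan and lan, and "packet-tracer input lan tcp 10.0.0.10 1025 195.x.x.35 25" should show the flow leaving via the dmz interface.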