nebb-alx asked:

How to run websites behind a Cisco ASA?

How should one run websites behind a Cisco ASA? Or should we not? Is it better to place it in parallel with the ASA (attached to the same switch) or behind the ASA?

We have a range of external IPs, so if it is possible we would like to use separate IPs for some of the services. Say, the mail server. It must be accessible on smtp, imap and http - preferably via its own IP.

Any suggestions?
Cisco, Routers, Network Operations

Last comment: nebb-alx (8/22/2022 - Mon)
JFrederick29

You can setup a "DMZ" or third interface on the Firewall so the server is not directly accessible from the Internet but also not located on the Internet network.  NAT and access-list configuration is all that is needed at that point.
clearacid

Just adding onto what JFrederick mentioned -

DMZ is usually the case.  Personally I try not to expose a server or appliance directly on the internet without any type of control mechanism in place.

If you put the server on the DMZ off of the ASA you control access in and out of that server. Also - if you have an IPS or IDS license with the ASA5510 it will provide a more granular protection scheme for that server.

So anyways - put the server on the dmz then NAT out an available public IP - then open up port 80 on the dmz to your server.

nebb-alx

ASKER
Can you give me a code example?

Say my server is on 192.168.1.10, my asa on 192.168.1.1 and 10.0.0.1, the latter being on the Internet range.

I would like to place the server on a dmz and make port 80 available from the Internet on 10.0.0.2, but the server might host other services that should be available to the inside network.
ASKER CERTIFIED SOLUTION
JFrederick29

THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
nebb-alx

ASKER
I have not been able to try your suggestion yet. Will do that over the weekend!
nebb-alx

ASKER
Should the DMZ have its own subnet?
JFrederick29

Yes, the DMZ should have its own subnet.
nebb-alx

ASKER
We are currently working on this just now.

Is it possible to have two external (outside) addresses pointing to the same dmz server?

10.0.0.11 pointing to 192.168.0.10
10.0.0.12 pointing to 192.168.0.10

We run two web services on the 192.168.0.10 machine and they are configured on, say, port 80 and 81. We would like to route traffic from 10.0.0.11:80 to 192.168.0.10:80 and 10.0.0.12:80 to 192.168.0.10:81.
nebb-alx

ASKER
We are currently in a situation where we are able to ping the ASA from a server inside the DMZ. That's it.

We have followed the Cisco example above and adapted it to our setup. We have tried pinging from the LAN (inside) to the DMZ server and from the DMZ to the LAN. We have also tried an smtp connection (telnet extip 25) without success...
Result of the command: "show running-config"

: Saved
:
ASA Version 8.0(3) 
!
hostname gw01asa
domain-name NN.net
enable password 57KWdsfffEfeqojqh2mBM encrypted
names
!
interface Ethernet0/0
 nameif wan
 security-level 0
 ip address 195.x.x.34 255.255.255.224 
!
interface Ethernet0/1
 nameif lan
 security-level 100
 ip address 192.168.50.29 255.255.255.0 
!
interface Ethernet0/2
 nameif dmz
 security-level 10
 ip address 192.168.200.1 255.255.255.0 
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0 
 management-only
!
passwd 2KFQnsfdsfbNIdI.2KYOU encrypted
boot system disk0:/asa803-k8.bin
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns domain-lookup lan
dns server-group DefaultDNS
 name-server 192.168.50.2
 name-server 192.168.50.4
 domain-name NN.net
access-list wan_access_in extended permit icmp any any echo-reply 
access-list NNASA_splitTunnelAcl standard permit 192.168.50.0 255.255.255.0 
access-list lan_nat0_outbound extended permit ip 192.168.50.0 255.255.255.0 192.168.100.0 255.255.255.0 
access-list nonat extended permit ip any 192.168.100.0 255.255.255.0 
access-list wan_int extended permit tcp any host 195.x.x.35 eq smtp 
access-list dmz_int extended permit tcp host 192.168.200.10 any eq smtp 
pager lines 24
logging enable
logging asdm informational
mtu management 1500
mtu lan 1500
mtu wan 1500
mtu dmz 1500
ip local pool VPN_POOL 192.168.100.100-192.168.100.254 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any management
icmp permit any lan
icmp permit any wan
asdm image disk0:/asdm-603.bin
no asdm history enable
arp timeout 14400
global (wan) 101 interface
nat (lan) 0 access-list nonat
nat (lan) 101 0.0.0.0 0.0.0.0
static (lan,dmz) 192.168.50.0 192.168.50.0 netmask 255.255.255.0 
static (dmz,wan) 195.x.x.35 192.168.200.10 netmask 255.255.255.255 
access-group wan_int in interface wan
access-group dmz_int in interface dmz
route wan 0.0.0.0 0.0.0.0 195.x.x.33 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server NN_KERB protocol kerberos
aaa-server NN_KERB (lan) host 192.168.50.2
 timeout 5
 kerberos-realm NN.NET
http server enable
http 192.168.50.0 255.255.255.0 lan
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs 
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map wan_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map wan_map interface wan
crypto isakmp enable wan
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet 192.168.1.0 255.255.255.0 management
telnet 192.168.50.0 255.255.255.0 lan
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
vpn load-balancing 
 interface lbpublic lan
 interface lbprivate lan
threat-detection basic-threat
threat-detection statistics access-list
webvpn
 enable wan
 csd image disk0:/securedesktop_asa-3.3.0.118-k9.pkg
 svc image disk0:/anyconnect-win-2.2.0133-k9.pkg 1
 svc enable
 tunnel-group-list enable
group-policy NNASA internal
group-policy NNASA attributes
 dns-server value 192.168.50.2 192.168.50.4
 vpn-tunnel-protocol IPSec svc webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value NNASA_splitTunnelAcl
 default-domain value NN.net
 webvpn
  url-list value NN
  svc ask enable
tunnel-group NNASA type remote-access
tunnel-group NNASA general-attributes
 address-pool VPN_POOL
 authentication-server-group NN_KERB
 default-group-policy NNASA
tunnel-group NNASA webvpn-attributes
 group-alias NN enable
tunnel-group NNASA ipsec-attributes
 pre-shared-key *
tunnel-group NN_SSLVPN type remote-access
tunnel-group NN_SSLVPN general-attributes
 address-pool VPN_POOL
 authentication-server-group NN_KERB
 default-group-policy NNASA
tunnel-group NN_SSLVPN webvpn-attributes
 group-alias NNS disable
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
!
service-policy global_policy global
prompt hostname context 
Cryptochecksum:e22c4d5bcdb9ed6c1e6ec3b60a1a70d7
: end


nebb-alx

ASKER
Okay, we have now managed to sort out a few things.

The only thing not possible right now is an smtp connection from the internet to the dmz mailserver. There seems to be something wrong with the external ip routing to the dmz ip...
nebb-alx

ASKER
We are able to connect to the mail server dmz ip via smtp from all other places than inside. How should we configure the device to allow for smtp connections from inside to the external ip?

We do have an ACL saying
object-group service DM_INLINE_SERVICE_2
 service-object icmp echo-reply
 service-object tcp eq smtp
access-list wan_int extended permit object-group DM_INLINE_SERVICE_2 any host 195.x.x.35
nebb-alx

ASKER
After several hours working on this the status is the same. We cannot get the external ip or domain to talk with our inside addresses.

We have routed our.mailserver.com to 195.x.x.35. Accessing our.mailserver.com from the web works perfectly, but from the inside not at all.
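The three things asked for in this thread (a DMZ server published on its own public IP, two public IPs port-redirected to one DMZ host, and inside hosts reaching the server by its public name) can all be expressed in one ASA configuration. The block below is an added example written for this page; it is not the accepted solution, not the asker's final config and not a verbatim Cisco document. It uses the ASA 8.0-era NAT syntax to match the "ASA Version 8.0(3)" running-config pasted above (the `nat`/`static` commands were replaced by object NAT in 8.3 and later, so it does not apply unchanged to newer code). Addressing follows the asker's own placeholders rather than the real public range: lan 192.168.1.0/24, dmz 192.168.0.0/24 with the mail/web server at 192.168.0.10, and 10.0.0.0/24 standing in for the external IP block.

```cisco
! Added example for this thread, not the asker's or JFrederick29's configuration.
! Assumed addressing (asker's placeholders): lan 192.168.1.0/24, dmz 192.168.0.0/24,
! wan 10.0.0.0/24 standing in for the public range, server 192.168.0.10 on the dmz.
!
! Third interface with its own subnet and a security level between wan (0) and lan (100).
interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 192.168.0.1 255.255.255.0
!
! Identity NAT for lan -> dmz so inside hosts reach the server by its real address
! and are not hidden behind the wan PAT address when they talk to the dmz.
static (lan,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
!
! One public IP (10.0.0.2) mapped one-to-one to the mail server. The "dns" keyword makes
! the ASA rewrite A records in DNS replies that pass through it (requires "inspect dns",
! which the pasted global_policy already has): an inside host resolving our.mailserver.com
! receives 192.168.0.10 instead of 10.0.0.2 and connects straight to the dmz, which is the
! "works from everywhere except inside" symptom in the last post.
static (dmz,wan) 10.0.0.2 192.168.0.10 netmask 255.255.255.255 dns
!
! Two public IPs for two web services on the same host: 10.0.0.11:80 -> 192.168.0.10:80
! and 10.0.0.12:80 -> 192.168.0.10:81 (static PAT, one line per published port).
static (dmz,wan) tcp 10.0.0.11 www 192.168.0.10 www netmask 255.255.255.255
static (dmz,wan) tcp 10.0.0.12 www 192.168.0.10 81 netmask 255.255.255.255
!
! Inbound policy: only the published services are reachable from the Internet; everything
! else is dropped by the implicit deny at the end of the list. Pre-8.3 ACLs are written
! against the public (translated) addresses, not the dmz addresses.
access-list wan_int extended permit tcp any host 10.0.0.2 eq smtp
access-list wan_int extended permit tcp any host 10.0.0.11 eq www
access-list wan_int extended permit tcp any host 10.0.0.12 eq www
access-group wan_int in interface wan
!
! Outbound policy from the dmz: the server must never initiate connections into the lan
! (a compromised web host should not get a free path to the inside), but it may deliver
! mail and resolve names. Return traffic for lan -> dmz sessions is allowed statefully.
access-list dmz_int extended deny ip any 192.168.1.0 255.255.255.0
access-list dmz_int extended permit tcp host 192.168.0.10 any eq smtp
access-list dmz_int extended permit udp host 192.168.0.10 any eq domain
access-group dmz_int in interface dmz
```

Two points worth checking after applying something like this: `show xlate` should list the 10.0.0.2 and 10.0.0.11/12 translations once traffic has hit them, and `packet-tracer input wan tcp 203.0.113.5 1025 10.0.0.2 25` will show whether the static and `wan_int` are matched in the order expected (203.0.113.5 is a documentation address used here only as a made-up source). If inside clients do not resolve names through the firewall (for example they use an internal DNS server that returns the public address from its own zone), DNS rewriting does nothing for them; in that case a second static facing the lan, `static (dmz,lan) 10.0.0.2 192.168.0.10 netmask 255.255.255.255`, lets lan hosts connect to the public address and have the ASA translate it to the dmz host instead. Either way, the running-config pasted above has no dmz-facing rule that presents 195.x.x.35 to the lan, which is consistent with the symptom described.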