Configuring Cisco ASA 5510 to allow external access to internal web server

Posted on 2009-12-16
Last Modified: 2012-05-08
I believe that the configuration to allow the traffic in is correct. However, I have an additional access rule that states 'outside-network/30 inside-network/24 http permit'. This just doesn't seem right since I created an additional protocol rule only for https traffic. Should I remove this rule, and will it affect other access if I do?

Thanks, Kevin
Question by: Carter_Machinery

    Expert Comment

    What port is the internal Web server listening on, is it 443 for SSL?  The easiest way to do this, assuming you have no other external traffic needing to be routed on that port, would be to set up a NAT where all https traffic that hits the WAN IP address on your Cisco router is routed to the internal IP address of your web server.

    Author Comment


    I do have a NAT for the https traffic already setup. I am just concerned that I am letting traffic in that shouldn't be allowed with the rule mentioned above.

    Thanks for the reply

    Accepted Solution

    Well there is one way to find out...remove the rule, and if your phone starts to ring later with complaints, the rule is being used by other people and you can just add it back to the router.  From my experience with my clients....many of the rules that look suspect are not used any longer and were set up for traffic that is no longer necessary.  If it were me I would remove the rule and then wait and see what happens.  Or you could monitor the router traffic to a syslog for a few days and see if you see any traffic that is utilizing that rule.

    Expert Comment

    As long as the rule is going to a specific host and not your whole /24 subnet, then you should be fine.  The rule should look something like this (on the ASA a rule that names a protocol and port has to be an extended access list; a standard access list only matches on destination address):
    access-list accesslistname extended permit tcp any host insidenetworkhostip eq http

    accesslistname is the access list applied to the outside interface
    insidenetworkhostip is your www server.
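    The following is an added example and not configuration posted in this thread. It puts the rule shape from the comment above next to the broad rule the question describes, and adds the two checks the accepted solution hints at (ACE logging and hit counters) so the suspect rule can be judged before it is deleted. Everything in it is assumed: the addresses 203.0.113.10 (public, mapped) and 192.168.1.10 (inside web server), the 203.0.113.8/30 outside link, the ACL name outside_access_in, and pre-8.3 ASA syntax (2009-era 8.2), in which an inbound ACL matches the translated public address rather than the inside address. On 8.3 and later the NAT command differs and the ACL would reference 192.168.1.10 directly.

```cisco
! Added example, not part of the original thread. Addresses, names and
! the ASA 8.2 (pre-8.3) syntax are assumptions; on 8.3+ the NAT is an
! object NAT and the ACL matches the real (inside) address instead.

! Static NAT that exposes only tcp/443 of the inside web server.
static (inside,outside) tcp 203.0.113.10 443 192.168.1.10 443 netmask 255.255.255.255

! A rule of the shape described in the question: http from the outside /30
! to the whole inside /24. That is a subnet-to-subnet permit, far wider than
! the one server and one port the NAT exposes. Before deleting it, add 'log'
! so every new match produces a %ASA-6-106100 syslog message, then watch the
! syslog and the hit counter for a few days.
access-list outside_access_in extended permit tcp 203.0.113.8 255.255.255.252 192.168.1.0 255.255.255.0 eq http log

! The rule that is actually needed: one host, one port, logged as well.
access-list outside_access_in extended permit tcp any host 203.0.113.10 eq https log

! The ACL must be bound inbound on the outside interface to take effect.
access-group outside_access_in in interface outside

! Checks (exec mode): per-ACE hit counters ("hitcnt=") and the inbound
! connections currently built to the web server.
! show access-list outside_access_in
! show conn address 192.168.1.10

! Once the broad rule has shown no hits, remove it with 'no' in front of
! the exact ACE text.
no access-list outside_access_in extended permit tcp 203.0.113.8 255.255.255.252 192.168.1.0 255.255.255.0 eq http log
```

    Logging every match of a permit rule is the same trick the accepted solution describes in general terms, but it is scoped to the one ACE under suspicion, so the syslog server only sees the traffic that the questionable rule is letting through. A hit count that stays at zero while the https rule's counter climbs is the evidence that the broad rule can go.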

    Author Closing Comment

    Just removing rules and then seeing what the results might be can be dangerous.
