

Configuring Cisco ASA 5510 to allow external access to internal web server

Posted on 2009-12-16
Medium Priority
Last Modified: 2012-05-08
I believe that the configuration to allow the traffic in is correct. However, I have an additional access rule that states 'outside-network/30 inside-network/24 http permit'. This just doesn't seem right since I created an additional protocol rule only for https traffic. Should I remove this rule, and will it affect other access if I do?

Thanks, Kevin
Question by: Carter_Machinery

Expert Comment

ID: 26064384
What port is the internal Web server listening on, is it 443 for SSL? The easiest way to do this, assuming you have no other external traffic needing to be routed on that port, would be to set up a NAT where all https traffic that hits the WAN IP address on the Cisco router is routed to the internal IP address of your web server.

Author Comment

ID: 26064679

I do have a NAT for the https traffic already set up. I am just concerned that I am letting traffic in that shouldn't be allowed with the rule mentioned above.

Thanks for the reply

Accepted Solution

Patmac951 earned 375 total points
ID: 26064812
Well, there is one way to find out... remove the rule, and if your phone starts to ring later with complaints, the rule is being used by other people and you can just add it back to the router. From my experience with my clients, many of the rules that look suspect are not used any longer and were set up for traffic that is no longer necessary. If it were me I would remove the rule and then wait and see what happens. Or you could monitor the router traffic to a syslog for a few days and see if you see any traffic that is utilizing that rule.

Expert Comment

ID: 26066406
As long as the rule is going to a specific host and not your whole /24 subnet, then you should be fine. The rule should look something like the following (ASA extended ACL syntax; a standard ACL cannot carry a protocol or port):
access-list accesslistname extended permit tcp any host insidenetworkhostip eq http

accesslistname is the access list applied to the outside interface
insidenetworkhostip is your www server.
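Two pieces of advice in this thread lend themselves to a small tool: the accepted answer suggests watching syslog for a few days to see whether the suspect /30-to-/24 http rule is actually matched, and the comment above says an inbound rule should target a single host rather than the whole /24. The script below is an added example, not code from this thread or from Cisco: it parses ASA extended ACEs out of a constructed config fragment, attributes constructed %ASA-6-106100 hit messages to the first matching ACE (as the ASA does), and flags any permit whose destination is wider than one host. The ACL name, addresses and log lines are placeholders; on a real ASA, 106100 messages are only produced for ACEs carrying the `log` keyword and only reach the collector if logging to a syslog host is enabled.

```python
import re
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network

# Constructed config fragment: the shape of the asker's two rules, with placeholder addresses.
ASA_CONFIG = """
access-list outside_access_in extended permit tcp 203.0.113.0 255.255.255.252 192.168.10.0 255.255.255.0 eq http
access-list outside_access_in extended permit tcp any host 192.168.10.20 eq https
"""

# Constructed syslog sample. 106100 lines are ACE hits; the 106023 deny is deliberately ignored.
ASA_SYSLOG = """
%ASA-6-106100: access-list outside_access_in permitted tcp outside/203.0.113.2(51234) -> inside/192.168.10.20(443) hit-cnt 1 first hit [0x1a2b3c4d, 0x0]
%ASA-6-106100: access-list outside_access_in permitted tcp outside/203.0.113.2(51240) -> inside/192.168.10.20(80) hit-cnt 3 300-second interval [0x5e6f7a8b, 0x0]
%ASA-6-106100: access-list outside_access_in permitted tcp outside/198.51.100.7(40000) -> inside/192.168.10.20(443) hit-cnt 1 first hit [0x1a2b3c4d, 0x0]
%ASA-6-106023: Deny tcp src outside:198.51.100.9/4444 dst inside:192.168.10.20/22 by access-group "outside_access_in" [0x0, 0x0]
"""

# ASA port literals we need to resolve to numbers (subset).
PORT_NAMES = {"http": 80, "www": 80, "https": 443, "ssh": 22}

ACE_RE = re.compile(
    r"^access-list (?P<acl>\S+) extended (?P<action>permit|deny) (?P<proto>tcp|udp) "
    r"(?P<src>any|host \S+|\S+ \S+) (?P<dst>any|host \S+|\S+ \S+) eq (?P<port>\S+)$"
)
HIT_RE = re.compile(
    r"%ASA-\d-106100: access-list (?P<acl>\S+) permitted (?P<proto>\S+) "
    r"\S+/(?P<src>[\d.]+)\(\d+\) -> \S+/(?P<dst>[\d.]+)\((?P<dport>\d+)\) hit-cnt (?P<cnt>\d+)"
)


@dataclass
class Ace:
    text: str
    acl: str
    proto: str
    src: IPv4Network
    dst: IPv4Network
    port: int
    hits: int = 0

    @property
    def dest_is_subnet(self) -> bool:
        # A destination wider than a single host is the kind of rule the asker is worried about.
        return self.dst.prefixlen < 32


def to_network(spec: str) -> IPv4Network:
    """Turn an ASA address argument (any / host X / X mask) into a network object."""
    if spec == "any":
        return ip_network("0.0.0.0/0")
    if spec.startswith("host "):
        return ip_network(spec.split()[1] + "/32")
    addr, mask = spec.split()
    return ip_network(f"{addr}/{mask}")  # ipaddress accepts dotted netmasks


def parse_aces(config: str) -> list[Ace]:
    """Collect the permit ACEs, in order, since the ASA evaluates them top-down."""
    aces = []
    for raw in config.splitlines():
        line = raw.strip()
        m = ACE_RE.match(line)
        if not m or m["action"] != "permit":
            continue
        port = PORT_NAMES.get(m["port"]) or int(m["port"])
        aces.append(Ace(line, m["acl"], m["proto"], to_network(m["src"]), to_network(m["dst"]), port))
    return aces


def attribute_hits(aces: list[Ace], syslog: str) -> list[Ace]:
    """Add each 106100 hit count to the first ACE whose tuple matches it."""
    for line in syslog.splitlines():
        m = HIT_RE.search(line)
        if not m:
            continue  # denies (106023) and unrelated messages are not ACE hits
        src, dst, dport = ip_address(m["src"]), ip_address(m["dst"]), int(m["dport"])
        for ace in aces:
            if (ace.acl == m["acl"] and ace.proto == m["proto"]
                    and src in ace.src and dst in ace.dst and dport == ace.port):
                ace.hits += int(m["cnt"])
                break
    return aces


def audit(config: str, syslog: str) -> list[dict]:
    """Per ACE: observed hit count and whether its destination is broader than one host."""
    aces = attribute_hits(parse_aces(config), syslog)
    return [{"ace": a.text, "hits": a.hits, "dest_is_subnet": a.dest_is_subnet} for a in aces]


if __name__ == "__main__":
    for row in audit(ASA_CONFIG, ASA_SYSLOG):
        flag = "  <- widen to whole subnet, tighten to host" if row["dest_is_subnet"] else ""
        print(f"{row['hits']:4d} hits  {row['ace']}{flag}")
```

Run it against a few days of collected syslog in place of the constructed sample: an ACE with zero hits over that window is a candidate for removal, and an ACE with hits but a subnet destination can be narrowed to the one host the logs show being reached, which answers the asker's question without the remove-and-wait-for-complaints approach.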

Author Closing Comment

ID: 31666870
Just removing rules and then seeing what the results might be can be dangerous.
