Solved

Configure DMZ for port 80

Posted on 2014-01-17
15
1,189 Views
Last Modified: 2014-01-21
Hello Pros,

I have this question.

I have created a DMZ that needs port 80 open, how can I do this?

I have a Cisco Firewall 5515x
Cisco Adaptive Security Appliance Software Version 8.6(1)2
Device Manager Version 6.6(1)
0
Comment
Question by:Katrach0
15 Comments
 
LVL 12

Expert Comment

by:Henk van Achterberg
ID: 39790383
I suggest you update to 9.1.4 and asdm 7.1.5-100.

Secondly from where do you need to be port 80 open. Do you have a spare external IP address or do you need to forward port 80 of the interface ip?

The config will be something like this:

object network dmz-server
 host 192.168.25.1
object service http
 service tcp destination eq http


nat (outside,dmz) source static any any destination static interface dmz-server service http http unidirectional no-proxy-arp

access-list dmz_access_in extended permit object http any object dmz-server
access-group dmz_access_in in interface dmz


0
 

Author Comment

by:Katrach0
ID: 39791561
Hello.

There's no way I can upgrade the IOS; it's in production. (I don't want to take any risks.) I'd like to do it with what I have.

I have spare IPs; I have 2 devices for that DMZ.
0
 
LVL 12

Accepted Solution

by:
Henk van Achterberg earned 500 total points
ID: 39792480
You can use this then:

object network dmz-server-1
 host 192.168.25.1
object network dmz-server-2
 host 192.168.25.2
object network wan-IP-1
 host 1.1.1.1
object network wan-IP-2
 host 1.1.1.2
object service http
 service tcp destination eq http

nat (outside,dmz) source static any any destination static wan-IP-1 dmz-server-1 service http http unidirectional no-proxy-arp
nat (outside,dmz) source static any any destination static wan-IP-2 dmz-server-2 service http http unidirectional no-proxy-arp

access-list dmz_access_in extended permit object http any object dmz-server-1
access-list dmz_access_in extended permit object http any object dmz-server-2
access-group dmz_access_in in interface dmz


0

 
LVL 5

Expert Comment

by:Feroz Ahmed
ID: 39796610
Hi,

Try this configuration on your ASA firewall, as below:

ASA(Config-t)#access-list 101 in interface dmz
ASA(Config-t)#access-list 101in interface ip any any port 80

This will open port 80 on the DMZ server.
0
 

Author Closing Comment

by:Katrach0
ID: 39796691
It worked with this command...

This is how it looks on the fwall.
ASA# sh run nat
object network obj-10.40.1.4
 nat (DMZ,outside) static 91.10.00.01
object network obj-10.40.1.5
 nat (DMZ,outside) static 91.10.11.22
object network obj-10.40.1.3
 nat (DMZ,outside) static 91.10.22.33
!

access-list outside_access_in extended permit tcp any host 10.40.1.3 eq www
access-list outside_access_in extended permit tcp any host 10.40.1.5 eq www
access-list outside_access_in extended permit tcp any host 10.40.1.4 eq www
0
 
LVL 12

Expert Comment

by:Henk van Achterberg
ID: 39796838
It works but now you have completely natted the external IP with the internal IP instead of just port 80.
0
 

Author Comment

by:Katrach0
ID: 39796861
Henk van Achterberg

"It works but now you have completely natted the external IP with the internal IP instead of just port 80."

I noticed it.
How do I change it?

Thanks.
0
 
LVL 12

Expert Comment

by:Henk van Achterberg
ID: 39796886
object network obj-10.40.1.3
 host 10.40.1.3
object network obj-10.40.1.4
 host 10.40.1.4
object network obj-10.40.1.5
 host 10.40.1.5
 
object network obj-91.10.00.01
 host 91.10.00.01
object network obj-91.10.11.22
 host 91.10.11.22
object network obj-91.10.22.33
 host 91.10.22.33
object service http
 service tcp destination eq http

nat (outside,dmz) source static any any destination static obj-91.10.22.33 obj-10.40.1.3 service http http unidirectional no-proxy-arp
nat (outside,dmz) source static any any destination static obj-91.10.00.01 obj-10.40.1.4 service http http unidirectional no-proxy-arp
nat (outside,dmz) source static any any destination static obj-91.10.11.22 obj-10.40.1.5 service http http unidirectional no-proxy-arp

access-list outside_access_in extended permit object http any object obj-10.40.1.3
access-list outside_access_in extended permit object http any object obj-10.40.1.4
access-list outside_access_in extended permit object http any object obj-10.40.1.5
0
 

Author Comment

by:Katrach0
ID: 39797079
When I typed this command,
nat (outside,dmz) source static any any destination static obj-91.10.22.33 obj-10.40.1.3 service http http unidirectional no-proxy-arp


I got this error:

nat (outside,dmz) source static any any destination static obj-91.10.22.33 obj
-10.40.1.3 service http http unidirectional no-proxy-arp
                                            ^
ERROR: % Invalid input detected at '^' marker.

Any ideas?
0
 
LVL 12

Expert Comment

by:Henk van Achterberg
ID: 39797088
try

object service NAT-http
 service tcp destination eq http

and

nat (outside,dmz) source static any any destination static obj-91.10.22.33 obj-10.40.1.3 service NAT-http NAT-http unidirectional no-proxy-arp
0
 

Author Comment

by:Katrach0
ID: 39797102
Now I got this:

ERROR: obj doesn't match an existing object or object-group

ASA(config)# $ NAT-http unidirectional no-proxy-arp
0
 
LVL 12

Expert Comment

by:Henk van Achterberg
ID: 39797108
I think you are going wrong somewhere with the object names. If the one-to-one NAT works you can keep it that way; otherwise you should check whether there aren't too many spaces.
0
 

Author Comment

by:Katrach0
ID: 39797137
I'm still trying to figure out NAT.

Why did you mention this? "It works but now you have completely natted the external IP with the internal IP instead of just port 80."
0
 
LVL 12

Expert Comment

by:Henk van Achterberg
ID: 39797143
When traffic is destined for the public IP address it is translated to the internal IP address.

When you want to open port 443 for example you now only need to make an entry in the access list as the NAT statement is now already present and works for all ports on that IP.
0
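The difference Henk is describing, between a one-to-one static NAT (every port of the public IP is translated to the DMZ host and only the interface ACL keeps ports closed) and a NAT rule restricted with `service http http` (ports other than 80 are never translated at all), can be seen in a small model of the ASA's inbound processing. The following Python is an added example, not code from the thread or from Cisco; it uses the thread's addresses (91.10.22.33 and 10.40.1.3) and assumes the simplified 8.3+ inbound order of "untranslate the destination, then apply the outside ACL to the real IP".

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class StaticNat:
    """Inbound static NAT public_ip -> real_ip.
    port=None models a one-to-one 'nat (DMZ,outside) static' rule (all ports);
    port=80 models the twice-NAT rule restricted with 'service http http'."""
    public_ip: str
    real_ip: str
    port: Optional[int] = None


@dataclass(frozen=True)
class AclEntry:
    """One outside_access_in permit. On ASA 8.3+ the ACL matches the real
    (untranslated) IP, which is why the thread's ACL names 10.40.1.x hosts."""
    real_ip: str
    port: int


def translate(rules: List[StaticNat], dst_ip: str, dst_port: int) -> Optional[str]:
    """Return the real IP the destination untranslates to, or None if no NAT rule matches."""
    for r in rules:
        if r.public_ip == dst_ip and (r.port is None or r.port == dst_port):
            return r.real_ip
    return None


def inbound_verdict(rules: List[StaticNat], acl: List[AclEntry],
                    dst_ip: str, dst_port: int) -> Tuple[Optional[str], str]:
    """Simplified inbound decision: NAT lookup first, then the interface ACL.
    Verdicts: 'permit', 'acl-deny' (translated but blocked by the ACL),
    'no-nat' (never translated, so the DMZ host is not reachable on that port)."""
    real = translate(rules, dst_ip, dst_port)
    if real is None:
        return None, "no-nat"
    if any(e.real_ip == real and e.port == dst_port for e in acl):
        return real, "permit"
    return real, "acl-deny"


def translated_ports(rules: List[StaticNat], public_ip: str, ports=range(1, 1025)) -> List[int]:
    """Ports of public_ip that reach the DMZ host at the NAT layer, regardless of the ACL.
    This is the exposure that differs between the two configurations."""
    return sorted(p for p in ports if translate(rules, public_ip, p) is not None)


# The two configurations discussed in the thread (constructed from its addresses).
ONE_TO_ONE = [StaticNat("91.10.22.33", "10.40.1.3")]        # object NAT: nat (DMZ,outside) static 91.10.22.33
PORT_80_ONLY = [StaticNat("91.10.22.33", "10.40.1.3", 80)]  # twice NAT: ... service http http unidirectional
ACL_HTTP = [AclEntry("10.40.1.3", 80)]                      # permit tcp any host 10.40.1.3 eq www


if __name__ == "__main__":
    for name, rules in (("one-to-one", ONE_TO_ONE), ("port 80 only", PORT_80_ONLY)):
        print(name, "-> port 80:", inbound_verdict(rules, ACL_HTTP, "91.10.22.33", 80),
              "port 443:", inbound_verdict(rules, ACL_HTTP, "91.10.22.33", 443),
              "ports translated:", len(translated_ports(rules, "91.10.22.33")))
```

With the one-to-one rule, port 443 is translated and only the ACL stops it, so opening 443 later is a single ACL line, which is exactly the convenience Henk mentions; with the port-restricted rule, 443 is never translated, so a mistaken ACL permit on its own exposes nothing, at the cost of adding a NAT rule for each new service.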
 

Author Comment

by:Katrach0
ID: 39797177
I used this:

capture capo type raw-data access-list capo interface outside
ASA# sh cap capo

And it got me this:

331: 10:20:14.658733 MYHOMEIP.34885 > 91.10.22.33.80: S 2255167670:2255167670(0) win 8192 <mss 1260,nop,nop,sackOK>
332: 50:10:20.491235  MYHOMEIP.39058 > 91.10.22.33.80: S 882175291:882175291(0) win 8192 <mss 1260,nop,nop,sackOK>
333: 10:20:20.661327 MYHOMEIP.34885 > 91.10.22.33.80: S 2255167670:2255167670(0) win 8192 <mss 1260,nop,nop,sackOK>
0
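The capture above shows only client SYNs toward 91.10.22.33:80, and packets 331 and 333 carry the same sequence number, which is a retransmitted SYN: the outside interface sees the request but no SYN-ACK ever comes back from the DMZ host, so the problem is behind the firewall's outside interface (NAT, ACL, routing or the server itself). The following Python, an added example that is not part of the thread, parses tcpdump-style `show capture` lines and reports each client flow with its SYN retransmissions and whether a SYN-ACK was observed. The line format it expects is the one printed above; the sample capture is constructed and adds a port 443 flow that does get answered, for contrast.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Matches lines such as:
#   331: 10:20:14.658733 MYHOMEIP.34885 > 91.10.22.33.80: S 2255167670:2255167670(0) win 8192 <...>
#   333: 10:20:17.491980 91.10.22.33.443 > MYHOMEIP.39058: S 4011223344:4011223344(0) ack 882175292 win 29200 <...>
LINE_RE = re.compile(
    r"^\s*(?P<idx>\d+):\s+(?P<ts>\S+)\s+"
    r"(?P<src>[\w.-]+)\.(?P<sport>\d+)\s+>\s+(?P<dst>[\w.-]+)\.(?P<dport>\d+):\s+"
    r"(?P<flags>[SFRP.]+)"
    r"(?:\s+(?P<seq>\d+):\d+\(\d+\))?"
    r"(?:\s+ack\s+(?P<ack>\d+))?"
)

Flow = Tuple[str, int, str, int]  # (client_ip, client_port, server_ip, server_port)


def parse_line(line: str) -> Optional[dict]:
    """Parse one capture line into its fields, or None if the line is not a TCP record."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    return {
        "src": d["src"], "sport": int(d["sport"]),
        "dst": d["dst"], "dport": int(d["dport"]),
        "flags": d["flags"],
        "seq": int(d["seq"]) if d["seq"] else None,
        "ack": int(d["ack"]) if d["ack"] else None,
    }


def analyze_handshakes(lines: List[str]) -> Dict[Flow, dict]:
    """For every client-initiated flow, count SYNs, SYN retransmissions
    (repeated sequence number) and whether a SYN-ACK came back."""
    syns: Dict[Flow, List[int]] = defaultdict(list)
    answered = set()
    for line in lines:
        p = parse_line(line)
        if p is None or "S" not in p["flags"]:
            continue  # only SYN and SYN-ACK records matter for handshake analysis
        if p["ack"] is None:
            # A plain SYN: client -> server.
            syns[(p["src"], p["sport"], p["dst"], p["dport"])].append(p["seq"])
        else:
            # A SYN-ACK: server -> client; key it by the client's flow so it matches the SYN.
            answered.add((p["dst"], p["dport"], p["src"], p["sport"]))
    return {
        flow: {
            "syn_count": len(seqs),
            "retransmits": len(seqs) - len(set(seqs)),
            "answered": flow in answered,
        }
        for flow, seqs in syns.items()
    }


def unanswered_flows(lines: List[str]) -> List[Flow]:
    """Flows whose SYNs were never answered: the ones to investigate on the inside."""
    return sorted(f for f, r in analyze_handshakes(lines).items() if not r["answered"])


# Constructed sample: the two port 80 SYNs mirror the thread's capture (same sequence number,
# no reply); the port 443 exchange is invented to show an answered handshake.
SAMPLE_CAPTURE = """
331: 10:20:14.658733 MYHOMEIP.34885 > 91.10.22.33.80: S 2255167670:2255167670(0) win 8192 <mss 1260,nop,nop,sackOK>
332: 10:20:17.491235 MYHOMEIP.39058 > 91.10.22.33.443: S 882175291:882175291(0) win 8192 <mss 1260,nop,nop,sackOK>
333: 10:20:17.491980 91.10.22.33.443 > MYHOMEIP.39058: S 4011223344:4011223344(0) ack 882175292 win 29200 <mss 1460>
334: 10:20:20.661327 MYHOMEIP.34885 > 91.10.22.33.80: S 2255167670:2255167670(0) win 8192 <mss 1260,nop,nop,sackOK>
""".strip().splitlines()


if __name__ == "__main__":
    for flow, report in analyze_handshakes(SAMPLE_CAPTURE).items():
        print(flow, report)
    print("unanswered:", unanswered_flows(SAMPLE_CAPTURE))
```

A flow that is listed as unanswered on the outside capture is the cue to take a second capture on the DMZ interface: if the SYN shows up there with the translated destination, NAT and the ACL are doing their job and the server or its default gateway is the next thing to check; if it does not, the NAT or ACL is the problem.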
