Solved

Configure DMZ for port 80

Posted on 2014-01-17
Last Modified: 2014-01-21
Hello Pros,

I have this question.

I have created a DMZ that needs port 80 open. How can I do this?

I have a Cisco Firewall 5515x
Cisco Adaptive Security Appliance Software Version 8.6(1)2
Device Manager Version 6.6(1)
Question by:Katrach0
15 Comments
 
LVL 12

Expert Comment

by:Henk van Achterberg
ID: 39790383
I suggest you update to 9.1.4 and ASDM 7.1.5-100.

Secondly, from where do you need port 80 to be open? Do you have a spare external IP address, or do you need to forward port 80 of the interface IP?

The config will be something like this:

object network dmz-server
 host 192.168.25.1
object service http
 service tcp destination eq http

nat (outside,dmz) source static any any destination static interface dmz-server service http http unidirectional no-proxy-arp

! the ACL is applied inbound on the outside interface, where traffic from the Internet enters the ASA
access-list outside_access_in extended permit object http any object dmz-server
access-group outside_access_in in interface outside

 

Author Comment

by:Katrach0
ID: 39791561
Hello.

There's no way I can upgrade the IOS; it's in production (I don't want to take any risks). I'd like to do it with what I have.

I have spare IPs; I have 2 devices for that DMZ.
 
LVL 12

Accepted Solution

by:
Henk van Achterberg earned 500 total points
ID: 39792480
You can use this then:

object network dmz-server-1
 host 192.168.25.1
object network dmz-server-2
 host 192.168.25.2
object network wan-IP-1
 host 1.1.1.1
object network wan-IP-2
 host 1.1.1.2
object service http
 service tcp destination eq http

nat (outside,dmz) source static any any destination static wan-IP-1 dmz-server-1 service http http unidirectional no-proxy-arp
nat (outside,dmz) source static any any destination static wan-IP-2 dmz-server-2 service http http unidirectional no-proxy-arp

! the ACL is applied inbound on the outside interface, where traffic from the Internet enters the ASA
access-list outside_access_in extended permit object http any object dmz-server-1
access-list outside_access_in extended permit object http any object dmz-server-2
access-group outside_access_in in interface outside


 
LVL 5

Expert Comment

by:Feroz Ahmed
ID: 39796610
Hi,

Try this configuration on your ASA firewall, as below:

! permit TCP/80 from any source, applied inbound on the outside interface (a NAT for the server is still needed)
ASA(config)# access-list 101 extended permit tcp any any eq 80
ASA(config)# access-group 101 in interface outside

This will open port 80 on the DMZ server.
 

Author Closing Comment

by:Katrach0
ID: 39796691
It worked with this command...

This is how it looks on the firewall.
ASA# sh run nat
object network obj-10.40.1.4
 nat (DMZ,outside) static 91.10.00.01
object network obj-10.40.1.5
 nat (DMZ,outside) static 91.10.11.22
object network obj-10.40.1.3
 nat (DMZ,outside) static 91.10.22.33
!

access-list outside_access_in extended permit tcp any host 10.40.1.3 eq www
access-list outside_access_in extended permit tcp any host 10.40.1.5 eq www
access-list outside_access_in extended permit tcp any host 10.40.1.4 eq www
 
LVL 12

Expert Comment

by:Henk van Achterberg
ID: 39796838
It works, but now you have completely natted the external IP with the internal IP instead of just port 80.
 

Author Comment

by:Katrach0
ID: 39796861
Henk van Achterberg

"It works but now you have completely natted the external IP with the internal IP instead of just port 80."

I noticed it.
How do I change it?

Thanks.
 
LVL 12

Expert Comment

by:Henk van Achterberg
ID: 39796886
! first remove the one-to-one translations from these three objects
! ("no nat (DMZ,outside) static ..."), otherwise every port stays translated
object network obj-10.40.1.3
 host 10.40.1.3
object network obj-10.40.1.4
 host 10.40.1.4
object network obj-10.40.1.5
 host 10.40.1.5

object network obj-91.10.00.01
 host 91.10.00.01
object network obj-91.10.11.22
 host 91.10.11.22
object network obj-91.10.22.33
 host 91.10.22.33
object service http
 service tcp destination eq http

nat (outside,dmz) source static any any destination static obj-91.10.22.33 obj-10.40.1.3 service http http unidirectional no-proxy-arp
nat (outside,dmz) source static any any destination static obj-91.10.00.01 obj-10.40.1.4 service http http unidirectional no-proxy-arp
nat (outside,dmz) source static any any destination static obj-91.10.11.22 obj-10.40.1.5 service http http unidirectional no-proxy-arp

access-list outside_access_in extended permit object http any object obj-10.40.1.3
access-list outside_access_in extended permit object http any object obj-10.40.1.4
access-list outside_access_in extended permit object http any object obj-10.40.1.5
 

Author Comment

by:Katrach0
ID: 39797079
When I typed this command,
nat (outside,dmz) source static any any destination static obj-91.10.22.33 obj-10.40.1.3 service http http unidirectional no-proxy-arp


I got this error:

nat (outside,dmz) source static any any destination static obj-91.10.22.33 obj
-10.40.1.3 service http http unidirectional no-proxy-arp
                                            ^
ERROR: % Invalid input detected at '^' marker.

Any ideas?
 
LVL 12

Expert Comment

by:Henk van Achterberg
ID: 39797088
Try

object service NAT-http
 service tcp destination eq http

and

nat (outside,dmz) source static any any destination static obj-91.10.22.33 obj-10.40.1.3 service NAT-http NAT-http unidirectional no-proxy-arp
 

Author Comment

by:Katrach0
ID: 39797102
Now I got this:

ERROR: obj doesn't match an existing object or object-group

ASA(config)# $ NAT-http unidirectional no-proxy-arp
 
LVL 12

Expert Comment

by:Henk van Achterberg
ID: 39797108
I think you are going wrong somewhere with the object names. If the one-to-one NAT works you can keep it that way; otherwise you should check that there aren't too many spaces.
 

Author Comment

by:Katrach0
ID: 39797137
I'm still trying to figure out NAT.

Why did you mention this? "It works but now you have completely natted the external IP with the internal IP instead of just port 80."
 
LVL 12

Expert Comment

by:Henk van Achterberg
ID: 39797143
When traffic is destined for the public IP address, it is translated to the internal IP address.

When you want to open port 443 for example you now only need to make an entry in the access list as the NAT statement is now already present and works for all ports on that IP.
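An added audit script, not from the thread or from Cisco: it parses the object NAT and outside ACL lines of a constructed config modelled on the asker's sh run nat output and reports, per static translation, whether all ports or a single service are translated next to what the ACL permits to that host. The `service tcp www www` form on one of the sample objects is object NAT's own way of restricting a static to one port, the object-NAT counterpart of the twice NAT posted above; the regexes cover only the line forms seen in this thread.

```python
import re

# Constructed sample modelled on the asker's "sh run nat" output (not their real
# config): 10.40.1.5 has a port-restricted static NAT, the other two hosts are
# full one-to-one translations, and the outside ACL permits only www to each.
SAMPLE_CONFIG = """\
object network obj-10.40.1.4
 host 10.40.1.4
 nat (DMZ,outside) static 91.10.00.01
object network obj-10.40.1.5
 host 10.40.1.5
 nat (DMZ,outside) static 91.10.11.22 service tcp www www
object network obj-10.40.1.3
 host 10.40.1.3
 nat (DMZ,outside) static 91.10.22.33
!
access-list outside_access_in extended permit tcp any host 10.40.1.3 eq www
access-list outside_access_in extended permit tcp any host 10.40.1.5 eq www
access-list outside_access_in extended permit tcp any host 10.40.1.4 eq www
"""

OBJ_RE = re.compile(r"^object network (\S+)$")
HOST_RE = re.compile(r"^ host (\S+)$")
NAT_RE = re.compile(r"^ nat \((\S+),(\S+)\) static (\S+)(?: service (tcp|udp) (\S+) (\S+))?$")
ACL_RE = re.compile(r"^access-list \S+ extended permit (tcp|udp) any host (\S+) eq (\S+)$")

def parse_config(config):
    """Return ({object: {host, mapped_ip, service}}, {real host: {proto/port permitted}})."""
    objects, acl, current = {}, {}, None
    for line in config.splitlines():
        if m := OBJ_RE.match(line):
            current = m.group(1)
            objects[current] = {"host": None, "mapped_ip": None, "service": None}
        elif (m := HOST_RE.match(line)) and current:
            objects[current]["host"] = m.group(1)
        elif (m := NAT_RE.match(line)) and current:
            objects[current]["mapped_ip"] = m.group(3)
            # service stays None when every port of the public IP is translated
            objects[current]["service"] = f"{m.group(4)}/{m.group(6)}" if m.group(4) else None
        elif m := ACL_RE.match(line):
            acl.setdefault(m.group(2), set()).add(f"{m.group(1)}/{m.group(3)}")
    return objects, acl

def audit_static_nats(config):
    """One (object, public IP, ports translated, ports the ACL permits) per static NAT.
    'all ports' means the ACL is the only thing keeping other services closed."""
    objects, acl = parse_config(config)
    return [(name, o["mapped_ip"], o["service"] or "all ports", sorted(acl.get(o["host"], ())))
            for name, o in objects.items() if o["mapped_ip"]]
```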
 

Author Comment

by:Katrach0
ID: 39797177
I used this:

capture capo type raw-data access-list capo interface outside
ASA# sh cap capo

And it got me this:

331: 10:20:14.658733 MYHOMEIP.34885 > 91.10.22.33.80: S 2255167670:2255167670(0) win 8192 <mss 1260,nop,nop,sackOK>
332: 50:10:20.491235 MYHOMEIP.39058 > 91.10.22.33.80: S 882175291:882175291(0) win 8192 <mss 1260,nop,nop,sackOK>
333: 10:20:20.661327 MYHOMEIP.34885 > 91.10.22.33.80: S 2255167670:2255167670(0) win 8192 <mss 1260,nop,nop,sackOK>
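An added diagnostic, not part of the thread, for reading a capture like the one above: it parses show capture lines (a constructed sample in the same format, plus one constructed SYN/ACK to show the answered case) and lists the client sockets whose SYNs were never answered from the server side. Two SYNs with the same sequence number and no SYN/ACK, as in the capture above, mean the connection is being dropped by the translation, the ACL or the server itself rather than by the client.

```python
import re
from collections import defaultdict

# Constructed lines in the format of ASA "show capture" output, modelled on the
# thread's capture (not the asker's real traffic): three client SYNs, two of them
# retransmissions of the same ISN on source port 34885, and no reply at all.
SAMPLE_CAPTURE = """\
331: 10:20:14.658733 MYHOMEIP.34885 > 91.10.22.33.80: S 2255167670:2255167670(0) win 8192 <mss 1260,nop,nop,sackOK>
332: 10:20:17.491235 MYHOMEIP.39058 > 91.10.22.33.80: S 882175291:882175291(0) win 8192 <mss 1260,nop,nop,sackOK>
333: 10:20:20.661327 MYHOMEIP.34885 > 91.10.22.33.80: S 2255167670:2255167670(0) win 8192 <mss 1260,nop,nop,sackOK>
"""

# Constructed SYN/ACK in the same format, to show what an answered handshake looks like.
SAMPLE_REPLY = "334: 10:20:20.661900 91.10.22.33.80 > MYHOMEIP.34885: S 100:100(0) ack 2255167671 win 8192 <mss 1460>\n"

PKT_RE = re.compile(r"^\s*(\d+): (\S+) (\S+)\.(\d+) > (\S+)\.(\d+): (\S+) ")

def parse_capture(text):
    """Return one dict per packet: src/sport, dst/dport and the TCP flag field."""
    pkts = []
    for line in text.splitlines():
        if m := PKT_RE.match(line):
            pkts.append({"no": int(m.group(1)), "src": m.group(3), "sport": int(m.group(4)),
                         "dst": m.group(5), "dport": int(m.group(6)), "flags": m.group(7)})
    return pkts

def unanswered_syns(text):
    """Map (client, cport, server, sport) -> number of SYNs seen, keeping only the
    sockets for which the capture contains no packet back from the server side.
    A count above 1 with no reply means the SYN was retransmitted and never answered."""
    syns, seen_reverse = defaultdict(int), set()
    for p in parse_capture(text):
        if p["flags"] == "S":
            syns[(p["src"], p["sport"], p["dst"], p["dport"])] += 1
        # record every packet as seen from the other side so a reply cancels the SYN
        seen_reverse.add((p["dst"], p["dport"], p["src"], p["sport"]))
    return {sock: n for sock, n in syns.items() if sock not in seen_reverse}
```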
