
Configure DMZ for port 80

Posted on 2014-01-17
Last Modified: 2014-01-21
Hello Pros,

I have this question.

I have created a DMZ that needs port 80 open, how can I do this?

I have a Cisco Firewall 5515x
Cisco Adaptive Security Appliance Software Version 8.6(1)2
Device Manager Version 6.6(1)
Question by:Katrach0

Expert Comment

by:Henk van Achterberg
ID: 39790383
I suggest you update to 9.1.4 and ASDM 7.1.5-100.

Secondly, from where do you need port 80 to be open? Do you have a spare external IP address, or do you need to forward port 80 of the interface IP?

The config will be something like this:

object network dmz-server
 host 192.168.25.1
object service http
 service tcp destination eq http


nat (outside,dmz) source static any any destination static interface dmz-server service http http unidirectional no-proxy-arp

access-list dmz_access_in extended permit object http any object dmz-server
access-group dmz_access_in in interface dmz


Author Comment

by:Katrach0
ID: 39791561
Hello.

There's no way I can upgrade the IOS; it's in production (I don't want to take any risks). I'd like to do it with what I have.

I have spare IPs. I have 2 devices for that DMZ.

Accepted Solution

by:Henk van Achterberg (earned 2000 total points)
ID: 39792480
You can use this then:

object network dmz-server-1
 host 192.168.25.1
object network dmz-server-2
 host 192.168.25.2
object network wan-IP-1
 host 1.1.1.1
object network wan-IP-2
 host 1.1.1.2
object service http
 service tcp destination eq http

nat (outside,dmz) source static any any destination static wan-IP-1 dmz-server-1 service http http unidirectional no-proxy-arp
nat (outside,dmz) source static any any destination static wan-IP-2 dmz-server-2 service http http unidirectional no-proxy-arp

access-list dmz_access_in extended permit object http any object dmz-server-1
access-list dmz_access_in extended permit object http any object dmz-server-2
access-group dmz_access_in in interface dmz


Expert Comment

by:Feroz Ahmed
ID: 39796610
Hi,

Try this configuration on your ASA firewall, as below:

ASA(Config-t)#access-list 101 in interface dmz
ASA(Config-t)#access-list 101in interface ip any any port 80

This will open port 80 on the DMZ server.

Author Closing Comment

by:Katrach0
ID: 39796691
It worked with this command...

This is how it looks on the firewall.
ASA# sh run nat
object network obj-10.40.1.4
 nat (DMZ,outside) static 91.10.00.01
object network obj-10.40.1.5
 nat (DMZ,outside) static 91.10.11.22
object network obj-10.40.1.3
 nat (DMZ,outside) static 91.10.22.33
!

access-list outside_access_in extended permit tcp any host 10.40.1.3 eq www
access-list outside_access_in extended permit tcp any host 10.40.1.5 eq www
access-list outside_access_in extended permit tcp any host 10.40.1.4 eq www

Expert Comment

by:Henk van Achterberg
ID: 39796838
It works but now you have completely natted the external IP with the internal IP instead of just port 80.

Author Comment

by:Katrach0
ID: 39796861
Henk van Achterberg

"It works but now you have completely natted the external IP with the internal IP instead of just port 80."

I noticed it.
How do I change it?

Thanks.

Expert Comment

by:Henk van Achterberg
ID: 39796886
object network obj-10.40.1.3
 host 10.40.1.3
object network obj-10.40.1.4
 host 10.40.1.4
object network obj-10.40.1.5
 host 10.40.1.5
 
object network obj-91.10.00.01
 host 91.10.00.01
object network obj-91.10.11.22
 host 91.10.11.22
object network obj-91.10.22.33
 host 91.10.22.33
object service http
 service tcp destination eq http

nat (outside,dmz) source static any any destination static obj-91.10.22.33 obj-10.40.1.3 service http http unidirectional no-proxy-arp
nat (outside,dmz) source static any any destination static obj-91.10.00.01 obj-10.40.1.4 service http http unidirectional no-proxy-arp
nat (outside,dmz) source static any any destination static obj-91.10.11.22 obj-10.40.1.5 service http http unidirectional no-proxy-arp

access-list outside_access_in extended permit object http any object obj-10.40.1.3
access-list outside_access_in extended permit object http any object obj-10.40.1.4
access-list outside_access_in extended permit object http any object obj-10.40.1.5

Author Comment

by:Katrach0
ID: 39797079
When I typed this command,
nat (outside,dmz) source static any any destination static obj-91.10.22.33 obj-10.40.1.3 service http http unidirectional no-proxy-arp


I got this error:

nat (outside,dmz) source static any any destination static obj-91.10.22.33 obj
-10.40.1.3 service http http unidirectional no-proxy-arp
                                            ^
ERROR: % Invalid input detected at '^' marker.

Any ideas?

Expert Comment

by:Henk van Achterberg
ID: 39797088
Try

object service NAT-http
 service tcp destination eq http

and

nat (outside,dmz) source static any any destination static obj-91.10.22.33 obj
-10.40.1.3 service NAT-http NAT-http unidirectional no-proxy-arp

Author Comment

by:Katrach0
ID: 39797102
Now I got this:

ERROR: obj doesn't match an existing object or object-group

ASA(config)# $ NAT-http unidirectional no-proxy-arp

Expert Comment

by:Henk van Achterberg
ID: 39797108
I think you are going wrong somewhere with the object names. If the one-to-one NAT works you can keep it that way; otherwise you should check that there aren't too many spaces.

Author Comment

by:Katrach0
ID: 39797137
I'm still trying to figure out NAT.

Why did you mention this? "It works but now you have completely natted the external IP with the internal IP instead of just port 80."

Expert Comment

by:Henk van Achterberg
ID: 39797143
When traffic is destined for the public IP address it is translated to the internal IP address.

When you want to open port 443 for example you now only need to make an entry in the access list as the NAT statement is now already present and works for all ports on that IP.
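Henk's point above (a 1:1 static NAT translates every port, so each new access-list line on its own opens another port, whereas the per-service twice NAT limits the translation itself to port 80) can be checked mechanically. The following is an added example, not from the thread or from Cisco: a small Python audit that parses the two configuration styles as posted here and reports, per DMZ host, the ports the NAT translates against the ports the ACL permits. The snippets it runs on are constructed from the thread's own lines (the same hypothetical addresses); ASA 8.3+ ACLs match the real, untranslated address, which is why the access-lists name the 10.40.1.x hosts.

```python
PORTS = {"http": 80, "www": 80}  # ASA port keywords used in the thread
# Constructed snippets for one DMZ server (addresses as posted in the thread).
ONE_TO_ONE = """\
object network obj-10.40.1.4
 host 10.40.1.4
 nat (DMZ,outside) static 91.10.00.01
access-list outside_access_in extended permit tcp any host 10.40.1.4 eq www
"""
PORT_LIMITED = """\
object network obj-10.40.1.4
 host 10.40.1.4
object network obj-91.10.00.01
 host 91.10.00.01
object service NAT-http
 service tcp destination eq http
nat (outside,dmz) source static any any destination static obj-91.10.00.01 obj-10.40.1.4 service NAT-http NAT-http unidirectional no-proxy-arp
access-list outside_access_in extended permit object NAT-http any object obj-10.40.1.4
"""

def audit_exposure(cfg):
    """Per real (DMZ) IP: ports the NAT translates vs. ports the ACL permits. Object NAT
    (1:1 'static' under an object) maps every port; twice NAT with 'service' maps one."""
    hosts, services, nat, acl, cur = {}, {}, {}, {}, None
    for raw in filter(str.split, cfg.splitlines()):     # skip blank lines
        t = raw.split()
        if t[0] == "object":                          # object network|service NAME
            cur = (t[1], t[2])
        elif raw.startswith(" ") and cur:             # lines indented under an object
            if cur[0] == "network" and t[0] == "host":
                hosts[cur[1]] = t[1]
            elif cur[0] == "network" and t[0] == "nat":
                nat[hosts[cur[1]]] = "all"            # 1:1 static NAT: every port
            elif cur[0] == "service" and "eq" in t:
                services[cur[1]] = PORTS[t[t.index("eq") + 1]]
        elif t[0] == "nat" and "destination" in t:    # twice NAT: ... static MAPPED REAL
            real = hosts[t[t.index("destination") + 3]]   # service clause assumed present
            nat.setdefault(real, set()).add(services[t[t.index("service") + 1]])
        elif t[0] == "access-list" and "permit" in t:
            k = t.index("permit") + 1
            if t[k] == "object":                      # permit object SVC any object DST
                p, spec = services[t[k + 1]], t[k + 2:]
            else:                                     # permit tcp any host DST eq PORT
                p, spec = PORTS[t[t.index("eq") + 1]], t[k + 1:t.index("eq")]
            acl.setdefault(hosts[spec[-1]] if spec[-2] == "object" else spec[-1], set()).add(p)
    report = {}
    for ip in set(nat) | set(acl):
        n, a = nat.get(ip, set()), acl.get(ip, set())
        report[ip] = {"nat_ports": n, "acl_ports": a, "reachable": a if n == "all" else n & a,
                      "nat_wider_than_acl": n == "all" or bool(n - a)}
    return report
```

With the 1:1 NAT the report flags nat_wider_than_acl, meaning a later ACL entry for, say, 443 would be reachable with no NAT change; with the port-limited NAT the two sets coincide.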

Author Comment

by:Katrach0
ID: 39797177
I used this:

capture capo type raw-data access-list capo interface outside
ASA# sh cap capo

And it got me this:

331: 10:20:14.658733 MYHOMEIP.34885 > 91.10.22.33.80: S 2255167670:2255167670(0) win 8192 <mss 1260,nop,nop,sackOK>
 332: 50:10:20.491235  MYHOMEIP.39058 > 91.10.22.33.80: S 882175291:882175291(0) win 8192 <mss 1260,nop,nop,sackOK>
 333: 10:20:20.661327 MYHOMEIP.34885 > 91.10.22.33.80: S 2255167670:2255167670(0) win 8192 <mss 1260,nop,nop,sackOK>
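The capture above shows only client SYNs towards 91.10.22.33:80 and no SYN-ACK, i.e. the packets reach the outside interface but nothing comes back, so the problem is on or behind the firewall rather than in reaching it. As an added example (not from the thread), here is a small parser for that 'show capture' line format which flags client-to-server:port flows with repeated SYNs and no reply; the sample lines are constructed in that format, and MYHOMEIP is the thread's own placeholder for the client address.

```python
import re
from collections import defaultdict

# Constructed sample in the 'show capture' format the thread quotes; MYHOMEIP is the
# thread's placeholder for the client. Lines 334-336 add a flow that did get answered.
CAPTURE = """\
331: 10:20:14.658733 MYHOMEIP.34885 > 91.10.22.33.80: S 2255167670:2255167670(0) win 8192 <mss 1260,nop,nop,sackOK>
332: 10:20:17.491235 MYHOMEIP.39058 > 91.10.22.33.80: S 882175291:882175291(0) win 8192 <mss 1260,nop,nop,sackOK>
333: 10:20:20.661327 MYHOMEIP.34885 > 91.10.22.33.80: S 2255167670:2255167670(0) win 8192 <mss 1260,nop,nop,sackOK>
334: 10:20:25.000000 MYHOMEIP.40001 > 91.10.22.33.443: S 1000:1000(0) win 8192 <mss 1260>
335: 10:20:28.000000 MYHOMEIP.40001 > 91.10.22.33.443: S 1000:1000(0) win 8192 <mss 1260>
336: 10:20:28.000400 91.10.22.33.443 > MYHOMEIP.40001: S 5000:5000(0) ack 1001 win 8192 <mss 1260>
"""

# seq: time src.port > dst.port: FLAG rest
LINE = re.compile(r"^\s*\d+:\s+(\S+)\s+(\S+)\.(\d+)\s+>\s+(\S+)\.(\d+):\s+(\S)(.*)$")

def unanswered_syns(capture, min_syns=2):
    """Return {(client, server, port): syn_count} for flows in which the client sent
    at least min_syns SYNs and no SYN-ACK ever came back through this interface."""
    syns, replied = defaultdict(int), set()
    for m in filter(None, map(LINE.match, capture.splitlines())):
        _, src, sport, dst, dport, flags, rest = m.groups()
        if flags != "S":                       # only SYN / SYN-ACK packets matter here
            continue
        if "ack" in rest.split():              # SYN-ACK: key it as (client, server, port)
            replied.add((dst, src, int(sport)))
        else:
            syns[(src, dst, int(dport))] += 1  # client SYN (retransmits counted too)
    return {k: v for k, v in syns.items() if v >= min_syns and k not in replied}
```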