Solved

Configure DMZ for port 80

Posted on 2014-01-17
Last Modified: 2014-01-21
Hello Pros,

I have this question.

I have created a DMZ that needs port 80 open, how can I do this?

I have a Cisco Firewall 5515x
Cisco Adaptive Security Appliance Software Version 8.6(1)2
Device Manager Version 6.6(1)
Question by:Katrach0

Expert Comment

by:Henk van Achterberg
I suggest you update to 9.1.4 and asdm 7.1.5-100.

Secondly, from where do you need port 80 to be open? Do you have a spare external IP address, or do you need to forward port 80 of the interface IP?

The config will be something like this:

object network dmz-server
 host 192.168.25.1
object service http
 service tcp destination eq http


nat (outside,dmz) source static any any destination static interface dmz-server service http http unidirectional no-proxy-arp

access-list dmz_access_in extended permit object http any object dmz-server
access-group dmz_access_in in interface dmz


Author Comment

by:Katrach0
Hello.

There's no way I can upgrade the IOS; it's in production (I don't want to take any risks). I'd like to do it with what I have.

I have spare IPs. I have 2 devices for that DMZ.

Accepted Solution

by: Henk van Achterberg (earned 500 total points)
You can use this then:

object network dmz-server-1
 host 192.168.25.1
object network dmz-server-2
 host 192.168.25.2
object network wan-IP-1
 host 1.1.1.1
object network wan-IP-2
 host 1.1.1.2
object service http
 service tcp destination eq http

nat (outside,dmz) source static any any destination static wan-IP-1 dmz-server-1 service http http unidirectional no-proxy-arp
nat (outside,dmz) source static any any destination static wan-IP-2 dmz-server-2 service http http unidirectional no-proxy-arp

access-list dmz_access_in extended permit object http any object dmz-server-1
access-list dmz_access_in extended permit object http any object dmz-server-2
access-group dmz_access_in in interface dmz


Expert Comment

by:Feroz Ahmed
Hi,

Try this configuration on your ASA firewall, as below:

ASA(Config-t)#access-list 101 in interface dmz
ASA(Config-t)#access-list 101 in interface ip any any port 80

This will open port 80 on the DMZ server.

Author Closing Comment

by:Katrach0
It worked with this command...

This is how it looks on the firewall.
ASA# sh run nat
object network obj-10.40.1.4
 nat (DMZ,outside) static 91.10.00.01
object network obj-10.40.1.5
 nat (DMZ,outside) static 91.10.11.22
object network obj-10.40.1.3
 nat (DMZ,outside) static 91.10.22.33
!

access-list outside_access_in extended permit tcp any host 10.40.1.3 eq www
access-list outside_access_in extended permit tcp any host 10.40.1.5 eq www
access-list outside_access_in extended permit tcp any host 10.40.1.4 eq www

Expert Comment

by:Henk van Achterberg
It works but now you have completely natted the external IP with the internal IP instead of just port 80.

Author Comment

by:Katrach0
Henk van Achterberg

"It works but now you have completely natted the external IP with the internal IP instead of just port 80."

I noticed it.
How do I change it?

Thanks.

Expert Comment

by:Henk van Achterberg
object network obj-10.40.1.3
 host 10.40.1.3
object network obj-10.40.1.4
 host 10.40.1.4
object network obj-10.40.1.5
 host 10.40.1.5
 
object network obj-91.10.00.01
 host 91.10.00.01
object network obj-91.10.11.22
 host 91.10.11.22
object network obj-91.10.22.33
 host 91.10.22.33
object service http
 service tcp destination eq http

nat (outside,dmz) source static any any destination static obj-91.10.22.33 obj-10.40.1.3 service http http unidirectional no-proxy-arp
nat (outside,dmz) source static any any destination static obj-91.10.00.01 obj-10.40.1.4 service http http unidirectional no-proxy-arp
nat (outside,dmz) source static any any destination static obj-91.10.11.22 obj-10.40.1.5 service http http unidirectional no-proxy-arp

access-list outside_access_in extended permit object http any object obj-10.40.1.3
access-list outside_access_in extended permit object http any object obj-10.40.1.4
access-list outside_access_in extended permit object http any object obj-10.40.1.5

Author Comment

by:Katrach0
When I typed this command,
nat (outside,dmz) source static any any destination static obj-91.10.22.33 obj-10.40.1.3 service http http unidirectional no-proxy-arp

I got this error:

nat (outside,dmz) source static any any destination static obj-91.10.22.33 obj
-10.40.1.3 service http http unidirectional no-proxy-arp
                                            ^
ERROR: % Invalid input detected at '^' marker.

Any ideas?

Expert Comment

by:Henk van Achterberg
Try:

object service NAT-http
 service tcp destination eq http

and (entered as a single line, with no line break inside the object name):

nat (outside,dmz) source static any any destination static obj-91.10.22.33 obj-10.40.1.3 service NAT-http NAT-http unidirectional no-proxy-arp

Author Comment

by:Katrach0
Now I got this:

ERROR: obj doesn't match an existing object or object-group

ASA(config)# $ NAT-http unidirectional no-proxy-arp

Expert Comment

by:Henk van Achterberg
I think you are going wrong somewhere with the object names. If the one-to-one NAT works you can keep it that way; otherwise you should check that there aren't too many spaces.

Author Comment

by:Katrach0
I'm still trying to figure out NAT.

Why did you mention this? "It works but now you have completely natted the external IP with the internal IP instead of just port 80."

Expert Comment

by:Henk van Achterberg
When traffic is destined for the public IP address, it is translated to the internal IP address.

When you want to open port 443 for example you now only need to make an entry in the access list as the NAT statement is now already present and works for all ports on that IP.
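To make the point in the two comments above concrete (a 1:1 static NAT maps every port, so only the access list stands between the internet and the rest of the DMZ host, while the port-restricted twice NAT never translates other ports at all), here is an added Python model that is not part of this thread and not Cisco code. It reduces the two configurations posted in the thread to translation and ACL entries and reports why a given public IP and port is or is not reachable; the `host` line that `sh run nat` does not print is filled in as an assumption, and the ASA's real evaluation (ACLs matched on real addresses in 8.3+, implicit deny) is simplified to just these two checks.

```python
PORTS = {"www": 80, "http": 80, "https": 443}          # port names used in the thread

def _port(tok):
    return PORTS.get(tok) or int(tok)

def parse(cfg):
    # Returns ([(mapped_ip, real_ip, port|None)], [(real_ip, port|None)])
    hosts, svc, xlates, acl, cur = {}, {}, [], [], None
    for w in filter(None, (line.split() for line in cfg.splitlines())):
        if w[0] == "object":                      # object network|service NAME
            cur = w[2]
        elif w[0] == "host":                      # real or mapped address of NAME
            hosts[cur] = w[1]
        elif w[0] == "service":                   # service tcp destination eq PORT
            svc[cur] = _port(w[-1])
        elif w[0] == "nat" and w[2] == "static":  # object NAT: every port is mapped
            xlates.append((w[3], hosts[cur], None))
        elif w[0] == "nat":                       # twice NAT: mapped, real, [service]
            xlates.append((hosts[w[8]], hosts[w[9]], svc[w[11]] if "service" in w else None))
        elif w[0] == "access-list":
            if w[4] == "object":                  # permit object SVC any object DST
                acl.append((hosts[w[8]], svc[w[5]]))
            else:                                 # permit tcp|ip any host DST [eq PORT]
                acl.append((w[7], _port(w[9]) if "eq" in w else None))
    return xlates, acl

def reachable(cfg, public_ip, port):
    # 'permitted', 'dropped-by-acl' (translated; only the ACL stops it) or 'no-translation'
    xlates, acl = parse(cfg)
    for mapped, real, xport in xlates:
        if mapped == public_ip and xport in (None, port):
            if any(d == real and p in (None, port) for d, p in acl):
                return "permitted"
            return "dropped-by-acl"
    return "no-translation"

# Constructed from the thread's lines; the 'host' line omitted by 'sh run nat' is assumed.
ONE_TO_ONE = """object network obj-10.40.1.3
 host 10.40.1.3
 nat (DMZ,outside) static 91.10.22.33
access-list outside_access_in extended permit tcp any host 10.40.1.3 eq www"""

PORT_ONLY = """object network obj-10.40.1.3
 host 10.40.1.3
object network obj-91.10.22.33
 host 91.10.22.33
object service NAT-http
 service tcp destination eq http
nat (outside,dmz) source static any any destination static obj-91.10.22.33 obj-10.40.1.3 service NAT-http NAT-http unidirectional no-proxy-arp
access-list outside_access_in extended permit object NAT-http any object obj-10.40.1.3"""
```

Calling `reachable(ONE_TO_ONE, "91.10.22.33", 443)` gives `dropped-by-acl` while `reachable(PORT_ONLY, "91.10.22.33", 443)` gives `no-translation`; append a `permit ip any host 10.40.1.3` line to each and only the 1:1 version exposes every port.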

Author Comment

by:Katrach0
I used this:

capture capo type raw-data access-list capo interface outside
ASA# sh cap capo

And it got me this:

331: 10:20:14.658733 MYHOMEIP.34885 > 91.10.22.33.80: S 2255167670:2255167670(0) win 8192 <mss 1260,nop,nop,sackOK>
332: 50:10:20.491235 MYHOMEIP.39058 > 91.10.22.33.80: S 882175291:882175291(0) win 8192 <mss 1260,nop,nop,sackOK>
333: 10:20:20.661327 MYHOMEIP.34885 > 91.10.22.33.80: S 2255167670:2255167670(0) win 8192 <mss 1260,nop,nop,sackOK>