Expiring Today—Celebrate National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17


ASA Firewall Access Rule for Web Servers

Posted on 2014-12-24
Medium Priority
Last Modified: 2015-11-07
In ASA 5520 I have configured an Access Rule so that outside client can reach the Webserver in the DMZ. It worked with no problem. However , so far I have only one Webserver in the DMZ and the access rule is permitting from outside to the destination (Webserver object) which has an IP address
In real world there should be redundant Webservers in the DMZ, so that they can "Load Balance" the load.
I wonder if I need to create separate Access Rule for each Webserver or there is a simpler way to do it ?

Any help will be very much appreciated.

Thank you

Question by:jskfan
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
LVL 57

Assisted Solution

by:Pete Long
Pete Long earned 1000 total points
ID: 40516905
The firewall is not a load balancer, if you want load balancing buy a load balancer?

You would need to set each web server with its own public IP address then you could load balance using DNS round robin.

Or if you are using  server 2012 - you could reverse proxy and use NLB.


Author Comment

ID: 40517004
I am not saying I need to Load balance with Firewall.

Usually companies do not use just one web server in the DMZ. They use a bunch of them and I believe in DNS they create CNAME so that all webservers will have the same name but different IP addresses...

Well... the way I configured ASA in the LAB, was not complicated because I just allowed HTTP from outside to go to that single webserver IP address. in the case when there are several webservers, how do you change the access rules so that it will apply to all webservers in the DMZ?
hope the Question is clear now..
LVL 50

Accepted Solution

Don Johnston earned 1000 total points
ID: 40517044
Usually companies do not use just one web server in the DMZ. They use a bunch of them and I believe in DNS they create CNAME so that all webservers will have the same name but different IP addresses...
I believe that what you're referring to is "content switching".

Author Comment

ID: 40517689

in your comment above you mentioned Load Balancer, I believe that would work if you put it in the DMZ (Of course), that way you Load balance between WebServers, and the WebServers will have a common Virtual IP address.
I believe that Virtual IP address is the IP address that will be used in ASA Firewall Access Rule. It makes more sense to me this way.

Author Closing Comment

ID: 41205064
Thank you

Featured Post

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

There’s a movement in Information Technology (IT), and while it’s hard to define, it is gaining momentum. Some call it “stream-lined IT;” others call it “thin-model IT.”
Let’s face it: one of the reasons your organization chose a SaaS solution (whether Microsoft Dynamics 365, Netsuite or SAP) is that it is subscription-based. The upkeep is done. Or so you think.
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…
Suggested Courses

730 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question