• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 433
  • Last Modified:

Exposing Multiple Websites behind a Cisco ASA 5540

We have a Cisco ASA 5540 Firewall version 9.1(5), with the SSM-40 IPS Module that we want to be able to securely publish certain internal websites to the Internet.
Currently the ASA has Outlook Web Access published on Port 80/443 on the default external IP, so any traffic to that IP does to OWA
We use Port 90 to publish the VPN Cisco Anyconnect Secure Mobility Client.

I would like additional external websites, as well as OWA and perhaps the Cisco Anyconnect Secure Mobility Client to be able to be published all on Port 80 and 443.
As well as allowing a Java app to be run, communicating to the Java Server internally.

Our Internet link has an address of
The ISP has also allocated us a range of external addresses at
They are routing this range of IPs through the internet link at

We want to publish a few websites that are on Servers in our private network to External customers.

I was hoping to get some pointers on how to publish the following sites to external people, all on Port 80 and 443.
The sites will be:

owa.company.com (Outlook Web Access) points to the internal address

vpn.company.com (Cisco Anyconnect Secure Mobility Client VPN address) points to the internal address of the ASA 5540 (i presume)

citrix.company.com (Citrix Netscaler) points to the internal address

portal.company.com (the company website landing portal) points to the internal address
This portal will launch a Java App, that uses Ports 2006 and 2010, that points to the internal address

Any ideas how to do this?
I can see under the Cisco ASDM 7.3 that there is a section for "Public Servers", so i presume that it is possible.

Our ASA interface  names are - where the internal servers are is called SERVER-CORE
The external interface is called OUTSIDE.

Thanking you all.
  • 3
  • 2
1 Solution
Daniel SheppardNetwork Administrator/Engineer/ArchitectCommented:
You will need to perform a 1-to-1 nat for each website.

Should be similar to this (for OWA):

object-group network external-owa
object-group network internal-owa

object-group service tcp_http
  service tcp destination 80
object-group service tcp_https
  service tcp destination 443
object-group service owa
  service-object object tcp_http
  service-object object tcp_https

nat (OUTSIDE,SERVER-CORE) source static any any destination static external-owa internal-owa service owa owa unidirectional
access-list OUTSIDE_access_in extended permit object owa any object-group internal-owa log disable

Open in new window

(The format or nat is: nat (outside,inside) source static <source-original> <source-translation> destination static <destination-original> <destination-original> service <service-original> <service-translated> unidirectional

Now, all this being said, if you load up the ASDM, insert this as a 'NAT Rule Before "Network Objects"' and follow the boxes, as well as insert a "Access List" entry for the firewall doing the same, it is pretty dead simple.
HBS-MachAuthor Commented:
Thanks Daniel.
So that should be similar for the Java App?
Just replacing the ports and names

object-group service tcp_java1
  service tcp destination 2006
object-group service tcp_java2
  service tcp destination 2010
object-group service java
  service-object object tcp_java1
  service-object object tcp_java2
Daniel SheppardNetwork Administrator/Engineer/ArchitectCommented:
The Java app would be similar, remember you will need the nat () and access list statements as well.
Daniel SheppardNetwork Administrator/Engineer/ArchitectCommented:
You can also, instead of using "owa" for your service group, do something like "http_all" and use that on every nat statement that has http & https.  Additionally, the tcp_http, tcp_https can be used individually on nat statements (or any other service/network object, it doesn't have to be a grouped object)

You "vpn.company.com" will point to the external facing VPN adapter.  It cannot point to the internal adapter as the ASA will not forward it to the internal adapter (mgmt plane and routing plane are different)
HBS-MachAuthor Commented:
Thanks Daniel, this solution works (along with your follow up comment).
A 1-to-1 nat for each website is the solution
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

  • 3
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now