Avatar of HBS-Mach
Flag for Solomon Islands asked on

Exposing Multiple Websites behind a Cisco ASA 5540

We have a Cisco ASA 5540 Firewall version 9.1(5), with the SSM-40 IPS Module that we want to be able to securely publish certain internal websites to the Internet.
Currently the ASA has Outlook Web Access published on Port 80/443 on the default external IP, so any traffic to that IP does to OWA
We use Port 90 to publish the VPN Cisco Anyconnect Secure Mobility Client.

I would like additional external websites, as well as OWA and perhaps the Cisco Anyconnect Secure Mobility Client to be able to be published all on Port 80 and 443.
As well as allowing a Java app to be run, communicating to the Java Server internally.

Our Internet link has an address of
The ISP has also allocated us a range of external addresses at
They are routing this range of IPs through the internet link at

We want to publish a few websites that are on Servers in our private network to External customers.

I was hoping to get some pointers on how to publish the following sites to external people, all on Port 80 and 443.
The sites will be:

owa.company.com (Outlook Web Access) points to the internal address

vpn.company.com (Cisco Anyconnect Secure Mobility Client VPN address) points to the internal address of the ASA 5540 (i presume)

citrix.company.com (Citrix Netscaler) points to the internal address

portal.company.com (the company website landing portal) points to the internal address
This portal will launch a Java App, that uses Ports 2006 and 2010, that points to the internal address

Any ideas how to do this?
I can see under the Cisco ASDM 7.3 that there is a section for "Public Servers", so i presume that it is possible.

Our ASA interface  names are - where the internal servers are is called SERVER-CORE
The external interface is called OUTSIDE.

Thanking you all.
Internet ProtocolsCiscoHardware FirewallsNetScaler

Avatar of undefined
Last Comment

8/22/2022 - Mon
Daniel Sheppard

View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
See Pricing Options
Start Free Trial
Ask your own question & get feedback from real experts
Find out why thousands trust the EE community with their toughest problems.

Thanks Daniel.
So that should be similar for the Java App?
Just replacing the ports and names

object-group service tcp_java1
  service tcp destination 2006
object-group service tcp_java2
  service tcp destination 2010
object-group service java
  service-object object tcp_java1
  service-object object tcp_java2
Daniel Sheppard

The Java app would be similar, remember you will need the nat () and access list statements as well.
Daniel Sheppard

You can also, instead of using "owa" for your service group, do something like "http_all" and use that on every nat statement that has http & https.  Additionally, the tcp_http, tcp_https can be used individually on nat statements (or any other service/network object, it doesn't have to be a grouped object)

You "vpn.company.com" will point to the external facing VPN adapter.  It cannot point to the internal adapter as the ASA will not forward it to the internal adapter (mgmt plane and routing plane are different)
Experts Exchange is like having an extremely knowledgeable team sitting and waiting for your call. Couldn't do my job half as well as I do without it!
James Murphy

Thanks Daniel, this solution works (along with your follow up comment).
A 1-to-1 nat for each website is the solution