Exposing Multiple Websites behind a Cisco ASA 5540

We have a Cisco ASA 5540 Firewall, version 9.1(5), with the SSM-40 IPS Module, and we want to use it to securely publish certain internal websites to the Internet.
Currently the ASA has Outlook Web Access published on ports 80/443 on the default external IP, so any traffic to that IP goes to OWA.
We use port 90 to publish the VPN Cisco AnyConnect Secure Mobility Client.


I would like additional external websites, as well as OWA and perhaps the Cisco AnyConnect Secure Mobility Client, to be published all on ports 80 and 443.
I also need a Java app to be run that communicates with the Java server internally.

Our Internet link has an address of 1.2.3.4.
The ISP has also allocated us a range of external addresses at 5.6.7.144/29.
They are routing this range of IPs through the Internet link at 1.2.3.4.

We want to publish a few websites that are on servers in our private network to external customers.

I was hoping to get some pointers on how to publish the following sites to external people, all on ports 80 and 443.
The sites will be:

owa.company.com (Outlook Web Access) points to the internal address 10.1.2.92

vpn.company.com (Cisco AnyConnect Secure Mobility Client VPN address) points to the internal address of the ASA 5540 (I presume), 10.1.2.254

citrix.company.com (Citrix Netscaler) points to the internal address 10.1.2.200

portal.company.com (the company website landing portal) points to the internal address 10.1.2.164
This portal will launch a Java app that uses ports 2006 and 2010 and points to the internal address 10.1.2.168.

Any ideas how to do this?
I can see under the Cisco ASDM 7.3 that there is a section for "Public Servers", so I presume that it is possible.

Our ASA interface names are as follows: the interface where the internal servers sit is called SERVER-CORE, and the external interface is called OUTSIDE.

Thanking you all.
Asked by HBS-Mach
Daniel Sheppard (Senior Network Analyst - Core & Perimeter) commented:
You will need to perform a 1-to-1 NAT for each website.

Should be similar to this (for OWA):

object-group network external-owa
 network-object host 5.6.7.144
object-group network internal-owa
 network-object host 10.1.2.92

object service tcp_http
 service tcp destination eq 80
object service tcp_https
 service tcp destination eq 443
object-group service owa
 service-object object tcp_http
 service-object object tcp_https

! Twice NAT takes a single service object, not a service group, so one rule per port
nat (OUTSIDE,SERVER-CORE) source static any any destination static external-owa internal-owa service tcp_http tcp_http unidirectional
nat (OUTSIDE,SERVER-CORE) source static any any destination static external-owa internal-owa service tcp_https tcp_https unidirectional
! The ACL is written against the real (internal) address; a service group is fine here
access-list OUTSIDE_access_in extended permit object-group owa any object-group internal-owa log disable

(The format of nat is: nat (outside,inside) source static <source-original> <source-translation> destination static <destination-original> <destination-translation> service <service-original> <service-translated> unidirectional)


Now, all this being said, if you load up the ASDM, insert this as a 'NAT Rule Before "Network Objects"' and follow the boxes, as well as insert an "Access List" entry for the firewall doing the same, it is pretty dead simple.
HBS-Mach (Author) commented:
Thanks Daniel.
So that should be similar for the Java App?
Just replacing the ports and names:

object service tcp_java1
 service tcp destination eq 2006
object service tcp_java2
 service tcp destination eq 2010
object-group service java
 service-object object tcp_java1
 service-object object tcp_java2
Daniel Sheppard (Senior Network Analyst - Core & Perimeter) commented:
The Java app would be similar; remember you will need the nat () and access-list statements as well.
Daniel Sheppard (Senior Network Analyst - Core & Perimeter) commented:
You can also, instead of using "owa" for your service group, do something like "http_all" and use that on every nat statement that has http & https. Additionally, tcp_http and tcp_https can be used individually on nat statements (or any other service/network object; it doesn't have to be a grouped object).


Your "vpn.company.com" will point to the external-facing VPN adapter. It cannot point to the internal adapter, as the ASA will not forward it to the internal adapter (management plane and routing plane are different).
HBS-Mach (Author) commented:
Thanks Daniel, this solution works (along with your follow-up comment).
A 1-to-1 NAT for each website is the solution.
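Carrying the accepted approach through for all of the sites in the question, as an added example that is not part of the thread and not Cisco tooling: the script below gives each public hostname its own address from the ISP-routed /29, rejects two internal servers claiming the same public address and port, and emits the per-port twice-NAT and ACL lines in ASA 9.1 syntax. The ext-/int- object names and the choice to publish the Java server's ports 2006/2010 under the portal's hostname are assumptions.

```python
import ipaddress

# Constructed from the question: (public hostname, internal server, TCP ports). Putting the
# Java server under the portal's hostname is an assumption (same public address, ports 2006/2010).
PUBLISHED = [
    ("owa.company.com",    "10.1.2.92",  [80, 443]),
    ("citrix.company.com", "10.1.2.200", [80, 443]),
    ("portal.company.com", "10.1.2.164", [80, 443]),
    ("portal.company.com", "10.1.2.168", [2006, 2010]),
]

def allocate(published, pool="5.6.7.144/29"):
    """One public address per hostname: the ASA steers on address and port, never on the HTTP
    Host header. Assumes the whole ISP-routed block is usable, as the answer's use of .144 did."""
    names = list(dict.fromkeys(name for name, _, _ in published))  # unique, in order
    addrs = [str(a) for a in ipaddress.ip_network(pool)]
    if len(names) > len(addrs):
        raise ValueError(f"{len(names)} hostnames but only {len(addrs)} addresses in {pool}")
    return dict(zip(names, addrs))

def check_collisions(published, public):
    """Reject two internal servers claiming the same public (address, port) pair."""
    owner = {}
    for name, internal, ports in published:
        for port in ports:
            key = (public[name], port)
            if owner.setdefault(key, internal) != internal:
                raise ValueError(f"{key} claimed by both {owner[key]} and {internal}")
    return owner

def render_asa(published, public, outside="OUTSIDE", inside="SERVER-CORE",
               acl="OUTSIDE_access_in"):
    """One twice-NAT rule and one ACL entry per (server, port); twice NAT takes single service objects."""
    out = [f"object service tcp_{p}\n service tcp destination eq {p}"
           for p in sorted({p for _, _, ports in published for p in ports})]
    out += [f"object network ext-{n.split('.')[0]}\n host {ip}" for n, ip in public.items()]
    for name, internal, ports in published:
        ext, ins = f"ext-{name.split('.')[0]}", f"int-{internal.replace('.', '-')}"
        out.append(f"object network {ins}\n host {internal}")
        for p in ports:
            out.append(f"nat ({outside},{inside}) source static any any destination static "
                       f"{ext} {ins} service tcp_{p} tcp_{p} unidirectional")
            out.append(f"access-list {acl} extended permit tcp any object {ins} eq {p}")
    return out

if __name__ == "__main__":
    public = allocate(PUBLISHED)
    check_collisions(PUBLISHED, public)  # raises before anything is emitted
    print("\n".join(render_asa(PUBLISHED, public)))
```

Review the emitted lines against the ASDM "Public Servers" view before applying; the script plans and renders, it does not talk to the firewall.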