HBS-Mach
asked on
Exposing Multiple Websites behind a Cisco ASA 5540
We have a Cisco ASA 5540 Firewall version 9.1(5), with the SSM-40 IPS Module that we want to be able to securely publish certain internal websites to the Internet.
Currently the ASA has Outlook Web Access published on Port 80/443 on the default external IP, so any traffic to that IP does to OWA
We use Port 90 to publish the VPN Cisco Anyconnect Secure Mobility Client.
I would like additional external websites, as well as OWA and perhaps the Cisco Anyconnect Secure Mobility Client to be able to be published all on Port 80 and 443.
As well as allowing a Java app to be run, communicating to the Java Server internally.
Our Internet link has an address of 1.2.3.4
The ISP has also allocated us a range of external addresses at 5.6.7.144/29
They are routing this range of IPs through the internet link at 1.2.3.4
We want to publish a few websites that are on Servers in our private network to External customers.
I was hoping to get some pointers on how to publish the following sites to external people, all on Port 80 and 443.
The sites will be:
owa.company.com (Outlook Web Access) points to the internal address 10.1.2.92
vpn.company.com (Cisco Anyconnect Secure Mobility Client VPN address) points to the internal address of the ASA 5540 (i presume) 10.1.2.254
citrix.company.com (Citrix Netscaler) points to the internal address 10.1.2.200
portal.company.com (the company website landing portal) points to the internal address 10.1.2.164
This portal will launch a Java App, that uses Ports 2006 and 2010, that points to the internal address 10.1.2.168
Any ideas how to do this?
I can see under the Cisco ASDM 7.3 that there is a section for "Public Servers", so i presume that it is possible.
Our ASA interface names are - where the internal servers are is called SERVER-CORE
The external interface is called OUTSIDE.
Thanking you all.
Currently the ASA has Outlook Web Access published on Port 80/443 on the default external IP, so any traffic to that IP does to OWA
We use Port 90 to publish the VPN Cisco Anyconnect Secure Mobility Client.
I would like additional external websites, as well as OWA and perhaps the Cisco Anyconnect Secure Mobility Client to be able to be published all on Port 80 and 443.
As well as allowing a Java app to be run, communicating to the Java Server internally.
Our Internet link has an address of 1.2.3.4
The ISP has also allocated us a range of external addresses at 5.6.7.144/29
They are routing this range of IPs through the internet link at 1.2.3.4
We want to publish a few websites that are on Servers in our private network to External customers.
I was hoping to get some pointers on how to publish the following sites to external people, all on Port 80 and 443.
The sites will be:
owa.company.com (Outlook Web Access) points to the internal address 10.1.2.92
vpn.company.com (Cisco Anyconnect Secure Mobility Client VPN address) points to the internal address of the ASA 5540 (i presume) 10.1.2.254
citrix.company.com (Citrix Netscaler) points to the internal address 10.1.2.200
portal.company.com (the company website landing portal) points to the internal address 10.1.2.164
This portal will launch a Java App, that uses Ports 2006 and 2010, that points to the internal address 10.1.2.168
Any ideas how to do this?
I can see under the Cisco ASDM 7.3 that there is a section for "Public Servers", so i presume that it is possible.
Our ASA interface names are - where the internal servers are is called SERVER-CORE
The external interface is called OUTSIDE.
Thanking you all.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
The Java app would be similar, remember you will need the nat () and access list statements as well.
You can also, instead of using "owa" for your service group, do something like "http_all" and use that on every nat statement that has http & https. Additionally, the tcp_http, tcp_https can be used individually on nat statements (or any other service/network object, it doesn't have to be a grouped object)
You "vpn.company.com" will point to the external facing VPN adapter. It cannot point to the internal adapter as the ASA will not forward it to the internal adapter (mgmt plane and routing plane are different)
You "vpn.company.com" will point to the external facing VPN adapter. It cannot point to the internal adapter as the ASA will not forward it to the internal adapter (mgmt plane and routing plane are different)
ASKER
Thanks Daniel, this solution works (along with your follow up comment).
A 1-to-1 nat for each website is the solution
A 1-to-1 nat for each website is the solution
ASKER
So that should be similar for the Java App?
Just replacing the ports and names
object-group service tcp_java1
service tcp destination 2006
object-group service tcp_java2
service tcp destination 2010
object-group service java
service-object object tcp_java1
service-object object tcp_java2