I'm looking for help routing external traffic to an internal web server using an ASA 5505

Posted on 2016-08-30
Last Modified: 2016-09-02
Hello Experts!

I only have rudimentary knowledge of Cisco ASAs, so my expectation is that I have a simple task that's being complicated by my lack of experience.

We have an in-house ERP system that contains an employee access portal.  The portal runs on an IIS 7 instance on a dedicated internal Windows server.  I have the portal set up, and can access it internally from a browser via http://ServerName:5058/sites/portalsite.  The site uses Windows Authentication (active directory) for access.

This has served us well, but now a request has come down to make this site accessible to our remote sales force.  They do not wish to use their VPNs to access the site, so I will need to make it accessible from the outside world.  From my reading, my ultimate configuration will utilize a forward-facing web server and a RODC on a DMZ, which, after authentication, pass the requests in to our internal portal server.

Unfortunately, I don't have the funding allocated in this year's budget for the additional server licensing.  I can request it, but before I do so, my manager wants a 'proof of concept'.  They will have the sales team test accessing the site remotely, and if things go well, I will 'redo' the solution the 'correct' way.

So... this leads me to my question.  I understand that this won't be a solution that any security-minded network admin would sign off on, but can someone assist me in setting up rules in my current ASA 5505 to route external requests to an IP to the internal web server's portal site?

I have a dedicated IP address for the site (we have a block of 16 IPs).  I've been reading up on NATing traffic with the ASA, but I'm either doing the rule wrong, or I'm misunderstanding the concept.


Question by:Scott Milner
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
LVL 82

Assisted Solution

by:David Johnson, CD, MVP
David Johnson, CD, MVP earned 125 total points
ID: 41777498
add another NIC on the Web Server and here the settings are outside connected to Ethernet0/0, inside connected to Ethernet0/1 and the DMZ connected to Ethernet0/2).. from cisco examples

Graphical Examples
ASA Version 9.1(1)
interface Ethernet0/0
 description Connected to Outside Segment
 switchport access vlan 2
interface Ethernet0/1
 description Connected to Inside Segment
 switchport access vlan 1
interface Ethernet0/2
 description Connected to DMZ Segment
 switchport access vlan 3
interface Vlan2
 nameif outside
 security-level 0
 ip address
interface Vlan1
 nameif inside
 security-level 100
 ip address
interface Vlan3
 nameif dmz
 security-level 50
 ip address
object network inside-subnet
object network dmz-subnet
object network webserver
object network webserver-external-ip
object network dns-server

access-list outside_acl extended permit tcp any object webserver eq www
access-list dmz_acl extended permit udp any object dns-server eq domain
access-list dmz_acl extended deny ip any object inside-subnet
access-list dmz_acl extended permit ip any any
object network inside-subnet
 nat (inside,outside) dynamic interface
object network dmz-subnet
 nat (dmz,outside) dynamic interface
object network webserver
 nat (dmz,outside) static webserver-external-ip service tcp www www
access-group outside_acl in interface outside
access-group dmz_acl in interface dmz
route outside 1

Open in new window

LVL 29

Assisted Solution

by:Jan Springer
Jan Springer earned 125 total points
ID: 41777671
Exactly what David said except that consider:

1) you may not be able to re-IP that host and it (unfortunately) has to sit behind the inside interface

2) you will want to add the keyword "dns" to the end of the nat statement for that server so that you can reach it via host name instead of IP when behind the firewall.
LVL 16

Accepted Solution

max_the_king earned 250 total points
ID: 41777780
Hi smilner,
it seems you want to make portal server accessible from outside: you need to nat your private ip on a public ip from your public range, as easy as this.
Your problem here is that the authentication goes through Active Directory along with its (internal) DNS and I'm afraid you won't be able to have your users authenticate from outside, unless you already have the necessary front-end infrastructure.
So if you want to have your users access from outside, without buying another server and change authentication infrastructure accordingly, you really should use VPN: this way your user will connect through VPN, authenticate on a Radius server, and work just as they were into your LAN building.

hope this helps
Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!


Author Comment

by:Scott Milner
ID: 41781899
@David Johnson ... thanks for the code, and the idea to add a second nic with the external IP address to the webserver.  I hadn't thought of doing it that way--I thought I'd be NATing traffic bound to the external IP address on a specific port to the internal IP address of the web server.  This would certainly be simpler.

Author Comment

by:Scott Milner
ID: 41781901
@Jan Springer, thanks for the comment, and the dns advice!

Author Comment

by:Scott Milner
ID: 41781904
@max_the_king, thanks for the response.

I understand what you are saying regarding the AD authentication from outside.  I was originally trying to cobble this together, and was thinking that i could route port 636 traffic (SSL AD authentication uses TCP 636) in to the web server to get around this problem.  However, I've talked myself out of this... just too risky from a security standpoint.

Author Comment

by:Scott Milner
ID: 41781910
Thank you all for your responses.

After doing some more research, and considering your input, I'm going to 'dig my heels in' here a bit and not even attempt to do this without the necessary front-end servers and a DMZ.  There just seems to be too many critical systems that could be potentially compromised by trying to 'rig' up a solution to save a few bucks.

I'll split the points between the three of you, with Max getting the 'best' solution for helping bring me to my senses!  


Featured Post

Efficient way to get backups off site to Azure

This user guide provides instructions on how to deploy and configure both a StoneFly Scale Out NAS Enterprise Cloud Drive virtual machine and Veeam Cloud Connect in the Microsoft Azure Cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

During and after that shift to cloud, one area that still poses a struggle for many organizations is what to do with their department file shares.
On Feb. 28, Amazon’s Simple Storage Service (S3) went down after an employee issued the wrong command during a debugging exercise. Among those affected were big names like Netflix, Spotify and Expedia.
After creating this article (, I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
Suggested Courses
Course of the Month10 days, 20 hours left to enroll

632 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question