
I'm looking for help routing external traffic to an internal web server using an ASA 5505

Posted on 2016-08-30
Medium Priority
Last Modified: 2016-09-02
Hello Experts!

I only have rudimentary knowledge of Cisco ASAs, so my expectation is that I have a simple task that's being complicated by my lack of experience.

We have an in-house ERP system that contains an employee access portal.  The portal runs on an IIS 7 instance on a dedicated internal Windows server.  I have the portal set up, and can access it internally from a browser via http://ServerName:5058/sites/portalsite.  The site uses Windows Authentication (active directory) for access.

This has served us well, but now a request has come down to make this site accessible to our remote sales force.  They do not wish to use their VPNs to access the site, so I will need to make it accessible from the outside world.  From my reading, my ultimate configuration will utilize a forward-facing web server and a RODC on a DMZ, which, after authentication, pass the requests in to our internal portal server.

Unfortunately, I don't have the funding allocated in this year's budget for the additional server licensing.  I can request it, but before I do so, my manager wants a 'proof of concept'.  They will have the sales team test accessing the site remotely, and if things go well, I will 'redo' the solution the 'correct' way.

So... this leads me to my question.  I understand that this won't be a solution that any security-minded network admin would sign off on, but can someone assist me in setting up rules in my current ASA 5505 to route external requests to an IP to the internal web server's portal site?

I have a dedicated IP address for the site (we have a block of 16 IPs).  I've been reading up on NATing traffic with the ASA, but I'm either doing the rule wrong, or I'm misunderstanding the concept.


Question by: Scott Milner

Assisted Solution

by: David Johnson, CD, MVP
David Johnson, CD, MVP earned 500 total points
ID: 41777498
Add another NIC on the web server. Here the settings are: outside connected to Ethernet0/0, inside connected to Ethernet0/1, and the DMZ connected to Ethernet0/2 (from Cisco examples).

Graphical Examples
ASA Version 9.1(1)
! Physical ports: each switchport is placed in the VLAN that carries one segment
interface Ethernet0/0
 description Connected to Outside Segment
 switchport access vlan 2
interface Ethernet0/1
 description Connected to Inside Segment
 switchport access vlan 1
interface Ethernet0/2
 description Connected to DMZ Segment
 switchport access vlan 3
! Layer-3 interfaces: the security level sets which direction traffic flows by default
interface Vlan2
 nameif outside
 security-level 0
 ip address
interface Vlan1
 nameif inside
 security-level 100
 ip address
interface Vlan3
 nameif dmz
 security-level 50
 ip address
! Network objects (address definitions not shown)
object network inside-subnet
object network dmz-subnet
object network webserver
object network webserver-external-ip
object network dns-server

! Inbound from outside: only TCP/80 to the web server object is permitted
access-list outside_acl extended permit tcp any object webserver eq www
! From the DMZ: DNS is allowed out, the inside network is denied, everything else is allowed
access-list dmz_acl extended permit udp any object dns-server eq domain
access-list dmz_acl extended deny ip any object inside-subnet
access-list dmz_acl extended permit ip any any
! Object NAT: inside and DMZ hosts share the outside interface address when going out;
! the web server is published on its own public IP, limited to TCP/80
object network inside-subnet
 nat (inside,outside) dynamic interface
object network dmz-subnet
 nat (dmz,outside) dynamic interface
object network webserver
 nat (dmz,outside) static webserver-external-ip service tcp www www
access-group outside_acl in interface outside
access-group dmz_acl in interface dmz
route outside 1

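The configuration above narrows the exposure in three places: the static NAT carries a service clause so only TCP/80 is translated, the outside ACL permits one port to one object, and the DMZ ACL denies the inside network before its permit-any. As an added example (not part of this answer or of Cisco's documentation), the Python script below reads object-NAT and ACL lines in that syntax and reports when any of those three properties is missing. The addresses in the sample are constructed placeholders, and the function names parse_asa and audit are my own.

```python
"""Audit an ASA config (8.3+ object NAT syntax) for the publishing pattern in the
answer above. Added example, not from the answer or Cisco; addresses are constructed."""
import re
from collections import defaultdict

# Constructed sample: the posted configuration with placeholder addresses.
SAMPLE_CONFIG = """\
object network inside-subnet
 subnet 10.1.1.0 255.255.255.0
object network dmz-subnet
 subnet 10.1.2.0 255.255.255.0
object network webserver
 host 10.1.2.27
object network webserver-external-ip
 host 203.0.113.10
object network dns-server
 host 203.0.113.53
access-list outside_acl extended permit tcp any object webserver eq www
access-list dmz_acl extended permit udp any object dns-server eq domain
access-list dmz_acl extended deny ip any object inside-subnet
access-list dmz_acl extended permit ip any any
object network inside-subnet
 nat (inside,outside) dynamic interface
object network dmz-subnet
 nat (dmz,outside) dynamic interface
object network webserver
 nat (dmz,outside) static webserver-external-ip service tcp www www
access-group outside_acl in interface outside
access-group dmz_acl in interface dmz
"""

# Constructed counter-example: whole-host NAT, a permit without a port, no deny to inside.
WEAK_CONFIG = (SAMPLE_CONFIG
    .replace(" service tcp www www", "")
    .replace("object webserver eq www", "object webserver")
    .replace("access-list dmz_acl extended deny ip any object inside-subnet\n", ""))


def parse_asa(config):
    """Return (objects, acls, groups): object address/NAT lines, ACEs in order, bindings."""
    objects = defaultdict(lambda: {"addr": None, "nat": []})
    acls, groups, current = defaultdict(list), {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        tokens = raw.split()
        if raw[0] not in " \t":  # a top-level command ends any object block
            current = None
            if tokens[:2] == ["object", "network"]:
                current = tokens[2]
            elif tokens[0] == "access-list":
                acls[tokens[1]].append(tokens[2:])
            elif tokens[0] == "access-group":  # access-group NAME in interface IFACE
                groups[tokens[1]] = (tokens[2], tokens[4])
        elif current is not None:
            if tokens[0] in ("host", "subnet", "range"):
                objects[current]["addr"] = " ".join(tokens[1:])
            elif tokens[0] == "nat":
                objects[current]["nat"].append(tokens)
    return dict(objects), dict(acls), groups


def _addr(tokens, i):
    """Consume one ACE address (any | host X | object X | NET MASK) at tokens[i]."""
    if tokens[i] in ("any", "any4", "any6"):
        return tokens[i], i + 1
    return f"{tokens[i]} {tokens[i + 1]}", i + 2


def audit(config):
    """Return a list of findings; an empty list means all three checks pass."""
    objects, acls, groups = parse_asa(config)
    findings, real_iface = [], {}
    for name, obj in objects.items():
        for nat in obj["nat"]:  # e.g. nat (dmz,outside) static EXT service tcp www www
            m = re.fullmatch(r"\(([\w-]+),([\w-]+)\)", nat[1])
            if not m:
                continue
            real_iface[name] = m.group(1)
            if "static" in nat and m.group(2) == "outside" and "service" not in nat:
                findings.append(f"object {name}: static NAT to outside publishes every "
                                f"port; add 'service tcp <real-port> <mapped-port>'")
    inside_objects = {n for n, i in real_iface.items() if i == "inside"}
    for acl_name, (_direction, iface) in groups.items():
        denied = set()  # objects denied earlier in this ACL (order matters)
        for entry in acls.get(acl_name, []):
            if entry[0] != "extended":
                continue
            action, proto = entry[1], entry[2]
            _src, i = _addr(entry, 3)
            dst, i = _addr(entry, i)
            port, ace = entry[i:], " ".join(entry[1:])
            if action == "deny" and dst.startswith("object "):
                denied.add(dst.split()[1])
            elif action == "permit" and iface == "outside":  # one service to one host
                if dst.startswith("any"):
                    findings.append(f"acl {acl_name}: '{ace}' permits inbound to any host")
                if proto == "ip" or not port:
                    findings.append(f"acl {acl_name}: '{ace}' permits more than one service")
            elif action == "permit" and dst.startswith("any") and inside_objects - denied:
                findings.append(f"acl {acl_name}: '{ace}' lets {iface} reach inside "
                                f"network(s) {', '.join(sorted(inside_objects - denied))}")
    return findings
```

Running audit(SAMPLE_CONFIG) returns no findings, while audit(WEAK_CONFIG) returns one finding for each of the three weakened lines. The checks are deliberately simple (one ACL direction, object-based addresses) and are meant as a starting point for reviewing a config before it is pushed, not as a replacement for reading it.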

Assisted Solution

by: Jan Springer
Jan Springer earned 500 total points
ID: 41777671
Exactly what David said, except consider:

1) You may not be able to re-IP that host, and it (unfortunately) has to sit behind the inside interface.

2) You will want to add the keyword "dns" to the end of the nat statement for that server so that you can reach it via host name instead of IP when behind the firewall.

Accepted Solution

max_the_king earned 1000 total points
ID: 41777780
Hi smilner,
It seems you want to make the portal server accessible from outside: you need to NAT your private IP to a public IP from your public range, as easy as that.
Your problem here is that the authentication goes through Active Directory along with its (internal) DNS, and I'm afraid you won't be able to have your users authenticate from outside unless you already have the necessary front-end infrastructure.
So if you want to have your users access it from outside without buying another server and changing the authentication infrastructure accordingly, you really should use VPN: this way your users will connect through VPN, authenticate on a RADIUS server, and work just as if they were in your LAN building.

Hope this helps.

Author Comment

by: Scott Milner
ID: 41781899
@David Johnson ... thanks for the code, and the idea to add a second nic with the external IP address to the webserver.  I hadn't thought of doing it that way--I thought I'd be NATing traffic bound to the external IP address on a specific port to the internal IP address of the web server.  This would certainly be simpler.

Author Comment

by: Scott Milner
ID: 41781901
@Jan Springer, thanks for the comment, and the dns advice!

Author Comment

by: Scott Milner
ID: 41781904
@max_the_king, thanks for the response.

I understand what you are saying regarding the AD authentication from outside.  I was originally trying to cobble this together, and was thinking that I could route port 636 traffic (SSL AD authentication uses TCP 636) in to the web server to get around this problem.  However, I've talked myself out of this... just too risky from a security standpoint.

Author Comment

by: Scott Milner
ID: 41781910
Thank you all for your responses.

After doing some more research, and considering your input, I'm going to 'dig my heels in' here a bit and not even attempt to do this without the necessary front-end servers and a DMZ.  There just seem to be too many critical systems that could potentially be compromised by trying to 'rig' up a solution to save a few bucks.

I'll split the points between the three of you, with Max getting the 'best' solution for helping bring me to my senses!

