Solved

I'm looking for help routing external traffic to an internal web server using an ASA 5505

Posted on 2016-08-30
Last Modified: 2016-09-02
Hello Experts!

I only have rudimentary knowledge of Cisco ASAs, so my expectation is that I have a simple task that's being complicated by my lack of experience.

We have an in-house ERP system that contains an employee access portal.  The portal runs on an IIS 7 instance on a dedicated internal Windows server.  I have the portal set up, and can access it internally from a browser via http://ServerName:5058/sites/portalsite.  The site uses Windows Authentication (active directory) for access.

This has served us well, but now a request has come down to make this site accessible to our remote sales force.  They do not wish to use their VPNs to access the site, so I will need to make it accessible from the outside world.  From my reading, my ultimate configuration will utilize a forward-facing web server and a RODC on a DMZ, which, after authentication, pass the requests in to our internal portal server.

Unfortunately, I don't have the funding allocated in this year's budget for the additional server licensing.  I can request it, but before I do so, my manager wants a 'proof of concept'.  They will have the sales team test accessing the site remotely, and if things go well, I will 'redo' the solution the 'correct' way.

So... this leads me to my question.  I understand that this won't be a solution that any security-minded network admin would sign off on, but can someone assist me in setting up rules in my current ASA 5505 to route external requests to an IP to the internal web server's portal site?

I have a dedicated IP address for the site (we have a block of 16 IPs).  I've been reading up on NATing traffic with the ASA, but I'm either doing the rule wrong, or I'm misunderstanding the concept.

Thanks!

sm
Question by:smilner71
7 Comments

Assisted Solution

by:David Johnson, CD, MVP
David Johnson, CD, MVP earned 125 total points
Add another NIC on the web server. Here the settings are: outside connected to Ethernet0/0, inside connected to Ethernet0/1, and the DMZ connected to Ethernet0/2 (from Cisco examples):

ASA Version 9.1(1)
!
interface Ethernet0/0
 description Connected to Outside Segment
 switchport access vlan 2
!
interface Ethernet0/1
 description Connected to Inside Segment
 switchport access vlan 1
!
interface Ethernet0/2
 description Connected to DMZ Segment
 switchport access vlan 3
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 198.51.100.100 255.255.255.0
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0
!
interface Vlan3
 nameif dmz
 security-level 50
 ip address 192.168.1.1 255.255.255.0
!
object network inside-subnet
 subnet 192.168.0.0 255.255.255.0
object network dmz-subnet
 subnet 192.168.1.0 255.255.255.0
object network webserver
 host 192.168.1.100
object network webserver-external-ip
 host 198.51.100.101
object network dns-server
 host 192.168.0.53
!
access-list outside_acl extended permit tcp any object webserver eq www
access-list dmz_acl extended permit udp any object dns-server eq domain
access-list dmz_acl extended deny ip any object inside-subnet
access-list dmz_acl extended permit ip any any
!
object network inside-subnet
 nat (inside,outside) dynamic interface
object network dmz-subnet
 nat (dmz,outside) dynamic interface
object network webserver
 nat (dmz,outside) static webserver-external-ip service tcp www www
access-group outside_acl in interface outside
access-group dmz_acl in interface dmz
!
route outside 0.0.0.0 0.0.0.0 198.51.100.1 1

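Added here as a defender's check, not code from the thread or from Cisco's example: a Python script that parses the ASA config quoted above and reports which public IP/port pairs reach which internal host/port (a static NAT plus an outside ACL entry that permits it), and whether the DMZ ACL still denies DMZ-to-inside traffic. The config excerpt is constructed from David's answer; the port keyword table is an assumption limited to the names on this page, and the parser also handles numeric ports such as the questioner's 5058 and a one-to-one static NAT without a service clause, as Jan's inside-host variant would use.

```python
# Constructed excerpt of the ASA 9.1 example config quoted in David Johnson's answer above.
ASA_CONFIG = """object network webserver-external-ip
 host 198.51.100.101
object network webserver
 host 192.168.1.100
 nat (dmz,outside) static webserver-external-ip service tcp www www
access-list outside_acl extended permit tcp any object webserver eq www
access-list dmz_acl extended deny ip any object inside-subnet
access-list dmz_acl extended permit ip any any"""

def port(tok):  # ASA accepts numbers or keywords; only the keywords this page uses are mapped
    return int(tok) if tok.isdigit() else {"www": 80, "https": 443, "domain": 53}[tok]

def parse(cfg):
    """Return object addresses, static NAT rules (obj, mapped_if, mapped, service) and ACL tokens."""
    objs, nats, acls, cur = {}, [], [], None
    for t in (line.split() for line in cfg.splitlines() if line.strip()):
        if t[:2] == ["object", "network"]:
            cur = t[2]
        elif t[0] in ("host", "subnet"):
            objs[cur] = t[1]
        elif t[0] == "nat" and "static" in t:  # nat (real_if,mapped_if) static MAPPED [service P REAL MAPPED]
            svc = t[t.index("service") + 1:][:3] if "service" in t else None
            nats.append((cur, t[1].strip("()").split(",")[1], t[3], svc))
        elif t[0] == "access-list":
            acls.append(t)
    return objs, nats, acls

def exposed_services(cfg):
    """(public_ip, public_port, real_ip, real_port) for each outside-facing static NAT an ACL permits."""
    objs, nats, acls = parse(cfg)
    found = []
    for obj, mapped_if, mapped, svc in nats:
        for a in acls:
            names_obj = "object" in a and a[a.index("object") + 1] == obj
            if mapped_if != "outside" or a[3] != "permit" or "eq" not in a or not names_obj:
                continue
            real_p = port(a[a.index("eq") + 1])  # ASA 8.3+ ACLs are evaluated against real ports
            if svc is None or port(svc[1]) == real_p:  # no service clause = all ports translated 1:1
                found.append((objs.get(mapped, mapped), port(svc[2]) if svc else real_p, objs[obj], real_p))
    return found

def dmz_isolated_from_inside(cfg, inside_obj="inside-subnet"):
    """True when dmz_acl denies the inside subnet before its catch-all permit."""
    for a in (x for x in parse(cfg)[2] if x[1] == "dmz_acl"):
        if a[3] == "deny" and a[-2:] == ["object", inside_obj]:
            return True
        if a[3:] == ["permit", "ip", "any", "any"]:
            return False
    return False
```

Run it against a `show running-config` dump to confirm that only the intended port reaches the portal host and that nothing in the DMZ can initiate connections to the inside network.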

Assisted Solution

by:Jan Springer
Jan Springer earned 125 total points
Exactly what David said, except consider:

1) you may not be able to re-IP that host and it (unfortunately) has to sit behind the inside interface

2) you will want to add the keyword "dns" to the end of the nat statement for that server so that you can reach it via host name instead of IP when behind the firewall.

Accepted Solution

by: max_the_king
max_the_king earned 250 total points
Hi smilner,
it seems you want to make the portal server accessible from outside: you need to NAT your private IP to a public IP from your public range, as easy as that.
Your problem here is that the authentication goes through Active Directory along with its (internal) DNS, and I'm afraid you won't be able to have your users authenticate from outside unless you already have the necessary front-end infrastructure.
So if you want to have your users access from outside, without buying another server and changing the authentication infrastructure accordingly, you really should use VPN: this way your users will connect through VPN, authenticate on a RADIUS server, and work just as if they were in your LAN building.

Hope this helps,
max

Author Comment

by:smilner71
@David Johnson ... thanks for the code, and the idea to add a second NIC with the external IP address to the web server. I hadn't thought of doing it that way; I thought I'd be NATing traffic bound to the external IP address on a specific port to the internal IP address of the web server. This would certainly be simpler.

Author Comment

by:smilner71
@Jan Springer, thanks for the comment, and the dns advice!

Author Comment

by:smilner71
@max_the_king, thanks for the response.

I understand what you are saying regarding the AD authentication from outside. I was originally trying to cobble this together, and was thinking that I could route port 636 traffic (SSL AD authentication uses TCP 636) into the web server to get around this problem. However, I've talked myself out of this... just too risky from a security standpoint.

Author Comment

by:smilner71
Thank you all for your responses.

After doing some more research, and considering your input, I'm going to 'dig my heels in' here a bit and not even attempt to do this without the necessary front-end servers and a DMZ. There just seem to be too many critical systems that could potentially be compromised by trying to 'rig' up a solution to save a few bucks.

I'll split the points between the three of you, with Max getting the 'best' solution for helping bring me to my senses!

Scott