Scott Milner
asked on
I'm looking for help routing external traffic to an internal web server using an ASA 5505
Hello Experts!
I only have rudimentary knowledge of Cisco ASAs, so my expectation is that I have a simple task that's being complicated by my lack of experience.
We have an in-house ERP system that contains an employee access portal. The portal runs on an IIS 7 instance on a dedicated internal Windows server. I have the portal set up, and can access it internally from a browser via http://ServerName:5058/sites/portalsite. The site uses Windows Authentication (active directory) for access.
This has served us well, but now a request has come down to make this site accessible to our remote sales force. They do not wish to use their VPNs to access the site, so I will need to make it accessible from the outside world. From my reading, my ultimate configuration will utilize a forward-facing web server and a RODC on a DMZ, which, after authentication, pass the requests in to our internal portal server.
Unfortunately, I don't have the funding allocated in this year's budget for the additional server licensing. I can request it, but before I do so, my manager wants a 'proof of concept'. They will have the sales team test accessing the site remotely, and if things go well, I will 'redo' the solution the 'correct' way.
So... this leads me to my question. I understand that this won't be a solution that any security-minded network admin would sign off on, but can someone assist me in setting up rules in my current ASA 5505 to route external requests to an IP to the internal web server's portal site?
I have a dedicated IP address for the site (we have a block of 16 IPs). I've been reading up on NATing traffic with the ASA, but I'm either doing the rule wrong, or I'm misunderstanding the concept.
Thanks!
sm
ASKER
@Jan Springer, thanks for the comment, and the dns advice!
ASKER
@max_the_king, thanks for the response.
I understand what you are saying regarding the AD authentication from outside. I was originally trying to cobble this together, and was thinking that I could route port 636 traffic (SSL AD authentication uses TCP 636) in to the web server to get around this problem. However, I've talked myself out of this... just too risky from a security standpoint.
ASKER
Thank you all for your responses.
After doing some more research, and considering your input, I'm going to 'dig my heels in' here a bit and not even attempt to do this without the necessary front-end servers and a DMZ. There just seems to be too many critical systems that could be potentially compromised by trying to 'rig' up a solution to save a few bucks.
I'll split the points between the three of you, with Max getting the 'best' solution for helping bring me to my senses!
Scott