ASA Firewall and Web Server Help!!!

Hello! Many thanks for the help, and really sorry for my English. OK, this is my problem:

In my corporation we have an ASA 5520, and currently it is redirecting all the www traffic to an IP located in my DMZ, but I need that traffic to be sent to a host in my internal network. I have read a lot and tried many configurations, but nothing works for me. This is an example of my config:

######################
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 200.23.158.12 255.255.255.240
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.10.0.1 255.255.255.0
!
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 172.16.172.1 255.255.255.0
!
########## This is the ACL I used #################
...
access-list outside_access_in extended permit tcp any host 10.10.13.83 eq www
...
################### 10.10.13.83 is the host where Apache is installed; I need this as the web server ##############
...
static (inside,outside) tcp 200.23.158.12 www 10.10.13.83 www netmask 255.255.255.255
...
##### Here is where I assign the ACL to the outside interface ##########
access-group outside_access_in in interface outside

Well, this is my config in the ASA. I tried a lot more configs, but it doesn't work. I changed the port of the ACLs, Apache and NAT to 10800, for example, and that doesn't work either. I need more than one web server in my domain; can anyone explain to me how, please?

Many many thanks for your help.

david_monterde

Did you also remove the static entry and ACL for when the webserver was in your DMZ?

Can you post more of your config to see if anything is overlapping?

Artie Lange

I believe you have to use the NAT'd IP in the ACL, as the ACL is processed first, e.g.

access-list outside_access_in extended permit tcp any host 200.23.158.12 eq www

Another possible issue is your apparent use of the interface IP - we have found that using the IP rather than the interface in the static command can prevent it from working, though I'm not sure if this was an OS bug. The syntax for that would be something like:

static (inside,outside) tcp interface www 10.10.13.83 www netmask 255.255.255.255

See the following for an example (which uses RDP, but the concept is similar):

I generally find using the ASDM logging feature very useful for problems like this. And to echo the previous poster, posting a fuller config (minus logins, etc as appropriate) here may help if the above tips don't.

As a general point - you can only forward tcp/80 on the outside IP to one internal device, so any additional web servers would have to run on non-standard ports, or you have to get more public IPs to use.

Regards,

Al

Al
