I configured a Cisco ASA5505 to expose a home web server to the Internet.
Prerequisites
- ASA5505 OS Ver.9.2(3)
- The ASA5505 is used as the Internet connection router
- The Internet connection uses PPPoE (dynamic IP)
- Security levels: outside: 0, management (= inside): 100
- Traffic between inside and outside is filtered by security level
Security considerations are set aside for now.
Additional Configuration
I add the configuration for publishing a web server to an ASA5505 that is already configured for Internet NAPT.
NAT Setting
Translate traffic addressed to the outside interface address, which is acquired via PPPoE.
Location | Source Address | Source Port | Destination Address | Destination Port |
---|---|---|---|---|
Internet | Any(internet address) | Any | PPPoE Address | 9980 *1 |
Home | Any(no change) | Any(no change) | Web Server Address | 80 |
*1 The public port is changed from 80 to 9980 as a security measure.
ASA config
```
object network Web-01
 host 192.168.1.60
object service OpenWeb
 service tcp destination eq 9980
object service Web
 service tcp destination eq www
nat (outside,management) source static any any destination static interface Web-01 service OpenWeb Web
```
FW Setting
Permit HTTP traffic. Note that the permit rule must match the port as it is AFTER destination NAT (www, not 9980).
```
access-list Web extended permit tcp any any eq www
access-group Web in interface outside
```
Troubleshooting
Simply adding these settings did not produce the expected behavior, and it took some trial and error. As a result, it appears to be a problem with the order of the NAT rules.
The static NAT rule has to be placed before the Internet NAPT rule. If it is not, the expected behavior does not occur.
```
nat (outside,management) source static any any destination static interface Web-01 service OpenWeb Web
nat (management,outside) source static any interface
```
(ASDM screenshot of the NAT rule order)
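One way to check and correct the rule order from the CLI, and to narrow the ACL to the web server only. This is an added example, not part of the original configuration. `<PPPoE-address>` is a placeholder for the current outside address, and 198.51.100.10 with port 12345 is a constructed test client.

```text
! --- privileged EXEC: list NAT rules in evaluation order ---
! Manual NAT rules (Section 1) are evaluated top-down, first match wins,
! so the port-forward rule must be listed above the NAPT rule.
show nat detail

configure terminal
! --- global configuration: re-enter the port-forward rule at line 1 ---
no nat (outside,management) source static any any destination static interface Web-01 service OpenWeb Web
nat (outside,management) 1 source static any any destination static interface Web-01 service OpenWeb Web

! --- restrict the permit to the web server object instead of "any" ---
! The ACL is checked against the real (post-NAT) address and port, so it
! references Web-01 and www. Add the narrow entry first, then remove the
! broad one, so the ACL bound to the outside interface is never empty.
access-list Web extended permit tcp any object Web-01 eq www
no access-list Web extended permit tcp any any eq www
end

! --- privileged EXEC: simulate an inbound connection to the public port ---
! The UN-NAT phase should show the port-forward rule untranslating
! <PPPoE-address>/9980 to 192.168.1.60/80, and the final result should
! be "allow". A drop in the ACCESS-LIST phase points at the ACL instead.
packet-tracer input outside tcp 198.51.100.10 12345 <PPPoE-address> 9980 detailed

! The hit counters on rule 1 should increase after a real client connects.
show nat detail
```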
Conclusion
I succeeded in publishing a home web server to the Internet with the ASA5505.