designetwork(EN)

IT technical memo of networking

Publish a home Web server to the Internet with ASA5505

I set up a Cisco ASA5505 to expose my home web server to the Internet.

Prerequisite

  • ASA5505 OS Ver. 9.2(3)
  • The ASA5505 is used as the Internet-connecting router
  • The Internet connection is PPPoE (dynamic IP)
  • Security levels: outside = 0, management (= inside) = 100
  • Traffic between inside and outside is filtered by security level

Security considerations are set aside for now.

Additional Configuration

I add the configuration for publishing a web server to an ASA5505 that is already configured for Internet NAPT.

NAT Setting

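Translate traffic addressed to the outside interface address, which is acquired via PPPoE, to the web server.

| Location | Source Address         | Source Port     | Destination Address | Destination Port |
|----------|------------------------|-----------------|---------------------|------------------|
| Internet | Any (internet address) | Any             | PPPoE Address       | 9980 *1          |
| Home     | Any (no change)        | Any (no change) | Web Server Address  | 80               |

*1 The port is changed from 80 to 9980 for security protection.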

ASA config

object network Web-01                             
 host 192.168.1.60
object service OpenWeb
 service tcp destination eq 9980
object service Web
 service tcp destination eq www

nat (outside,management) source static any any destination static interface Web-01 service OpenWeb Web 

FW Setting

Permit the HTTP traffic. In this case, the permit rule must be written for the port AFTER destination NAT.

access-list Web extended permit tcp any any eq www  
access-group Web in interface outside

Troubleshooting

Simply adding these settings did not produce the expected behavior, so I proceeded by trial and error. As a result, it seems there is a problem with the order of the NAT settings.

In the NAT settings, the static NAT rule has to be placed before the Internet NAPT rule. If it is not, the configuration does not behave as expected.

nat (outside,management) source static any any destination static interface Web-01 service OpenWeb Web
nat (management,outside) source static any interface

The same rules as seen in ASDM:

[Screenshot: NAT rules in ASDM]
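
The two pitfalls above (NAT rule order, and writing the ACL for the post-NAT port) can be checked offline against a saved configuration. The script below is an added example, not part of the original post; its function names and sample configuration are constructed for illustration, and it only understands the rule forms shown in this post.

```python
import re

# Constructed sample: the post's rules, deliberately in the order that failed.
BAD_ORDER = """\
object service OpenWeb
 service tcp destination eq 9980
object service Web
 service tcp destination eq www
nat (management,outside) source static any interface
nat (outside,management) source static any any destination static interface Web-01 service OpenWeb Web
access-list Web extended permit tcp any any eq www
access-group Web in interface outside
"""

PORT_NAMES = {"www": "80", "https": "443"}  # ASA port keywords handled here

def service_ports(config):
    """Map each 'object service' name to its TCP destination port number."""
    ports, current = {}, None
    for line in config.splitlines():
        if m := re.match(r"object service (\S+)", line):
            current = m.group(1)
        elif (m := re.match(r"\s+service tcp destination eq (\S+)", line)) and current:
            ports[current] = PORT_NAMES.get(m.group(1), m.group(1))
        elif not line.startswith(" "):
            current = None
    return ports

def lint(config):
    """Return findings for the two pitfalls in the post: NAT order and ACL port."""
    findings, ports = [], service_ports(config)
    nats = [l.strip() for l in config.splitlines() if l.startswith("nat (")]
    forwards = [i for i, l in enumerate(nats)
                if re.search(r"destination static interface \S+ service \S+ \S+$", l)]
    catch_all = [i for i, l in enumerate(nats)
                 if re.search(r"source (static|dynamic) any interface$", l)]
    # Manual NAT rules are evaluated top-down and the first match wins.
    if forwards and catch_all and min(catch_all) < min(forwards):
        findings.append("nat-order: port-forward rule is below the any-to-interface rule")
    permitted = {PORT_NAMES.get(p, p) for p in re.findall(
        r"^access-list \S+ extended permit tcp .* eq (\S+)", config, re.M)}
    for i in forwards:
        public, real = re.search(r"service (\S+) (\S+)$", nats[i]).groups()
        if ports.get(real) not in permitted:
            findings.append(f"acl: port {ports.get(real)} (real port behind "
                            f"{ports.get(public)}) is not permitted")
    return findings

if __name__ == "__main__":
    print(lint(BAD_ORDER))
```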

Conclusion

I succeeded in publishing a home web server to the Internet with the ASA5505.


This blog is the English version of my Japanese one.

Sorry if my English sentences are incorrect.
