Answer the question
In order to leave comments, you need to log in
How to make the server not visible on the Internet?
In general, the essence is this:
We have Cisco ASA as a firewall, standing on the border between the internal (local) network and the external (Internet), NAT is configured on the cisco and the address 192.168.1.1 is translated into some external ip 10.0.0.1
This external ip is pinged accordingly, and if desired, it is scanned for open ports .. The
question is - how can I hide this IP address using asu (cisco asa) or at least make it so that it is not possible to scan the host for open ports?
Answer the question
In order to leave comments, you need to log in
On the ASA, you need to create 2 zones (for example, trust and untrust) and separate the interface-to-provider-side (in untrust) and the interface-to-server-side (in trust) into them.
On interfaces, set security-level:
!
interface gig0/0
description --to_ISP--
security-level 0
nameif untrust
!
int gig0/1
des --to_server--
security-level 100
nameif trust
!
NAT config:
object network server_local
host 192.168.1.2
object network ISP_peering
host 111.111.111.111
!
object network out_nat
nat (trust,untrust) dynamic ISP_peering #or via static mode
!
So you enable stateful traffic processing and the server will be unavailable from the outside (the traffic flow will have to initiate the server). If there is a need to get the availability of ports (for example http) of the server outside, then just add the ACL:
access-list outside_access extended permit tcp any object server_local eq www
access-group outside_access in interface untrust
Naturally, this is the minimum config and it will not be enough for complete happiness
Works for TCP: in iptables for unwanted connections, instead of writing -j REJECT --reject-with tcp-reset. Thus, it will be almost impossible to distinguish between closed and filtered ports (only by the difference in microseconds, which will not work with jitter of Internet connections).
service iptables panic
Or another similar method.
It will also help a lot: turn off all services, leave only the kernel.
If there are no open ports on the address, then there are no services on it. Is that exactly what you want?
Didn't find what you were looking for?
Ask your questionAsk a Question
731 491 924 answers to any question