Hosting your own website can be as simple as installing Apache2 on an old computer and connecting it to your network, but without proper security measures you're exposing not just your website but your entire home network. Without network segregation and basic protections, a compromised web server becomes a pivot point from which an attacker can reach your laptops, smart TVs, doorbell cameras, and smartphones. This guide walks you through setting up a secure web server using Cisco networking equipment as part of a CCNA lab. A complete setup with a firewall, router, and switch gives you proper isolation; if your only goal is to host a website, an old PC behind the firewall will suffice, as long as the server sits on its own segment rather than on the same network as your personal devices.
Before setting up your web server and securing your network, you'll need the proper Cisco hardware and supporting software to create a reliable and isolated environment. Below are the specific prerequisites:
To host your website, you'll need to set up a web server on your old laptop or PC running Ubuntu Server. This guide will use Apache as the web server software.
sudo apt update && sudo apt upgrade -y
sudo apt install apache2 -y
sudo systemctl enable apache2
sudo systemctl start apache2
sudo ufw allow 'Apache Full'
sudo ufw enable
Confirm the service is running:
systemctl status apache2
Then open the server in a browser:
http://your-server-ip
If everything is set up correctly, you should see the default Apache welcome page. Note that the 'Apache Full' profile opens both port 80 and port 443 in UFW; if you later serve HTTPS only (as the final ASA configuration in this guide does), you can narrow this to the 'Apache Secure' profile.
To let your Cisco ASA firewall handle external traffic, configure your SOHO router for IP passthrough (called Bridge Mode on some devices). The ASA's outside interface then receives the public IP from your ISP instead of a private NAT address, so you are not double-NATed. Log in to the router's admin page (typically at http://192.168.1.1), enable passthrough for the device connected to the ASA's outside port, then configure that ASA interface to obtain its address and default route via DHCP:
interface GigabitEthernet0/0
ip address dhcp setroute
no shutdown
Verify that the interface picked up a public address rather than one from the router's 192.168.1.0/24 range:
show interface ip brief
The Cisco ASA firewall will act as the primary security barrier between your internal network and the internet. In this section, we will configure the basic settings, interfaces, and security levels.
Set up the outside (WAN) and inside (LAN) interfaces:
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address dhcp setroute
no shutdown
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 10.20.1.1 255.255.255.0
no shutdown
Set up the ASA as a DHCP server for devices on the inside network:
dhcpd address 10.20.1.100-10.20.1.200 inside
dhcpd enable inside
Enable dynamic NAT for internal devices to access the internet:
object network inside-net
subnet 10.20.1.0 255.255.255.0
nat (inside,outside) dynamic interface
Set up ACL rules to allow public access to your web server. On ASA 8.3 and later, ACLs reference the server's real internal address, not the translated public one:
access-list OUTSIDE_IN permit tcp any host 10.20.1.10 eq 80
access-list OUTSIDE_IN permit tcp any host 10.20.1.10 eq 443
access-group OUTSIDE_IN in interface outside
Ensure the changes persist after a reboot:
write memory
Once complete, your ASA firewall should be configured to manage both internal network security and external access to your web server.
The router handles inter-VLAN routing and provides the segmentation between the web server VLAN and the internal network. In a router-on-a-stick design, the physical interface facing the switch carries an 802.1Q trunk and each VLAN gets its own subinterface and gateway address. The VLANs themselves, and the access ports that place devices in them, are created on the switch in the next section; a routed interface on the router does not accept switchport commands.
Bring up the physical interface that will carry the trunk to the switch. It needs no IP address of its own, because the subinterfaces carry the addressing:
interface GigabitEthernet0/1
no ip address
no shutdown
Create one subinterface per VLAN, tag it with the matching VLAN ID, and assign the gateway address for that VLAN:
interface GigabitEthernet0/1.10
encapsulation dot1Q 10
ip address 10.20.10.1 255.255.255.0
interface GigabitEthernet0/1.20
encapsulation dot1Q 20
ip address 10.20.20.1 255.255.255.0
Set up DHCP to assign IPs to devices in VLAN 20, reserving the low addresses for infrastructure and handing out a resolver so clients can resolve names:
ip dhcp excluded-address 10.20.20.1 10.20.20.10
ip dhcp pool VLAN20
network 10.20.20.0 255.255.255.0
default-router 10.20.20.1
dns-server 8.8.8.8
After these configurations, your router routes between the VLANs, assigns DHCP addresses, and provides network segmentation. Two consistency notes. First, the ASA sections of this guide use 10.20.1.10 for the web server, directly on the ASA's inside subnet, while this design puts the server in VLAN 10 (10.20.10.0/24) behind the router. If you use the VLAN design, the ASA needs a route to that subnet via the router's inside-facing address (for example route inside 10.20.10.0 255.255.255.0 10.20.1.2, matching the full configuration at the end of this guide), and the NAT object and ACL entries must reference the server's VLAN 10 address instead of 10.20.1.10. Second, segmentation only becomes security once traffic between VLANs is filtered: with plain inter-VLAN routing, a compromised web server can still reach VLAN 20, so apply an inbound ACL on the VLAN 10 subinterface that denies traffic to 10.20.20.0/24.
The switch will handle VLAN segmentation and trunking between the router and connected devices. We will configure VLANs, assign ports, and enable trunking.
Define VLANs to match those configured on the router:
vlan 10
name Web_Server
vlan 20
name Internal_Network
Configure access ports for devices connecting to specific VLANs:
interface GigabitEthernet1/1
switchport mode access
switchport access vlan 10
interface GigabitEthernet1/2
switchport mode access
switchport access vlan 20
Enable trunking to allow VLAN traffic between the switch and router:
interface GigabitEthernet0/1
switchport mode trunk
switchport trunk allowed vlan 10,20
Prevent network loops by enabling Spanning Tree Protocol (STP):
spanning-tree vlan 10,20 priority 4096
Ensure the changes persist after a reboot:
write memory
With these configurations, your switch will properly segment network traffic and facilitate VLAN communication with the router.
To allow internal devices to access the internet and map external requests to your web server, we will configure NAT (Network Address Translation) and PAT (Port Address Translation) on the ASA firewall.
Enable dynamic NAT so that internal devices can access the internet using the ASA's public IP:
object network inside-net
subnet 10.20.1.0 255.255.255.0
nat (inside,outside) dynamic interface
Map the ASA's public (outside interface) IP to your internal web server so it is reachable from the internet. An ASA network object holds exactly one nat statement, and a second nat line under the same object replaces the first, so use one object per forwarded port:
object network web-server-http
host 10.20.1.10
nat (inside,outside) static interface service tcp 80 80
object network web-server-https
host 10.20.1.10
nat (inside,outside) static interface service tcp 443 443
Create an access control list (ACL) to permit incoming web traffic:
access-list OUTSIDE_IN permit tcp any host 10.20.1.10 eq 80
access-list OUTSIDE_IN permit tcp any host 10.20.1.10 eq 443
access-group OUTSIDE_IN in interface outside
Check active NAT translations to confirm proper configuration:
show xlate
Ensure your settings persist after a reboot:
write memory
Once complete, your ASA firewall will translate internal network requests for external access and allow public HTTP/HTTPS traffic to reach your web server securely.
Access Control Lists (ACLs) secure your network by defining which traffic is allowed or denied. The ASA evaluates the entries of an ACL top to bottom and stops at the first match, with an implicit deny at the end of every ACL, so the order in which you enter the lines matters: each access-list command appends to the named list.
Allow only HTTP (port 80) and HTTPS (port 443) traffic from the internet to your web server. If you created OUTSIDE_IN in an earlier section, confirm with show access-list that these entries already exist instead of entering them again:
access-list OUTSIDE_IN permit tcp any host 10.20.1.10 eq 80
access-list OUTSIDE_IN permit tcp any host 10.20.1.10 eq 443
Then, as the last line, add an explicit deny with logging. It blocks nothing the implicit deny would not already block, but it makes refused connections visible in the logs. If you enter it before the permits, it matches first and your web server becomes unreachable:
access-list OUTSIDE_IN deny ip any any log
Allow devices on the internal network to access the internet. Traffic from a higher to a lower security level is already permitted by default, so this ACL only makes the policy explicit; tightening it later (for example, denying outbound traffic from the web server except DNS and package updates) is where egress filtering would go:
access-list INSIDE_OUT permit ip any any
Bind the ACLs to the appropriate interfaces:
access-group OUTSIDE_IN in interface outside
access-group INSIDE_OUT in interface inside
Check the active ACLs, and the order of their entries, to ensure they are correctly applied. The hit counts shown next to each entry tell you whether traffic is matching the line you expect:
show access-list
Ensure the ACLs persist after a reboot:
write memory
With these ACLs in place, your ASA firewall allows only the requests you authorized and logs everything else it drops.
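To make the ordering rule concrete without a lab, here is an added example (not Cisco's code and not part of the original guide): a small first-match evaluator that understands the subset of ASA ACL syntax this guide uses and runs constructed sample packets through the deny-first ordering and the corrected deny-last ordering. The ACL text, the source address 198.51.100.7 and the internal host 10.20.1.50 are assumptions made for the example.

```python
"""Toy first-match evaluator for ASA-style extended ACLs.

Added as an illustration (this is not Cisco's code): it models only the
subset of syntax the guide uses (permit/deny, tcp/udp/ip, 'any' or 'host X',
an optional 'eq PORT', a trailing 'log') so the effect of entry order can be
seen without a lab. The ACL text and sample packets are constructed examples.
"""
from dataclasses import dataclass

# Port keywords the ASA accepts in place of numbers (subset).
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "ssh": 22}


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    dst: str
    dport: int


def parse_acl(text):
    """Turn 'access-list NAME [extended] ACTION PROTO SRC DST [eq PORT] [log]'
    lines into (action, proto, src, dst, port) tuples, preserving order."""
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        i = 2                       # skip 'access-list' and the list name
        if tok[i] == "extended":
            i += 1
        action, proto = tok[i], tok[i + 1]
        i += 2

        def addr(pos):
            # 'any' matches everything; 'host X' matches one address.
            if tok[pos] == "any":
                return "any", pos + 1
            if tok[pos] == "host":
                return tok[pos + 1], pos + 2
            raise ValueError(f"unsupported address form in: {line}")

        src, i = addr(i)
        dst, i = addr(i)
        port = None
        if i < len(tok) and tok[i] == "eq":
            name = tok[i + 1]
            port = int(name) if name.isdigit() else PORT_NAMES[name]
        entries.append((action, proto, src, dst, port))
    return entries


def matches(ace, pkt):
    action, proto, src, dst, port = ace
    if proto != "ip" and proto != pkt.proto:
        return False
    if src != "any" and src != pkt.src:
        return False
    if dst != "any" and dst != pkt.dst:
        return False
    if port is not None and port != pkt.dport:
        return False
    return True


def evaluate(acl, pkt):
    """First matching entry wins; an unmatched packet hits the implicit deny."""
    for ace in acl:
        if matches(ace, pkt):
            return ace[0]
    return "deny"


# The ordering with the deny entered first...
DENY_FIRST = """
access-list OUTSIDE_IN deny ip any any log
access-list OUTSIDE_IN permit tcp any host 10.20.1.10 eq 80
access-list OUTSIDE_IN permit tcp any host 10.20.1.10 eq 443
"""
# ...and the corrected ordering (permits first, logged deny last).
DENY_LAST = """
access-list OUTSIDE_IN permit tcp any host 10.20.1.10 eq 80
access-list OUTSIDE_IN permit tcp any host 10.20.1.10 eq 443
access-list OUTSIDE_IN deny ip any any log
"""

# Constructed sample traffic: two legitimate web requests, an SSH probe at the
# web server, and a probe at a different (assumed) internal host.
SAMPLE_PACKETS = {
    "https_to_web": Packet("tcp", "198.51.100.7", "10.20.1.10", 443),
    "http_to_web": Packet("tcp", "198.51.100.7", "10.20.1.10", 80),
    "ssh_to_web": Packet("tcp", "198.51.100.7", "10.20.1.10", 22),
    "rdp_to_laptop": Packet("tcp", "198.51.100.7", "10.20.1.50", 3389),
}


def verdicts(acl_text):
    """Map each sample packet name to the ACL's verdict for it."""
    acl = parse_acl(acl_text)
    return {name: evaluate(acl, pkt) for name, pkt in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    for label, text in (("deny first", DENY_FIRST), ("deny last", DENY_LAST)):
        print(label, verdicts(text))
```

Running it shows every packet, including legitimate HTTPS, denied under the deny-first ordering, and only the two web requests permitted under the corrected one; the same check can be applied to any ACL you paste in from show running-config.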
Cloudflare provides DNS management, security features, and performance enhancements for your website. This section will guide you through setting up Cloudflare to protect and optimize your self-hosted website.
To get started, sign up for a Cloudflare account and add your domain. Enter your domain name (for example yourdomain.com) and click Continue. Cloudflare will scan for existing DNS records. Ensure you have the following entries:
Example DNS Configuration:
A @ 203.0.113.10 (Your Public IP)
A www 203.0.113.10 (Your Public IP)
Ensure the Proxy Status is enabled (the orange cloud icon) on both records so that traffic is routed through Cloudflare and your public IP is not published in DNS. Cloudflare can only protect traffic that actually passes through it: a non-proxied record, or a historical DNS record from before you moved the domain, reveals the origin address and lets an attacker connect to the ASA directly. To close that gap, restrict the ASA's inbound HTTPS entry to Cloudflare's published IP ranges instead of any.
To secure your website, configure the SSL/TLS encryption mode. Use Full (strict), which requires a certificate on the origin that Cloudflare can validate; the Flexible mode leaves the Cloudflare-to-origin hop in plaintext, so the padlock your visitors see would not reflect what actually happens on the network.
To protect your site from malicious traffic, set up firewall rules:
1. Go to Firewall > Firewall Rules.
2. Create a new rule to allow only specific countries or block certain threats.
3. Example: Block all traffic except your country.
Enable caching to improve load times:
Check that Cloudflare is correctly routing traffic to your server:
nslookup yourdomain.com
dig yourdomain.com +short
Once all settings are configured, open https://yourdomain.com in a browser and verify it loads properly. By setting up Cloudflare, your self-hosted website benefits from enhanced security, DDoS protection, and performance optimization.
After configuring your network and web server, it's crucial to test connectivity, security, and performance to ensure everything is working as expected.
Check if your web server is accessible from a browser by entering:
http://yourdomain.com
If the page doesn't load, check if Apache is running:
systemctl status apache2
Ensure your domain is correctly pointing to your server:
nslookup yourdomain.com
dig yourdomain.com +short
Check that NAT and ACLs are functioning correctly on the ASA firewall:
show xlate
show nat
Verify applied access control lists:
show access-list
Check if your server is reachable from outside your network. With the Cloudflare proxy enabled, the hostname resolves to Cloudflare's edge, so a ping or port scan of the domain tests Cloudflare, not your ASA; to see what the firewall actually exposes, repeat the scan from outside your network against your own public IP (the address from the DNS records above) in place of the domain:
ping yourdomain.com
Ensure only the necessary ports are open:
nmap -Pn yourdomain.com
Check if Cloudflare is active by running:
curl -I https://yourdomain.com
Look for the header server: cloudflare in the response.
Ensure all changes persist after a reboot:
write memory
Monitor system logs for any errors:
tail -f /var/log/syslog
By completing these tests, you can confirm that your web server, firewall, DNS, and security configurations are functioning properly.
Secure Shell (SSH) allows remote administration of your server. Moving SSH from the default port 22 to 2222 cuts down the noise from automated scanners that only try port 22; it is obscurity rather than authentication, so the next section adds the controls that actually stop a determined attacker. This section covers installing, configuring, and securing SSH access.
Ensure OpenSSH is installed on your server:
sudo apt update
sudo apt install openssh-server -y
Enable and start the SSH service:
sudo systemctl enable ssh
sudo systemctl start ssh
Edit the SSH configuration file to change the default SSH port:
sudo nano /etc/ssh/sshd_config
Find the line that says:
#Port 22
Uncomment it and change it to:
Port 2222
Save the file (CTRL+X, then Y, then ENTER). Before restarting, check the file for syntax errors so a typo cannot lock you out:
sudo sshd -t
Then restart SSH to apply the changes, keeping your current session open until you have confirmed that a new connection on port 2222 works:
sudo systemctl restart ssh
On Ubuntu releases that socket-activate sshd (22.10 and later), the listening port is controlled by the ssh.socket unit; if ss still shows port 22 after the restart, run sudo systemctl daemon-reload and restart ssh.socket as well.
If UFW (Uncomplicated Firewall) is enabled, allow connections on port 2222:
sudo ufw allow 2222/tcp
sudo ufw reload
If using an ASA firewall, allow SSH access with an ACL. This opens port 2222 to the whole internet, which is acceptable only as a temporary step; the next section narrows it to your own IP:
access-list OUTSIDE_IN permit tcp any host 10.20.1.10 eq 2222
From another computer, connect using the new SSH port (substitute your username and the server's address):
ssh -p 2222 username@your-server-ip
To prevent direct root access over SSH, edit the SSH configuration file:
sudo nano /etc/ssh/sshd_config
Find the line:
#PermitRootLogin yes
Change it to:
PermitRootLogin no
Save the file and restart SSH:
sudo systemctl restart ssh
Ensure SSH is listening on the new port; the output should show a :2222 listener and no :22 listener:
ss -tln | grep 2222
After completing these steps, your server will be accessible via SSH on port 2222, reducing exposure to automated attacks on port 22.
While changing the SSH port reduces noise, leaving it open and protected only by a username and password is not ideal. Automated bots constantly scan for open SSH ports on every port number and attempt brute-force attacks. To enhance security, we need to monitor access logs, implement Fail2Ban, and restrict SSH access to specific IP addresses. Switching to key-based authentication and disabling password logins entirely removes the brute-force problem at its root and is the first change worth making once your key is in place.
Check SSH authentication logs to see if bots are trying to brute-force access:
sudo journalctl -u ssh --no-pager | grep 'Failed password'
or
sudo tail -f /var/log/auth.log
If you notice multiple failed login attempts from different IP addresses, it indicates brute-force attempts, and additional security measures are needed.
Fail2Ban helps protect against brute-force attacks by banning IPs that fail multiple login attempts.
sudo apt update
sudo apt install fail2ban -y
After installation, create a local Fail2Ban configuration file:
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
Edit the configuration file to enable SSH protection:
sudo nano /etc/fail2ban/jail.local
Find the section for SSH and modify it as follows:
[sshd]
enabled = true
port = 2222
maxretry = 5
bantime = 1h
findtime = 10m
This configuration enables the sshd jail, tells the ban action to block port 2222 rather than the default 22 (otherwise a banned host would be blocked on a port nothing listens on and could keep trying 2222), and bans a source for one hour after 5 failed attempts within a 10-minute window.
Save the file (CTRL+X, then Y, then ENTER) and restart Fail2Ban:
sudo systemctl restart fail2ban
sudo systemctl enable fail2ban
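To show what the log check above is looking for and what the jail settings (maxretry, findtime, bantime) actually do, here is an added example that is not Fail2Ban's code and not part of the original guide: a sliding-window detector that parses constructed sshd log lines of the same shape as auth.log, counts failures per source IP, and reports which sources would be banned under the jail's 5-in-10-minutes policy. The hostname web, the source addresses and the year are assumptions made for the sample.

```python
"""Sliding-window SSH brute-force detector over syslog-style sshd lines.

Added as an illustration of the policy the Fail2Ban jail above expresses
(maxretry failures within findtime -> ban for bantime). It is not Fail2Ban's
code, and the log lines below are constructed for the example.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches the 'Failed password' lines sshd writes to auth.log / the journal.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2"
)


def parse_failed(line, year=2025):
    """Return (timestamp, ip, user) for a failed-login line, else None.
    Syslog timestamps carry no year, so the caller supplies one."""
    m = FAILED_RE.match(line)
    if not m:
        return None
    stamp = " ".join(m["ts"].split())          # collapse 'Feb  5' padding
    ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
    return ts, m["ip"], m["user"]


def find_bans(lines, maxretry=5, findtime=timedelta(minutes=10),
              bantime=timedelta(hours=1), year=2025):
    """Return {ip: ban_start} for every source that reached maxretry failures
    inside a findtime window, honouring bantime so a banned source does not
    accumulate further failures while it is blocked."""
    recent = defaultdict(deque)     # ip -> failure timestamps inside the window
    bans = {}
    for line in lines:
        parsed = parse_failed(line, year)
        if parsed is None:
            continue                # successful logins, other daemons, noise
        ts, ip, _user = parsed
        if ip in bans and ts < bans[ip] + bantime:
            continue                # the firewall would have dropped this
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > findtime:
            q.popleft()             # expire failures older than findtime
        if len(q) >= maxretry:
            bans[ip] = ts
            q.clear()
    return bans


# Constructed sample: one source hammering the server, one slow and
# sporadic source, and a legitimate key-based login mixed in.
SAMPLE_LOG = """\
Feb  5 09:50:00 web sshd[2001]: Failed password for invalid user admin from 198.51.100.9 port 50122 ssh2
Feb  5 10:00:01 web sshd[2010]: Failed password for root from 203.0.113.5 port 41000 ssh2
Feb  5 10:00:07 web sshd[2011]: Failed password for root from 203.0.113.5 port 41001 ssh2
Feb  5 10:00:15 web sshd[2012]: Failed password for invalid user ubuntu from 203.0.113.5 port 41002 ssh2
Feb  5 10:00:20 web sshd[2013]: Accepted publickey for alice from 192.0.2.44 port 53000 ssh2: ED25519 SHA256:constructed
Feb  5 10:00:22 web sshd[2014]: Failed password for invalid user test from 203.0.113.5 port 41003 ssh2
Feb  5 10:00:30 web sshd[2015]: Failed password for root from 203.0.113.5 port 41004 ssh2
Feb  5 10:00:40 web sshd[2016]: Failed password for root from 203.0.113.5 port 41005 ssh2
Feb  5 10:01:00 web sshd[2017]: Failed password for invalid user admin from 198.51.100.9 port 50123 ssh2
Feb  5 10:12:00 web sshd[2018]: Failed password for invalid user admin from 198.51.100.9 port 50124 ssh2
Feb  5 10:23:00 web sshd[2019]: Failed password for invalid user admin from 198.51.100.9 port 50125 ssh2
Feb  5 10:34:00 web sshd[2020]: Failed password for invalid user admin from 198.51.100.9 port 50126 ssh2
"""


def bans_for_sample():
    """Run the detector over the constructed log with the jail's settings."""
    return find_bans(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for ip, start in bans_for_sample().items():
        print(f"ban {ip} from {start:%H:%M:%S}")
```

The fast source reaches five failures at 10:00:30 and is banned; the slow source never has five failures inside any ten-minute window and stays unbanned, which is exactly the trade-off findtime controls: a patient attacker spacing attempts more than findtime apart is not caught by this jail, which is why restricting the source IPs (next) matters more than the ban timing.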
For even tighter security, limit SSH access to trusted IPs using UFW (Uncomplicated Firewall). Remove the broad rule added earlier first, otherwise it still matches and the restriction has no effect:
sudo ufw delete allow 2222/tcp
sudo ufw allow from YOUR_IP to any port 2222 proto tcp
Replace YOUR_IP with your trusted IP address.
If using an ASA firewall, restrict SSH access with an ACL. Because the first matching entry wins, delete the earlier any entry as well, otherwise it continues to admit everyone:
no access-list OUTSIDE_IN permit tcp any host 10.20.1.10 eq 2222
access-list OUTSIDE_IN permit tcp host YOUR_IP host 10.20.1.10 eq 2222
After applying the restrictions, test SSH access from an allowed IP:
ssh -p 2222 username@your-server-ip
Then, test SSH from an unauthorized IP to ensure access is denied.
Both services read their configuration files at startup, so the changes survive a reboot as long as the services are enabled; restart them now to apply the new settings:
sudo systemctl restart ssh
sudo systemctl restart fail2ban
Monitor logs to confirm Fail2Ban is blocking unwanted access:
sudo fail2ban-client status sshd
By implementing these additional security measures, you significantly reduce the risk of brute-force attacks and unauthorized SSH access.
Throughout this guide, we've set up and secured a self-hosted web server using Cisco networking gear. We covered:
For someone with a **CCNA-level** understanding of networking and basic Linux administration, completing this setup should take approximately:
If you followed each section manually, you should now have a fully functional and secured self-hosted web server. However, if you want to skip the manual configurations and just copy-paste the settings, I've included the **running configurations for the ASA firewall, router, and switch** below.
With this setup, you now have complete control over your web hosting environment while maintaining a defensible, segmented network. If you'd like to expand further, consider adding:
Thanks for following along! If you have any questions or run into issues, feel free to reach out.
If you prefer to skip the manual setup, you can copy and paste the following running configuration directly into your ASA. Note that it places the web server at 10.20.10.2 in VLAN 10 (not 10.20.1.10 as in the walkthrough), exposes only HTTPS and SSH on 2222 from the outside, and limits the SSH entry to the hosts in SSH-ALLOWED-HOSTS, so replace those two addresses with your own trusted IPs. Also note that the ASA's GigabitEthernet0/1.10 subinterface below and the router's GigabitEthernet0/1.10 in the R1 configuration both claim 10.20.10.1; keep only one of them as the VLAN 10 gateway.
!ASA running config working (443 & 2222)
! Set hostname
hostname ASA
! Secure authentication. The ASA hashes these values itself; the "encrypted"
! keyword is only for pasting an already-hashed string, and "enable secret" is
! an IOS command the ASA does not accept.
enable password YOUR_SECURE_PASSWORD
username admin password YOUR_SECURE_PASSWORD privilege 15
passwd YOUR_SECURE_PASSWORD
names
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address dhcp setroute
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 10.20.1.1 255.255.255.0
!
interface GigabitEthernet0/1.10
vlan 10
nameif VLAN10
security-level 100
ip address 10.20.10.1 255.255.255.0
!
interface Management0/0
nameif management
security-level 50
ip address 10.20.0.200 255.255.255.0
!
object network INSIDE-NET
subnet 10.20.1.0 255.255.255.0
object network WEBSERVER
host 10.20.10.2
object network WEBSERVER-SSH
host 10.20.10.2
object-group network SSH-ALLOWED-HOSTS
network-object host 24.141.144.67
network-object host 107.190.4.196
! HTTPS is open to the internet; SSH on 2222 only from the trusted hosts above
access-list OUTSIDE-IN extended permit tcp any host 10.20.10.2 eq https
access-list OUTSIDE-IN extended permit tcp object-group SSH-ALLOWED-HOSTS host 10.20.10.2 eq 2222
!
object network INSIDE-NET
nat (inside,outside) dynamic interface
object network WEBSERVER
nat (inside,outside) static interface service tcp https https
object network WEBSERVER-SSH
nat (inside,outside) static interface service tcp 2222 2222
access-group OUTSIDE-IN in interface outside
!
ssh 10.20.0.0 255.255.255.0 management
ssh timeout 30
ssh version 2
write memory
!R1 running config
Current configuration : 1678 bytes
!
! Last configuration change at 04:27:02 UTC Wed Feb 5 2025
!
version 15.7
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
! card type command needed for slot/vwic-slot 0/0
!
no aaa new-model
!
ip dhcp excluded-address 10.20.2.1 10.20.2.10
!
ip dhcp pool VLAN10-WEB
network 10.20.10.0 255.255.255.0
default-router 10.20.10.1
dns-server 8.8.8.8
domain-name weitzman.info
!
ip dhcp pool VLAN2-DHCP
network 10.20.2.0 255.255.255.0
dns-server 8.8.8.8
default-router 10.20.2.10
lease 7
!
ip name-server 8.8.8.8
ip name-server 1.1.1.1
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
license udi pid CISCO2911/K9 sn FGL152012VH
!
object-group network OBJ-VLAN10
!
redundancy
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
ip address 10.20.1.2 255.255.255.0
duplex auto
speed auto
!
interface GigabitEthernet0/1
ip address 10.20.2.10 255.255.255.0
duplex auto
speed auto
!
interface GigabitEthernet0/1.10
encapsulation dot1Q 10
ip address 10.20.10.1 255.255.255.0
!
interface GigabitEthernet0/2
no ip address
shutdown
duplex auto
speed auto
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 10.20.1.1
!
control-plane
!
vstack
!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
login
transport input none
!
scheduler allocate 20000 1000
!
end
!SW1 running config
! Version and System Settings
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname SW1
boot-start-marker
boot-end-marker
! VLAN and Spanning Tree Configuration
spanning-tree mode pvst
spanning-tree extend system-id
vlan internal allocation policy ascending
! VLAN Configuration
vlan 10
name Web_Server
! Interface Configurations
interface GigabitEthernet0/1
switchport trunk allowed vlan 1,10
switchport mode trunk
interface GigabitEthernet0/2
switchport mode trunk
shutdown
interface GigabitEthernet0/10
switchport access vlan 10
switchport mode access
interface Vlan1
ip address 10.20.1.100 255.255.255.0
interface Vlan10
no ip address
! Default Gateway
ip default-gateway 10.20.1.1
! Enable HTTP/HTTPS (Can be disabled for security)
ip http server
ip http secure-server
! SSH Configuration (Will Require a New RSA Key)
ip ssh version 2
! Console and Remote Access Settings
line con 0
exec-timeout 30 0
line vty 0 4
login local
transport input ssh
line vty 5 15
login
! Save Configuration
write memory
I'm always open to networking and discussing opportunities in IT and cyber security. Feel free to reach out via [LinkedIn], [GitHub], or email. Let's build something great together!