Host Your Own Website

HOST YOUR OWN WEBSITE - SECURELY

Hosting your own website can be as simple as installing Apache2 on an old computer and connecting it to your network, but without proper security measures you are exposing not just your website but your entire home network. Without network segregation and basic protections, a compromised web server becomes a foothold from which an attacker can reach your laptops, smart TVs, doorbell cameras and smartphones. This guide walks you through setting up a secure web server using Cisco networking equipment as part of a CCNA lab. A complete setup with a firewall, router and switch gives proper isolation; if your only goal is to host a website, a simple setup with an old PC and a firewall will suffice, provided the web server sits on its own network segment and the firewall forwards only the web ports to it.

Prerequisites

Before setting up your web server and securing your network, you'll need the proper Cisco hardware and supporting software to create a reliable and isolated environment. Below are the specific prerequisites:

  • Cisco ASA 5520 firewall (or similar model)
  • Cisco 2911 router (for VLANs and routing)
  • Cisco 2960X or 2960G managed switch (for network segmentation)
  • A SOHO router with IP passthrough or bridge mode enabled
  • An old laptop or PC running Ubuntu Server for hosting the website
  • A registered domain name, preferably managed through Cloudflare for DNS and security
  • Basic knowledge of networking, VLANs, ACLs, and Linux administration

Setting Up the Web Server

To host your website, you'll need to set up a web server on your old laptop or PC running Ubuntu Server. This guide will use Apache as the web server software.

  • Update the system so that all packages are current:

    sudo apt update && sudo apt upgrade -y
  • Install Apache:

    sudo apt install apache2 -y
  • Enable and start the Apache service:

    sudo systemctl enable apache2
    sudo systemctl start apache2
  • Adjust the host firewall to allow web traffic. If you administer the machine over SSH, allow the SSH port before running ufw enable, or the new rule set will cut your own session off:

    sudo ufw allow 'Apache Full'
    sudo ufw enable
  • Verify that Apache is running:

    systemctl status apache2
  • Test the server by opening a web browser and navigating to:

    http://your-server-ip

If everything is set up correctly, you should see the default Apache welcome page. Replace that page before the server is exposed: together with the version string in the Server header it tells a scanner exactly which distribution and Apache build you are running.
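A stock Apache install advertises its version in the Server header and on error pages, answers HTTP TRACE, and will list directory contents wherever Options Indexes is set. The script below is an added example (not code from the original page): it audits a config text for those four settings and rewrites it to the hardened values. The directive names and built-in defaults are Apache's own; the sample config is constructed with weak values and only resembles a stock conf-available/security.conf. In practice you would feed it the contents of that file and your virtual host files.

```python
"""Audit and harden Apache's information-disclosure settings before exposing
the server. Added example, not code from the original page. Directive names
and defaults are Apache's; WEAK_CONF is a constructed sample with weak values."""
import re

# directive -> (required value, Apache's built-in default, why it matters)
POLICY = {
    "ServerTokens": ("Prod", "Full", "stops the Server header advertising version and modules"),
    "ServerSignature": ("Off", "Off", "removes the version footer from error pages"),
    "TraceEnable": ("Off", "On", "disables HTTP TRACE, used for cross-site tracing"),
}

WEAK_CONF = """\
# constructed sample: weak global settings plus a typical directory block
ServerTokens OS
ServerSignature On
TraceEnable On
<Directory /var/www/>
    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>
"""


def _directives(text):
    """Yield (name, value) for every directive line, ignoring comments and tags."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#<":
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            yield parts[0], parts[1].strip()


def audit_apache_config(text):
    """Return a list of findings; an empty list means the policy is met."""
    findings = []
    seen = {}
    for name, value in _directives(text):
        seen[name] = value  # last occurrence wins, as Apache applies it
        if name == "Options" and re.search(r"(?<!-)\bIndexes\b", value):
            findings.append("Options enables directory listing (Indexes)")
    for name, (want, default, why) in POLICY.items():
        got = seen.get(name, default)  # an unset directive keeps Apache's default
        if got.lower() != want.lower():
            source = "explicitly set" if name in seen else "left at default"
            findings.append(f"{name} {got} ({source}); set {name} {want}: {why}")
    return findings


def harden_apache_config(text):
    """Rewrite the config so that audit_apache_config() returns no findings."""
    out, present = [], set()
    for line in text.splitlines():
        stripped = line.strip()
        indent = line[:len(line) - len(line.lstrip())]
        parts = stripped.split(None, 1)
        name = parts[0] if parts and stripped[0] not in "#<" else None
        if name in POLICY:
            out.append(f"{indent}{name} {POLICY[name][0]}")
            present.add(name)
        elif name == "Options" and len(parts) == 2:
            # Drop Indexes (and +Indexes). Apache refuses to mix +/- options with
            # plain ones, so the token is removed rather than appending -Indexes.
            keep = [o for o in parts[1].split() if o.lstrip("+") != "Indexes"]
            out.append(f"{indent}Options {' '.join(keep) or 'None'}")
        else:
            out.append(line)
    for name, (want, _default, _why) in POLICY.items():
        if name not in present:
            out.append(f"{name} {want}")  # never rely on the default
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for finding in audit_apache_config(WEAK_CONF):
        print("FAIL:", finding)
    print(harden_apache_config(WEAK_CONF))
```

Note that an empty config is not clean: ServerTokens and TraceEnable default to Full and On, so the audit reports them even when nothing sets them, which is why the hardening pass writes every directive explicitly.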

Configuring the SOHO Router for IP Passthrough

To allow your Cisco ASA firewall to handle external network traffic, you need to configure your SOHO router to use IP passthrough (also called Bridge Mode on some devices). This setup ensures that your firewall receives a public IP from your ISP instead of a private NAT address.

Steps to Enable IP Passthrough:

  • Log in to your SOHO router's web interface, typically http://192.168.1.1.
  • Locate the IP Passthrough or Bridge Mode option under the WAN or LAN settings.
  • Select the LAN port your firewall is connected to, or choose Manual/Fixed MAC Address and enter the MAC address of the Cisco ASA's outside interface (GigabitEthernet0/0). With the port method, whatever is plugged into that port receives the public address; with the fixed MAC method only the ASA does.
  • Set the passthrough mode to DHCPS-fixed (or the equivalent on your device).
  • Save the settings and reboot.
  • Configure the ASA's outside interface to obtain its address and default route from the SOHO router via DHCP:

    interface GigabitEthernet0/0
     ip address dhcp setroute
     no shutdown

  • Confirm that the interface received the ISP's public address rather than a private 192.168.x.x one, which would mean passthrough is not active:

    show interface ip brief

Setting Up the ASA Firewall

The Cisco ASA firewall will act as the primary security barrier.

Step 1: Configure the Interfaces

interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address dhcp setroute
 no shutdown

interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.20.1.1 255.255.255.0
 no shutdown

Step 2: Enable DHCP for Internal Network

dhcpd address 10.20.1.100-10.20.1.200 inside
dhcpd enable inside

Step 3: Configure NAT/PAT

object network inside-net
 subnet 10.20.1.0 255.255.255.0
 nat (inside,outside) dynamic interface

Step 4: Allow HTTP/HTTPS Traffic to the Web Server

On ASA 8.3 and later, access lists match the real (untranslated) address, so the entries reference 10.20.1.10 and not the outside address. They only admit traffic once the static port translations from Setting Up NAT/PAT for External Access are in place.

access-list OUTSIDE_IN permit tcp any host 10.20.1.10 eq 80
access-list OUTSIDE_IN permit tcp any host 10.20.1.10 eq 443
access-group OUTSIDE_IN in interface outside

Step 5: Save the Configuration

write memory

Configuring the Router and VLANs

The 2911's onboard GigabitEthernet ports are routed ports and do not accept switchport commands, so the VLANs and the access ports for the web server and the internal network are created on the 2960 (see Configuring the Switch). The router's job is router-on-a-stick: the trunk from the switch terminates on one physical interface, and a dot1Q subinterface per VLAN routes between them.

Step 1: Bring Up the Trunk-Facing Interface

Issue no shutdown on GigabitEthernet0/1 before creating subinterfaces; they inherit the physical interface's state. The switch end of this link is the trunk port configured in the switch section.

Step 2: Configure Inter-VLAN Routing

interface GigabitEthernet0/1.10
 encapsulation dot1Q 10
 ip address 10.20.10.1 255.255.255.0

interface GigabitEthernet0/1.20
 encapsulation dot1Q 20
 ip address 10.20.20.1 255.255.255.0

With both subinterfaces up, R1 routes freely between VLAN 10 and VLAN 20, which undoes the isolation this setup exists to provide. Apply an extended access list inbound on GigabitEthernet0/1.10 that denies 10.20.10.0/24 to 10.20.20.0/24 (with a permit for established TCP traffic ahead of the deny so that replies to sessions opened by internal clients still pass), so that a compromised web server cannot initiate connections into the internal network.

Step 3: Enable DHCP for Internal Network

ip dhcp pool VLAN20
 network 10.20.20.0 255.255.255.0
 default-router 10.20.20.1

Configuring the Switch

Step 1: Create VLANs on the Switch

vlan 10
 name Web_Server
vlan 20
 name Internal_Network

Step 2: Assign Ports to VLANs

interface GigabitEthernet1/1
 switchport mode access
 switchport access vlan 10

interface GigabitEthernet1/2
 switchport mode access
 switchport access vlan 20

Step 3: Configure Trunking Between Switch and Router

interface GigabitEthernet0/1
 switchport mode trunk
 switchport trunk allowed vlan 10,20

Step 4: Set the Spanning Tree Priority (Optional)

Spanning tree already runs by default on a 2960. This command lowers the switch's bridge priority for VLANs 10 and 20 so that it is elected root bridge deliberately, rather than whichever switch happens to have the lowest MAC address:

spanning-tree vlan 10,20 priority 4096

Step 5: Save the Configuration

write memory

Setting Up NAT/PAT for External Access

Step 1: Configure Dynamic NAT for Internal Network

object network inside-net
 subnet 10.20.1.0 255.255.255.0
 nat (inside,outside) dynamic interface

Step 2: Configure Static NAT for Web Server

A network object can carry only one nat statement; a second one under the same object replaces the first. Use one object per forwarded port (the running configuration later on does the same with WEBSERVER and WEBSERVER-SSH):

object network web-server-http
 host 10.20.1.10
 nat (inside,outside) static interface service tcp 80 80

object network web-server-https
 host 10.20.1.10
 nat (inside,outside) static interface service tcp 443 443

Step 3: Allow HTTP/HTTPS Traffic from the Internet

access-list OUTSIDE_IN permit tcp any host 10.20.1.10 eq 80
access-list OUTSIDE_IN permit tcp any host 10.20.1.10 eq 443
access-group OUTSIDE_IN in interface outside

Step 4: Verify NAT Translations

show xlate

Step 5: Save the Configuration

write memory

Implementing Access Control Lists (ACLs)

Step 1: Permit Web Traffic to the Web Server

access-list OUTSIDE_IN permit tcp any host 10.20.1.10 eq 80
access-list OUTSIDE_IN permit tcp any host 10.20.1.10 eq 443

Step 2: Deny and Log Everything Else from the Internet

access-list OUTSIDE_IN deny ip any any log

Order matters: the ASA evaluates an access list top-down and stops at the first match, so a deny ip any any placed ahead of the permits would block the web traffic too. Unmatched traffic is already dropped by the implicit deny at the end of every access list; the explicit entry exists so that the drops are logged.

Step 3: Permit Internal Network Traffic to the Internet

access-list INSIDE_OUT permit ip any any

This reproduces what the ASA already allows from a security-level 100 interface to a security-level 0 one; having an explicit list bound to inside gives you a place to tighten outbound traffic later.

Step 4: Apply the ACLs to the Interfaces

access-group OUTSIDE_IN in interface outside
access-group INSIDE_OUT in interface inside

Step 5: Verify ACLs

show access-list

Configuring Cloudflare

  1. Add Domain: Sign up for Cloudflare and add your domain.
  2. DNS Records: Point A records to your public IP and enable Proxy (Orange Cloud), so that public DNS answers with a Cloudflare address instead of your ISP-assigned one.
  3. SSL/TLS: Set encryption to Full (Strict). This mode requires a certificate on the origin that Cloudflare trusts, so Apache must serve HTTPS with a valid certificate (a Cloudflare Origin CA certificate satisfies this).
  4. Firewall: Use Firewall Rules to block unwanted traffic.
  5. Caching: Enable Standard caching.

Cloudflare's filtering only applies to traffic that passes through Cloudflare. Anyone who learns your public IP can connect to the origin directly and bypass the proxy and its rules, so restrict the ASA's OUTSIDE_IN permits for ports 80 and 443 to Cloudflare's published IP ranges (https://www.cloudflare.com/ips/) rather than any.

Verify that the domain now resolves to a Cloudflare address rather than your own:

nslookup yourdomain.com
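The ordering point in the ACL section and the origin-only-from-the-proxy point above both come down to how the ASA walks an access list: top-down, first match wins, implicit deny at the end. The script below is an added example (not code from the original page) that parses the subset of ASA access-list syntax used on this page (permit/deny, protocol ip or tcp, any / host A.B.C.D / A.B.C.D MASK, optional eq PORT, trailing log) and evaluates packets with those semantics. It replays the page's deny-first list against the corrected order, a list that only admits 443 from a proxy range, and an inbound list for the ASA's VLAN10 interface from the running configuration that keeps the web server VLAN out of the internal VLAN. 203.0.113.0/24 is an RFC 5737 documentation range standing in for a proxy's published range; it is not a real Cloudflare range.

```python
"""First-match evaluation of ASA-style access lists. Added example, not code
from the original page. Handles permit/deny, proto ip|tcp, any / host A.B.C.D /
A.B.C.D MASK, optional eq PORT and a trailing log keyword."""
import ipaddress
from collections import namedtuple

Ace = namedtuple("Ace", "action proto src dst dport")
ANY = ipaddress.ip_network("0.0.0.0/0")
NAMED_PORTS = {"www": 80, "http": 80, "https": 443, "ssh": 22}


def _address(tokens):
    """Consume one address spec from the token list; return (network, rest)."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]  # net + mask


def parse_acl(text):
    """Parse 'access-list NAME [extended] permit|deny PROTO SRC DST [eq PORT] [log]'."""
    acls = {}
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] != "access-list":
            continue
        name, rest = tokens[1], tokens[2:]
        if rest[0] == "extended":
            rest = rest[1:]
        action, proto, rest = rest[0], rest[1], rest[2:]
        src, rest = _address(rest)
        dst, rest = _address(rest)
        dport = None
        if rest[:1] == ["eq"]:
            dport = NAMED_PORTS.get(rest[1]) or int(rest[1])
        acls.setdefault(name, []).append(Ace(action, proto, src, dst, dport))
    return acls


def evaluate(acl, proto, src, dst, dport=None):
    """Return 'permit' or 'deny' for one packet against an ordered list of ACEs."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in acl:  # top-down, first matching entry decides
        if ace.proto not in ("ip", proto):
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action
    return "deny"  # implicit deny at the end of every ASA access list


def decide(text, name, proto, src, dst, dport=None):
    """Parse the list called NAME in TEXT and evaluate a single packet."""
    return evaluate(parse_acl(text)[name], proto, src, dst, dport)


# The page's ACL section as written: the logging deny comes first.
DENY_FIRST = """\
access-list OUTSIDE_IN deny ip any any log
access-list OUTSIDE_IN permit tcp any host 10.20.1.10 eq 80
access-list OUTSIDE_IN permit tcp any host 10.20.1.10 eq 443
"""

# Same entries with the permits ahead of the logging deny.
PERMIT_FIRST = """\
access-list OUTSIDE_IN permit tcp any host 10.20.1.10 eq 80
access-list OUTSIDE_IN permit tcp any host 10.20.1.10 eq 443
access-list OUTSIDE_IN deny ip any any log
"""

# Origin reachable on 443 only from the proxy's range (placeholder range).
PROXY_ONLY = """\
access-list OUTSIDE_IN extended permit tcp 203.0.113.0 255.255.255.0 host 10.20.1.10 eq https
access-list OUTSIDE_IN extended deny ip any any log
"""

# Inbound on the ASA's VLAN10 interface: web server VLAN may reach the
# internet but may not initiate connections into the internal VLAN.
VLAN10_IN = """\
access-list VLAN10_IN deny ip 10.20.10.0 255.255.255.0 10.20.20.0 255.255.255.0 log
access-list VLAN10_IN permit ip any any
"""

if __name__ == "__main__":
    client = "198.51.100.9"
    print("deny-first,   client -> web:80   ", decide(DENY_FIRST, "OUTSIDE_IN", "tcp", client, "10.20.1.10", 80))
    print("permit-first, client -> web:80   ", decide(PERMIT_FIRST, "OUTSIDE_IN", "tcp", client, "10.20.1.10", 80))
    print("permit-first, client -> web:22   ", decide(PERMIT_FIRST, "OUTSIDE_IN", "tcp", client, "10.20.1.10", 22))
    print("proxy-only,   client -> web:443  ", decide(PROXY_ONLY, "OUTSIDE_IN", "tcp", client, "10.20.1.10", 443))
    print("proxy-only,   proxy  -> web:443  ", decide(PROXY_ONLY, "OUTSIDE_IN", "tcp", "203.0.113.7", "10.20.1.10", 443))
    print("vlan10,       web -> internal:445", decide(VLAN10_IN, "VLAN10_IN", "tcp", "10.20.10.2", "10.20.20.50", 445))
```

The deny-first list returns deny for the very traffic the page wants to admit, which is the symptom you would see as a silent timeout from outside; the proxy-only list shows a direct connection to the origin being dropped while the proxy range is admitted.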

Setup SSH for Remote Administration

Secure Shell (SSH) allows remote administration. We'll change the port to 2222. Moving the port cuts down log noise from scanners that only try port 22; it is not a security control on its own, so the daemon should also accept keys only and the firewall should admit only the addresses you administer from.

Step 1: Install and Enable SSH

sudo apt update
sudo apt install openssh-server -y
sudo systemctl enable ssh
sudo systemctl start ssh

Step 2: Change SSH Port to 2222

sudo nano /etc/ssh/sshd_config

Change #Port 22 to Port 2222. While the file is open, set PasswordAuthentication no and PermitRootLogin no (after placing your public key in ~/.ssh/authorized_keys), then restart ssh. On Ubuntu 22.10 and later sshd is socket-activated and ignores the Port directive; there the port is set on the socket unit instead: systemctl edit ssh.socket, add an empty ListenStream= line followed by ListenStream=2222 in the override, then systemctl daemon-reload and systemctl restart ssh.socket. In either case confirm with ss -tlnp that sshd is listening on 2222 before closing the session you are working in.

Step 3: Allow SSH on Port 2222

On the server's host firewall:

sudo ufw allow 2222/tcp
sudo ufw reload

On the ASA, the entry below admits port 2222 from any source, which puts the login prompt in front of every scanner on the internet. Restrict the source to the addresses you administer from (the running configuration further down defines an SSH-ALLOWED-HOSTS group for exactly this purpose), and add a static NAT for port 2222 like the WEBSERVER-SSH object in that configuration; without the translation there is nothing for this entry to match.

access-list OUTSIDE_IN permit tcp any host 10.20.1.10 eq 2222
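Even on port 2222, an SSH daemon reachable from any will collect password-guessing attempts within hours, and with PasswordAuthentication off those attempts show up only in the log. The script below is an added example (not code from the original page) of the detection a practitioner would run over that log: it parses sshd's "Failed password" lines as they appear in auth.log or journalctl -u ssh, flags sources that fail a threshold number of times inside a time window, and emits ufw rules that drop those sources ahead of the allow rule from Step 3. The log lines are constructed in sshd's real message format using RFC 5737 documentation addresses; the threshold, window and port 2222 (the page's choice) are assumptions to tune.

```python
"""Detect password guessing against sshd and emit block rules for the sources.
Added example, not code from the original page. SAMPLE_LOG is constructed in
sshd's message format with RFC 5737 addresses; threshold and window are
assumptions; SSH_PORT follows the page's choice of 2222."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

SSH_PORT = 2222

SAMPLE_LOG = """\
Mar 10 03:14:01 web sshd[2201]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Mar 10 03:14:03 web sshd[2203]: Failed password for invalid user admin from 203.0.113.5 port 51240 ssh2
Mar 10 03:14:04 web sshd[2205]: Failed password for root from 203.0.113.5 port 51244 ssh2
Mar 10 03:14:06 web sshd[2207]: Invalid user oracle from 203.0.113.5 port 51250
Mar 10 03:14:07 web sshd[2207]: Failed password for invalid user oracle from 203.0.113.5 port 51250 ssh2
Mar 10 03:14:09 web sshd[2209]: Failed password for invalid user test from 203.0.113.5 port 51260 ssh2
Mar 10 03:20:15 web sshd[2300]: Failed password for alice from 198.51.100.7 port 50001 ssh2
Mar 10 03:20:31 web sshd[2302]: Accepted publickey for alice from 198.51.100.7 port 50002 ssh2: ED25519 SHA256:constructedfingerprint
Mar 10 04:01:00 web sshd[2400]: Failed password for root from 192.0.2.44 port 40000 ssh2
Mar 10 05:30:00 web sshd[2500]: Failed password for root from 192.0.2.44 port 40001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<msg>.*?) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def _timestamp(text):
    """Parse a syslog timestamp (no year; fine for measuring gaps within one log)."""
    return datetime.strptime(" ".join(text.split()), "%b %d %H:%M:%S")


def failed_logins(log):
    """Map source IP -> sorted times at which sshd rejected a password."""
    attempts = defaultdict(list)
    for line in log.splitlines():
        m = LINE_RE.match(line)
        # An "Invalid user" line precedes the "Failed password" line of the same
        # attempt, so only the latter is counted to avoid counting it twice.
        if m and m.group("msg").startswith("Failed password"):
            attempts[m.group("ip")].append(_timestamp(m.group("ts")))
    return {ip: sorted(times) for ip, times in attempts.items()}


def brute_force_sources(log, threshold=5, window_minutes=10):
    """Return {ip: total failures} for sources with >= threshold failures
    inside any window_minutes-long span (sliding window over sorted times)."""
    window = timedelta(minutes=window_minutes)
    flagged = {}
    for ip, times in failed_logins(log).items():
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                flagged[ip] = len(times)
                break
    return flagged


def block_rules(flagged, port=SSH_PORT):
    """ufw rules that drop the offending sources ahead of the existing allow rule."""
    return [f"ufw insert 1 deny from {ip} to any port {port} proto tcp"
            for ip in sorted(flagged)]


if __name__ == "__main__":
    hits = brute_force_sources(SAMPLE_LOG)
    for ip, count in hits.items():
        print(f"{ip}: {count} failed passwords")
    for rule in block_rules(hits):
        print(rule)
```

With the defaults only 203.0.113.5 is flagged; 192.0.2.44's two attempts 89 minutes apart stay under the radar until the window is widened, which is the usual trade-off between catching low-and-slow guessing and blocking a colleague who mistyped a passphrase. A legitimate user's single failure followed by an accepted key (198.51.100.7) is never flagged.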

Running Configurations

You can copy and paste the following running configurations directly. A few things to check against the walkthrough first:

  • The address plan differs: the walkthrough puts the web server at 10.20.1.10 on the ASA's inside network, while these configurations put it at 10.20.10.2 in VLAN 10 and expose only HTTPS and SSH on 2222 (port 80 is not forwarded).
  • Both the ASA (GigabitEthernet0/1.10) and R1 (GigabitEthernet0/1.10) claim 10.20.10.1 on VLAN 10. Only one of them can be the VLAN 10 gateway; keep the address on that device and remove the subinterface from the other. If the ASA is the gateway, the WEBSERVER and WEBSERVER-SSH NAT rules should name VLAN10 rather than inside as the real interface, because the ASA selects the egress interface for translated traffic from the interfaces in the NAT rule, not from the routing table.
  • inside and VLAN10 both carry security-level 100. The ASA drops traffic between equal-security interfaces unless same-security-traffic permit inter-interface is configured; leaving that command out is what keeps a compromised web server from reaching the inside network, so do not add it.
  • The SSH-ALLOWED-HOSTS object-group is meant to be the source of the port 2222 entry in OUTSIDE-IN; an entry whose source is any opens SSH to the whole internet.
  • R1's VLAN2-DHCP pool (10.20.2.0/24) has no matching interface on R1 and will never hand out addresses. Router interfaces default to shutdown and show running-config does not display that state, so issue no shutdown on GigabitEthernet0/0 and GigabitEthernet0/1 after pasting.

ASA Running Config

!ASA running config working (443 & 2222)
! Set hostname
hostname ASA
! Authentication. The ASA has no enable secret command, and enable password
! and passwd hash the value themselves: give the plaintext without the
! encrypted keyword, which is only for pasting an already-hashed value.
enable password YOUR_SECURE_PASSWORD
passwd YOUR_SECURE_PASSWORD
username admin password YOUR_SECURE_PASSWORD privilege 15
names
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.20.1.1 255.255.255.0
!
interface GigabitEthernet0/1.10
 vlan 10
 nameif VLAN10
 security-level 100
 ip address 10.20.10.1 255.255.255.0
!
interface Management0/0
 nameif management
 security-level 50
 ip address 10.20.0.200 255.255.255.0
!
object network INSIDE-NET
 subnet 10.20.1.0 255.255.255.0
object network WEBSERVER
 host 10.20.10.2
object network WEBSERVER-SSH
 host 10.20.10.2
object-group network SSH-ALLOWED-HOSTS
 network-object host 24.141.144.67
 network-object host 107.190.4.196
access-list OUTSIDE-IN extended permit tcp any host 10.20.10.2 eq https
access-list OUTSIDE-IN extended permit tcp object-group SSH-ALLOWED-HOSTS host 10.20.10.2 eq 2222
!
object network INSIDE-NET
 nat (inside,outside) dynamic interface
object network WEBSERVER
 nat (inside,outside) static interface service tcp https https
object network WEBSERVER-SSH
 nat (inside,outside) static interface service tcp 2222 2222
access-group OUTSIDE-IN in interface outside
!
ssh 10.20.0.0 255.255.255.0 management
ssh timeout 30
ssh version 2
write memory

Router (R1) Running Config

hostname R1
ip dhcp pool VLAN10-WEB
 network 10.20.10.0 255.255.255.0
 default-router 10.20.10.1
 dns-server 8.8.8.8
 domain-name weitzman.info
ip dhcp pool VLAN2-DHCP
 network 10.20.2.0 255.255.255.0
 dns-server 8.8.8.8
 default-router 10.20.2.10
interface GigabitEthernet0/0
 ip address 10.20.1.2 255.255.255.0
interface GigabitEthernet0/1.10
 encapsulation dot1Q 10
 ip address 10.20.10.1 255.255.255.0
ip route 0.0.0.0 0.0.0.0 10.20.1.1

Switch (SW1) Running Config

hostname SW1
vlan 10
 name Web_Server
interface GigabitEthernet0/1
 switchport trunk allowed vlan 1,10
 switchport mode trunk
interface GigabitEthernet0/10
 switchport access vlan 10
 switchport mode access
interface Vlan1
 ip address 10.20.1.100 255.255.255.0
ip default-gateway 10.20.1.1