Cisco ASA 5505 Configuration

Hello,

I just installed a Cisco ASA 5505 and we now cannot access the following URL from inside the private network:
https://74.92.127.249:444/default.aspx

Result of the command: "show running-config"



: Saved
:
ASA Version 7.2(3)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password te33L/h.Ec.i2D8/ encrypted
names
!
interface Vlan1
 nameif inside
 security-level 99
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 74.92.127.249 255.255.255.248
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd /0/HIjF2.wDfVoEk encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
access-list outside_access_in extended permit tcp any any eq imap4
access-list outside_access_in remark HTTP
access-list outside_access_in extended permit tcp any any eq 81
access-list outside_access_in extended permit tcp any any eq https
access-list outside_access_in extended permit tcp any any eq ftp
access-list outside_access_in extended permit tcp any any eq www
access-list outside_access_in extended permit tcp any any eq 444
access-list outside_access_in extended permit tcp any any eq smtp
access-list outside_access_in extended permit tcp any any eq 3389
access-list outside_access_in remark LMS
access-list outside_access_in extended permit tcp any any eq 4545
access-list outside_access_in extended permit tcp any any eq ftp-data
access-list outside_access_in extended permit tcp any any eq ssh
access-list pdg_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 10.1.1.0 255.255.255.224
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.224
access-list pdgroup_splitTunnelAcl standard permit any
access-list pdg_splitTunnelAcl_1 standard permit any
access-list pdgroup_splitTunnelAcl_1 standard permit any
access-list pdgroup_splitTunnelAcl_2 standard permit any
access-list pdgroup_splitTunnelAcl_3 standard permit 192.168.1.0 255.255.255.0
access-list inside_access_in extended permit tcp any any
access-list inside_access_in extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool IPSEC 10.1.1.1-10.1.1.25 mask 255.255.255.0
no failover
monitor-interface inside
monitor-interface outside
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 81 192.168.1.2 81 netmask 255.255.255.255
static (inside,outside) tcp interface 3389 192.168.1.2 3389 netmask 255.255.255.255
static (inside,outside) tcp interface www 192.168.1.2 www netmask 255.255.255.255
static (inside,outside) tcp interface 444 192.168.1.2 444 netmask 255.255.255.255
static (inside,outside) tcp interface smtp 192.168.1.2 smtp netmask 255.255.255.255
static (inside,outside) tcp interface 4545 192.168.1.3 4545 netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.1.2 https netmask 255.255.255.255
static (inside,outside) tcp interface imap4 192.168.1.2 imap4 netmask 255.255.255.255
static (inside,outside) tcp interface ftp 192.168.1.2 ftp netmask 255.255.255.255
static (inside,outside) tcp interface ftp-data 192.168.1.2 ftp-data netmask 255.255.255.255
static (inside,inside) tcp 10.1.1.0 https 192.168.1.2 https netmask 255.255.255.255
static (inside,outside) tcp interface ssh 192.168.1.2 ssh netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 74.92.127.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa-server IPSECVPNs protocol radius
aaa-server IPSECVPNs host 192.168.1.2
 timeout 5
 key
http server enable
http 192.168.1.0 255.255.255.0 inside
http 66.7.190.124 255.255.255.255 outside
http redirect inside 444
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set  
crypto ipsec transform-set
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet 192.168.1.0 255.255.255.255 inside
telnet timeout 5
ssh 192.168.3.0 255.255.255.0 inside
ssh 66.7.190.124 255.255.255.255 outside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.2-192.168.1.254 inside
!

!
!
webvpn
 port 44343
group-policy _1 internal
group-policy _1 attributes
 wins-server value 192.168.1.2
 dns-server value 192.168.1.2
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value _splitTunnelAcl_3
 default-domain value
group-policy  internal
group-policy  attributes
 wins-server value 192.168.1.2
 dns-server value 192.168.1.2
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value _splitTunnelAcl_2
 default-domain value

username admin password tunnel-group xxx type ipsec-ra
tunnel-group xxxxx general-attributes
 address-pool IPSEC
 authentication-server-group IPSECVPNs
 default-group-policy _1
tunnel-group  ipsec-attributes
 pre-shared-key *
prompt hostname context

: end
aromeo409 Asked:
batry_boy Commented:
What exactly are you trying to do here?  Since you are using the outside ASA interface IP in your URL, I assume you are trying to access the ASDM on the ASA for management of the firewall...is this correct?  If so, you should use the inside interface IP from the inside instead of the outside interface IP.  For example,

https://192.168.1.1

If this is not what you are trying to do, please elaborate...
0
aromeo409 (Author) Commented:
We have a Small Business Server and this is the address to the company portal from the Internet. Our users have some hard-coded URL links to the https://74.92.127.249:444/default.aspx address. When they are in the office they cannot access these URLs.
0
batry_boy Commented:
Add the following command and see if this helps...

same-security-traffic permit intra-interface

I don't think it will, but you can give it a try...I've never tried it for allowing traffic to enter an interface that it just exited, but I know that command is specifically for allowing traffic that just entered an interface to exit back out that same interface.  I just don't know if it will allow that in reverse.

See the following URL for more info on that command:

http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/s1_72.html#wp1289167
0
aromeo409 (Author) Commented:
I tried and it still does not work.

Thanks for your help.
0
batry_boy Commented:
I don't think you're going to be able to do what you're wanting to do.  I think you need to have your users use a separate shortcut that points to the inside private address when they're in the office.
0
aromeo409 (Author) Commented:
I'm just going to update DNS and have them use the FQDN. Thanks for all of your help.
0
batry_boy Commented:
That's the best way to do it...
0
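
Added example, not part of the thread: a short Python script that reads the `static (inside,outside) tcp interface ...` port-forward lines from the posted running-config and works out which inside server a public URL lands on, which is the address an internal DNS record or in-office shortcut has to point at. The function names are hypothetical, and the port-name table covers only the names used in this config.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# ASA keywords for well-known TCP ports that appear in the posted config.
ASA_PORT_NAMES = {"www": 80, "https": 443, "smtp": 25, "imap4": 143,
                  "ftp": 21, "ftp-data": 20, "ssh": 22}

# Constructed sample: a subset of lines copied from the running-config in the question.
SAMPLE_CONFIG = """\
interface Vlan2
 nameif outside
 ip address 74.92.127.249 255.255.255.248
!
static (inside,outside) tcp interface www 192.168.1.2 www netmask 255.255.255.255
static (inside,outside) tcp interface 444 192.168.1.2 444 netmask 255.255.255.255
static (inside,outside) tcp interface 4545 192.168.1.3 4545 netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.1.2 https netmask 255.255.255.255
"""

# Interface PAT only: static (real_if,mapped_if) tcp interface <port> <real_ip> <port>
STATIC_RE = re.compile(
    r"^static \((\w+),(\w+)\) tcp interface (\S+) (\d+\.\d+\.\d+\.\d+) (\S+)", re.M)

def port_number(token):
    """Accept either an ASA port keyword or a literal port number."""
    return ASA_PORT_NAMES[token] if token in ASA_PORT_NAMES else int(token)

def interface_ip(config, nameif):
    """Return the address configured on the interface with the given nameif."""
    for block in config.split("!"):
        if re.search(rf"^\s*nameif {re.escape(nameif)}\s*$", block, re.M):
            m = re.search(r"^\s*ip address (\S+)", block, re.M)
            if m:
                return m.group(1)
    return None

def port_forwards(config):
    """Map (mapped interface, public port) -> (real host, real port)."""
    table = {}
    for _real_if, mapped_if, pub, host, priv in STATIC_RE.findall(config):
        table[(mapped_if, port_number(pub))] = (host, port_number(priv))
    return table

def inside_url(config, url, mapped_if="outside"):
    """Rewrite a URL aimed at the mapped interface IP to the real server, else None."""
    parts = urlsplit(url)
    port = parts.port or {"http": 80, "https": 443}[parts.scheme]
    target = port_forwards(config).get((mapped_if, port))
    if parts.hostname != interface_ip(config, mapped_if) or target is None:
        return None
    netloc = f"{target[0]}:{target[1]}"
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))
```

For the URL in the question, `inside_url(SAMPLE_CONFIG, "https://74.92.127.249:444/default.aspx")` gives `https://192.168.1.2:444/default.aspx`, so the internal DNS record for the portal's FQDN should resolve to 192.168.1.2.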
