troubleshooting Question

Inside netw cannot access own website in DMZ zone (Cisco ASA)

urfried (Netherlands) asked on
Software Firewalls, Cisco
15 comments, 2 solutions, 1184 views
Hi gents,

Here is a head-breaking problem I am not able to solve.
It's quite a known problem with PIXes and ASAs, but unfortunately I ain't seeing it anymore...
Who is?!?

Thanx a lot

=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2009.01.05 13:34:56 =~=~=~=~=~=~=~=~=~=~=~=
ASA Version 8.0(2) 
!
hostname TPNL03FW01
domain ***
names
 
dns-guard
!
interface Ethernet0/0
 description internet side
 nameif outside
 security-level 0
 ip address 74.110.134.66 255.255.255.192 
!
interface Ethernet0/1
 description LAN TP
 nameif inside
 security-level 100
 ip address 10.02.48.7 255.255.248.0 
!
interface Ethernet0/2
 description DMZ
 speed 100    
 duplex full
 nameif DMZ
 security-level 50
 ip address 172.16.48.1 255.255.255.0 
!
interface Management0/0
 description Management interface
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0 
 management-only
!
boot system disk0:/asa802-k8.bin
boot system disk0:/asa712-k8.bin
ftp mode passive
clock timezone Ams 1
dns domain-lookup outside
dns domain-lookup inside
dns domain-lookup DMZ
dns server-group DefaultDNS
 name-server 217.21.244.66
 name-server 217.21.244.7
 domain-name ***
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
 
object-group network DNS_SERVERS_INSIDE
 network-object TPNL03S002-10.02.48.72 255.255.255.255
 network-object TPNL03S001-10.02.48.71 255.255.255.255
 
object-group network WEBSITES
 description TP websites
 network-object host www.TP-comm.com-78.108.130.96
 network-object host www.monteurnet.nl-74.110.134.97
 network-object host www.ontvangstnet.nl-74.110.134.98
 network-object host www.repairnet.nl-74.110.134.99
 network-object host www.retournet.nl-74.110.134.100
 network-object host www.collexion.nl-74.110.134.101
 network-object host www.e-repair.nl-74.110.134.102
 network-object host www.TP-communications.net-74.110.134.103
 network-object host www.TP-reparatieservice-s.nl-74.110.134.104
 network-object host www.retourmobiel.nl-74.110.134.105
 network-object host www.TPservice.nl-74.110.134.106
 network-object host www.TPcommunications.com.nl-74.110.134.107
 network-object host www.TP-communications.nl-74.110.134.108
 network-object host www.TP-china-mobile.com-74.110.134.109
 network-object host www.TP-apac-mobile.com-74.110.134.110
 network-object host www.TP-spm.nl-74.110.134.111
 network-object host www.TP-communications.com-74.110.134.112
 network-object host TEST-74.110.134.113
 network-object host ftp.TP-comm.com-74.110.134.74
 network-object host NL03MAIL-74.110.134.70
 network-object host www.TP-telmodule.nl-74.110.134.114
 network-object host www.TP-sret.nl-74.110.134.115
 
object-group network INSIDE-NETWORKS
 description 10.02.48.0/21
 network-object 10.02.48.0 255.255.248.0
 
object-group network WEBSITES_REAL
 description TP websites
 network-object host TPNL03S012-172.16.48.100
 network-object host TPNL03S013-172.16.48.101
 network-object host TPNL03S013-172.16.48.102
 network-object host TPNL03S013-172.16.48.103
 network-object host TPNL03S008-172.16.48.104
 network-object host TPNL03S008-172.16.48.66
 network-object host TPNL03S008-172.16.48.67
 network-object host TPNL03S008-172.16.48.68
 network-object host TPNL03S008-172.16.48.69
 network-object host TPNL03S008-172.16.48.70
 network-object host TPNL03S008-172.16.48.71
 network-object host TPNL03S008-172.16.48.72
 network-object host TPNL03S008-172.16.48.73
 network-object host TPNL03S008-172.16.48.74
 network-object host TPNL03S008-172.16.48.75
 network-object host TPNL03S008-172.16.48.76
 network-object host TPNL03S008-172.16.48.77
 network-object host TPNL03S008-172.16.48.78
 network-object host TPNL03S008-172.16.48.79
 network-object host TPNL03S008-172.16.48.80
 network-object host TPNL03S008-172.16.48.81
 network-object host TPNL03S008-172.16.48.82
 network-object host TPNL03S008-172.16.48.83
 network-object host TPNL03S008-172.16.48.84
 network-object host TPNL03S008-172.16.48.85
 network-object host TPNL03S008-172.16.48.86
 network-object host TPNL03S008-172.16.48.87
 network-object host TPNL03S008-172.16.48.88
 network-object host TPNL03S008-172.16.48.89
 network-object host TPNL03S008-172.16.48.90
 network-object host TPNL03S008-172.16.48.91
 network-object host TPNL03S008-172.16.48.92
 network-object host TPNL03S008-172.16.48.93
 network-object host TPNL03S008-172.16.48.94
 network-object host TPNL03S004-172.16.48.95
 network-object host TPNL03S008-172.16.48.96
 network-object host TPNL03S008-172.16.48.97
 network-object host TPNL03S008-172.16.48.98
 network-object host TPNL03S008-172.16.48.99
 network-object host TPNL03S008-172.16.48.105
 
object-group network TP-CZ-NETWORKS
 description TP CZ networks 
 network-object 10.02.60.0 255.255.252.0
 
object-group service WEBSERVICE_TCP tcp
 description web server access         
 port-object eq www
 port-object eq https
 
object-group service FTPSERVICE_TCP tcp
 description ftp server ports
 port-object eq ftp
 
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
 
access-list dmz_access_in extended permit udp host TPNL03S008-172.16.48.66 object-group DNS_SERVERS_INSIDE eq domain 
access-list dmz_access_in extended permit tcp host TPNL03S008-172.16.48.66 object-group DNS_SERVERS_INSIDE eq domain 
access-list dmz_access_in extended permit tcp host TPNL03S008-172.16.48.104 host 10.02.48.73 object-group WEBSERVICE_TCP 
access-list dmz_access_in extended permit tcp host TPNL03S008-172.16.48.66 object-group EXTERNAL-CUSTOMERS eq ftp 
access-list dmz_access_in extended permit tcp host TPNL03S008-172.16.48.66 object-group EXTERNAL-CUSTOMERS eq www 
access-list dmz_access_in extended permit tcp host TPNL03S008-172.16.48.66 object-group EXTERNAL-CUSTOMERS eq https 
access-list dmz_access_in extended permit tcp host TPNL03S008-172.16.48.66 host TPNL03S007-10.02.48.79 eq www 
access-list dmz_access_in extended permit icmp host TPNL03S008-172.16.48.66 any echo-reply 
access-list dmz_access_in extended permit icmp 172.16.32.0 255.255.248.0 any echo-reply 
access-list dmz_access_in extended permit icmp host TPNL03S013-172.16.48.101 any echo-reply 
access-list dmz_access_in extended permit udp host TPNL03S013-172.16.48.101 object-group DNS_SERVERS_INSIDE eq domain 
access-list dmz_access_in extended permit tcp host TPNL03S013-172.16.48.101 object-group DNS_SERVERS_INSIDE eq domain 
 
access-list outside_access_in extended permit tcp any object-group WEBSITES object-group WEBSERVICE_TCP 
access-list outside_access_in extended permit tcp any host www.TP-communications.com-74.110.134.112 object-group FTPSERVICE_TCP 
 
access-list NO-NAT remark Disable NAT for traffic from inside to DMZ and VPN clients
access-list NO-NAT extended permit ip object-group INSIDE-NETWORKS 172.16.32.0 255.255.248.0 
access-list NO-NAT extended permit ip object-group INSIDE-NETWORKS object-group VPN-CLIENTS 
access-list NO-NAT extended permit ip 10.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0 
access-list NO-NAT extended permit ip any VPN-CLIENT-10.02.53.32 255.255.255.224 
access-list NO-NAT extended permit ip object-group INSIDE-NETWORKS object-group TP-CZ-NETWORKS 
access-list NO-NAT extended permit ip object-group Int-NETWORKS 172.16.32.0 255.255.248.0 
access-list NO-NAT extended permit ip object-group SPS-ACL 172.19.250.248 255.255.255.248 
access-list NO-NAT extended permit ip object-group KPN-ACL 145.7.196.0 255.255.255.0 
 
access-list DMZ_nat0_outbound extended permit ip object-group WEBSITES_REAL host 161.89.56.220 
access-list DMZ_nat0_outbound extended permit ip any 192.168.0.0 255.255.0.0               
access-list DMZ_nat0_outbound extended permit ip any VPN-CLIENT-10.02.53.32 255.255.255.224 
access-list DMZ_nat0_outbound extended permit ip 10.02.48.0 255.255.248.0 host 161.89.56.220 
 
access-list acl_outside extended permit tcp any host NL03MAIL-74.110.134.70 eq www 
access-list acl_outside extended permit tcp any host NL03MAIL-74.110.134.70 eq https 
 
pager lines 24
 
logging enable
logging timestamp
logging buffer-size 75000
logging monitor notifications
logging buffered debugging
logging trap notifications
logging history emergencies
logging asdm notifications
logging ftp-bufferwrap
logging ftp-server TPNL03S013-172.16.48.102 . urfried ****
 
no logging message 106014
no logging message 106006
no logging message 106001
no logging message 313001
no logging message 106023
no logging message 106020
no logging message 710003
no logging message 304001
 
mtu outside 3000
mtu inside 1500
mtu DMZ 1500
mtu DMZ-VPN 1500
mtu management 1500
 
ip local pool VPNClient VPN-CLIENT-10.02.53.32-10.02.53.63 mask 255.255.255.224
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip verify reverse-path interface DMZ
ip verify reverse-path interface management
 
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-602.bin
asdm history enable
arp timeout 14400
nat-control
 
global (outside) 1 74.110.134.90
global (outside) 2 74.110.134.91
 
nat (inside) 0 access-list NO-NAT
nat (inside) 1 10.02.48.0 255.255.248.0
nat (DMZ) 0 access-list DMZ_nat0_outbound
 
static (inside,outside) NL003MAIL-74.110.134.70 TPNL03M073-10.02.48.91 netmask 255.255.255.255 
static (DMZ,outside) www.monteurnet.nl-74.110.134.97 TPNL03S008-172.16.48.67 netmask 255.255.255.255 
static (DMZ,outside) www.ontvangstnet.nl-74.110.134.98 TPNL03S008-172.16.48.68 netmask 255.255.255.255 
static (DMZ,outside) www.repairnet.nl-74.110.134.99 TPNL03S008-172.16.48.69 netmask 255.255.255.255 
static (DMZ,outside) www.retournet.nl-74.110.134.100 TPNL03S008-172.16.48.70 netmask 255.255.255.255 
static (DMZ,outside) www.collexion.nl-74.110.134.101 TPNL03S008-172.16.48.71 netmask 255.255.255.255 
static (DMZ,outside) www.e-repair.nl-74.110.134.102 TPNL03S008-172.16.48.72 netmask 255.255.255.255 dns 
static (DMZ,outside) www.TP-communications.net-74.110.134.103 TPNL03S008-172.16.48.73 netmask 255.255.255.255 
static (DMZ,outside) www.TP-reparatieservice-s.nl-74.110.134.104 TPNL03S008-172.16.48.74 netmask 255.255.255.255 
static (DMZ,outside) www.TPservice.nl-74.110.134.106 TPNL03S008-172.16.48.84 netmask 255.255.255.255 
static (DMZ,outside) www.retourmobiel.nl-74.110.134.105 TPNL03S008-172.16.48.82 netmask 255.255.255.255 
static (DMZ,outside) www.TPcommunications.com.nl-74.110.134.107 TPNL03S008-172.16.48.87 netmask 255.255.255.255 
static (DMZ,outside) www.TP-communications.nl-74.110.134.108 TPNL03S008-172.16.48.88 netmask 255.255.255.255 
static (DMZ,outside) www.TP-china-mobile.com-74.110.134.109 TPNL03S008-172.16.48.92 netmask 255.255.255.255 
static (DMZ,outside) www.TP-apac-mobile.com-74.110.134.110 TPNL03S008-172.16.48.93 netmask 255.255.255.255 
static (DMZ,outside) www.TP-spm.nl-74.110.134.111 TPNL03S008-172.16.48.94 netmask 255.255.255.255 
static (DMZ,outside) www.TP-communications.com-74.110.134.112 TPNL03S013-172.16.48.102 netmask 255.255.255.255 dns 
static (DMZ,outside) ftp.TP-comm.com-74.110.134.74 TPNL03S012-172.16.48.100 netmask 255.255.255.255 
static (DMZ,outside) www.TP-comm.com-78.108.130.96 TPNL03S008-172.16.48.89 netmask 255.255.255.255 
static (DMZ,outside) TEST-74.110.134.113 TPNL03S013-172.16.48.103 netmask 255.255.255.255 
static (DMZ,outside) www.TP-telmodule.nl-74.110.134.114 TPNL03S008-172.16.48.104 netmask 255.255.255.255 
static (DMZ,outside) www.TP-sret.nl-74.110.134.115 TPNL03S008-172.16.48.105 netmask 255.255.255.255 
 
access-group outside_access_in in interface outside
access-group dmz_access_in in interface DMZ
 
route outside 0.0.0.0 0.0.0.0 74.110.134.126 10
route inside 10.0.0.0 255.0.0.0 10.02.48.5 10
 
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
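Added example, not part of the question or the poster's config: on ASA 8.0-style configs, a DMZ server published with `static (DMZ,outside)` is reachable from inside by its public address only if the DNS reply is doctored (`dns` keyword on that static, which only helps when the DNS reply actually crosses the ASA) or if a matching `static (DMZ,inside)` maps the same public address on the inside interface. This checker parses `static` lines in that format and lists the published DMZ hosts that have neither; the config excerpt is a constructed sample in the shape of the one pasted above.

```python
import re

# Constructed sample in the shape of the pasted ASA 8.0(2) config (not the full dump).
SAMPLE_CONFIG = """\
static (inside,outside) NL003MAIL-74.110.134.70 TPNL03M073-10.02.48.91 netmask 255.255.255.255
static (DMZ,outside) www.monteurnet.nl-74.110.134.97 TPNL03S008-172.16.48.67 netmask 255.255.255.255
static (DMZ,outside) www.e-repair.nl-74.110.134.102 TPNL03S008-172.16.48.72 netmask 255.255.255.255 dns
static (DMZ,outside) TEST-74.110.134.113 TPNL03S013-172.16.48.103 netmask 255.255.255.255
static (DMZ,inside) TEST-74.110.134.113 TPNL03S013-172.16.48.103 netmask 255.255.255.255
"""

# static (real_if,mapped_if) <mapped> <real> netmask <mask> [dns ...]
# 'names' is enabled on the box, so addresses appear as NAME-IP tokens; \S+ keeps them whole.
STATIC_RE = re.compile(
    r"^static \((?P<real_if>[\w-]+),(?P<mapped_if>[\w-]+)\) "
    r"(?P<mapped>\S+) (?P<real>\S+) netmask \S+(?P<rest>.*)$"
)


def parse_statics(config):
    """Return one dict per 'static' line, with a boolean 'dns' for the DNS-rewrite keyword."""
    statics = []
    for line in config.splitlines():
        m = STATIC_RE.match(line.strip())
        if m:
            entry = m.groupdict()
            entry["dns"] = " dns" in entry.pop("rest")
            statics.append(entry)
    return statics


def dmz_hairpin_gaps(config, dmz_if="DMZ", inside_if="inside", outside_if="outside"):
    """DMZ hosts published to the outside that inside clients cannot reach by public address.

    A (dmz,outside) static is flagged unless it carries 'dns' (DNS doctoring) or a
    (dmz,inside) static maps the same public address. Returns (mapped, real) pairs.
    """
    statics = parse_statics(config)
    mapped_on_inside = {s["mapped"] for s in statics
                        if s["real_if"] == dmz_if and s["mapped_if"] == inside_if}
    return [(s["mapped"], s["real"]) for s in statics
            if s["real_if"] == dmz_if and s["mapped_if"] == outside_if
            and not s["dns"] and s["mapped"] not in mapped_on_inside]


def inside_static_lines(gaps, dmz_if="DMZ", inside_if="inside"):
    """Emit the (DMZ,inside) static that would close each gap (assumed /32 hosts)."""
    return [f"static ({dmz_if},{inside_if}) {mapped} {real} netmask 255.255.255.255"
            for mapped, real in gaps]


if __name__ == "__main__":
    for line in inside_static_lines(dmz_hairpin_gaps(SAMPLE_CONFIG)):
        print(line)
```

Run it against a full `show running-config` dump instead of the sample to see which of the published web servers are still unreachable from the LAN by their public names.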