Asked by urfried
Inside netw cannot access own website in DMZ zone (Cisco ASA)

Hi gents,

Here is a head-breaking problem I am not able to solve.
It's quite a known problem with PIX and ASAs, but unfortunately I'm not seeing it anymore....
Who is?!?

Thanks a lot

=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2009.01.05 13:34:56 =~=~=~=~=~=~=~=~=~=~=~=
ASA Version 8.0(2) 
!
hostname TPNL03FW01
domain ***
names
 
dns-guard
!
interface Ethernet0/0
 description internet side
 nameif outside
 security-level 0
 ip address 74.110.134.66 255.255.255.192 
!
interface Ethernet0/1
 description LAN TP
 nameif inside
 security-level 100
 ip address 10.02.48.7 255.255.248.0 
!
interface Ethernet0/2
 description DMZ
 speed 100    
 duplex full
 nameif DMZ
 security-level 50
 ip address 172.16.48.1 255.255.255.0 
!
interface Management0/0
 description Management interface
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0 
 management-only
!
boot system disk0:/asa802-k8.bin
boot system disk0:/asa712-k8.bin
ftp mode passive
clock timezone Ams 1
dns domain-lookup outside
dns domain-lookup inside
dns domain-lookup DMZ
dns server-group DefaultDNS
 name-server 217.21.244.66
 name-server 217.21.244.7
 domain-name ***
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
 
object-group network DNS_SERVERS_INSIDE
 network-object TPNL03S002-10.02.48.72 255.255.255.255
 network-object TPNL03S001-10.02.48.71 255.255.255.255
 
object-group network WEBSITES
 description TP websites
 network-object host www.TP-comm.com-78.108.130.96
 network-object host www.monteurnet.nl-74.110.134.97
 network-object host www.ontvangstnet.nl-74.110.134.98
 network-object host www.repairnet.nl-74.110.134.99
 network-object host www.retournet.nl-74.110.134.100
 network-object host www.collexion.nl-74.110.134.101
 network-object host www.e-repair.nl-74.110.134.102
 network-object host www.TP-communications.net-74.110.134.103
 network-object host www.TP-reparatieservice-s.nl-74.110.134.104
 network-object host www.retourmobiel.nl-74.110.134.105
 network-object host www.TPservice.nl-74.110.134.106
 network-object host www.TPcommunications.com.nl-74.110.134.107
 network-object host www.TP-communications.nl-74.110.134.108
 network-object host www.TP-china-mobile.com-74.110.134.109
 network-object host www.TP-apac-mobile.com-74.110.134.110
 network-object host www.TP-spm.nl-74.110.134.111
 network-object host www.TP-communications.com-74.110.134.112
 network-object host TEST-74.110.134.113
 network-object host ftp.TP-comm.com-74.110.134.74
 network-object host NL03MAIL-74.110.134.70
 network-object host www.TP-telmodule.nl-74.110.134.114
 network-object host www.TP-sret.nl-74.110.134.115
 
object-group network INSIDE-NETWORKS
 description 10.02.48.0/21
 network-object 10.02.48.0 255.255.248.0
 
object-group network WEBSITES_REAL
 description TP websites
 network-object host TPNL03S012-172.16.48.100
 network-object host TPNL03S013-172.16.48.101
 network-object host TPNL03S013-172.16.48.102
 network-object host TPNL03S013-172.16.48.103
 network-object host TPNL03S008-172.16.48.104
 network-object host TPNL03S008-172.16.48.66
 network-object host TPNL03S008-172.16.48.67
 network-object host TPNL03S008-172.16.48.68
 network-object host TPNL03S008-172.16.48.69
 network-object host TPNL03S008-172.16.48.70
 network-object host TPNL03S008-172.16.48.71
 network-object host TPNL03S008-172.16.48.72
 network-object host TPNL03S008-172.16.48.73
 network-object host TPNL03S008-172.16.48.74
 network-object host TPNL03S008-172.16.48.75
 network-object host TPNL03S008-172.16.48.76
 network-object host TPNL03S008-172.16.48.77
 network-object host TPNL03S008-172.16.48.78
 network-object host TPNL03S008-172.16.48.79
 network-object host TPNL03S008-172.16.48.80
 network-object host TPNL03S008-172.16.48.81
 network-object host TPNL03S008-172.16.48.82
 network-object host TPNL03S008-172.16.48.83
 network-object host TPNL03S008-172.16.48.84
 network-object host TPNL03S008-172.16.48.85
 network-object host TPNL03S008-172.16.48.86
 network-object host TPNL03S008-172.16.48.87
 network-object host TPNL03S008-172.16.48.88
 network-object host TPNL03S008-172.16.48.89
 network-object host TPNL03S008-172.16.48.90
 network-object host TPNL03S008-172.16.48.91
 network-object host TPNL03S008-172.16.48.92
 network-object host TPNL03S008-172.16.48.93
 network-object host TPNL03S008-172.16.48.94
 network-object host TPNL03S004-172.16.48.95
 network-object host TPNL03S008-172.16.48.96
 network-object host TPNL03S008-172.16.48.97
 network-object host TPNL03S008-172.16.48.98
 network-object host TPNL03S008-172.16.48.99
 network-object host TPNL03S008-172.16.48.105
 
object-group network TP-CZ-NETWORKS
 description TP CZ networks 
 network-object 10.02.60.0 255.255.252.0
 
object-group service WEBSERVICE_TCP tcp
 description web server access         
 port-object eq www
 port-object eq https
 
object-group service FTPSERVICE_TCP tcp
 description ftp server ports
 port-object eq ftp
 
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
 
access-list dmz_access_in extended permit udp host TPNL03S008-172.16.48.66 object-group DNS_SERVERS_INSIDE eq domain 
access-list dmz_access_in extended permit tcp host TPNL03S008-172.16.48.66 object-group DNS_SERVERS_INSIDE eq domain 
access-list dmz_access_in extended permit tcp host TPNL03S008-172.16.48.104 host 10.02.48.73 object-group WEBSERVICE_TCP 
access-list dmz_access_in extended permit tcp host TPNL03S008-172.16.48.66 object-group EXTERNAL-CUSTOMERS eq ftp 
access-list dmz_access_in extended permit tcp host TPNL03S008-172.16.48.66 object-group EXTERNAL-CUSTOMERS eq www 
access-list dmz_access_in extended permit tcp host TPNL03S008-172.16.48.66 object-group EXTERNAL-CUSTOMERS eq https 
access-list dmz_access_in extended permit tcp host TPNL03S008-172.16.48.66 host TPNL03S007-10.02.48.79 eq www 
access-list dmz_access_in extended permit icmp host TPNL03S008-172.16.48.66 any echo-reply 
access-list dmz_access_in extended permit icmp 172.16.32.0 255.255.248.0 any echo-reply 
access-list dmz_access_in extended permit icmp host TPNL03S013-172.16.48.101 any echo-reply 
access-list dmz_access_in extended permit udp host TPNL03S013-172.16.48.101 object-group DNS_SERVERS_INSIDE eq domain 
access-list dmz_access_in extended permit tcp host TPNL03S013-172.16.48.101 object-group DNS_SERVERS_INSIDE eq domain 
 
access-list outside_access_in extended permit tcp any object-group WEBSITES object-group WEBSERVICE_TCP 
access-list outside_access_in extended permit tcp any host www.TP-communications.com-74.110.134.112 object-group FTPSERVICE_TCP 
 
access-list NO-NAT remark Disable NAT for traffic from inside to DMZ and VPN clients
access-list NO-NAT extended permit ip object-group INSIDE-NETWORKS 172.16.32.0 255.255.248.0 
access-list NO-NAT extended permit ip object-group INSIDE-NETWORKS object-group VPN-CLIENTS 
access-list NO-NAT extended permit ip 10.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0 
access-list NO-NAT extended permit ip any VPN-CLIENT-10.02.53.32 255.255.255.224 
access-list NO-NAT extended permit ip object-group INSIDE-NETWORKS object-group TP-CZ-NETWORKS 
access-list NO-NAT extended permit ip object-group Int-NETWORKS 172.16.32.0 255.255.248.0 
access-list NO-NAT extended permit ip object-group SPS-ACL 172.19.250.248 255.255.255.248 
access-list NO-NAT extended permit ip object-group KPN-ACL 145.7.196.0 255.255.255.0 
 
access-list DMZ_nat0_outbound extended permit ip object-group WEBSITES_REAL host 161.89.56.220 
access-list DMZ_nat0_outbound extended permit ip any 192.168.0.0 255.255.0.0               
access-list DMZ_nat0_outbound extended permit ip any VPN-CLIENT-10.02.53.32 255.255.255.224 
access-list DMZ_nat0_outbound extended permit ip 10.02.48.0 255.255.248.0 host 161.89.56.220 
 
access-list acl_outside extended permit tcp any host NL03MAIL-74.110.134.70 eq www 
access-list acl_outside extended permit tcp any host NL03MAIL-74.110.134.70 eq https 
 
pager lines 24
 
logging enable
logging timestamp
logging buffer-size 75000
logging monitor notifications
logging buffered debugging
logging trap notifications
logging history emergencies
logging asdm notifications
logging ftp-bufferwrap
logging ftp-server TPNL03S013-172.16.48.102 . urfried ****
 
no logging message 106014
no logging message 106006
no logging message 106001
no logging message 313001
no logging message 106023
no logging message 106020
no logging message 710003
no logging message 304001
 
mtu outside 3000
mtu inside 1500
mtu DMZ 1500
mtu DMZ-VPN 1500
mtu management 1500
 
ip local pool VPNClient VPN-CLIENT-10.02.53.32-10.02.53.63 mask 255.255.255.224
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip verify reverse-path interface DMZ
ip verify reverse-path interface management
 
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-602.bin
asdm history enable
arp timeout 14400
nat-control
 
global (outside) 1 74.110.134.90
global (outside) 2 74.110.134.91
 
nat (inside) 0 access-list NO-NAT
nat (inside) 1 10.02.48.0 255.255.248.0
nat (DMZ) 0 access-list DMZ_nat0_outbound
 
static (inside,outside) NL003MAIL-74.110.134.70 TPNL03M073-10.02.48.91 netmask 255.255.255.255 
static (DMZ,outside) www.monteurnet.nl-74.110.134.97 TPNL03S008-172.16.48.67 netmask 255.255.255.255 
static (DMZ,outside) www.ontvangstnet.nl-74.110.134.98 TPNL03S008-172.16.48.68 netmask 255.255.255.255 
static (DMZ,outside) www.repairnet.nl-74.110.134.99 TPNL03S008-172.16.48.69 netmask 255.255.255.255 
static (DMZ,outside) www.retournet.nl-74.110.134.100 TPNL03S008-172.16.48.70 netmask 255.255.255.255 
static (DMZ,outside) www.collexion.nl-74.110.134.101 TPNL03S008-172.16.48.71 netmask 255.255.255.255 
static (DMZ,outside) www.e-repair.nl-74.110.134.102 TPNL03S008-172.16.48.72 netmask 255.255.255.255 dns 
static (DMZ,outside) www.TP-communications.net-74.110.134.103 TPNL03S008-172.16.48.73 netmask 255.255.255.255 
static (DMZ,outside) www.TP-reparatieservice-s.nl-74.110.134.104 TPNL03S008-172.16.48.74 netmask 255.255.255.255 
static (DMZ,outside) www.TPservice.nl-74.110.134.106 TPNL03S008-172.16.48.84 netmask 255.255.255.255 
static (DMZ,outside) www.retourmobiel.nl-74.110.134.105 TPNL03S008-172.16.48.82 netmask 255.255.255.255 
static (DMZ,outside) www.TPcommunications.com.nl-74.110.134.107 TPNL03S008-172.16.48.87 netmask 255.255.255.255 
static (DMZ,outside) www.TP-communications.nl-74.110.134.108 TPNL03S008-172.16.48.88 netmask 255.255.255.255 
static (DMZ,outside) www.TP-china-mobile.com-74.110.134.109 TPNL03S008-172.16.48.92 netmask 255.255.255.255 
static (DMZ,outside) www.TP-apac-mobile.com-74.110.134.110 TPNL03S008-172.16.48.93 netmask 255.255.255.255 
static (DMZ,outside) www.TP-spm.nl-74.110.134.111 TPNL03S008-172.16.48.94 netmask 255.255.255.255 
static (DMZ,outside) www.TP-communications.com-74.110.134.112 TPNL03S013-172.16.48.102 netmask 255.255.255.255 dns 
static (DMZ,outside) ftp.TP-comm.com-74.110.134.74 TPNL03S012-172.16.48.100 netmask 255.255.255.255 
static (DMZ,outside) www.TP-comm.com-78.108.130.96 TPNL03S008-172.16.48.89 netmask 255.255.255.255 
static (DMZ,outside) TEST-74.110.134.113 TPNL03S013-172.16.48.103 netmask 255.255.255.255 
static (DMZ,outside) www.TP-telmodule.nl-74.110.134.114 TPNL03S008-172.16.48.104 netmask 255.255.255.255 
static (DMZ,outside) www.TP-sret.nl-74.110.134.115 TPNL03S008-172.16.48.105 netmask 255.255.255.255 
 
access-group outside_access_in in interface outside
access-group dmz_access_in in interface DMZ
 
route outside 0.0.0.0 0.0.0.0 74.110.134.126 10
route inside 10.0.0.0 255.0.0.0 10.02.48.5 10
 
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy


Faruk Onder Yerli

The DMZ IP is
ip address 172.16.48.1 255.255.255.0
but your NO-NAT list is this:
access-list NO-NAT extended permit ip object-group INSIDE-NETWORKS 172.16.32.0 255.255.248.0

You may enter the line below:
access-list NO-NAT extended permit ip object-group INSIDE-NETWORKS 172.16.48.0 255.255.255.0
urfried (ASKER)

Mmm... you're correct,

I changed the config a little.... Originally it is correct... My mistake.... thanks
Please add the access below also:

access-list DMZ_nat0_outbound extended permit ip 172.16.48.0 255.255.255.0 object-group INSIDE-NETWORKS
urfried (ASKER)

Unfortunately no result.
By the way.... I tested last week with Packet Tracer, and the request is permitted.
Strange....

I found one more ACL:
access-list dmz_access_in extended permit ip object-group INSIDE-NETWORKS 172.16.48.0 255.255.255.0

or the reverse:

access-list dmz_access_in extended permit ip 172.16.48.0 255.255.255.0 object-group INSIDE-NETWORKS
urfried (ASKER)

Both no result....
Looks like it is transferred with the dynamic rule OUTSIDE, isn't it?
Somewhere it needs the exclusion from going outside...

grrr
urfried (ASKER)

Folks.....
Just to be sure....

The internal DMZ webpage is accessible...
ONLY the website via external DNS (NAT-ed external IP) from inside is the problem....

DAP does not affect DMZ rules. It is for VPN and SSL configuration.
http://www.cisco.com/en/US/docs/security/asa/asa80/asdm60/user/guide/vpn_dap.html

It is nice that you start to reach the DMZ :)

ASA/PIX cannot do NAT if the destination IP is on the ASA. You can just reach it via local IPs.
urfried (ASKER)

This is clear....
But from what I've understood, the ASA should notice the particular (A) host in DNS and reverse it to the DMZ address.

In the old environment the PIX did its job.....
An external company created the new config for these ASAs.....

I checked DNS (lookup) on the static NAT rules.... without result.

Any more ideas to check our own www website from the inside network....

Thanks for all the help, btw
SOLUTION
Faruk Onder Yerli

urfried (ASKER)

Looks ok....

I will try this tonight when production is gone.
These are tricky....
BobbySams

Any status updates? I am having the same problem accessing 2 of my 4 DMZ websites via IP address. No problem accessing them via DNS name, but no way with IP addresses.
urfried (ASKER)

I have been trying a lot since I posted this.
Nothing worked.

I have hired a specialized company who will have a look at it.
I will let you know what our problem was, once it is solved.

grtz
urfried (ASKER)

Hey gents,

First thing to realise and check if you are having the same issue: be sure the DNS request is done THROUGH the firewall....

In my case we found out the internal DNS server had already cached the wrong DNS IP, so the firewall couldn't rewrite the IP.

Unfortunately this didn't solve the problem; you really have to look into it.
Once I have the solution I'll let you know...

Grtz
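The asker's last finding (the A record an inside client receives only gets rewritten when the DNS reply actually crosses the ASA, and only for statics that carry the `dns` keyword) can be turned into a quick check. The script below is an added example written for this thread; it is not code from the post or from Cisco. It parses `static` lines in the ASA 8.0 syntax shown in the config above (three of them are copied here as the sample, the rest of the config is left out), records which ones have the `dns` keyword, and classifies the address an inside client got back for a given host. The function and code names (`parse_statics`, `diagnose`, the result codes) are my own, and the DNS answers in `SAMPLE_ANSWERS` are constructed, not observed on the poster's network.

```python
"""Classify why an inside client receives the public or the DMZ address of a
DMZ web server fronted by a Cisco ASA 8.0 'static' translation.

Added example for this thread; not code from the original post or from Cisco.
"""
import ipaddress
import re
from dataclasses import dataclass

# Matches the 8.0-style static lines from the poster's config, e.g.
# static (DMZ,outside) www.e-repair.nl-74.110.134.102 TPNL03S008-172.16.48.72 netmask 255.255.255.255 dns
STATIC_RE = re.compile(
    r"^static \((?P<real_if>[^,]+),(?P<mapped_if>[^)]+)\) "
    r"(?P<mapped>\S+) (?P<real>\S+) netmask (?P<mask>\S+)(?P<opts>.*)$"
)
# The config uses "name-ip" objects; the name is everything before the last "-ip".
IP_SUFFIX_RE = re.compile(r"^(?P<name>.*)-(?P<ip>\d{1,3}(?:\.\d{1,3}){3})$")


@dataclass(frozen=True)
class Static:
    real_if: str
    mapped_if: str
    hostname: str                    # e.g. www.e-repair.nl
    mapped_ip: ipaddress.IPv4Address  # public address on the outside side
    real_ip: ipaddress.IPv4Address    # server address on the DMZ side
    dns_rewrite: bool                 # True when the static has the "dns" keyword


def split_named(token):
    """'www.e-repair.nl-74.110.134.102' -> ('www.e-repair.nl', IPv4Address)."""
    m = IP_SUFFIX_RE.match(token)
    if m:
        return m["name"], ipaddress.IPv4Address(m["ip"])
    return token, ipaddress.IPv4Address(token)   # plain IP, no name object


def parse_statics(config_text):
    """Return a Static for every 'static (a,b) ...' line in config_text."""
    statics = []
    for line in config_text.splitlines():
        m = STATIC_RE.match(line.strip())
        if not m:
            continue
        hostname, mapped_ip = split_named(m["mapped"])
        _, real_ip = split_named(m["real"])
        statics.append(Static(
            real_if=m["real_if"], mapped_if=m["mapped_if"], hostname=hostname,
            mapped_ip=mapped_ip, real_ip=real_ip,
            dns_rewrite="dns" in m["opts"].split(),
        ))
    return statics


def statics_without_dns_rewrite(statics):
    """Hosts whose A records the ASA will never rewrite (no 'dns' keyword)."""
    return sorted(s.hostname for s in statics if not s.dns_rewrite)


def diagnose(hostname, answered_ip, statics):
    """Classify the address an inside client received for a DMZ web host.

    Returns (code, explanation):
      NO_STATIC   no static translation names this host
      DOCTORED    answer is the DMZ (real) address: DNS rewrite worked
      NO_DNS_KW   answer is the public address and the static lacks 'dns'
      NOT_VIA_FW  answer is the public address although 'dns' is set, so the
                  reply did not pass through the ASA (for example an internal
                  resolver had already cached the public address, as the poster found)
      OTHER       answer matches neither address
    """
    answered = ipaddress.IPv4Address(answered_ip)
    for s in statics:
        if s.hostname.lower() != hostname.lower():
            continue
        if answered == s.real_ip:
            return "DOCTORED", f"{hostname} resolved to DMZ address {s.real_ip}"
        if answered == s.mapped_ip and not s.dns_rewrite:
            return "NO_DNS_KW", (f"{hostname} resolved to public {s.mapped_ip}; the static "
                                 "has no 'dns' keyword, so replies crossing the ASA are not rewritten")
        if answered == s.mapped_ip:
            return "NOT_VIA_FW", (f"{hostname} resolved to public {s.mapped_ip} despite 'dns'; "
                                  "the DNS reply did not traverse the ASA (cached or internal resolver)")
        return "OTHER", f"{hostname} resolved to {answered}, expected {s.mapped_ip} or {s.real_ip}"
    return "NO_STATIC", f"no static translation found for {hostname}"


# Sample: three static lines copied from the config in this thread.
SAMPLE_STATICS = """\
static (DMZ,outside) www.e-repair.nl-74.110.134.102 TPNL03S008-172.16.48.72 netmask 255.255.255.255 dns
static (DMZ,outside) www.TP-communications.com-74.110.134.112 TPNL03S013-172.16.48.102 netmask 255.255.255.255 dns
static (DMZ,outside) www.monteurnet.nl-74.110.134.97 TPNL03S008-172.16.48.67 netmask 255.255.255.255
"""

# Constructed DNS answers as an inside client might see them (not real lookups).
SAMPLE_ANSWERS = [
    ("www.e-repair.nl", "172.16.48.72"),     # rewritten to the DMZ address
    ("www.e-repair.nl", "74.110.134.102"),   # 'dns' present, yet public: reply never crossed the ASA
    ("www.monteurnet.nl", "74.110.134.97"),  # static has no 'dns' keyword
    ("www.TP-sret.nl", "74.110.134.115"),    # not among the sample statics
]

if __name__ == "__main__":
    statics = parse_statics(SAMPLE_STATICS)
    print("statics without DNS rewrite:", statics_without_dns_rewrite(statics))
    for host, ip in SAMPLE_ANSWERS:
        code, why = diagnose(host, ip, statics)
        print(f"{code:<11} {why}")
```

Feed it the full `static` section of a config and a few `nslookup` results taken from an inside host to see at a glance whether a missing `dns` keyword or a resolver that answers from cache (or never sends queries through the ASA) is what stops the rewrite.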
ASKER CERTIFIED SOLUTION