urfried
asked on
Inside netw cannot access own website in DMZ zone (Cisco ASA)
Hi gents,
Here is a head-breaking problem I am not able to solve.
It's quite a known problem with PIXes and ASAs, but unfortunately I'm not seeing it anymore....
Who is?!?
Thanks a lot
=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2009.01.05 13:34:56 =~=~=~=~=~=~=~=~=~=~=~=
ASA Version 8.0(2)
!
hostname TPNL03FW01
domain ***
names
dns-guard
!
interface Ethernet0/0
description internet side
nameif outside
security-level 0
ip address 74.110.134.66 255.255.255.192
!
interface Ethernet0/1
description LAN TP
nameif inside
security-level 100
ip address 10.02.48.7 255.255.248.0
!
interface Ethernet0/2
description DMZ
speed 100
duplex full
nameif DMZ
security-level 50
ip address 172.16.48.1 255.255.255.0
!
interface Management0/0
description Management interface
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
boot system disk0:/asa802-k8.bin
boot system disk0:/asa712-k8.bin
ftp mode passive
clock timezone Ams 1
dns domain-lookup outside
dns domain-lookup inside
dns domain-lookup DMZ
dns server-group DefaultDNS
name-server 217.21.244.66
name-server 217.21.244.7
domain-name ***
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network DNS_SERVERS_INSIDE
network-object TPNL03S002-10.02.48.72 255.255.255.255
network-object TPNL03S001-10.02.48.71 255.255.255.255
object-group network WEBSITES
description TP websites
network-object host www.TP-comm.com-78.108.130.96
network-object host www.monteurnet.nl-74.110.134.97
network-object host www.ontvangstnet.nl-74.110.134.98
network-object host www.repairnet.nl-74.110.134.99
network-object host www.retournet.nl-74.110.134.100
network-object host www.collexion.nl-74.110.134.101
network-object host www.e-repair.nl-74.110.134.102
network-object host www.TP-communications.net-74.110.134.103
network-object host www.TP-reparatieservice-s.nl-74.110.134.104
network-object host www.retourmobiel.nl-74.110.134.105
network-object host www.TPservice.nl-74.110.134.106
network-object host www.TPcommunications.com.nl-74.110.134.107
network-object host www.TP-communications.nl-74.110.134.108
network-object host www.TP-china-mobile.com-74.110.134.109
network-object host www.TP-apac-mobile.com-74.110.134.110
network-object host www.TP-spm.nl-74.110.134.111
network-object host www.TP-communications.com-74.110.134.112
network-object host TEST-74.110.134.113
network-object host ftp.TP-comm.com-74.110.134.74
network-object host NL03MAIL-74.110.134.70
network-object host www.TP-telmodule.nl-74.110.134.114
network-object host www.TP-sret.nl-74.110.134.115
object-group network INSIDE-NETWORKS
description 10.02.48.0/21
network-object 10.02.48.0 255.255.248.0
object-group network WEBSITES_REAL
description TP websites
network-object host TPNL03S012-172.16.48.100
network-object host TPNL03S013-172.16.48.101
network-object host TPNL03S013-172.16.48.102
network-object host TPNL03S013-172.16.48.103
network-object host TPNL03S008-172.16.48.104
network-object host TPNL03S008-172.16.48.66
network-object host TPNL03S008-172.16.48.67
network-object host TPNL03S008-172.16.48.68
network-object host TPNL03S008-172.16.48.69
network-object host TPNL03S008-172.16.48.70
network-object host TPNL03S008-172.16.48.71
network-object host TPNL03S008-172.16.48.72
network-object host TPNL03S008-172.16.48.73
network-object host TPNL03S008-172.16.48.74
network-object host TPNL03S008-172.16.48.75
network-object host TPNL03S008-172.16.48.76
network-object host TPNL03S008-172.16.48.77
network-object host TPNL03S008-172.16.48.78
network-object host TPNL03S008-172.16.48.79
network-object host TPNL03S008-172.16.48.80
network-object host TPNL03S008-172.16.48.81
network-object host TPNL03S008-172.16.48.82
network-object host TPNL03S008-172.16.48.83
network-object host TPNL03S008-172.16.48.84
network-object host TPNL03S008-172.16.48.85
network-object host TPNL03S008-172.16.48.86
network-object host TPNL03S008-172.16.48.87
network-object host TPNL03S008-172.16.48.88
network-object host TPNL03S008-172.16.48.89
network-object host TPNL03S008-172.16.48.90
network-object host TPNL03S008-172.16.48.91
network-object host TPNL03S008-172.16.48.92
network-object host TPNL03S008-172.16.48.93
network-object host TPNL03S008-172.16.48.94
network-object host TPNL03S004-172.16.48.95
network-object host TPNL03S008-172.16.48.96
network-object host TPNL03S008-172.16.48.97
network-object host TPNL03S008-172.16.48.98
network-object host TPNL03S008-172.16.48.99
network-object host TPNL03S008-172.16.48.105
object-group network TP-CZ-NETWORKS
description TP CZ networks
network-object 10.02.60.0 255.255.252.0
object-group service WEBSERVICE_TCP tcp
description web server access
port-object eq www
port-object eq https
object-group service FTPSERVICE_TCP tcp
description ftp server ports
port-object eq ftp
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
access-list dmz_access_in extended permit udp host TPNL03S008-172.16.48.66 object-group DNS_SERVERS_INSIDE eq domain
access-list dmz_access_in extended permit tcp host TPNL03S008-172.16.48.66 object-group DNS_SERVERS_INSIDE eq domain
access-list dmz_access_in extended permit tcp host TPNL03S008-172.16.48.104 host 10.02.48.73 object-group WEBSERVICE_TCP
access-list dmz_access_in extended permit tcp host TPNL03S008-172.16.48.66 object-group EXTERNAL-CUSTOMERS eq ftp
access-list dmz_access_in extended permit tcp host TPNL03S008-172.16.48.66 object-group EXTERNAL-CUSTOMERS eq www
access-list dmz_access_in extended permit tcp host TPNL03S008-172.16.48.66 object-group EXTERNAL-CUSTOMERS eq https
access-list dmz_access_in extended permit tcp host TPNL03S008-172.16.48.66 host TPNL03S007-10.02.48.79 eq www
access-list dmz_access_in extended permit icmp host TPNL03S008-172.16.48.66 any echo-reply
access-list dmz_access_in extended permit icmp 172.16.32.0 255.255.248.0 any echo-reply
access-list dmz_access_in extended permit icmp host TPNL03S013-172.16.48.101 any echo-reply
access-list dmz_access_in extended permit udp host TPNL03S013-172.16.48.101 object-group DNS_SERVERS_INSIDE eq domain
access-list dmz_access_in extended permit tcp host TPNL03S013-172.16.48.101 object-group DNS_SERVERS_INSIDE eq domain
access-list outside_access_in extended permit tcp any object-group WEBSITES object-group WEBSERVICE_TCP
access-list outside_access_in extended permit tcp any host www.TP-communications.com-74.110.134.112 object-group FTPSERVICE_TCP
access-list NO-NAT remark Disable NAT for traffic from inside to DMZ and VPN clients
access-list NO-NAT extended permit ip object-group INSIDE-NETWORKS 172.16.32.0 255.255.248.0
access-list NO-NAT extended permit ip object-group INSIDE-NETWORKS object-group VPN-CLIENTS
access-list NO-NAT extended permit ip 10.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0
access-list NO-NAT extended permit ip any VPN-CLIENT-10.02.53.32 255.255.255.224
access-list NO-NAT extended permit ip object-group INSIDE-NETWORKS object-group TP-CZ-NETWORKS
access-list NO-NAT extended permit ip object-group Int-NETWORKS 172.16.32.0 255.255.248.0
access-list NO-NAT extended permit ip object-group SPS-ACL 172.19.250.248 255.255.255.248
access-list NO-NAT extended permit ip object-group KPN-ACL 145.7.196.0 255.255.255.0
access-list DMZ_nat0_outbound extended permit ip object-group WEBSITES_REAL host 161.89.56.220
access-list DMZ_nat0_outbound extended permit ip any 192.168.0.0 255.255.0.0
access-list DMZ_nat0_outbound extended permit ip any VPN-CLIENT-10.02.53.32 255.255.255.224
access-list DMZ_nat0_outbound extended permit ip 10.02.48.0 255.255.248.0 host 161.89.56.220
access-list acl_outside extended permit tcp any host NL03MAIL-74.110.134.70 eq www
access-list acl_outside extended permit tcp any host NL03MAIL-74.110.134.70 eq https
pager lines 24
logging enable
logging timestamp
logging buffer-size 75000
logging monitor notifications
logging buffered debugging
logging trap notifications
logging history emergencies
logging asdm notifications
logging ftp-bufferwrap
logging ftp-server TPNL03S013-172.16.48.102 . urfried ****
no logging message 106014
no logging message 106006
no logging message 106001
no logging message 313001
no logging message 106023
no logging message 106020
no logging message 710003
no logging message 304001
mtu outside 3000
mtu inside 1500
mtu DMZ 1500
mtu DMZ-VPN 1500
mtu management 1500
ip local pool VPNClient VPN-CLIENT-10.02.53.32-10.02.53.63 mask 255.255.255.224
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip verify reverse-path interface DMZ
ip verify reverse-path interface management
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-602.bin
asdm history enable
arp timeout 14400
nat-control
global (outside) 1 74.110.134.90
global (outside) 2 74.110.134.91
nat (inside) 0 access-list NO-NAT
nat (inside) 1 10.02.48.0 255.255.248.0
nat (DMZ) 0 access-list DMZ_nat0_outbound
static (inside,outside) NL003MAIL-74.110.134.70 TPNL03M073-10.02.48.91 netmask 255.255.255.255
static (DMZ,outside) www.monteurnet.nl-74.110.134.97 TPNL03S008-172.16.48.67 netmask 255.255.255.255
static (DMZ,outside) www.ontvangstnet.nl-74.110.134.98 TPNL03S008-172.16.48.68 netmask 255.255.255.255
static (DMZ,outside) www.repairnet.nl-74.110.134.99 TPNL03S008-172.16.48.69 netmask 255.255.255.255
static (DMZ,outside) www.retournet.nl-74.110.134.100 TPNL03S008-172.16.48.70 netmask 255.255.255.255
static (DMZ,outside) www.collexion.nl-74.110.134.101 TPNL03S008-172.16.48.71 netmask 255.255.255.255
static (DMZ,outside) www.e-repair.nl-74.110.134.102 TPNL03S008-172.16.48.72 netmask 255.255.255.255 dns
static (DMZ,outside) www.TP-communications.net-74.110.134.103 TPNL03S008-172.16.48.73 netmask 255.255.255.255
static (DMZ,outside) www.TP-reparatieservice-s.nl-74.110.134.104 TPNL03S008-172.16.48.74 netmask 255.255.255.255
static (DMZ,outside) www.TPservice.nl-74.110.134.106 TPNL03S008-172.16.48.84 netmask 255.255.255.255
static (DMZ,outside) www.retourmobiel.nl-74.110.134.105 TPNL03S008-172.16.48.82 netmask 255.255.255.255
static (DMZ,outside) www.TPcommunications.com.nl-74.110.134.107 TPNL03S008-172.16.48.87 netmask 255.255.255.255
static (DMZ,outside) www.TP-communications.nl-74.110.134.108 TPNL03S008-172.16.48.88 netmask 255.255.255.255
static (DMZ,outside) www.TP-china-mobile.com-74.110.134.109 TPNL03S008-172.16.48.92 netmask 255.255.255.255
static (DMZ,outside) www.TP-apac-mobile.com-74.110.134.110 TPNL03S008-172.16.48.93 netmask 255.255.255.255
static (DMZ,outside) www.TP-spm.nl-74.110.134.111 TPNL03S008-172.16.48.94 netmask 255.255.255.255
static (DMZ,outside) www.TP-communications.com-74.110.134.112 TPNL03S013-172.16.48.102 netmask 255.255.255.255 dns
static (DMZ,outside) ftp.TP-comm.com-74.110.134.74 TPNL03S012-172.16.48.100 netmask 255.255.255.255
static (DMZ,outside) www.TP-comm.com-78.108.130.96 TPNL03S008-172.16.48.89 netmask 255.255.255.255
static (DMZ,outside) TEST-74.110.134.113 TPNL03S013-172.16.48.103 netmask 255.255.255.255
static (DMZ,outside) www.TP-telmodule.nl-74.110.134.114 TPNL03S008-172.16.48.104 netmask 255.255.255.255
static (DMZ,outside) www.TP-sret.nl-74.110.134.115 TPNL03S008-172.16.48.105 netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group dmz_access_in in interface DMZ
route outside 0.0.0.0 0.0.0.0 74.110.134.126 10
route inside 10.0.0.0 255.0.0.0 10.02.48.5 10
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
ASKER
mmm... you're correct,
I changed the config a little.... The original is correct... My mistake.... thnx
Please add the access-list line below as well:
access-list DMZ_nat0_outbound extended permit ip 172.16.48.0 255.255.255.0 object-group INSIDE-NETWORKS
ASKER
Unfortunately, no result.
By the way.... I tested last week with Packet Tracer, and the request is permitted.
Strange....
I found one more ACL:
access-list dmz_access_in extended permit ip object-group INSIDE-NETWORKS 172.16.48.0 255.255.255.0
or reverse
access-list dmz_access_in extended permit ip 172.16.48.0 255.255.255.0 object-group INSIDE-NETWORKS
ASKER
Both, no result....
Looks like it is transferred with the dynamic rule OUTSIDE, isn't it?
Somewhere it needs the exclusion from going outside...
grrr
ASKER
Folks.....
Just to be sure....
The internal DMZ webpage is accessible...
ONLY the website via external DNS (NAT-ed external IP) from inside is the problem....
DAP does not affect DMZ rules. It is for VPN and SSL configuration.
http://www.cisco.com/en/US/docs/security/asa/asa80/asdm60/user/guide/vpn_dap.html
It is nice that you are starting to reach the DMZ :)
ASA/PIX cannot NAT if the destination IP is on the ASA. You can just reach it via local IPs.
ASKER
This is clear....
But from what I've understood, the ASA should notice the particular (A) host in DNS and reverse it to the DMZ address.
In the old environment the PIX did its job.....
An external company created the new config for these ASAs.....
I checked DNS (lookup) on the static NAT rules.... without result.
Any more ideas to check our own www website from the inside network....
Thanks for all the help btw
SOLUTION
ASKER
Looks ok....
I will try this tonight when production is gone.
These are tricky....
Any status updates? I am having the same problem accessing 2 of my 4 DMZ websites via IP address. No problem accessing them via DNS name, but no way with IP addresses.
ASKER
I have been trying a lot since I posted this.
Nothing worked.
I have hired a specialized company who will have a look at it.
I will let you know what our problem was, once it is solved.
grtz
ASKER
Hey gents,
First thing to realise and check if you are having the same issue: be sure the DNS request is done THROUGH the firewall....
In my case we found out the internal DNS server had already cached the wrong DNS IP, so the firewall couldn't rewrite the IP.
Unfortunately this didn't solve the problem; you really have to look into it.
Once I have the solution I'll let you know...
Grtz
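The point in the asker's last post (the ASA can only rewrite a DNS answer that actually passes through it, and only for a static that carries the `dns` keyword) can be modelled in a few lines. The following is an added example, not code from the thread or from Cisco: it parses a constructed subset of the poster's `static (DMZ,outside)` lines and simulates what an inside client ends up with for a given A record. The rewrite rules in `doctor_a_record` are a simplification of ASA DNS doctoring and are an assumption of this example.

```python
"""
Added example, not code from the thread: a small model of the ASA 'dns'
keyword on static NAT entries (DNS doctoring). The ASA can only rewrite an
A record in a DNS reply that actually passes through it, and only for
statics that carry 'dns'. The statics below are a constructed subset of the
poster's config; the rewrite rules are a simplified assumption.
"""
import ipaddress

STATICS = """
static (DMZ,outside) www.monteurnet.nl-74.110.134.97 TPNL03S008-172.16.48.67 netmask 255.255.255.255
static (DMZ,outside) www.e-repair.nl-74.110.134.102 TPNL03S008-172.16.48.72 netmask 255.255.255.255 dns
static (DMZ,outside) www.TP-communications.com-74.110.134.112 TPNL03S013-172.16.48.102 netmask 255.255.255.255 dns
"""


def ip_of(token):
    """ASA 'names' tokens look like LABEL-1.2.3.4; keep only the address part."""
    return str(ipaddress.ip_address(token.rsplit("-", 1)[-1]))


def parse_statics(text):
    """Map each mapped (public) address to the details of its static entry."""
    entries = {}
    for line in text.strip().splitlines():
        tok = line.split()
        if len(tok) < 6 or tok[0] != "static":
            continue
        real_if, mapped_if = tok[1].strip("()").split(",")
        entries[ip_of(tok[2])] = {
            "real": ip_of(tok[3]),
            "real_if": real_if,
            "mapped_if": mapped_if,
            "dns": "dns" in tok[6:],  # the keyword that enables DNS doctoring
        }
    return entries


def statics_without_dns(entries):
    """Public addresses whose static lacks 'dns': replies for them are never rewritten."""
    return sorted(ip for ip, e in entries.items() if not e["dns"])


def doctor_a_record(entries, answer_ip, reply_crosses_asa, client_if="inside"):
    """Simulate the ASA's handling of one A record in a DNS reply.

    Returns (address the client will actually use, explanation).
    """
    answer_ip = ip_of(answer_ip)
    if not reply_crosses_asa:
        # The case from the thread: an internal resolver answered from cache.
        return answer_ip, "answered from an internal DNS cache; the ASA never saw the reply"
    entry = entries.get(answer_ip)
    if entry is None:
        return answer_ip, "no static for this mapped address"
    if not entry["dns"]:
        return answer_ip, "static has no 'dns' keyword; reply passed through unchanged"
    if client_if == entry["mapped_if"]:
        return answer_ip, "client sits on the mapped side; the public address is correct"
    return entry["real"], f"rewritten to the real address on {entry['real_if']}"


if __name__ == "__main__":
    entries = parse_statics(STATICS)
    print("statics without 'dns':", statics_without_dns(entries))
    for crosses in (True, False):
        print(doctor_a_record(entries, "74.110.134.102", reply_crosses_asa=crosses))
```

Running it lists `74.110.134.97` as a static without the keyword, and shows the same public answer for www.e-repair.nl being rewritten to `172.16.48.72` only when the reply crosses the ASA; a cached answer from the internal DNS server is returned untouched, which is exactly what the asker observed.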
ASKER CERTIFIED SOLUTION
ip address 172.16.48.1 255.255.255.0
but your no-NAT list is this:
access-list NO-NAT extended permit ip object-group INSIDE-NETWORKS 172.16.32.0 255.255.248.0
You may enter the line below:
access-list NO-NAT extended permit ip object-group INSIDE-NETWORKS 172.16.48.0 255.255.255.0
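The mismatch this answer points at (the DMZ interface is 172.16.48.0/24, while the NO-NAT exemption only covers 172.16.32.0/21, which ends at 172.16.39.255) is easy to miss by eye in a long config. The following is an added example, not the answerer's or Cisco's code: it parses a constructed subset of the poster's interface, object-group and NO-NAT lines and reports which entry, if any, exempts inside-to-DMZ traffic from NAT. The poster's config writes octets with leading zeros (10.02.48.0), which Python's `ipaddress` rejects, so the helper normalises them; that normalisation and the simplified ACL grammar are assumptions of this example.

```python
"""
Added example, not code from the thread: checks whether the NO-NAT
access-list really exempts inside -> DMZ traffic from NAT, the point made
in the accepted answer. CONFIG is a constructed subset of the poster's
configuration; FIX_LINE is the line the answer proposes adding.
"""
import ipaddress

CONFIG = """
interface Ethernet0/2
 nameif DMZ
 ip address 172.16.48.1 255.255.255.0
!
object-group network INSIDE-NETWORKS
 description 10.02.48.0/21
 network-object 10.02.48.0 255.255.248.0
access-list NO-NAT extended permit ip object-group INSIDE-NETWORKS 172.16.32.0 255.255.248.0
access-list NO-NAT extended permit ip 10.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0
"""

FIX_LINE = "access-list NO-NAT extended permit ip object-group INSIDE-NETWORKS 172.16.48.0 255.255.255.0\n"


def norm(token):
    """Drop the label from LABEL-1.2.3.4 tokens and leading zeros from octets (10.02.48.0)."""
    quad = token.rsplit("-", 1)[-1]
    return ".".join(str(int(o)) for o in quad.split("."))


def net(addr, mask="255.255.255.255"):
    return ipaddress.ip_network(f"{norm(addr)}/{norm(mask)}", strict=False)


def parse_spec(groups, tok, i):
    """Parse one ACL address spec starting at tok[i]; return (networks, next index)."""
    if tok[i] == "any":
        return [ipaddress.ip_network("0.0.0.0/0")], i + 1
    if tok[i] == "host":
        return [net(tok[i + 1])], i + 2
    if tok[i] == "object-group":
        return groups[tok[i + 1]], i + 2
    return [net(tok[i], tok[i + 1])], i + 2


def parse_config(text):
    """Return (interfaces by nameif, network object-groups, ACL entries by name)."""
    ifaces, groups, acls = {}, {}, {}
    current_if = current_group = None
    for raw in text.splitlines():
        tok = raw.split()
        if not tok or tok[0] == "description":
            continue
        if tok[0] == "interface":
            current_if, current_group = None, None
        elif tok[0] == "nameif":
            current_if = tok[1]
        elif tok[:2] == ["ip", "address"] and current_if:
            ifaces[current_if] = net(tok[2], tok[3])
        elif tok[:2] == ["object-group", "network"]:
            current_group = tok[2]
            groups[current_group] = []
        elif tok[0] == "network-object" and current_group:
            if tok[1] == "host":
                groups[current_group].append(net(tok[2]))
            else:
                groups[current_group].append(net(tok[1], tok[2]))
        elif tok[0] == "access-list" and tok[2:5] == ["extended", "permit", "ip"]:
            srcs, i = parse_spec(groups, tok, 5)
            dsts, _ = parse_spec(groups, tok, i)
            acls.setdefault(tok[1], []).append((raw.strip(), srcs, dsts))
        else:
            current_group = None  # any other command ends an object-group block
    return ifaces, groups, acls


def nat_exemption(acl_entries, src, dst):
    """Return the first entry whose source and destination fully contain src -> dst, else None."""
    for line, srcs, dsts in acl_entries:
        if any(src.subnet_of(s) for s in srcs) and any(dst.subnet_of(d) for d in dsts):
            return line
    return None


def check_inside_to_dmz(text, acl="NO-NAT", src_group="INSIDE-NETWORKS", dmz_if="DMZ"):
    """Which ACL line exempts every inside network from NAT towards the DMZ subnet? None if NAT still applies."""
    ifaces, groups, acls = parse_config(text)
    dmz = ifaces[dmz_if]
    hits = [nat_exemption(acls.get(acl, []), src, dmz) for src in groups[src_group]]
    return None if any(h is None for h in hits) else hits[0]


if __name__ == "__main__":
    print("as posted :", check_inside_to_dmz(CONFIG))
    print("with fix  :", check_inside_to_dmz(CONFIG + FIX_LINE))
```

With the config as posted the check returns `None`: 172.16.48.0/24 is not inside 172.16.32.0/21, and the `10.0.0.0/8 -> 10.0.0.0/8` entry does not cover a 172.16 destination either, so inside-to-DMZ traffic still hits the dynamic `nat (inside) 1` rule. Appending the proposed line makes the check return that line.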