
Cannot access website from behind same Firewall as the Web Server

skip59 asked
I have an ASA 5505 with two public IPs, one for the outside interface of the router and the other assigned to the Static NAT rule for my Web Server. I cannot access any websites hosted on my Web Server using their URL from a PC connected to the Internet through the ASA 5505. I have two VLANs, one for the inside interface and one for the outside interface. I am a router/firewall novice and have set this up using ASDM with the help of the Wizards and some assistance from members here.

Troubleshoot connectivity first: can you ping the IP of the webserver? Do the logs on the webserver show any hits from your internal network?


The current firewall settings do not pass ping requests. I could set up a rule to let it reply if necessary. When I try to connect from a browser on the internal network I do not see any traffic from a source IP of my outside interface or my internal IP in the logs. I did not mention in my original post that all websites hosted on this server are working fine when connected to from a device outside my firewall, i.e. I can connect to a site on my phone through cell internet access.

Set up a policy to log access when going from the internal VLAN to the site/IP. This may be of use to you: http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/acl_logging.html

The site is up and your external > internal is working, or you wouldn't get access from the outside. You'll probably want to set up that ping policy just for your own internal monitoring, but even if that's not something you want permanently, I think it would help you troubleshoot your internal access issue.

Your problem is probably related to DNS. If DNS returns the public IP address of the webserver, the firewall won't allow an internal client to access another internal webserver using the public address.
If you have made a full 1-to-1 NAT of the public IP to the webserver, you just need to add the "dns" keyword after the NAT statement (called DNS rewrite in ASDM).
This manipulates the DNS response, and returns the webserver's internal IP to the client instead.
If this is not a possibility, you can do split DNS using your internal DNS server.
More here: http://windowsitpro.com/networking/split-brain-dns
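Added illustration (not from any poster in this thread): what the "dns" keyword on a one-to-one static NAT looks like in the ASA CLI, for readers who want to see what the ASDM "Translate the DNS replies" checkbox generates. The addresses are constructed placeholders from the RFC 5737 documentation ranges; the object name and interface names are assumptions.

```text
! ASA 8.3+ object NAT: placeholder internal host 192.0.2.10 (constructed value),
! published on placeholder public address 203.0.113.10 (constructed value).
object network OBJ-WEBSERVER
 host 192.0.2.10
 ! "dns" tells the ASA to rewrite A-record answers that carry the public
 ! address so inside clients receive 192.0.2.10 instead of 203.0.113.10.
 nat (inside,outside) static 203.0.113.10 dns

! Equivalent pre-8.3 syntax:
! static (inside,outside) 203.0.113.10 192.0.2.10 netmask 255.255.255.255 dns
```

Two caveats a practitioner would check before relying on this. First, DNS rewrite only takes effect when the DNS reply actually passes through the ASA with DNS inspection enabled (the default policy inspects DNS); if inside clients resolve names against an internal DNS server, the reply never crosses the firewall and the split DNS approach from the post above is the right fix. Second, `show nat detail` confirms the rule is installed with the dns option, and `packet-tracer input inside tcp 192.0.2.50 12345 192.0.2.10 80` (constructed client address) walks the inside-to-server flow and shows which access rule or NAT entry would drop it if something else is still blocking the connection.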


Thank you very much. That was it. All I had to do was edit the Static NAT Rule and select the "Translate the DNS replies that match the translation rule" box under Connection Settings. I have included a screenshot of the ASDM Static NAT Rule screen for other ASDM novices like me out there.