Cannot reach website inside our domain with 0 restrictions, but can from outside our network. Please help!

Sorry to ask the obvious but....

Did it ever work? If so, when did it stop and what changed between now and the last time it worked? Is there a piece of gear turned off, unplugged or dead?

You need DNS doctoring.

At the end of the static nat statement for that server, add the keyword "dns".

For doctoring to work, you'll also need to route all DNS queries and replies through the ASA so they can be translated. Additionally, DNS inspection must be turned on on the ASA. You could also implement u-turning which tells the ASA to doctor both the source and destination IP.

More detail here: https://supportforums.cisco.com/document/145401/dns-doctoring-and-u-turning-asa-when-and-how-use-it

This only is a concern when internal DNS is configured to hand  out a public IP instead of the internal.

I've yet to see that happen.

No this never worked. Stepped on this landmine.  DNS seems to be fine from all devices including the ASA so would DNS inspection/u-turning assist with this still? It seems to get out but not return.

What is your DNS server while inside the network?

Is it external?
   if yes, add the "dns" keyword to the end of the static statement and you're done
   if no, then it's internal
     does your internal server forward queries outside for the domain?
          if yes, then you're done after you add the "dns" keyword
          if no, does your server give you a public IP?
              if no, you're done (and you should be able to reach it)
              if yes, change it to the inside IP

@Jan
Interesting. I was under the impression that you needed to pass all your DNS queries through the ASA for doctoring to work regardless of where DNS lookups were taking place. I learned something today. Thanks, Jan!

@admitech
Yes, either method should fix your issue.

Wouldn't let me edit the last comment. I mentioned U-turning to our Sr. Net Admin and he looked at me like I had 3 heads....

Jan: let me run through that list. Great if this then this...lol! Thanks!

Ha! You should let your senior admin fix it then. Be sure to save a copy of your config first!

Or hire Jan. She's available for gigs.

Well, the flow chart says that if the packets hit the firewall to go to an outside address and that address is a static NAT with "dns", the ASA should swap the IP in the packets and send it back.

Lol,  unfortunately I arrived at "if no, you're done (and you should be able to reach it)" and cannot!

Jan/Gilnov:

Want to paste the config. You guys can probably figure it out in two seconds?!

sh run nat

copy and paste the nat entry for the web server into notepad
copy and paste it again

on the first line, you will insert "no" at the beginning.

on the second line, you will add "dns" to the end.

copy both lines and paste in configuration mode in to the ASA (no quotes).  save it.

to remove a static entry that is in use will require that you clear the translation first.  my recommendation is to do this during a non-peak period -- like before the office opens or whenever traffic to that server is low.

send it via EE message, please don't post it here.

If that server is hosted internally (and it sounds like it is), why not use a split DNS configuration to resolve sftp.bpas.com to the server's internal address? Then you don't have to modify the router/firewall config at all, as that traffic will stay inside your network.

The simplest way to do this will be to create a forward lookup zone named sftp.bpas.com in your internal DNS, then create a blank host record in that zone. Give that record the server's internal IP address. Flush the resolver cache on a client (ipconfig /flushdns) and test from that client.

its in an external webpage outside of our organization and not associated with us. Sorry if I confused!

We'll, that does shed a different light. Can we assume all PC's inside your LAN have the same problem (or at least all PC's you checked)? What about your domain controller (assuming it's also your internal DNS server)? Where are your PC's getting their EXTERNAL DNS queries served (e.g. do they just check with the DC and the DC handles external lookups or do all machines go directly to an external DNS provider, including the DC/DNS server)?

Also, you said tracert dies but where does the trace stop? Can you tell if it ever leaves your carrier's network?

It's does not appear to be with the ASA and it's not DNS.

Gilnov:

Yes you are right. None of the PCs on the network can get there. They check with the DC/DNS. DNS appears fine all around. Tracert dies after it leaves the carrier's network it seems.....

I haven't see your config. Is port 22 open on both the internal and external interfaces? Does the remote site use different/non-standard ports for SSH/SFTP? If so, are those ports open on your ASA?

Also, can you confirm for certain that people inside can NOT access the site AT THE SAME TIME that people outside your LAN can access the site? That is to say, have you ruled out the possibility that the site might actually be temporarily unavailable?

It's not an ASA issue.  This is an issue reaching an https _remote_ site.

@Jan
It would seem to be something on the OP's network though since the site is accessible from other networks, wouldn't you agree?

I cannot rule that out yet.

Yep as Jan said this is not a site to site. The site we are trying to reach is an investment site that HR from a lot of companies do business with but not apart of our network, etc. It seems to be an HTTPs issue but cannot figure out why. Last place it dies here (on a tracert)
 106 ms    90 ms    27 ms  ae-1-4.bar2.buffalo1.level3.net [4.69.140.241]

The purpose of the traceroute is to see if you made it off-net to rule out an internal problem.   You do and that the traceroute dies may only mean that it is blocked in the path.

Yes. True, just wanted to show last hop is outside of us and seemingly our carrier....Nevermind that I included that lol.

@admitech
So all we know at this point is your packets are getting out but responses are not coming back from that site.
Are other ssh/sftp sites affected?
Have you tried connecting from inside your network with PuTTY SFTP or similar client (i.e. a client other than a web browser)?

@gilnov
Exactly.
No other sites are affected but this ONE. That we know of; apparently this is a year long issue that I stepped on but not giving up until this is fixed.
@Jan @gilnov
I tried Putty with Jan. Jan what was your conclusion on this other than obviously we proved:
Not the ASA, not DNS?

By the way guys I totally appreciate you sticking with me on this! I've got a 10am meeting with the "big dogs" so well see what suggestions we get BUT considering this has been known not working for a year I am not expecting much! And of course now its urgent! You know how that works! Good ole IT!

DNS works and he getting the correct IP address.

Packet-tracer on the ASA shows the flows permitted.

Traceroute shows the packets making it several hops -- way off net before they time out.

There has to be a filter in routing toward the destination or at the destination server that needs to be updated is my best guess.

Have you contacted your ISP(s) to see if they can offer any insight into why the route is being blocked?

I was thinking maybe the ISP could peer deeper into the connection attempt from their perspective and shed additional light on what happens when it leaves their edge where it times out.

True enough but they might be able to see the reason the connection is timing out. Probably not but it can't hurt to ask. We're still trying to find the edges of the problem.

@Gilnov and @Jan

I love you both. Seriously owe you guys whatever you drink. A lot of work to find out that after contacting bpas for the 20th time I found the right guy who says "OH, HEY! you are blocked! Too many logon failures! They removed my ip and "TA DA"!!! It works!
I'm going to go out on a limb and say the Time Warner IP is on the block list too!

Thanks so much for going ABOVE AND WAY BEYOND. Jan you better keep in touch I owe you for your efforts!

Happy to be of assistance. Write down the person or at least the department you spoke with at BPAS. If you were blocked for too many failed logons once, it's very likely you'll end up being blocked again.