URL access on inside

Unanswered Question
Nov 11th, 2007
User Badges:

Hello Community,

I have a ASA5505, simple configuration inside, outside. On the inside I have a DNS, IIS, SQL server. One fixed outside IP from ISP. I can access my websites from the outside but I can't from the inside. I can ping the IIS server on the inside but I can't view my site http://www.alt74.net on the inside. Can you point me in the right direction what needs to be configured. ASA or DNS server? Before the ASA5505 I had a LinksSys small biz firewall and URL access worked inside and outside. Many thanks in advance

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 4.5 (2 ratings)
altziebler Sun, 11/11/2007 - 19:14
User Badges:

This is great! Haven't found this during my own research. Thanks so much! Jurgen

JORGE RODRIGUEZ Sun, 11/11/2007 - 20:19
User Badges:
  • Green, 3000 points or more

You should be all set once you go over the link, if you need help in configuring it let us know.

Rate any helpful post



altziebler Tue, 11/13/2007 - 08:48
User Badges:

i tried to follow the settings. But now I see in the Syslog Messages: Deny IP spoof from ( to on interface inside


altziebler Tue, 11/13/2007 - 12:45
User Badges:

Many thanks for your help!

Result of the command: "show running-config"

: Saved


ASA Version 8.0(3)


hostname ciscoasa

domain-name default.domain.invalid

enable password ry.XY4BFXaMwWBtg encrypted

no names

name SERVER1 description DNS

name SERVER2 description IIS

name SERVER3 description SQL

name AppleAirport description WiFi

name SERVER2-2 description Ethernet 100


interface Vlan1

description ALT74 LAN

nameif inside

security-level 100

ip address


interface Vlan2

description COX

nameif outside

security-level 0

ip address XX.XXX.XX.XXX


interface Ethernet0/0

switchport access vlan 2


interface Ethernet0/1


interface Ethernet0/2


interface Ethernet0/3


interface Ethernet0/4


interface Ethernet0/5


interface Ethernet0/6


interface Ethernet0/7


passwd xxx

ftp mode passive

clock timezone EST -5

clock summer-time EDT recurring

dns server-group DefaultDNS

domain-name default.domain.invalid

same-security-traffic permit intra-interface

object-group protocol TCPUDP

protocol-object udp

protocol-object tcp

access-list inside_access_in extended permit ip any any

access-list outside_access_in extended permit tcp any host eq www

access-list outside_access_in extended permit icmp any any

access-list outside_access_in extended permit tcp any host eq ftp

access-list outside_access_in extended permit tcp any host eq 1433

pager lines 24

logging enable

logging asdm informational

mtu inside 1500

mtu outside 1500

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-522.bin

no asdm history enable

arp timeout 14400


global (inside) 1 interface

global (outside) 1 interface

nat (inside) 1 dns

static (inside,outside) tcp interface www www netmask

static (inside,outside) tcp interface 1433 1433 netmask

static (inside,outside) tcp interface ftp ftp netmask

static (inside,inside) XX.XXX.XX.XXX netmask dns

access-group inside_access_in in interface inside

access-group outside_access_in in interface outside

route outside XX.XXX.XX.XXX 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

dynamic-access-policy-record DfltAccessPolicy

http server enable

http inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd address inside

dhcpd dns interface inside

dhcpd domain alt74.local interface inside

dhcpd enable inside


dhcpd dns interface outside


threat-detection basic-threat

threat-detection statistics port

threat-detection statistics protocol

threat-detection statistics access-list


class-map inspection_default

match default-inspection-traffic



policy-map type inspect dns preset_dns_map


message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp


service-policy global_policy global

prompt hostname context


: end

JORGE RODRIGUEZ Tue, 11/13/2007 - 13:46
User Badges:
  • Green, 3000 points or more

Config is fine, firts time I've seen this message in dns doctoring. I believe by adding bellow statement in your config it will allow traffic flow between interfaces without acl.

try adding:

same-security-traffic permit inter-interface

altziebler Tue, 11/13/2007 - 13:51
User Badges:

Is there anything special I need to do in the DNS server (Win Server 2003). I had a LinkSys small biz firewall before and it worked fine inside, outside.


altziebler Sun, 11/18/2007 - 13:34
User Badges:

Hello Commmunity,

I am still struggeling with accessing my URL on the inside. URL access from outside works great but from the inside ASA5505 tells me IP spoof, access denied. Any help/tip would be great. Thanks, Jurgen


This Discussion