Cisco Support Community
Community Member

Cannot access our website from the LAN

We just added a Cisco ASA5510 to protect our network. Everything works except no one in the LAN can access our imail web site. The web site points to one of our public IPs, x.x.x.35 (we can access the web site from outside and we just can't do the same inside after adding the ASA). Is it possible for the inside computers to access our web site using the public IP address? If not, my other option is to set up a DNS record pointing to the web site, for example 192.168.0.213 = www.chicagotech.net (our network domain name is chicagotech.local). I can't figure out how to do that. Any suggestions?

Here is the Cisco ASA configuration.

ASA Version 7.0(5)
!
hostname ciscoasa
domain-name default.domain.invalid
names
dns-guard
!
interface Ethernet0/0
 nameif Outside
 security-level 0
 ip address x.x.x.38 255.255.255.248
!
interface Ethernet0/1
 nameif Inside
 security-level 100
 ip address 192.168.0.250 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 no ip address
 management-only
!
ftp mode passive
access-list out_to_inside extended permit tcp any host x.x.x.34 eq www
access-list out_to_inside extended permit tcp any host x.x.x.34 eq 8080
access-list out_to_inside extended permit tcp any host x.x.x.34 eq 8383
access-list out_to_inside extended permit tcp any host x.x.x.35 eq www
access-list out_to_inside extended permit tcp any host x.x.x.34 eq smtp
access-list out_to_inside extended permit tcp any host x.x.x.34 eq pop3
access-list out_to_inside extended permit tcp any host x.x.x.34 eq 3389
access-list out_to_inside extended permit tcp any host x.x.x.34 eq 13001
access-list out_to_inside extended permit tcp any host x.x.x.35 eq 13001
access-list out_to_inside extended permit tcp any host x.x.x.35 eq 3389
access-list out_to_inside extended permit tcp any host x.x.x.35 eq pop3
access-list out_to_inside extended permit tcp any host x.x.x.35 eq smtp
access-list out_to_inside extended permit tcp any host x.x.x.35 eq 8383
pager lines 24
logging asdm informational
mtu management 1500
mtu Inside 1500
mtu Outside 1500
asdm image disk0:/asdm505.bin
no asdm history enable
arp timeout 14400
global (Outside) 10 interface
nat (management) 10 0.0.0.0 0.0.0.0
nat (Inside) 10 0.0.0.0 0.0.0.0
static (Inside,Outside) x.x.x.34 192.168.0.213 netmask 255.255.255.255
static (Inside,Outside) x.x.x.35 192.168.0.112 netmask 255.255.255.255
access-group out_to_inside in interface Outside
route Outside 0.0.0.0 0.0.0.0 x.x.x.33 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute

1 ACCEPTED SOLUTION

Cisco Employee

Re: Cannot access our website from the LAN

If the inside users are trying to connect to the public IP address then this won't work. How you fix it depends on where your DNS server is.

If the inside users use a DNS server on the outside interface then you can have the ASA change the DNS reply as it passes back through the ASA. Just add the "dns" option onto the end of your static commands so they look like the following:

static (Inside,Outside) x.x.x.34 192.168.0.213 netmask 255.255.255.255 dns
static (Inside,Outside) x.x.x.35 192.168.0.112 netmask 255.255.255.255 dns

If the inside users use a DNS server on the inside, but that server replies with the public IP address, then you are going to have to change that inside A record so that it points to your local IP address, the 192.168.0.21x address. No other way around it I'm afraid.
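
A simplified model of the DNS rewrite described in the answer above, added here as an example and not part of the original thread or any Cisco code: it parses host static lines, reports which ones lack the dns keyword, and shows the A record an inside client would receive for a reply arriving from an outside DNS server. The 203.0.113.x addresses are constructed placeholders for the thread's elided x.x.x prefix, and all function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample: the thread's two static lines, with the elided x.x.x
# prefix replaced by the documentation range 203.0.113.0/24 (placeholder).
# Only the first line carries "dns", to contrast the two behaviours.
SAMPLE_CONFIG = """\
static (Inside,Outside) 203.0.113.34 192.168.0.213 netmask 255.255.255.255 dns
static (Inside,Outside) 203.0.113.35 192.168.0.112 netmask 255.255.255.255
"""

# Matches host (/32) statics only, in the syntax shown in the thread.
STATIC_RE = re.compile(
    r"^static \((?P<real_if>\S+),(?P<mapped_if>\S+)\) "
    r"(?P<mapped>\S+) (?P<real>\S+) netmask 255\.255\.255\.255(?P<dns> dns)?\s*$"
)

def parse_statics(config):
    """Return {mapped_ip: (real_ip, dns_rewrite_enabled)} for host statics."""
    table = {}
    for line in config.splitlines():
        m = STATIC_RE.match(line.strip())
        if m:
            mapped = ipaddress.ip_address(m["mapped"])
            table[mapped] = (ipaddress.ip_address(m["real"]), bool(m["dns"]))
    return table

def doctor_a_record(table, answer_ip):
    """Model the A record an inside client sees for a reply from Outside."""
    ip = ipaddress.ip_address(answer_ip)
    real, dns_enabled = table.get(ip, (None, False))
    # Rewritten only when a static maps this address AND carries "dns".
    return str(real) if dns_enabled else str(ip)

def missing_dns_keyword(table):
    """Mapped addresses whose static lacks "dns": clients still get the public IP."""
    return sorted(str(m) for m, (_, dns) in table.items() if not dns)

if __name__ == "__main__":
    statics = parse_statics(SAMPLE_CONFIG)
    for public in ("203.0.113.34", "203.0.113.35", "198.51.100.7"):
        print(public, "->", doctor_a_record(statics, public))
    print("statics without dns:", missing_dns_keyword(statics))
```
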

2 REPLIES
Community Member

Re: Cannot access our website from the LAN

Thank you.
