Internal Website no longer resolving

Dan Loring (Level 1)

We have a website inside our private network listed as a different domain from our AD (AD = Company.local, website = CompanySupplyCorp.com). If I do an nslookup internally, it resolves to its public IP address. This has worked fine all along, but for some reason it recently stopped working and the browser errors out. From outside the company the URL gets translated to the public IP and is NATed in our firewall to our private IP, and the website works fine.

If I do a tracert (traceroute) from our layer 3 switch on the IP, the route dies on the inside interface of our edge router???

I have modified my local hosts file to point to the private IP, and it works, but I have 250 systems and this is a band-aid, not a solution.

Does anyone have any thoughts or recommendations to resolve this?

Not sure if this needs a route to be added, or if DNS could better resolve.

1 Accepted Solution: MS's reply below (packet-tracer suggestion and the DNS doctoring reference).


ajay chauhan (Level 7)

Can you please post your firewall config ?

Thanks

Ajay

Public IP is 64.80.238.209

Private is 192.10.10.16

access-list access_in extended deny tcp any host 66.153.88.141 eq citrix-ica inactive
access-list access_in extended permit tcp any host 64.80.238.209 eq www
access-list access_in extended permit tcp host 12.19.61.34 host 66.153.88.140 eq ssh
access-list access_in extended permit tcp host 65.210.205.254 host 66.153.88.140 eq ssh
access-list access_in extended permit tcp host 65.210.205.209 host 66.153.88.140 eq ssh
access-list access_in extended permit tcp host 66.199.131.184 host 64.80.238.210 eq 9080
access-list access_in extended permit tcp host 66.199.131.187 host 64.80.238.210 eq 9080
access-list access_in extended permit tcp host 66.199.131.189 host 64.80.238.210 eq 9080
access-list access_in extended permit tcp host 66.199.131.134 host 64.80.238.210 eq 9080
access-list access_in extended permit tcp host 64.254.146.163 host 64.80.238.210 eq 9080
access-list access_in extended permit tcp any host 64.80.238.211 eq imap4
access-list access_in extended permit tcp any host 64.80.238.211 eq smtp
access-list access_in extended permit udp any any eq ntp
access-list access_in remark kamcomail - web-based mail unsecured
access-list access_in extended permit tcp any host 64.80.238.211 eq https
access-list access_in remark kamcomail
access-list access_in extended permit tcp any host 64.80.238.211 eq www inactive
access-list access_in extended permit tcp host 216.208.163.66 host 66.153.88.142 eq 3389
access-list access_in extended permit tcp host 70.28.55.129 host 66.153.88.142 eq 3389
access-list access_in extended permit tcp host 99.236.135.59 host 66.153.88.142 eq 3389
access-list access_in extended permit tcp any host 66.153.88.141 eq smtp
access-list 108 extended permit ip 192.10.0.0 255.255.0.0 10.99.99.0 255.255.255.0
access-list 108 extended permit ip 192.10.0.0 255.255.0.0 192.10.90.0 255.255.255.0
access-list 108 extended permit ip 192.10.10.0 255.255.255.0 10.99.99.0 255.255.255.128
access-list kamcovpn_splitTunnelAcl standard permit 192.10.10.0 255.255.255.0
access-list kamcovpn_splitTunnelAcl standard permit 192.10.0.0 255.255.0.0
access-list dmz_in extended permit icmp any any
access-list dmz_in extended deny ip any 192.10.10.0 255.255.255.0
access-list dmz_in extended permit ip any any
access-list wccpserver extended permit ip host 192.10.10.83 any
access-list acl_websense extended deny tcp host 192.10.10.70 any eq https
access-list acl_websense extended deny tcp host 192.10.10.70 any eq www
access-list acl_websense extended deny tcp host WebsenseWEB_C_Interface any eq https
access-list acl_websense extended deny tcp host WebsenseWEB_C_Interface any eq www
access-list acl_websense extended deny tcp host 192.10.10.83 any eq https
access-list acl_websense extended deny tcp host 192.10.10.83 any eq www
access-list acl_websense extended deny tcp host 192.10.10.84 any eq https
access-list acl_websense extended deny tcp host 192.10.10.84 any eq www
access-list acl_websense extended deny tcp host 192.10.10.85 any eq https
access-list acl_websense extended deny tcp host 192.10.10.85 any eq www
access-list acl_websense extended deny tcp any host 64.80.238.209 log
access-list acl_websense extended deny tcp any host 192.10.10.16 log
access-list acl_websense extended permit tcp any any eq www log
access-list acl_websense extended permit tcp any any eq https log
access-list acl_websense extended deny ip any any log
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu management 1500
ip local pool kamcopool 10.99.99.10-10.99.99.100
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (dmz) 1 interface
nat (inside) 0 access-list 108
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 3389 192.10.10.59 3389 netmask 255.255.255.255
static (inside,outside) 66.153.88.140 192.10.10.15 netmask 255.255.255.255
static (inside,outside) 64.80.238.210 192.10.10.17 netmask 255.255.255.255
static (inside,outside) 64.80.238.211 192.10.10.24 netmask 255.255.255.255
static (inside,outside) 66.153.88.141 192.10.10.85 netmask 255.255.255.255
static (inside,outside) 64.80.238.209 192.10.10.16 netmask 255.255.255.255
access-group access_in in interface outside
access-group dmz_in in interface dmz
route outside 0.0.0.0 0.0.0.0 66.153.88.137 1
route inside 192.10.11.0 255.255.255.0 192.10.10.254 1
route inside 192.10.20.0 255.255.255.0 192.10.10.254 1
route inside 192.10.30.0 255.255.255.0 192.10.10.254 1
route inside 192.10.40.0 255.255.255.0 192.10.10.254 1
route inside 192.10.41.0 255.255.255.0 192.10.10.254 1
route inside 192.10.50.0 255.255.255.0 192.10.10.254 1
route inside 192.10.51.0 255.255.255.0 192.10.10.254 1
route inside 192.10.60.0 255.255.255.0 192.10.10.254 1
route inside 192.10.61.0 255.255.255.0 192.10.10.254 1
route inside 192.10.70.0 255.255.255.0 192.10.10.254 1
route inside 192.10.80.0 255.255.255.0 192.10.10.254 1
route inside 192.10.81.0 255.255.255.0 192.10.10.254 1

Have you tried enabling DNS doctoring?

static (inside,outside) 64.80.238.209 192.10.10.16 netmask 255.255.255.255 dns

Or no configuration changes done at all on ASA and suddenly stopped working?

Thx

MS
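To make the DNS doctoring suggestion concrete, here is an added Python example; it is not code from the thread and not Cisco's implementation. It takes three of the static NAT lines Dan posted, with the `dns` keyword appended to the 64.80.238.209 entry as MS suggests (an assumption: nothing else in the config changes), builds a constructed DNS reply for kamcosupplycorp.com, and shows what an inside client receives with and without the keyword. The ASA's actual rewrite happens inside DNS inspection; the rewrite rule modelled here (mapped address in the A record replaced by the real address of a `dns`-flagged static) is the documented behaviour, everything else is illustration.

```python
import re
import struct

# Constructed subset of the static NAT lines Dan posted, with the 'dns' keyword
# added on the web server's entry as MS suggested (assumption: nothing else changed).
ASA_CONFIG = """\
static (inside,outside) 66.153.88.140 192.10.10.15 netmask 255.255.255.255
static (inside,outside) 64.80.238.210 192.10.10.17 netmask 255.255.255.255
static (inside,outside) 64.80.238.209 192.10.10.16 netmask 255.255.255.255 dns
"""

# One-to-one 'static (real_if,mapped_if) mapped_ip real_ip netmask ... [dns]' lines;
# port statics such as 'static (inside,outside) tcp interface 3389 ...' are ignored.
STATIC_RE = re.compile(
    r"^static \((?P<real_if>\w+),(?P<mapped_if>\w+)\)\s+"
    r"(?P<mapped>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<real>\d{1,3}(?:\.\d{1,3}){3})"
    r"\s+netmask\s+\S+(?P<dns>\s+dns)?\s*$",
    re.M,
)


def parse_statics(config):
    """Return {mapped_ip: (real_ip, dns_keyword_present)} for the one-to-one statics."""
    return {m["mapped"]: (m["real"], bool(m["dns"])) for m in STATIC_RE.finditer(config)}


def _ip_bytes(ip):
    return bytes(int(octet) for octet in ip.split("."))


def _ip_str(raw):
    return ".".join(str(b) for b in raw)


def build_a_reply(name, ip, ttl=300):
    """Construct a minimal DNS response (one question, one A answer) as sample input.
    The answer name is a compression pointer to the question name, as real resolvers send."""
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)   # id, flags (QR,RD,RA), qd, an, ns, ar
    question = qname + struct.pack("!HH", 1, 1)                   # QTYPE A, QCLASS IN
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + _ip_bytes(ip)
    return header + question + answer


def _skip_name(pkt, off):
    """Return the offset just past a (possibly compressed) DNS name starting at off."""
    while True:
        length = pkt[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:          # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def _a_record_offsets(pkt):
    """Yield the offset of the 4-byte RDATA of each A record in the answer section."""
    qdcount, ancount = struct.unpack("!HH", pkt[4:8])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(pkt, off) + 4     # skip QTYPE and QCLASS
    for _ in range(ancount):
        off = _skip_name(pkt, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            yield off
        off += rdlen


def answer_ips(pkt):
    """List the A-record addresses a client would get from this reply."""
    return [_ip_str(pkt[off:off + 4]) for off in _a_record_offsets(pkt)]


def doctor_dns_reply(pkt, statics):
    """Rewrite A records the way the ASA does for a reply crossing a static that
    carries the 'dns' keyword: the mapped (public) address is replaced by the real
    (inside) address. Statics without 'dns' leave the reply untouched, so inside
    clients then connect to the public address and end up at the outside interface."""
    out = bytearray(pkt)
    for off in _a_record_offsets(pkt):
        real, doctored = statics.get(_ip_str(pkt[off:off + 4]), (None, False))
        if doctored:
            out[off:off + 4] = _ip_bytes(real)
    return bytes(out)


def inside_client_target(name_to_ip, statics):
    """For each name an inside client resolved, report whether it reaches the host
    directly or is about to send traffic to a mapped address that belongs to a static."""
    verdicts = {}
    for name, ip in name_to_ip.items():
        if ip in statics:
            verdicts[name] = "mapped address of inside host %s (would hairpin)" % statics[ip][0]
        else:
            verdicts[name] = "direct"
    return verdicts


if __name__ == "__main__":
    statics = parse_statics(ASA_CONFIG)
    reply = build_a_reply("kamcosupplycorp.com", "64.80.238.209")
    print("undoctored answer:", answer_ips(reply))
    print("doctored answer:  ", answer_ips(doctor_dns_reply(reply, statics)))
    print(inside_client_target({"kamcosupplycorp.com": "64.80.238.209"}, statics))
```

Two things to verify on the ASA when the keyword appears to have no effect: DNS inspection must be active (`inspect dns` in the service policy; it is part of the default global policy), and the internal DNS server's forwarded queries must actually leave through the outside interface so that the provider's reply crosses the (inside,outside) static and gets rewritten. A reply that reaches the internal DNS server by any other path is not touched. Adding an internal A record for 192.10.10.16, as jyoung suggests later in the thread, avoids depending on the ASA for this at all. Note also that `asdm image disk0:/asdm-621.bin` in the posted config names the ASDM version; `show version` reports the ASA software release.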

I have not made any changes and it stopped working.

Should I try DNS doctoring?

Yes (during maintenance window).

Thx

MS

I added that as a Static NAT rule with the DNS

static (inside,outside) 64.80.238.209 192.10.10.16 netmask 255.255.255.255 dns

and there was no change. Still timing out trying to get to the edge.

Thanks for the update. Can you try to clear the existing translation for 192.10.10.16 (clear xlate local 192.10.10.16) and see if that makes any difference? Also, can you access the website by IP (rather than DNS name)?

Thx

MS

So you want me to clear the NAT translation?

static (inside,outside) 192.10.10.16 64.80.238.209 netmask 255.255.255.255

1. This will shut down outside traffic from coming in, which I could do quickly?

In regards to hitting the site internally, I can by modifying the local hosts file; unfortunately this would be a nightmare to maintain on hundreds of PCs, and our DNS server is getting its A record from our provider (public IP), which is the correct domain.

Hosts file

192.10.10.16           kamcosupplycorp.com

Hi Dan,

Not the static NAT translation rule in the ASA but the xlate (do show xlate | include 192.10.10.16 and you will find it). Yes, it will disconnect the sessions momentarily, but they should reestablish quickly. The only reason I asked you for this was that maybe the old translation is still holding even after adding the DNS doctoring (but not quite sure if you really need to clear xlate when you add the 'dns' keyword).

Thx

MS

Did the following and still no luck.

ASA# clear xlate local 192.10.10.16
ASA# show xlate | include 192.10.10.16
Global 64.80.238.209 Local 192.10.10.16
Global 192.10.10.16 Local 64.80.238.209

Hi Dan,

Not quite sure why the DNS doctoring failed in this scenario (unless the public DNS hosting is inside). I guess 192.10.10.x is directly connected to ASA (as there is no route statement). You may try packet trace from ASA based on the Version.

packet-tracer input [src_int] protocol src_addr src_port dest_addr dest_port

Or let's wait and see if experts can provide a quick solution. For your reference, here is the DNS doctoring doc:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968d1.shtml

Thx

MS

Well, if I do an nslookup internally I resolve to our public IP. If I go to our DNS server and look for the public IP, it is in the cache. If I flush the cache and then go to a browser and browse to our website, it just goes back out to our provider's DNS servers and gets the public IP again. I'll take a closer look at the DNS doctoring document.

Looks like the document is geared for 7.2, and it looks like we are using 6.2.

Following the document, it looks similar to our NAT rules section: just edit the existing rule and check off DNS. Previously I was adding an existing NAT rule, but I tried what the document said and I did not get any results.

jyoung (Level 1)

Why not add an A record internally for its private address and be done with it?

Sent from Cisco Technical Support iPhone App
