All times are UTC - 6 hours [ DST ]
 Post subject: ASA access rule problem
PostPosted: Sat May 19, 2012 7:31 am 
New Member

Joined: Sat May 19, 2012 6:50 am
Posts: 5
Hello everybody,

I have a Cisco ASA 5510 device with very simple configuration. There are two interfaces outside and inside. I've configured dynamic NAT, and a bunch of static NAT rules for some services running on the inside network.
The http server on the outside interface is accessible from the internet, but not from the inside network. I can access it only on the inside address.
I can't ping also the outside interface address from any host on the inside network.
here's the rule:
access-list outside_access_in extended permit tcp any host 78.90.177.133 eq www (78.90.177.133 being my outside interface address)
also there is a rule to permit traffic to any less secure network. (inside is 100, outside is 0)

I would highly appreciate if somebody gives me an idea why would that be, cause I'm complete noob in the networking.

Thanks


Attachments:
access_rules.png
packet_trace.png

PostPosted: Sat May 19, 2012 11:08 am 
Junior Member

Joined: Fri Jun 25, 2010 7:55 am
Posts: 89
Certs: CCNP
The ASA/PIX by design will not let you ping an interface that isn't facing you. (Not sure if there is a workaround for this, but in reality I can't figure out why you would want this behavior anyway - I think the management-interface command will make this work; you may want to look it up.) In the real world users should not be pinging your firewall at all. If anything, let them ping through the device (inside to internet etc.). You would need to inspect icmp or put an entry in your ACL coming outside to inside to allow the echo replies back in.

Also ACLs for icmp traffic applied to interfaces do not affect icmp traffic terminating on the ASA itself. For that you use the icmp command.


PostPosted: Sat May 19, 2012 1:22 pm 
New Member

Joined: Sat May 19, 2012 6:50 am
Posts: 5
The ICMP ping is not the problem. Actually, there is no DNS server on the inside network. When users from the inside try to reach some service by the domain name, the DNS servers of the ISP point to the outside interface address of the ASA. And it isn't reachable. However, it is perfectly available from outside the network. Port 80, for example. You can reach it from the internet, but not from the inside network. If I put an entry in the hosts file on each and every machine it will work, but there has to be a way to configure the ASA to let certain protocols on the outside interface be permitted.


PostPosted: Sat May 19, 2012 2:27 pm 
Junior Member

Joined: Sat Oct 08, 2011 12:58 pm
Posts: 55
Location: Netherlands
Certs: CCNP/SP/DP CCNA-Voice LPIC-1 VCP5
You need to perform a dns rewrite to reach an inside host with a public resolved ip address.

Just add the keyword "dns" to the static nat rule, the ASA will translate the public ip to its private counterpart.


PostPosted: Fri Jun 01, 2012 2:03 am 
New Member

Joined: Sat May 19, 2012 6:50 am
Posts: 5
Hello again, either I'm stupid, or these firewalls just don't make sense.

There is a web server on the internal network, which can be perfectly accessed from outside because of the static NAT rule. But when trying to reach it from the inside, it can't be accessed. I've tried to remove the implicit rule, that stops the traffic from the inside network to reach the outside interface, but I can't remove it. What should I do, please help. No IP traffic is allowed from inside network to reach outside interface and from there to NAT again to inside web server. People in the office just can't write internal IP addresses in the web browser address bar, and the DNS points to the outside interface IP address.


PostPosted: Fri Jun 01, 2012 2:42 am 
Post Whore

Joined: Thu Oct 14, 2010 4:39 am
Posts: 1003
Certs: CCNP (R&S, Security), ITILv3 Foundation
Hmmm... off the top of my head, how about entering same-security-traffic permit intra-interface on the inside interface?


PostPosted: Fri Jun 01, 2012 2:47 am 
Ultimate Member

Joined: Wed Nov 17, 2010 5:53 pm
Posts: 597
Location: Stockholm, Sweden
Certs: CCNP, CCIP, CCNA Security
sosipator wrote:
Hello again, either I'm stupid, or these firewalls just don't make sense.

There is a web server on the internal network, which can be perfectly accessed from outside because of the static NAT rule. But when trying to reach it from the inside, it can't be accessed. I've tried to remove the implicit rule, that stops the traffic from the inside network to reach the outside interface, but I can't remove it. What should I do, please help. No IP traffic is allowed from inside network to reach outside interface and from there to NAT again to inside web server. People in the office just can't write internal IP addresses in the web browser address bar, and the DNS points to the outside interface IP address.

Extart already gave you a solution for your problem.

Here's a link related to DNS rewrite.
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968d1.shtml#problem


PostPosted: Tue Jun 05, 2012 3:57 am 
New Member

Joined: Sat May 19, 2012 6:50 am
Posts: 5
matgar wrote:
sosipator wrote:
Hello again, either I'm stupid, or these firewalls just don't make sense.

There is a web server on the internal network, which can be perfectly accessed from outside because of the static NAT rule. But when trying to reach it from the inside, it can't be accessed. I've tried to remove the implicit rule, that stops the traffic from the inside network to reach the outside interface, but I can't remove it. What should I do, please help. No IP traffic is allowed from inside network to reach outside interface and from there to NAT again to inside web server. People in the office just can't write internal IP addresses in the web browser address bar, and the DNS points to the outside interface IP address.

Extart already gave you a solution for your problem.

Here's a link related to DNS rewrite.
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968d1.shtml#problem


It's not a DNS issue, cause no IP traffic is allowed from inside network from inside to access inside via outside NAT. The scenario is the following:
Inside host sends packet to outside interface, which is NAT-ed back to the inside host.

I've added the rule that permits inside network to the outside interface, but still no luck.

access-list inside_access_in extended permit tcp 192.168.1.0 255.255.255.0 host 78.90.177.133 eq www

when I "packet trace" through the ASDM it says packet drop by the implicit rule (the highlighted one on the picture below)

I have no idea why would that be.


Attachments:
acc_rule.png
PostPosted: Tue Jun 05, 2012 6:42 am 
Ultimate Member

Joined: Wed Nov 17, 2010 5:53 pm
Posts: 597
Location: Stockholm, Sweden
Certs: CCNP, CCIP, CCNA Security
sosipator wrote:
matgar wrote:
sosipator wrote:
Hello again, either I'm stupid, or these firewalls just don't make sense.

There is a web server on the internal network, which can be perfectly accessed from outside because of the static NAT rule. But when trying to reach it from the inside, it can't be accessed. I've tried to remove the implicit rule, that stops the traffic from the inside network to reach the outside interface, but I can't remove it. What should I do, please help. No IP traffic is allowed from inside network to reach outside interface and from there to NAT again to inside web server. People in the office just can't write internal IP addresses in the web browser address bar, and the DNS points to the outside interface IP address.

Extart already gave you a solution for your problem.

Here's a link related to DNS rewrite.
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968d1.shtml#problem


It's not a DNS issue, cause no IP traffic is allowed from inside network from inside to access inside via outside NAT. The scenario is the following:
Inside host sends packet to outside interface, which is NAT-ed back to the inside host.

I've added the rule that permits inside network to the outside interface, but still no luck.

access-list inside_access_in extended permit tcp 192.168.1.0 255.255.255.0 host 78.90.177.133 eq www

when I "packet trace" through the ASDM it says packet drop by the implicit rule (the highlighted one on the picture below)

I have no idea why would that be.


Due to how the Cisco ASA works, you can't come from the inside interface and access the outside interface, i.e. 78.90.177.133.
If you apply the DNS rewrite, the ASA will change the DNS replies for the lookups your internal hosts make to reflect the internal IP of your www server.
The hosts will then directly access the www server on its 192.168.1.x/24 address and not need to go through the ASA.


Last edited by matgar on Tue Jun 05, 2012 8:08 am, edited 1 time in total.

PostPosted: Tue Jun 05, 2012 7:29 am 
New Member

Joined: Sat May 19, 2012 6:50 am
Posts: 5
That should work, I've already done it as Exstart suggested earlier, but it doesn't somehow.

here's the line:

static (inside,outside) tcp interface www 192.168.1.4 www netmask 255.255.255.255 dns

what could go wrong?


PostPosted: Tue Jun 05, 2012 8:32 am 
Ultimate Member

Joined: Wed Nov 17, 2010 5:53 pm
Posts: 597
Location: Stockholm, Sweden
Certs: CCNP, CCIP, CCNA Security
You might want to read the entire document I linked earlier.
But anyway, DNS doctoring requires DNS inspection. Are you inspecting DNS traffic?

I'm not sure if the fact that you're using PAT on the outside interface IP might interfere somehow.

As an alternative you could try allowing hairpinning

same-security-traffic permit intra-interface


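An added example, not from the thread or from Cisco's own documentation, showing what the last reply implies in the ASA 8.2-era syntax the thread uses: the poster's static with the dns keyword, the DNS inspection that rewrite depends on, the hairpinning alternative, and the checks to confirm each part. The interface names, 192.168.1.4 and 78.90.177.133 come from the thread; the policy-map and class names are the ASA's defaults, and the client address 192.168.1.10 is a constructed placeholder.

```cisco
! Added example in ASA 8.2-style syntax; not the poster's full configuration.
! Assumed topology from the thread: inside 192.168.1.0/24 (security 100), outside
! interface 78.90.177.133 (security 0), web server 192.168.1.4, and clients that
! resolve names via the ISP's DNS, so their DNS replies cross the ASA and can be rewritten.

! The poster's static PAT with the dns keyword (DNS rewrite / "DNS doctoring")
static (inside,outside) tcp interface www 192.168.1.4 www netmask 255.255.255.255 dns

! DNS rewrite only acts on replies that pass through DNS inspection. These are the
! ASA's default names; re-add them if "inspect dns" is missing from the global policy.
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
service-policy global_policy global

! The alternative from the last reply, if DNS rewrite cannot be used: allow inside
! traffic to U-turn on the inside interface (hairpinning). This lifts only the
! intra-interface restriction; Cisco's hairpinning examples pair it with NAT for
! the inside-to-inside flow, which is not shown here.
same-security-traffic permit intra-interface

! Checks (exec mode):
! show service-policy inspect dns   - confirms DNS inspection is active on the global policy
! show run static                   - the static line must carry the dns keyword
! packet-tracer input inside tcp 192.168.1.10 1025 78.90.177.133 80
!   reproduces the direct inside-to-outside-interface path that ASDM showed as dropped;
!   with rewrite working, clients never take this path because DNS returns 192.168.1.4
```

From a client, an nslookup of the public name should now return 192.168.1.4 rather than 78.90.177.133; if it still returns the public address, the reply did not pass through DNS inspection (for example, the client resolves via an internal server or over TCP/non-standard ports) and the rewrite cannot apply.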