ASA5506-x public server - Flow is denied by configured rule -

Hello all,

New to the forums and the Cisco ASA 5506-X.

I have tried to create a Public Server using

ASDM --> Configuration --> Firewall --> Public Server

I had no errors in the creation phase.

I then tried to test using the command:

packet-tracer input outside tcp 192.168.1.16 http 10.0.0.12 http detailed

but I get the following error:

(acl-drop) Flow is denied by configured rule

In detail, the answer was the following:

Result of the command: "packet-tracer input outside tcp 192.168.1.16 http 10.0.0.12 http detailed"

Phase: 1
Type: CP-PUNT
Subtype: l2-selective
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7f10bb004df0, priority=13, domain=punt, deny=false
	hits=6744, user_data=0x7f10bb51ea40, cs_id=0x0, l3_type=0x8
	src mac=0000.0000.0000, mask=0000.0000.0000
	dst mac=0000.0000.0000, mask=0000.0000.0000
	input_ifc=outside, output_ifc=any

Phase: 2
Type: ACCESS-LIST
Subtype: 
Result: ALLOW
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7f10ba9e6ab0, priority=1, domain=permit, deny=false
	hits=6654, user_data=0x0, cs_id=0x0, l3_type=0x8
	src mac=0000.0000.0000, mask=0000.0000.0000
	dst mac=0000.0000.0000, mask=0100.0000.0000
	input_ifc=outside, output_ifc=any

Phase: 3
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 10.0.0.12 using egress ifc  inside

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access in interface outside
access-list outside_access extended permit tcp any4 object dmz_in eq www 
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7f10ba5c9f70, priority=13, domain=permit, deny=false
	hits=10, user_data=0x7f10b30c64c0, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
	src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
	dst ip/id=10.0.0.12, mask=255.255.255.255, port=80, tag=any, dscp=0x0
	input_ifc=outside, output_ifc=any

Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7f10b9a5d360, priority=0, domain=nat-per-session, deny=false
	hits=4080, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
	src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
	dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
	input_ifc=any, output_ifc=any

Phase: 6
Type: IP-OPTIONS
Subtype: 
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7f10bb516e50, priority=0, domain=inspect-ip-options, deny=true
	hits=3042, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
	src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
	dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
	input_ifc=outside, output_ifc=any

Phase: 7
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access in interface outside
access-list outside_access extended permit tcp any4 object dmz_in eq www 
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7f10ba5c9f70, priority=13, domain=permit, deny=false
	hits=11, user_data=0x7f10b30c64c0, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
	src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
	dst ip/id=10.0.0.12, mask=255.255.255.255, port=80, tag=any, dscp=0x0
	input_ifc=outside, output_ifc=any

Phase: 8
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7f10b9a5d360, priority=0, domain=nat-per-session, deny=false
	hits=4081, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
	src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
	dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
	input_ifc=any, output_ifc=any

Phase: 9
Type: IP-OPTIONS
Subtype: 
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7f10bb516e50, priority=0, domain=inspect-ip-options, deny=true
	hits=3043, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
	src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
	dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
	input_ifc=outside, output_ifc=any

Phase: 10
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
object network dmz_in
 nat (inside_1,outside) static dmz_out
Additional Information:
 Forward Flow based lookup yields rule:
 out id=0x7f10bb65a2a0, priority=6, domain=nat-reverse, deny=false
	hits=6, user_data=0x7f10ba46f9a0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
	src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
	dst ip/id=10.0.0.12, mask=255.255.255.255, port=0, tag=any, dscp=0x0
	input_ifc=outside, output_ifc=inside_1

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

The ASA configuration is as follows:

Result of the command: "sh run"

: Saved

: 
: Serial Number: JAD23491DFL
: Hardware:   ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
:
ASA Version 9.8(2) 
!
hostname ciscoasa
enable password $sha512$5000$YF7WGccVhZL32TZ5JIVyzw==$Ce6xmlZRIG/9w+0h+1LTtg== pbkdf2
names

!
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address dhcp setroute 
!
interface GigabitEthernet1/2
 bridge-group 1
 nameif inside_1
 security-level 100
!
interface GigabitEthernet1/3
 bridge-group 1
 nameif inside_2
 security-level 100
!
interface GigabitEthernet1/4
 bridge-group 1
 nameif inside_3
 security-level 100
!
interface GigabitEthernet1/5
 bridge-group 1
 nameif inside_4
 security-level 100
!
interface GigabitEthernet1/6
 bridge-group 1
 nameif inside_5
 security-level 100
!
interface GigabitEthernet1/7
 bridge-group 1
 nameif inside_6
 security-level 100
!
interface GigabitEthernet1/8
 bridge-group 1
 nameif inside_7
 security-level 100
!
interface Management1/1
 management-only
 no nameif
 no security-level
 no ip address
!
interface BVI1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0 
!
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
same-security-traffic permit inter-interface
object network obj_any1
 subnet 0.0.0.0 0.0.0.0
object network obj_any2
 subnet 0.0.0.0 0.0.0.0
object network obj_any3
 subnet 0.0.0.0 0.0.0.0
object network obj_any4
 subnet 0.0.0.0 0.0.0.0
object network obj_any5
 subnet 0.0.0.0 0.0.0.0
object network obj_any6
 subnet 0.0.0.0 0.0.0.0
object network obj_any7
 subnet 0.0.0.0 0.0.0.0
object network dmz_in
 host 10.0.0.12
 description dmz_in
object network dmz_out
 host 192.168.1.40
 description dmz_out
access-list outside_access extended permit tcp any4 object dmz_in eq www 
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside_1 1500
mtu inside_2 1500
mtu inside_3 1500
mtu inside_4 1500
mtu inside_5 1500
mtu inside_6 1500
mtu inside_7 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
!
object network obj_any1
 nat (inside_1,outside) dynamic interface
object network obj_any2
 nat (inside_2,outside) dynamic interface
object network obj_any3
 nat (inside_3,outside) dynamic interface
object network obj_any4
 nat (inside_4,outside) dynamic interface
object network obj_any5
 nat (inside_5,outside) dynamic interface
object network obj_any6
 nat (inside_6,outside) dynamic interface
object network obj_any7
 nat (inside_7,outside) dynamic interface
object network dmz_in
 nat (inside_1,outside) static dmz_out
access-group outside_access in interface outside
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication login-history
http server enable
http 10.0.0.0 255.255.255.0 inside_1
http 10.0.0.0 255.255.255.0 inside_2
http 10.0.0.0 255.255.255.0 inside_3
http 10.0.0.0 255.255.255.0 inside_4
http 10.0.0.0 255.255.255.0 inside_5
http 10.0.0.0 255.255.255.0 inside_6
http 10.0.0.0 255.255.255.0 inside_7
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint _SmartCallHome_ServerCA
 no validation-usage
 crl configure
crypto ca trustpool policy
crypto ca certificate chain _SmartCallHome_ServerCA
 certificate ca .........
    
  quit
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0

dhcpd auto_config outside
!
dhcpd address 10.0.0.5-10.0.0.254 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
dynamic-access-policy-record DfltAccessPolicy
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
  no tcp-inspection
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect ip-options 
!
service-policy global_policy global
prompt hostname context 
service call-home
call-home reporting anonymous
call-home
 contact-email-addr aferrara.avvisi@gmail.com
 profile CiscoTAC-1
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:b11b3962c3121dc7612713d95c49d0af
: end

Can you help me?

Thanks.

16 Replies

Try this and change according to your needs.

object network SERVER
 host 10.0.0.12
 nat (inside,outside) static interface
!
access-list OUT_IN ext permit tcp any host 10.0.0.12 eq https
access-group OUT_IN in interface outside
!

please do not forget to rate.

Hi,

First of all, thank you for your answer.

I have tried your suggestion.

But now I have the following error:

Drop-reason: (no-adjacency) No valid adjacency

The complete answer is as follows:

Result of the command: "packet-tracer input outside tcp 192.168.1.16 http 10.0.0.12 http detailed"

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 10.0.0.12 using egress ifc  inside

Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 10.0.0.12 using egress ifc  inside

Phase: 3
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 10.0.0.12 using egress ifc  inside

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
a

While the new configuration is this:


Result of the command: "sh run"

: Saved

: 
: Serial Number: JAD23491DFL
: Hardware:   ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
:
ASA Version 9.8(2) 
!
hostname ciscoasa
enable password $sha512$5000$YF7WGccVhZL32TZ5JIVyzw==$Ce6xmlZRIG/9w+0h+1LTtg== pbkdf2
names

!
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address dhcp setroute 
!
interface GigabitEthernet1/2
 bridge-group 1
 nameif inside_1
 security-level 100
!
interface GigabitEthernet1/3
 bridge-group 1
 nameif inside_2
 security-level 100
!
interface GigabitEthernet1/4
 bridge-group 1
 nameif inside_3
 security-level 100
!
interface GigabitEthernet1/5
 bridge-group 1
 nameif inside_4
 security-level 100
!
interface GigabitEthernet1/6
 bridge-group 1
 nameif inside_5
 security-level 100
!
interface GigabitEthernet1/7
 bridge-group 1
 nameif inside_6
 security-level 100
!
interface GigabitEthernet1/8
 bridge-group 1
 nameif inside_7
 security-level 100
!
interface Management1/1
 management-only
 no nameif
 no security-level
 no ip address
!
interface BVI1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0 
!
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
same-security-traffic permit inter-interface
object network obj_any1
 subnet 0.0.0.0 0.0.0.0
object network obj_any2
 subnet 0.0.0.0 0.0.0.0
object network obj_any3
 subnet 0.0.0.0 0.0.0.0
object network obj_any4
 subnet 0.0.0.0 0.0.0.0
object network obj_any5
 subnet 0.0.0.0 0.0.0.0
object network obj_any6
 subnet 0.0.0.0 0.0.0.0
object network obj_any7
 subnet 0.0.0.0 0.0.0.0
object network dmz_in
 host 10.0.0.12
 description dmz_in
object network dmz_out
 host 192.168.1.40
 description dmz_out
object network SERVER
 host 10.0.0.12
access-list outside_access extended permit tcp any4 object dmz_in eq www 
access-list OUT_IN extended permit tcp any host 10.0.0.12 eq https 
access-list OUT_IN extended permit tcp any host 10.0.0.12 eq www 
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside_1 1500
mtu inside_2 1500
mtu inside_3 1500
mtu inside_4 1500
mtu inside_5 1500
mtu inside_6 1500
mtu inside_7 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
!
object network obj_any1
 nat (inside_1,outside) dynamic interface
object network obj_any2
 nat (inside_2,outside) dynamic interface
object network obj_any3
 nat (inside_3,outside) dynamic interface
object network obj_any4
 nat (inside_4,outside) dynamic interface
object network obj_any5
 nat (inside_5,outside) dynamic interface
object network obj_any6
 nat (inside_6,outside) dynamic interface
object network obj_any7
 nat (inside_7,outside) dynamic interface
object network dmz_in
 nat (inside_1,outside) static dmz_out
object network SERVER
 nat (inside_1,outside) static interface
access-group OUT_IN in interface outside
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication login-history
http server enable
http 10.0.0.0 255.255.255.0 inside_1
http 10.0.0.0 255.255.255.0 inside_2
http 10.0.0.0 255.255.255.0 inside_3
http 10.0.0.0 255.255.255.0 inside_4
http 10.0.0.0 255.255.255.0 inside_5
http 10.0.0.0 255.255.255.0 inside_6
http 10.0.0.0 255.255.255.0 inside_7
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint _SmartCallHome_ServerCA
 no validation-usage
 crl configure
crypto ca trustpool policy
crypto ca certificate chain _SmartCallHome_ServerCA
 certificate ca ....
  quit
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0

dhcpd auto_config outside
!
dhcpd address 10.0.0.5-10.0.0.254 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
dynamic-access-policy-record DfltAccessPolicy
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
  no tcp-inspection
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect ip-options 
!
service-policy global_policy global
prompt hostname context 
service call-home
call-home reporting anonymous
call-home
 contact-email-addr aferrara.avvisi@gmail.com
 profile CiscoTAC-1
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:4eb28e5b47bb87948fa7074c886788f1
: end

Run the packet-tracer command again and display the output.

packet-tracer input outside tcp 8.8.8.8 http 192.168.1.16 https detailed

***192.168.1.16 double check your outside firewall ip address and put next to start(*)

please do not forget to rate.

This is the output of the command

packet-tracer input outside tcp 8.8.8.8 http 192.168.1.16 https detailed

Result of the command: "packet-tracer input outside tcp 8.8.8.8 http 192.168.1.16 https detailed"

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 192.168.1.16 using egress ifc  outside

Phase: 2
Type: ACCESS-LIST
Subtype: 
Result: DROP
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7f10ba850210, priority=111, domain=permit, deny=true
	hits=11, user_data=0x0, cs_id=0x0, flags=0x4000, protocol=0
	src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
	dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
	input_ifc=outside, output_ifc=outside

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Sorry, but I didn't understand what you mean by:

***192.168.1.16 double check your outside firewall ip address and put next to start(*)

Thanks.

Hi,

Your config is now good; however, I see you're getting the public IP address from DHCP, which means that if you don't get the same IP address, you'll run into issues if the public service is reachable via FQDN (DNS has to be constantly updated with the new record), while if you access it via IP address and it changes, users would need to be aware. Just speak with your ISP to lease you the same IP address.

As for the errors you're getting on the packet tracer:

packet-tracer input outside tcp 8.8.8.8 http 192.168.1.16 https detailed
Drop-reason: (acl-drop) Flow is denied by configured rule

The above is because your packets are coming in on the outside and need to be routed out on the outside, and the ASA disallows this by default, and while you could fix it, you should not, unless you have VPN users connecting on the outside interface which need Internet access through the VPN.

Result of the command: "packet-tracer input outside tcp 192.168.1.16 http 10.0.0.12 http detailed"
Drop-reason: (no-adjacency) No valid adjacency

The above is because the ASA failed to resolve, through ARP, the MAC address of 10.0.0.12, which means the host is not reachable via layer 2. Most probably you're testing the configuration without the host being present?

Regards,

Cristian Matei.

Cristian made a good point, but I guess you are using this network for testing, or is this a production network?

Your outside interface is set up with DHCP, which is not ideal for HTTP/HTTPS if you are hosting, or need access from the outside world to, network resources behind the firewall. Ideally you need to get a public IP address for your outside interface.

Now, to test this existing configuration, run this command:

show ip address | i outside

The result will be like this below:

GigabitEthernet1/1 outside 192.168.1.32

And my configuration on outside is like this:

!
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address dhcp setroute
!

Now run packet-tracer:

packet-tracer input outside tcp 8.8.8.8 http 192.168.1.32 https detailed

Remember, in my packet tracer I get the IP address from the DHCP server; the outside interface IP is 192.168.1.32, so you have to match what you noted in your configuration. As your configuration is in the right order, it will work.

please do not forget to rate.

Sharaz is right: I am using a test network and I am not in production.

Now I have put a static IP (192.168.1.27) on the outside interface.

The situation of my test network is now as follows:

[attached image: rete_test.jpg]

I ran the command

show ip address | i outside

and I have:

Result of the command: "show ip address | i outside"

GigabitEthernet1/1       outside                192.168.1.27    255.255.255.0   CONFIG
GigabitEthernet1/1       outside                192.168.1.27    255.255.255.0   CONFIG

the configuration on outside is:

interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address 192.168.1.27 255.255.255.0 
!

and 

packet-tracer input outside tcp 8.8.8.8 http 192.168.1.27 https detailed

gives me

Result of the command: "packet-tracer input outside tcp 8.8.8.8 http 192.168.1.27 https detailed"

Phase: 1
Type: ACCESS-LIST
Subtype: 
Result: ALLOW
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fac41083290, priority=1, domain=permit, deny=false
	hits=75, user_data=0x0, cs_id=0x0, l3_type=0x8
	src mac=0000.0000.0000, mask=0000.0000.0000
	dst mac=0000.0000.0000, mask=0100.0000.0000
	input_ifc=outside, output_ifc=any

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network SERVER
 nat (inside_1,outside) static interface
Additional Information:
NAT divert to egress interface inside_1
Untranslate 192.168.1.27/443 to 10.0.0.12/443

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group OUT_IN in interface outside
access-list OUT_IN extended permit tcp any host 10.0.0.12 eq https 
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fac4106a2a0, priority=13, domain=permit, deny=false
	hits=0, user_data=0x7fac39ac6500, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
	src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
	dst ip/id=10.0.0.12, mask=255.255.255.255, port=443, tag=any, dscp=0x0
	input_ifc=outside, output_ifc=any

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fac4045d2e0, priority=0, domain=nat-per-session, deny=false
	hits=168, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
	src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
	dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
	input_ifc=any, output_ifc=any

Phase: 5
Type: IP-OPTIONS
Subtype: 
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fac4108b750, priority=0, domain=inspect-ip-options, deny=true
	hits=38, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
	src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
	dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
	input_ifc=outside, output_ifc=any

Phase: 6
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group OUT_IN in interface outside
access-list OUT_IN extended permit tcp any host 10.0.0.12 eq https 
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fac4106a2a0, priority=13, domain=permit, deny=false
	hits=1, user_data=0x7fac39ac6500, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
	src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
	dst ip/id=10.0.0.12, mask=255.255.255.255, port=443, tag=any, dscp=0x0
	input_ifc=outside, output_ifc=any

Phase: 7
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fac4045d2e0, priority=0, domain=nat-per-session, deny=false
	hits=169, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
	src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
	dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
	input_ifc=any, output_ifc=any

Phase: 8
Type: IP-OPTIONS
Subtype: 
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fac4108b750, priority=0, domain=inspect-ip-options, deny=true
	hits=39, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
	src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
	dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
	input_ifc=outside, output_ifc=any

Phase: 9
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
object network SERVER
 nat (inside_1,outside) static interface
Additional Information:
 Forward Flow based lookup yields rule:
 out id=0x7fac413d7720, priority=6, domain=nat-reverse, deny=false
	hits=16, user_data=0x7fac413d62f0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
	src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
	dst ip/id=10.0.0.12, mask=255.255.255.255, port=0, tag=any, dscp=0x0
	input_ifc=outside, output_ifc=inside_1

Phase: 10
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 in  id=0x7fac4045d2e0, priority=0, domain=nat-per-session, deny=false
	hits=171, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
	src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
	dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
	input_ifc=any, output_ifc=any

Phase: 11
Type: IP-OPTIONS
Subtype: 
Result: ALLOW
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 in  id=0x7fac41389490, priority=0, domain=inspect-ip-options, deny=true
	hits=19, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
	src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
	dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
	input_ifc=inside, output_ifc=any

Phase: 12
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 in  id=0x7fac4045d2e0, priority=0, domain=nat-per-session, deny=false
	hits=172, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
	src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
	dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
	input_ifc=any, output_ifc=any

Phase: 13
Type: IP-OPTIONS
Subtype: 
Result: ALLOW
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 in  id=0x7fac410edbc0, priority=0, domain=inspect-ip-options, deny=true
	hits=283, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
	src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
	dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
	input_ifc=inside_1, output_ifc=any

Phase: 14
Type: FLOW-CREATION
Subtype: 
Result: ALLOW
Config:
Additional Information:
New flow created with id 568, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside_1
output-status: up
output-line-status: up
Action: allow

but 

packet-tracer input outside tcp 192.168.1.16 http 10.0.0.12 http detailed

gives me

Result of the command: "packet-tracer input outside tcp 192.168.1.16 http 10.0.0.12 http detailed"

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 10.0.0.12 using egress ifc  inside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group OUT_IN in interface outside
access-list OUT_IN extended permit tcp any host 10.0.0.12 eq www 
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fac413d93d0, priority=13, domain=permit, deny=false
	hits=30, user_data=0x7fac39ac6380, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
	src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
	dst ip/id=10.0.0.12, mask=255.255.255.255, port=80, tag=any, dscp=0x0
	input_ifc=outside, output_ifc=any

Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fac4045d2e0, priority=0, domain=nat-per-session, deny=false
	hits=180, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
	src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
	dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
	input_ifc=any, output_ifc=any

Phase: 4
Type: IP-OPTIONS
Subtype: 
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fac4108b750, priority=0, domain=inspect-ip-options, deny=true
	hits=40, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
	src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
	dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
	input_ifc=outside, output_ifc=any

Phase: 5
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group OUT_IN in interface outside
access-list OUT_IN extended permit tcp any host 10.0.0.12 eq www 
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fac413d93d0, priority=13, domain=permit, deny=false
	hits=31, user_data=0x7fac39ac6380, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
	src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
	dst ip/id=10.0.0.12, mask=255.255.255.255, port=80, tag=any, dscp=0x0
	input_ifc=outside, output_ifc=any

Phase: 6
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fac4045d2e0, priority=0, domain=nat-per-session, deny=false
	hits=181, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
	src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
	dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
	input_ifc=any, output_ifc=any

Phase: 7
Type: IP-OPTIONS
Subtype: 
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fac4108b750, priority=0, domain=inspect-ip-options, deny=true
	hits=41, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
	src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
	dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
	input_ifc=outside, output_ifc=any

Phase: 8
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
object network SERVER
 nat (inside_1,outside) static interface
Additional Information:
 Forward Flow based lookup yields rule:
 out id=0x7fac413d7720, priority=6, domain=nat-reverse, deny=false
	hits=17, user_data=0x7fac413d62f0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
	src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
	dst ip/id=10.0.0.12, mask=255.255.255.255, port=0, tag=any, dscp=0x0
	input_ifc=outside, output_ifc=inside_1

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

I still have:

Flow is denied by configured rule

The configuration is working as you wanted it to work.

!

The command below is not going to work. The reason: let's assume you are a packet :) You landed on the outside interface. The ASA, as a security guard, checks who you are. Now, according to our access list, if you are TCP and have any (random) IP address, you are good to come in, but the only condition is your source must be https, right. Now the ASA engine will check the NAT configuration, which we did, and told the ASA (inside,outside) static interface. Now where is the catch? Interface means the ASA outside interface IP address.

The command below is never going to work. As told earlier, you are coming from an outside IP with a random address, but you need to put the destination as the IP address of the outside interface, not the inside IP address.

packet-tracer input outside tcp 192.168.1.16 http 10.0.0.12 http detailed

Now your configuration is working, so hoping you can mark it as the solution.

please do not forget to rate.
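As an added example (not part of this thread and not Cisco code), the Python script below parses `packet-tracer ... detailed` output like the trace posted above into its phases and reports which phase dropped the packet and which configured rule it hit, so the final "(acl-drop) Flow is denied by configured rule" line can be traced back to the NAT rpf-check phase rather than to the access-list phase. The embedded sample trace is constructed from the first run in this thread, trimmed to two phases.

```python
import re
# Constructed sample trimmed from the thread's first packet-tracer run: ACL allows, NAT rpf-check drops.
SAMPLE_TRACE = """\
Phase: 5
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group OUT_IN in interface outside
access-list OUT_IN extended permit tcp any host 10.0.0.12 eq www
Additional Information:

Phase: 8
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
object network SERVER
 nat (inside_1,outside) static interface

Result:
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

def parse_trace(text):
    """Return (phases, summary): one dict per 'Phase:' block, plus the final Result pairs."""
    phases, summary = [], {}
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        if lines[0].startswith("Result:"):
            pairs = (ln.split(":", 1) for ln in lines[1:] if ":" in ln)
            summary = {k.strip(): v.strip() for k, v in pairs}
            continue
        phase, section = {"config": []}, None
        for ln in lines:
            if ln in ("Config:", "Additional Information:"):
                section = ln          # following lines belong to this section
            elif section == "Config:":
                phase["config"].append(ln.rstrip())
            elif section is None:     # header lines: Phase/Type/Subtype/Result
                k, _, v = ln.partition(":")
                phase[k.strip().lower()] = v.strip()
        phases.append(phase)
    return phases, summary

def explain_drop(text):
    """(phase number, type, config lines, reason) for a dropped packet, else None."""
    phases, summary = parse_trace(text)
    if summary.get("Action") != "drop":
        return None
    hit = next(p for p in phases if p["result"] == "DROP")
    return (int(hit["phase"]), f"{hit['type']} {hit['subtype']}".strip(),
            hit["config"], summary["Drop-reason"])
```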

Hi Salim,

I thank you for your patience and availability; however, I have not solved my problem.

In fact I tried to open a website at http://192.168.1.40 but it doesn't open.

I also tried from the public network doing a "port-mapping" on port 80 from the public address to 192.168.1.40, but it doesn't work either.

What am I still missing?

Is the approach wrong? Do I have to follow a different path?

I hope you want to continue helping me because your suggestions have been precious to me.

Thank you.

Do this config please

!
object network WEB_SERVER
host 192.168.1.40
nat (inside_1,outside) static 192.168.1.40
!
access-list OUT_IN extended permit tcp any object WEB_SERVER eq http
access-group OUT_IN in interface outside
!
packet-tracer input outside tcp 8.8.8.8 http 192.168.1.40 http detailed

please do not forget to rate.

Hi Salim,

I ran the commands you indicated to me:

!
object network WEB_SERVER
host 192.168.1.40
nat (inside_1,outside) static 192.168.1.40
!
access-list OUT_IN extended permit tcp any object WEB_SERVER eq http
access-group OUT_IN in interface outside
!

I then ran:

packet-tracer input outside tcp 8.8.8.8 http 192.168.1.40 http detailed

This is the result:

Result of the command: "packet-tracer input outside tcp 8.8.8.8 http 192.168.1.40 http detailed"

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network dmz_in
 nat (inside_1,outside) static dmz_out
Additional Information:
NAT divert to egress interface inside_1
Untranslate 192.168.1.40/80 to 10.0.0.12/80

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group OUT_IN in interface outside
access-list OUT_IN extended permit tcp any host 10.0.0.12 eq www 
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7f3e43dd6b20, priority=13, domain=permit, deny=false
	hits=162, user_data=0x7f3e3c4c63c0, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
	src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
	dst ip/id=10.0.0.12, mask=255.255.255.255, port=80, tag=any, dscp=0x0
	input_ifc=outside, output_ifc=any

Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7f3e42e5d310, priority=0, domain=nat-per-session, deny=false
	hits=417, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
	src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
	dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
	input_ifc=any, output_ifc=any

Phase: 4
Type: IP-OPTIONS
Subtype: 
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7f3e439d39b0, priority=0, domain=inspect-ip-options, deny=true
	hits=164, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
	src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
	dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
	input_ifc=outside, output_ifc=any

Phase: 5
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group OUT_IN in interface outside
access-list OUT_IN extended permit tcp any host 10.0.0.12 eq www 
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7f3e43dd6b20, priority=13, domain=permit, deny=false
	hits=163, user_data=0x7f3e3c4c63c0, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
	src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
	dst ip/id=10.0.0.12, mask=255.255.255.255, port=80, tag=any, dscp=0x0
	input_ifc=outside, output_ifc=any

Phase: 6
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7f3e42e5d310, priority=0, domain=nat-per-session, deny=false
	hits=418, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
	src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
	dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
	input_ifc=any, output_ifc=any

Phase: 7
Type: IP-OPTIONS
Subtype: 
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7f3e439d39b0, priority=0, domain=inspect-ip-options, deny=true
	hits=165, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
	src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
	dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
	input_ifc=outside, output_ifc=any

Phase: 8
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
object network SERVER
 nat (inside_1,outside) static interface
Additional Information:
 Forward Flow based lookup yields rule:
 out id=0x7f3e43dd4e70, priority=6, domain=nat-reverse, deny=false
	hits=82, user_data=0x7f3e43dd3a40, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
	src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
	dst ip/id=10.0.0.12, mask=255.255.255.255, port=0, tag=any, dscp=0x0
	input_ifc=outside, output_ifc=inside_1

Phase: 9
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 in  id=0x7f3e42e5d310, priority=0, domain=nat-per-session, deny=false
	hits=420, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
	src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
	dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
	input_ifc=any, output_ifc=any

Phase: 10
Type: IP-OPTIONS
Subtype: 
Result: ALLOW
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 in  id=0x7f3e43d86c20, priority=0, domain=inspect-ip-options, deny=true
	hits=82, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
	src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
	dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
	input_ifc=inside, output_ifc=any

Phase: 11
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 in  id=0x7f3e42e5d310, priority=0, domain=nat-per-session, deny=false
	hits=421, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
	src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
	dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
	input_ifc=any, output_ifc=any

Phase: 12
Type: IP-OPTIONS
Subtype: 
Result: ALLOW
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 in  id=0x7f3e43aa8560, priority=0, domain=inspect-ip-options, deny=true
	hits=679, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
	src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
	dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
	input_ifc=inside_1, output_ifc=any

Phase: 13
Type: FLOW-CREATION
Subtype: 
Result: ALLOW
Config:
Additional Information:
New flow created with id 1396, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside_1
output-status: up
output-line-status: up
Action: allow

However, I still cannot open the web page of my web server in the DMZ zone.
I have tried both from 192.168.1.16 and from the public IP after making a port mapping on my modem/router.

Here is my current configuration of the ASA5506-X:

Result of the command: "sh run"

: Saved

: 
: Serial Number: JAD23491DFL
: Hardware:   ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
:
ASA Version 9.8(2) 
!
hostname ciscoasa
enable password $sha512$5000$YF7WGccVhZL32TZ5JIVyzw==$Ce6xmlZRIG/9w+0h+1LTtg== pbkdf2
names

!
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address 192.168.1.27 255.255.255.0 
!
interface GigabitEthernet1/2
 bridge-group 1
 nameif inside_1
 security-level 100
!
interface GigabitEthernet1/3
 bridge-group 1
 nameif inside_2
 security-level 100
!
interface GigabitEthernet1/4
 bridge-group 1
 nameif inside_3
 security-level 100
!
interface GigabitEthernet1/5
 bridge-group 1
 nameif inside_4
 security-level 100
!
interface GigabitEthernet1/6
 bridge-group 1
 nameif inside_5
 security-level 100
!
interface GigabitEthernet1/7
 bridge-group 1
 nameif inside_6
 security-level 100
!
interface GigabitEthernet1/8
 bridge-group 1
 nameif inside_7
 security-level 100
!
interface Management1/1
 management-only
 no nameif
 no security-level
 no ip address
!
interface BVI1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0 
!
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 8.8.8.8 outside
 name-server 4.4.4.4 outside
 name-server 192.168.1.1 outside
same-security-traffic permit inter-interface
object network obj_any1
 subnet 0.0.0.0 0.0.0.0
object network obj_any2
 subnet 0.0.0.0 0.0.0.0
object network obj_any3
 subnet 0.0.0.0 0.0.0.0
object network obj_any4
 subnet 0.0.0.0 0.0.0.0
object network obj_any5
 subnet 0.0.0.0 0.0.0.0
object network obj_any6
 subnet 0.0.0.0 0.0.0.0
object network obj_any7
 subnet 0.0.0.0 0.0.0.0
object network dmz_in
 host 10.0.0.12
 description dmz_in
object network dmz_out
 host 192.168.1.40
 description dmz_out
object network SERVER
 host 10.0.0.12
object network WEB_SERVER
 host 192.168.1.40
access-list outside_access extended permit tcp any4 object dmz_in eq www 
access-list OUT_IN extended permit tcp any host 10.0.0.12 eq https 
access-list OUT_IN extended permit tcp any host 10.0.0.12 eq www 
access-list OUT_IN extended permit tcp any object WEB_SERVER eq www 
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside_1 1500
mtu inside_2 1500
mtu inside_3 1500
mtu inside_4 1500
mtu inside_5 1500
mtu inside_6 1500
mtu inside_7 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
!
object network obj_any1
 nat (inside_1,outside) dynamic interface
object network obj_any2
 nat (inside_2,outside) dynamic interface
object network obj_any3
 nat (inside_3,outside) dynamic interface
object network obj_any4
 nat (inside_4,outside) dynamic interface
object network obj_any5
 nat (inside_5,outside) dynamic interface
object network obj_any6
 nat (inside_6,outside) dynamic interface
object network obj_any7
 nat (inside_7,outside) dynamic interface
object network dmz_in
 nat (inside_1,outside) static dmz_out
object network SERVER
 nat (inside_1,outside) static interface
object network WEB_SERVER
 nat (inside_1,outside) static 192.168.1.40
access-group OUT_IN in interface outside
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication login-history
http server enable
http 10.0.0.0 255.255.255.0 inside_1
http 10.0.0.0 255.255.255.0 inside_2
http 10.0.0.0 255.255.255.0 inside_3
http 10.0.0.0 255.255.255.0 inside_4
http 10.0.0.0 255.255.255.0 inside_5
http 10.0.0.0 255.255.255.0 inside_6
http 10.0.0.0 255.255.255.0 inside_7
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint _SmartCallHome_ServerCA
 no validation-usage
 crl configure
crypto ca trustpool policy
crypto ca certificate chain _SmartCallHome_ServerCA
 certificate ca .....
  quit
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0

dhcpd auto_config outside
!
dhcpd address 10.0.0.5-10.0.0.254 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
dynamic-access-policy-record DfltAccessPolicy
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
  no tcp-inspection
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect ip-options 
!
service-policy global_policy global
prompt hostname context 
service call-home
call-home reporting anonymous
call-home
 contact-email-addr aferrara.avvisi@gmail.com
 profile CiscoTAC-1
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:a1948c1568a74d350f44c09eab3a1b46
: end

Thanks.

I thought it was a test network. Now you are saying you want to access this server from the internet and you have done the port mapping on your router.

Anyway, if you try to access the server from the internet then you had better stick with the ASA outside interface IP address, as your router does not know how to forward the packet to 192.168.1.40. Having said that, the configurations we provided,
nat (inside_1,outside) static interface
and
nat (inside_1,outside) static 192.168.1.40

are both correct, but in your network the best configuration is to use
nat (inside_1,outside) static interface
!
If you can't access the page from the internet then you have to figure out the router/modem configuration. As we tested, the ASA is doing its job properly.

please do not forget to rate.

Probably because of my English I didn't explain myself well.
I am using a test environment.
I am trying to open a web server page (192.168.1.40) starting from a position on the test network at the address 192.168.1.16 (see the network drawing that I posted). The page does not open.
As a further test I configured my modem/router by port-mapping the public address to the private address 192.168.1.40. Obviously in this second test I used the public IP to open the web page, and even this second test was not successful.
This was, however, just another attempt.
What I want to achieve is what I have indicated in the diagram that I am sending you (see below).
I want to open the web page starting from the host 192.168.1.16 by typing the IP 192.168.1.40.
Sorry for the inconvenience I am causing you, but as you may have guessed I am a beginner with the use of firewalls.
Thanks again for everything.

rete_test.jpg

I want to open the web page starting from the host 192.168.1.16 by typing the ip 192.168.1.40.

From IP address 192.168.1.16 you should be able to open the page at the ASA IP address 192.168.1.40.

please do not forget to rate.