Thanks, Jon. Good catch on my alphabet challenge. :)

Regarding #1, I added that. As for #2, here's a quick diagram:

Comcast<----E0/0->ASA <--E0/1 (Access)----G1/0/48 (Access)-->Switch<---G3/0/49 (Trunk)----G0/0 (Trunk)--> Router

I added a route for the X.X.X.X network on the router (ip route X.X.X.0 255.255.255.0 Y.Y.Y.248)

That allows ping through to the X.X.X.78 gateway IP from the Y and Z networks.

Still no success on the https://X.X.X.74 connection in browsers.

Don

Where you are you trying to connect from ie. from the outside or the inside ?

Jon

We're trying to connect from the outside.

Don

Does your router have a default route pointing to the inside interface of the ASA ?

It's not a route for the subnet used on your outside interface, you don't need that.

Can you run -

"packet-tracer input outside tcp 8.8.8.8 12345 X.X.X.74 443"

and post the results.

Edit - that should be port 443 in the above.

Jon

Thanks, Jon. This is not a default route for traffic - we've got an MPLS link for that that feeds into a central internet location (single point of filtering,control, etc.) Only specific traffic needs to flow outbound here.

Packet-Tracer results:

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (inside,outside) X.X.X.74 Z.Z.Z.28 netmask 255.255.255.255
  match ip inside host Z.Z.Z.28 outside any
    static translation to X.X.X.74
    translate_hits = 0, untranslate_hits = 4
Additional Information:
NAT divert to egress interface inside
Untranslate X.X.X.74/0 to Z.Z.Z.28/0 using netmask 255.255.255.255

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inbound in interface outside
access-list inbound extended permit tcp any host X.X.X.74
Additional Information:

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect http
service-policy global_policy global
Additional Information:

Phase: 5
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
static (inside,outside) X.X.X.74 Z.Z.Z.28 netmask 255.255.255.255
  match ip inside host Z.Z.Z.28 outside any
    static translation to X.X.X.74
    translate_hits = 0, untranslate_hits = 4
Additional Information:

Phase: 7
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside,outside) X.X.X.74 Z.Z.Z.28 netmask 255.255.255.255
  match ip inside host Z.Z.Z.28 outside any
    static translation to X.X.X.74
    translate_hits = 0, untranslate_hits = 4
Additional Information:

Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 521, packet dispatched to next module

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow

Honda-5920-ASA-5505#              packet-tracer input outside tcp 8.8.8.8 1234$

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (inside,outside) X.X.X.74 Z.Z.Z.28 netmask 255.255.255.255
  match ip inside host Z.Z.Z.28 outside any
    static translation to X.X.X.74
    translate_hits = 0, untranslate_hits = 4
Additional Information:
NAT divert to egress interface inside
Untranslate X.X.X.74/0 to Z.Z.Z.28/0 using netmask 255.255.255.255

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inbound in interface outside
access-list inbound extended permit tcp any host X.X.X.74
Additional Information:

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect http
service-policy global_policy global
Additional Information:

Phase: 5
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
static (inside,outside) X.X.X.74 Z.Z.Z.28 netmask 255.255.255.255
  match ip inside host Z.Z.Z.28 outside any
    static translation to X.X.X.74
    translate_hits = 0, untranslate_hits = 4
Additional Information:

Phase: 7
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside,outside) X.X.X.74 Z.Z.Z.28 netmask 255.255.255.255
  match ip inside host Z.Z.Z.28 outside any
    static translation to X.X.X.74
    translate_hits = 0, untranslate_hits = 4
Additional Information:

Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 521, packet dispatched to next module

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow

That did the trick, Jon. I'll have to study the books a bit more to understand this in depth, but you've rescued me from further angst over this...thanks!

Don

No problem.

If you need a fuller explanation then happy to help but just to be clear your ASA configuration was fine and you wouldn't normally need to add that extra configuration which is why it wouldn't be in the instructions you followed.

It was only because within your network the default route was pointing somewhere else that you needed it.

Glad you got it working.

Jon

Don

Not sure if you'll see this but just wanted to mention something.

Those commands you added mean every internet IP that accesses your web server is translated to the inside interface IP of your ASA.

Depending on the number of outside clients accessing your web server this could create a lot of translations on your firewall.

You should be okay but if it becomes an issue the alternative is not to use those commands and do PBR on your router.

With PBR you could say any traffic from the web server to an unknown IP should go to the ASA.

This may be an option but it depends on what the existing default route is being used for ie. if there is traffic from the web server to unknown IPs that should go via MPLS as opposed to the ASA then PBR probably wouldn't work.

Apologies if I have confused the issue, just wanted you to be aware of possible alternatives.

Jon