Cisco ASA Port Forwarding Issue – How to Fix ‘Drop-reason: (acl-drop) Flow is Denied by Configured Rule’


Months ago I made this post here on NE, but I still for the life of me just cannot figure out port-forwarding on my ASA 5505. I have since started over and am now trying the DMZ port instead, but again have hit a brick wall. It seems no matter what I try, the implicit rule/s block the inbound traffic. I cannot figure out how to fix this. My DMZ network is on port 7 (vlan 12) with subnet 172.16.0.0/24 and the web server IP is: 172.16.0.2

Here is my original show run:

MyASA# show running-config 
: Saved
: 
: Serial Number: 
: Hardware:   ASA5505, 512 MB RAM, CPU Geode 500 MHz
:
ASA Version 9.2(3) 
!
hostname MyASA
domain-name labz.local
enable password encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
 switchport access vlan 12
!
interface Vlan1
 description labz LAN
 nameif inside
 security-level 100
 ip address 192.168.3.1 255.255.255.0 
!
interface Vlan2
 description telco-isp 100 Mbps fiber
 nameif outside
 security-level 0
 pppoe client vpdn group labzGroup
 ip address pppoe setroute 
!
interface Vlan12
 description DMZ port
 no forward interface Vlan1
 nameif DMZ
 security-level 50
 ip address 172.16.0.1 255.255.255.0 
!             
ftp mode passive
dns server-group DefaultDNS
 domain-name labz.local
same-security-traffic permit inter-interface
object network show
object network dmz-subnet
 subnet 172.16.0.0 255.255.255.0
object network webserver
 host 172.16.0.2
object-group icmp-type PING-both
 description PING echo & echo-reply
 icmp-object echo
 icmp-object echo-reply
access-list outside_acl extended permit tcp interface outside object webserver eq https 
access-list outside_acl extended permit tcp interface outside object webserver eq www 
access-list outside_acl extended permit tcp host 172.16.0.2 host 0.0.0.0 eq www 
access-list outside_acl extended permit tcp host 172.16.0.2 host 0.0.0.0 eq https 
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu DMZ 1500
icmp unreachable rate-limit 1 burst-size 1
icmp deny any echo-reply outside
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network dmz-subnet
 nat (DMZ,outside) dynamic interface
object network webserver
 nat (DMZ,outside) static interface service tcp https https 
!
nat (inside,outside) after-auto source dynamic any interface
access-group outside_acl in interface outside
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication http console LOCAL 
aaa authentication serial console LOCAL 
aaa authentication ssh console LOCAL 
aaa authentication enable console LOCAL 
aaa authorization command LOCAL 
aaa authorization exec LOCAL 
http server enable
http 192.168.3.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint ASDM_Launcher_Access_TrustPoint_0
 enrollment self
 fqdn none
 subject-name CN=192.168.3.1,CN=MyASA
 keypair ASDM_LAUNCHER
 crl configure
crypto ca trustpool policy
crypto ca certificate chain ASDM_Launcher_Access_TrustPoint_0
telnet timeout 5
no ssh stricthostkeycheck
ssh 192.168.3.0 255.255.255.0 inside
ssh timeout 60
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
vpdn group labzGroup request dialout pppoe
vpdn group labzGroup localname samandrew@telco-isp.net
vpdn group labzGroup ppp authentication chap
vpdn username samandrew@telco-isp.net password ***** store-local

dhcpd dns 1.1.1.1 8.8.8.8
dhcpd domain labz.local
!
dhcpd address 192.168.3.30-192.168.3.90 inside
dhcpd dns 1.1.1.1 8.8.8.8 interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 inside vpnlb-ip
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 inside
username DrewAdmin password fZC8u8Iqk7W4q1hs encrypted privilege 15
username DrewAdmin attributes
 service-type admin
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect ip-options 
  inspect icmp 
  inspect icmp error 
!
service-policy global_policy global
prompt hostname context 
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active   
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:f38de6f9c4834dee452b30e10f54a8de
: end
MyASA#  

Here is my 1st packet-trace:

MyASA# packet-tracer input outside tcp 8.8.8.8 443 172.16.0.2 443 detailed

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in   172.16.0.0      255.255.255.0   DMZ

Phase: 2
Type: ACCESS-LIST
Subtype: 
Result: DROP
Config: 
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xcd2ec2d0, priority=11, domain=permit, deny=true
    hits=32828, user_data=0x5, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
    src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
    dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
    input_ifc=outside, output_ifc=any

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: DMZ
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

UPDATE (Feb 26th): I removed all ACLs and added the ones suggested, but HTTP/HTTPS traffic is still not getting through, unfortunately. My new Show Run:

MyASA# show running-config
: Saved
:
: Serial Number: 
: Hardware:   ASA5505, 512 MB RAM, CPU Geode 500 MHz
:
ASA Version 9.2(3)
!
hostname MyASA
domain-name Labz.local
enable password encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
 switchport access vlan 12
!
interface Vlan1
 description Labz LAN
 nameif inside
 security-level 100
 ip address 192.168.3.1 255.255.255.0
!
interface Vlan2
 description Telco-ISP 100 Mbps fiber
 nameif outside
 security-level 0
 pppoe client vpdn group LabzGroup
 ip address pppoe setroute
!
interface Vlan12
 description DMZ port
 no forward interface Vlan1
 nameif DMZ
 security-level 50
 ip address 172.16.0.1 255.255.255.0
!
ftp mode passive
dns server-group DefaultDNS
 domain-name Labz.local
same-security-traffic permit inter-interface
object network show
object network dmz-subnet
 subnet 172.16.0.0 255.255.255.0
object network webserver
 host 172.16.0.2
object network webserver-80
 host 172.16.0.2
object-group icmp-type PING-both
 description PING echo & echo-reply
 icmp-object echo
 icmp-object echo-reply
access-list outside_acl extended permit tcp any object webserver eq https
access-list outside_acl extended permit tcp any object webserver eq www
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu DMZ 1500
icmp unreachable rate-limit 1 burst-size 1
icmp deny any echo-reply outside
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network dmz-subnet
 nat (DMZ,outside) dynamic interface
object network webserver
 nat (DMZ,outside) static interface service tcp https https
object network webserver-80
 nat (DMZ,outside) static interface service tcp www www
!
nat (any,outside) after-auto source dynamic any interface
nat (inside,outside) after-auto source dynamic any interface
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
aaa authorization command LOCAL
aaa authorization exec LOCAL
http server enable
http 192.168.3.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint ASDM_Launcher_Access_TrustPoint_0
 enrollment self
 fqdn none
 subject-name CN=192.168.3.1,CN=MyASA
 keypair ASDM_LAUNCHER
 crl configure
crypto ca trustpool policy
crypto ca certificate chain ASDM_Launcher_Access_TrustPoint_0
 certificate e8fbb45b
    bf03b569 694aeba7 03c36099 8d
  quit
telnet timeout 5
no ssh stricthostkeycheck
ssh 192.168.3.0 255.255.255.0 inside
ssh timeout 60
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
vpdn group LabzGroup request dialout pppoe
vpdn group LabzGroup localname MrCustomer@Telco-ISP.net
vpdn group LabzGroup ppp authentication chap
vpdn username MrCustomer@Telco-ISP.net password ********* store-local

dhcpd dns 1.1.1.1 8.8.8.8
dhcpd domain Labz.local
!
dhcpd address 192.168.3.30-192.168.3.90 inside
dhcpd dns 1.1.1.1 8.8.8.8 interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 inside
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 inside vpnlb-ip
username AdminMe password encrypted privilege 15
username AdminMe attributes
 service-type admin
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
  inspect icmp error
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:139e5552c3c8346de7d6b388e72ee8bb
: end
MyASA#

My second packet trace attempt:

MyASA# packet-tracer input outside tcp 8.8.8.8 443 172.16.0.2 443 detailed

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in   172.16.0.0      255.255.255.0   DMZ

Phase: 2
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xcc34e810, priority=0, domain=nat-per-session, deny=false
        hits=260315, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=any, output_ifc=any

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xcd251fe8, priority=0, domain=permit, deny=true
        hits=110764, user_data=0x9, cs_id=0x0, use_real_addr, flags=0x1000, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=outside, output_ifc=any

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: DMZ
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

MyASA#

Also, here are my ACLs (Feb 26th):

MyASA(config)# show access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300
access-list outside_acl; 2 elements; name hash: 0x6b8df462
access-list outside_acl line 1 extended permit tcp any object webserver eq https (hitcnt=0) 0xf582ebb0
  access-list outside_acl line 1 extended permit tcp any host 172.16.0.2 eq https (hitcnt=0) 0xf582ebb0
access-list outside_acl line 2 extended permit tcp any object webserver eq www (hitcnt=0) 0x0e174c0d
  access-list outside_acl line 2 extended permit tcp any host 172.16.0.2 eq www (hitcnt=0) 0x0e174c0d

Update, Feb 27th – Here is my 3rd Show Run

MyASA(config)# show run
: Saved
:
: Serial Number:
: Hardware:   ASA5505, 512 MB RAM, CPU Geode 500 MHz
:
ASA Version 9.2(3)
!
hostname MyASA
domain-name labz.local
enable password lE85y9xDQeSE5Ktl encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
 switchport access vlan 12
!
interface Vlan1
 description labz LAN
 nameif inside
 security-level 100
 ip address 192.168.3.1 255.255.255.0
!
interface Vlan2
 description Telco-ISP 100 Mbps fiber
 nameif outside
 security-level 0
 pppoe client vpdn group labzGroup
 ip address pppoe setroute
!
interface Vlan12
 description DMZ port
 no forward interface Vlan1
 nameif DMZ
 security-level 50
 ip address 172.16.0.1 255.255.255.0
!
ftp mode passive
dns server-group DefaultDNS
 domain-name labz.local
same-security-traffic permit inter-interface
object network show
object network dmz-subnet
 subnet 172.16.0.0 255.255.255.0
object network webserver
 host 172.16.0.2
object network webserver-80
 host 172.16.0.2
object-group icmp-type PING-both
 description PING echo & echo-reply
 icmp-object echo
 icmp-object echo-reply
access-list outside_acl extended permit tcp any object webserver eq https
access-list outside_acl extended permit tcp any object webserver eq www
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu DMZ 1500
icmp unreachable rate-limit 1 burst-size 1
icmp deny any echo-reply outside
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network webserver
 nat (DMZ,outside) static interface service tcp https https
object network webserver-80
 nat (DMZ,outside) static interface service tcp www www
!
nat (inside,outside) after-auto source dynamic any interface
nat (DMZ,outside) after-auto source dynamic any interface
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
aaa authorization command LOCAL
aaa authorization exec LOCAL
http server enable 444
http 192.168.3.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint ASDM_Launcher_Access_TrustPoint_0
 enrollment self
 fqdn none
 subject-name CN=192.168.3.1,CN=MyASA
 keypair ASDM_LAUNCHER
 crl configure
crypto ca trustpool policy
crypto ca certificate chain ASDM_Launcher_Access_TrustPoint_0
 certificate e8fbb45b
    bf03b569 694aeba7 03c36099 8d
  quit
telnet timeout 5
no ssh stricthostkeycheck
ssh 192.168.3.0 255.255.255.0 inside
ssh timeout 60
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
vpdn group labzGroup request dialout pppoe
vpdn group labzGroup localname fryandrew@Telco-ISP.net
vpdn group labzGroup ppp authentication chap
vpdn username fryandrew@Telco-ISP.net password ***** store-local

dhcpd dns 1.1.1.1 8.8.8.8
dhcpd domain labz.local
!
dhcpd address 192.168.3.30-192.168.3.90 inside
dhcpd dns 1.1.1.1 8.8.8.8 interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 inside
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 inside vpnlb-ip
username AdminMe password fZC8u8Iqk7W4q1hs encrypted privilege 15
username AdminMe attributes
 service-type admin
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
  inspect icmp error
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:9baa3a68f21c745a705eafb83ad44b86
: end
MyASA(config)#

Here is the updated packet trace:

MyASA# packet-tracer input outside tcp 8.8.8.8 80 172.16.0.2 80 detailed

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in   172.16.0.0      255.255.255.0   DMZ

Phase: 2
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xcc34e810, priority=0, domain=nat-per-session, deny=false
    hits=379567, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
    src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
    dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
    input_ifc=any, output_ifc=any

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP  
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xcd251fe8, priority=0, domain=permit, deny=true
    hits=197361, user_data=0x9, cs_id=0x0, use_real_addr, flags=0x1000, protocol=0
    src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
    dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
    input_ifc=outside, output_ifc=any

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: DMZ
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Here are my ACLs (Feb 27th):

MyASA# show access-list 
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300
access-list outside_acl; 2 elements; name hash: 0x6b8df462
access-list outside_acl line 1 extended permit tcp any object webserver eq https (hitcnt=0) 0xf582ebb0 
  access-list outside_acl line 1 extended permit tcp any host 172.16.0.2 eq https (hitcnt=0) 0xf582ebb0 
access-list outside_acl line 2 extended permit tcp any object webserver eq www (hitcnt=0) 0x0e174c0d 
  access-list outside_acl line 2 extended permit tcp any host 172.16.0.2 eq www (hitcnt=0) 0x0e174c0d 

Edit – looks like I have a redundant NAT statement/policy…? (This did not matter in the end)

MyASA# show NAT detail 

Auto NAT Policies (Section 2)
1 (DMZ) to (outside) source static webserver interface   service tcp https https 
    translate_hits = 0, untranslate_hits = 148
    Source - Origin: 172.16.0.2/32, Translated: Current_Pub_IP/32
    Service - Protocol: tcp Real: https Mapped: https 
2 (DMZ) to (outside) source static webserver-80 interface   service tcp www www 
    translate_hits = 0, untranslate_hits = 102
    Source - Origin: 172.16.0.2/32, Translated: Current_Pub_IP/32
    Service - Protocol: tcp Real: www Mapped: www 

Manual NAT Policies (Section 3)
1 (inside) to (outside) source dynamic any interface  
    translate_hits = 52506, untranslate_hits = 12737
    Source - Origin: 0.0.0.0/0, Translated: Current_Pub_IP/32
2 (DMZ) to (outside) source dynamic any interface  
    translate_hits = 1142, untranslate_hits = 4
    Source - Origin: 0.0.0.0/0, Translated: Current_Pub_IP/32

Best Answer

access-list outside_acl extended permit tcp interface outside object webserver eq https 
access-list outside_acl extended permit tcp interface outside object webserver eq www 
access-list outside_acl extended permit tcp host 172.16.0.2 host 0.0.0.0 eq www 
access-list outside_acl extended permit tcp host 172.16.0.2 host 0.0.0.0 eq https

You need to remove all of those lines above, by issuing the commands:

no access-list outside_acl extended permit tcp interface outside object webserver eq https 
no access-list outside_acl extended permit tcp interface outside object webserver eq www 
no access-list outside_acl extended permit tcp host 172.16.0.2 host 0.0.0.0 eq www 
no access-list outside_acl extended permit tcp host 172.16.0.2 host 0.0.0.0 eq https

They are doing nothing, essentially. Your existing rules are restricting the source (i.e., the person on the internet) to your IP addresses (not theirs).

If you want to permit traffic coming from the internet to your web-server, you need to replace the lines you just deleted with:

access-list outside_acl extended permit tcp any object webserver eq https

Your current object NAT statement is only allowing for the use of HTTPS (not HTTP), so if you want to include HTTP as well, we will need to make a separate statement for it, which can be done like:

object network webserver-80
 host 172.16.0.2
 nat (DMZ,outside) static interface service tcp www www

Now that you've added a NAT for HTTP, we can add a supporting ACE for allowing HTTP, by adding:

access-list outside_acl extended permit tcp any object webserver eq www

Edit:

I didn't notice before that you have a redundant global NAT for the DMZ interface that is being hit before your PAT statements, causing them not to be used. Also, since you're using the interface IP for port 443, which is currently bound to the internal web server of the ASA for ASDM, you need to move it to another port so there is no conflict.

Please change the http server's port by issuing:

no http server enable
http server enable 444

Make note of this non-standard port, as this is what you will need to use in order to access ASDM if you use it at all. Instead of just https://192.168.3.1 it will now be https://192.168.3.1:444

Please remove:

object network dmz-subnet
 nat (DMZ,outside) dynamic interface

By issuing:

object network dmz-subnet
 no nat (DMZ,outside) dynamic interface

Also, you have another global NAT that is set to use "any" interface, which is not recommended. My suggestion is to change it to restrict it to the only remaining interface without an explicit NAT (the DMZ interface) by issuing:

no nat (any,outside) after-auto source dynamic any interface

nat (DMZ,outside) after-auto source dynamic any interface

Edit (adding from comment discussions):

Also, your outside interface does not have an ACL bound to it.

Please add:

access-group outside_acl in interface outside
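
An added worked example to go with the answer above (this is my own code, not code from the original post or from the answer): a small Python checker that parses the parts of `show running-config` this thread cares about and flags the same things the answer flags. An ACL that exists but has no `access-group` binding it is the state of the second and third show runs; on ASA, deleting every ACE of an access list deletes the list and with it the `access-group` that referenced it, which is consistent with the binding from the first config being absent later. It also flags ACEs whose source is `interface outside` (only the ASA's own outside IP would match) or whose destination is `host 0.0.0.0`, and a static PAT to the interface on the same TCP port that `http server enable` uses (443 unless a port is given). The second function reads packet-tracer output: when a configured ACE decides the result, the ACCESS-LIST phase prints the matching `access-list` line under `Config:`, while `Implicit Rule` means no configured ACE matched. One caveat all three traces in the post share is that they send the packet to the server's real address, 172.16.0.2; a packet from the Internet arrives addressed to the mapped (outside interface) address, so that is the destination to trace, and the reader notes it. The sample inputs are trimmed from the post's own output, and the names used (outside_acl, webserver, DMZ) are the post's, not invented.

```python
"""Added example, not code from the original post or the answer: an offline checker for the
ASA 9.x mistakes this thread walks through, plus a reader for packet-tracer output."""
import ipaddress
import re
from dataclasses import dataclass, field

PORT_NAMES = {"www": 80, "http": 80, "https": 443}   # ASA port keywords used in the post

@dataclass
class AsaConfig:
    acls: dict = field(default_factory=dict)           # acl name -> [ACE text]
    access_groups: dict = field(default_factory=dict)  # acl name -> (direction, interface)
    http_server_port: int = 0                          # 0: no 'http server enable' seen
    static_pats: list = field(default_factory=list)    # (object, mapped ifc, proto, mapped port)
    real_nets: list = field(default_factory=list)      # real-side addresses of network objects

def parse_asa_config(text: str) -> AsaConfig:
    """Extract only what the thread's diagnosis needs from 'show running-config'."""
    cfg, obj = AsaConfig(), None
    for line in text.splitlines():
        line = line.rstrip()
        if not line or line[0] in "!:":
            continue
        if not line.startswith(" "):
            obj = None                                  # a top-level command ends object sub-mode
        if m := re.match(r"access-list (\S+) extended (.*)", line):
            cfg.acls.setdefault(m[1], []).append(m[2])
        elif m := re.match(r"access-group (\S+) (in|out) interface (\S+)", line):
            cfg.access_groups[m[1]] = (m[2], m[3])
        elif m := re.match(r"http server enable(?: (\d+))?$", line):
            cfg.http_server_port = int(m[1] or 443)     # ASDM's HTTP server defaults to 443
        elif m := re.match(r"object network (\S+)$", line):
            obj = m[1]
        elif obj and (m := re.match(r" (host|subnet) (\S+)(?: (\S+))?$", line)):
            cfg.real_nets.append(ipaddress.ip_network(m[2] if m[1] == "host" else f"{m[2]}/{m[3]}"))
        elif obj and (m := re.match(r" nat \(\S+,(\S+)\) static interface service (tcp|udp) \S+ (\S+)", line)):
            cfg.static_pats.append((obj, m[1], m[2], m[3]))
    return cfg

def check_config(cfg: AsaConfig) -> list:
    """Flag the mistakes the answer corrects; an empty list means none were found."""
    out = []
    for name, aces in cfg.acls.items():
        if name not in cfg.access_groups:
            out.append(f"{name}: defined but no access-group binds it, so the implicit deny still applies")
        for ace in aces:
            if re.match(r"permit \S+ interface \S+ ", ace):   # source = the ASA's own interface IP
                out.append(f"{name}: '{ace}' permits only the ASA's own interface IP as source")
            if " host 0.0.0.0 " in ace:                      # destination 0.0.0.0 never matches a client
                out.append(f"{name}: '{ace}' has destination host 0.0.0.0 and cannot match real traffic")
    for obj, ifc, proto, mport in cfg.static_pats:
        if proto == "tcp" and (PORT_NAMES.get(mport) or int(mport)) == cfg.http_server_port:
            out.append(f"{obj}: static PAT to interface {ifc} tcp/{mport} collides with the ASDM http server port")
    return out

def read_packet_tracer(cfg: AsaConfig, output: str) -> dict:
    """Which phase dropped the packet, whether a configured ACE or the implicit rule decided
    it, and whether the test packet looked like one actually arriving from the Internet."""
    head = re.search(r"packet-tracer input (\S+) (?:tcp|udp|icmp) \S+ \S+ (\S+) \S+", output)
    if not head:
        raise ValueError("no packet-tracer command line in output")
    s = {"input_ifc": head[1], "dst": head[2], "drop_phase": None, "decided_by": None, "notes": []}
    for phase in re.split(r"\n(?=Phase: \d+)", output):
        if "Result: DROP" in phase:
            s["drop_phase"] = re.search(r"Type: (\S+)", phase)[1]
            ace = re.search(r"^(access-list .*)$", phase, re.M)   # shown under Config: when an ACE decided
            s["decided_by"] = ace[1].strip() if ace else "implicit rule"
            break
    if s["input_ifc"] == "outside" and any(ipaddress.ip_address(s["dst"]) in n for n in cfg.real_nets):
        s["notes"].append("destination is the server's real address; a packet from the Internet carries "
                          "the mapped (outside interface) address, so trace that instead")
    return s

# Constructed by combining the relevant lines of the post's first and second show runs.
BROKEN_CONFIG = """\
object network webserver
 host 172.16.0.2
access-list outside_acl extended permit tcp interface outside object webserver eq https
access-list outside_acl extended permit tcp host 172.16.0.2 host 0.0.0.0 eq www
object network webserver
 nat (DMZ,outside) static interface service tcp https https
http server enable
"""
# The same excerpt with the answer's changes applied.
FIXED_CONFIG = BROKEN_CONFIG.replace("interface outside object", "any object").replace(
    "host 172.16.0.2 host 0.0.0.0 eq www", "any object webserver eq www").replace(
    "http server enable", "http server enable 444") + "access-group outside_acl in interface outside\n"
# Trimmed from the post's third packet-tracer run.
SAMPLE_TRACE = """\
MyASA# packet-tracer input outside tcp 8.8.8.8 80 172.16.0.2 80 detailed

Phase: 3
Type: ACCESS-LIST
Result: DROP
Config:
Implicit Rule
Drop-reason: (acl-drop) Flow is denied by configured rule
"""
```

Running `check_config(parse_asa_config(BROKEN_CONFIG))` returns four findings (missing access-group, interface-IP source, host 0.0.0.0 destination, and the 443 collision with the ASDM server); the same call on `FIXED_CONFIG` returns an empty list. `read_packet_tracer` on the sample trace reports the drop in the ACCESS-LIST phase decided by the implicit rule, with a note that the trace should target the mapped address rather than 172.16.0.2.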