Cisco-ASA 5505 - NAT works but same public IP can not be reach from inside

Posted on 2009-02-18
Last Modified: 2012-05-06
Hi there:
I used the following commands to make my internal web application accessible from the Internet using a public IP, and it works: I can see the web site from the Internet using the public IP, but I cannot use the same public IP to connect to the site from inside. I don't want to have two different IPs for internal and external use. How can I use the public IP even from inside?
Same problem for ping: the following ping command works from outside but not from inside.
Thanks a lot in advance -

Command used for NAT:
access-list outside_access_in extended permit tcp any interface outside eq 8080
static (inside,outside) tcp interface 8080 8080 netmask
access-group outside_access_in in interface outside

Command used for Ping:
access-list outside_access_in extended permit icmp any any echo-reply

ASA Version 8.0(4)

hostname xxxASA

enable password xYZ.AoCGaJu/Udrz encrypted
passwd 2KFQnbNIdI.2KYOU encrypted

interface Vlan1
 nameif inside
 security-level 100
 ip address

interface Vlan2
 nameif outside
 security-level 0
 ip address

interface Ethernet0/0
 switchport access vlan 2

interface Ethernet0/1

interface Ethernet0/2

interface Ethernet0/3

interface Ethernet0/4

interface Ethernet0/5

interface Ethernet0/6

interface Ethernet0/7

ftp mode passive
clock timezone GMT 0
dns domain-lookup outside
dns server-group DefaultDNS

access-list outside_access_in extended permit tcp any interface outside eq www
access-list outside_access_in extended permit tcp any interface outside eq 8080
access-list outside_access_in extended permit icmp any any echo-reply
access-list inside_access_in extended permit ip any any
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-613.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1
static (inside,outside) tcp interface www www netmask
static (inside,outside) tcp interface 8080 8080 netmask
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept

class-map inspection_default
 match default-inspection-traffic

policy-map type inspect dns preset_dns_map

  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp

service-policy global_policy global
prompt hostname context

: end

Question by: esasan

LVL 23

Expert Comment

A couple of solutions come to mind:

1) If your ASA has recent firmware, you should be able to configure reverse NAT translation to allow traffic out, then back in. This is obviously a security concern and will need managing, as fixups are not applied in reverse.

2) You could place an entry in your internal DNS server to reflect the inside IP address for that particular external IP. This would be the easiest.

3) If host headers are involved, step 2 would not work; you may need to provide hosts file updates to all clients to map a new URL address for that server.

This previous discussion should help:
LVL 25

Expert Comment

Packets can't go in and out the same interface on a PIX/ASA, ever. The recommended way to fix your issue is to give the public server its own IP and do a NAT so that you can use the 'dns' keyword to enable DNS doctoring.

The only option you have otherwise is to try either option 2 or 3 from debuggerau.

Here's why the firewall can't do what you want. Since the inside host wants to go to the public IP, it sends a packet to that public IP. When the packet hits the ASA it knows the packet is destined to go out the outside interface, so it looks up how to translate the IPs via the global/nat and static commands. While you can probably use the outside keyword to get it to translate the public IP to the inside IP of the server, it would still try to send it out the outside interface. It would then try to route it back in the outside interface (my guess at the process anyway) and it would drop it then. Even if it did re-read the routing table and send it back to the inside interface, it would drop it then because it came in from that direction. So no matter what, you can't get it to work unless you have a separate public IP for the server, use an internal DNS for your network, or inject a correct record to all your inside hosts.

Author Comment

Thanks a lot for your responses.
I have one extra public IP address; what would be the next step?
Can you explain "so that you can use the 'dns' keyword to enable DNS doctoring"? How is that done?

LVL 25

Accepted Solution

Currently you have this:
>>static (inside,outside) tcp interface www www netmask

You would modify it to be this:
static (inside,outside) dns

where is the extra public IP. You'll have to update the ACL so that it's the correct public IP being allowed now. But what this does then is: when an inside host does a DNS query for the public server's FQDN, the response from the public DNS server will return the public IP. When the response packet gets to the ASA, it knows that the public IP maps to so it alters the DNS response, taking out the public IP and putting in the private IP. Then it delivers it to the inside host, so the host tries to connect to the inside IP directly, removing the issue you're currently seeing.
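To make the accepted answer's DNS doctoring concrete, here is an added Python model of the rewrite the ASA performs when a static carries the dns keyword; it is example code written for this page, not Cisco's implementation or anything the poster ran. It parses a real DNS reply (handling label compression pointers), and rewrites only IN A answers whose address matches a static's public IP. The map STATIC_DNS_MAP and the addresses used are constructed placeholders, since the thread's real addresses are not shown.

```python
import socket
import struct

STATIC_DNS_MAP = {"203.0.113.10": "192.168.1.20"}  # constructed: public IP -> private IP

def skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a DNS name (labels or a compression pointer)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:            # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length

def a_record_offsets(msg: bytes):
    """Yield the rdata offset of every IN A record in the answer section."""
    qdcount, ancount = struct.unpack_from("!HH", msg, 4)
    off = 12                                 # end of the fixed 12-byte header
    for _ in range(qdcount):
        off = skip_name(msg, off) + 4        # skip QTYPE and QCLASS
    for _ in range(ancount):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            yield off
        off += rdlen

def doctor_dns_reply(msg: bytes, static_map: dict) -> bytes:
    """Rewrite A answers holding a static's public IP to its private IP; other
    records and the packet length are untouched, as the ASA's dns keyword does."""
    out = bytearray(msg)
    for off in a_record_offsets(msg):
        addr = socket.inet_ntoa(msg[off:off + 4])
        if addr in static_map:
            out[off:off + 4] = socket.inet_aton(static_map[addr])
    return bytes(out)

def answered_ips(msg: bytes) -> list:
    """Addresses in the A answers, in order (used to check the rewrite)."""
    return [socket.inet_ntoa(msg[off:off + 4]) for off in a_record_offsets(msg)]

def build_reply(name: str, ips) -> bytes:
    """Constructed minimal DNS reply: one question plus one A answer per address."""
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, len(ips), 0, 0)
    answers = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)
                       + socket.inet_aton(ip) for ip in ips)
    return header + qname + struct.pack("!HH", 1, 1) + answers
```

On the ASA this rewrite only happens for replies that pass through DNS application inspection, which the posted global_policy already applies with inspect dns preset_dns_map; a reply for any other address, or a reply that never crosses the firewall, is left unchanged.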
