Cisco-ASA 5505 - NAT works but same public IP can not be reach from inside

esasan asked
Medium Priority
Last Modified: 2012-05-06
Hi There:
I used the following command to make my internal web application accessible from the Internet using a public IP, and it works: I can see the web site from the Internet using the public IP. But I can't use the same public IP to connect to the site from inside, and I don't want to have two different IPs for internal and external use. How can I use the public IP even from inside?
Same problem for ping: the following ping command works from outside but not from inside.
Thanks a lot in advance -  

Command used for NAT:
access-list outside_access_in extended permit tcp any interface outside eq 8080
static (inside,outside) tcp interface 8080 8080 netmask
access-group outside_access_in in interface outside

Command used for Ping:
access-list outside_access_in extended permit icmp any any echo-reply

ASA Version 8.0(4) 
hostname xxxASA
domain-name xxxdomain.com
enable password xYZ.AoCGaJu/Udrz encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
interface Vlan1
 nameif inside
 security-level 100
 ip address 
interface Vlan2
 nameif outside
 security-level 0
 ip address 
interface Ethernet0/0
 switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
ftp mode passive
clock timezone GMT 0
dns domain-lookup outside
dns server-group DefaultDNS
 domain-name disternetdomain.com
access-list outside_access_in extended permit tcp any interface outside eq www 
access-list outside_access_in extended permit tcp any interface outside eq 8080 
access-list outside_access_in extended permit icmp any any echo-reply 
access-list inside_access_in extended permit ip any any 
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-613.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1
static (inside,outside) tcp interface www www netmask 
static (inside,outside) tcp interface 8080 8080 netmask 
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
service-policy global_policy global
prompt hostname context 
: end


A couple of solutions come to mind:

1) If your ASA has recent firmware, you should be able to configure reverse NAT translation to allow traffic out, then back in. This is obviously a security concern and will need managing, as fixups are not applied in reverse.

2) You could place an entry in your internal DNS server to reflect the inside IP address for that particular external IP. This would be the easiest.

3) If host headers are involved, step 2 would not work; you may need to provide hosts file updates to all clients to map a new URL address for that server.

This previous discussion should help:
Cyclops3590, Sr Software Engineer

Packets can't go in and out the same interface on a PIX/ASA ever. The recommended way to fix your issue is to give the public server its own IP and do a NAT so that you can use the 'dns' keyword to enable DNS doctoring.

The only option you have otherwise is to try either option 2 or 3 from debuggerau.

Here's why the firewall can't do what you want. Since the inside host wants to go to the public IP, it sends a packet to that public IP. When the packet hits the ASA, it knows the packet is destined to go out the outside interface, so it looks up how to translate the IPs via the global/nat and static commands. While you can probably use the outside keyword to get it to translate the public IP to the inside IP of the server, it would still try to send it out the outside interface. It would then try to route it back in the outside interface (my guessing of the process anyway) and it would drop it then. Even if it did re-read the routing table and send it back to the inside interface, it would drop it then because it came in from that direction. So no matter what, you can't get it to work unless you have a separate public IP for the server, use an internal DNS for your network, or inject a correct record to all your inside hosts.


Thanks a lot for your responses,
I have one extra public IP address, what would be the next step?
Can you explain:
"so that you can use the 'dns' keyword to enable DNS doctoring."? how is that?

Cyclops3590, Sr Software Engineer
Currently you have this:
>>static (inside,outside) tcp interface www www netmask

You would modify it to be this:
static (inside,outside) dns

where is the extra public IP. You'll have to update the ACL so that it's the correct public IP being allowed now. But what this does then is, when an inside host does a DNS query for the public server FQDN, the response from the public DNS server will return the public IP. When the response packet gets to the ASA, it knows that the public IP maps to so it alters the DNS response, taking out the public IP and putting in the private IP. Then it delivers it to the inside host, so the host tries to connect to the inside IP directly, which removes the issue you're currently seeing.
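The DNS-doctoring behaviour described in the answer above, simulated in Python as an added example (this is not ASA code and not from the thread): a static translation table maps a public IP to a private IP, and any A record in a DNS reply that carries the public IP is rewritten to the private IP before the reply reaches the inside host. The addresses 203.0.113.10, 192.168.1.10 and 198.51.100.5 and the name www.example.com are constructed placeholders, not the asker's real values; the reply packet is built inline so the script runs offline.

```python
"""Simulation of the ASA static-NAT 'dns' keyword (DNS doctoring).

Added example, not ASA code. A DNS reply carrying the public IP of a
static translation is rewritten to the private IP before delivery to the
inside host, so the inside client never tries to hairpin through the
outside interface. All addresses and names below are constructed."""
import ipaddress
import struct

# Constructed static NAT table: public IP -> private IP. In ASA 8.0 terms each
# row corresponds to a line of the form
#   static (inside,outside) <public> <private> netmask 255.255.255.255 dns
# (placeholder addresses, not the asker's real ones).
STATIC_NAT_DNS = {
    "203.0.113.10": "192.168.1.10",
}


def build_dns_reply(txid, qname, rdatas, ttl=300):
    """Construct a minimal DNS response: one A question, one A answer per
    address in `rdatas`, answer names as compression pointers to the
    question name (offset 12), as real resolvers emit them."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(rdatas), 0, 0)
    labels = qname.rstrip(".").split(".")
    qname_wire = b"".join(bytes([len(lb)]) + lb.encode() for lb in labels) + b"\x00"
    question = qname_wire + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    answers = b""
    for ip in rdatas:
        answers += b"\xc0\x0c"                          # pointer to the question name
        answers += struct.pack("!HHIH", 1, 1, ttl, 4)   # TYPE=A, CLASS=IN, TTL, RDLENGTH
        answers += ipaddress.IPv4Address(ip).packed
    return header + question + answers


def skip_name(pkt, off):
    """Return the offset just past a (possibly compressed) DNS name at `off`."""
    while True:
        length = pkt[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:     # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def doctor_dns_reply(pkt, nat_table=STATIC_NAT_DNS):
    """Rewrite every A record whose rdata is a public IP in `nat_table` to the
    mapped private IP. Returns (new_packet, [(public, private), ...]).
    Queries (QR bit clear) are returned untouched."""
    pkt = bytearray(pkt)
    _, flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", pkt, 0)
    if not flags & 0x8000:
        return bytes(pkt), []
    off = 12
    for _ in range(qd):                      # skip the question section
        off = skip_name(pkt, off) + 4        # QTYPE + QCLASS
    rewritten = []
    for _ in range(an + ns + ar):            # walk every resource record
        off = skip_name(pkt, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", pkt, off)
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            public = str(ipaddress.IPv4Address(bytes(pkt[off:off + 4])))
            private = nat_table.get(public)
            if private:
                pkt[off:off + 4] = ipaddress.IPv4Address(private).packed
                rewritten.append((public, private))
        off += rdlen
    return bytes(pkt), rewritten


if __name__ == "__main__":
    reply = build_dns_reply(0x1234, "www.example.com", ["203.0.113.10", "198.51.100.5"])
    doctored, changed = doctor_dns_reply(reply)
    print("rewritten:", changed)
    print("doctored reply:", doctored.hex())
```

Only records that match a translation are touched; the second answer (198.51.100.5, not in the table) passes through unchanged, and a query packet is never modified. A real firewall would also fix up the UDP and IP checksums after changing the payload, which this payload-only simulation omits.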
