How do I route data back into my internal network when its destination is a NAT'd IP on my ASA?

Hi all

We've recently implemented an ASA firewall on a new internet link, and there is one interesting problem I'm trying to figure out how to get around.

When users on hosts on the inside interface of the network attempt to connect to public IP addresses which are routed to our ASA by our ISP, it seems that the packets first go out to the internet then back in again. This wastes bandwidth and costs us money.

An example is the following lines:

access-list outside_access_in extended permit tcp any host EXT-HCHMAIL object-group IN-HCHMAIL
static (inside,outside) EXT-HCHMAIL INT-HCHMAIL netmask

This works fine from both sides (as we have an ACL allowing all access to this range on the inside interface). However, it sends the traffic out to our ISP before they route it back to us. Our routes on the ASA are:

route outside 1
route inside 1

Is there a way to tell the ASA to check its own NAT rules before routing the traffic out and it comes back in again? I know on my core router I could just set up NAT rules or routes to secondary IP addresses on my internal servers, however this seems like a lot of doubling up of configuration.

Thanks for any help and advice on best practices here.


I call this one the "out and back". Some ISPs don't even allow this. The only effective way I've found around this is to set your internal DNS entries on your internal DNS server, and set your external DNS entries on your external DNS server.

So let's say you host a website,  And the IP address is  Internally, it might be  So you will want to set up DNS to point to inside your network, but host on an external DNS for the rest of the world.

You could also push static HOSTS files instead of the internal DNS server...

In 10 years I've not found a better way yet.  If anyone else knows of one, please let me know too.
brettrandall (Author) Commented:
Yeah, I'd prefer not to have multiple DNS zones for the same domain, but I guess it would be easier to manage than virtual NICs on my servers with the public IP addresses attached. I'm going to wait a little longer in the hope that someone may have a solution that doesn't involve this before I accept, though thanks for the suggestion, it may yet be the best way forward.
I agree with you, I'd love to know a better way.  If someone finds a way, they deserve all the points+++

what model ASA?
what size IP block do you have from your service provider?
are your servers publicly addressed or static NATted?  how many are there?

if you can send a diagram it would help to understand your current environment and how to fix it.

best practice is usually to set your public facing servers in a DMZ network - i can help further if i have the details above.
brettrandall (Author) Commented:
It's an ASA5510. We have a /26 from the provider, and we static NAT about 10 hosts at the moment. Our connection to the ISP is actually via a small /30 network, and they route the /26 to our CE address on the ASA.

Don't really have any diagrams I can send out, but it is basically:

SERVER (Internal IP)  ->  Cat 6500 (VLAN 3 - server VLAN)  -> ASA5510 (also on VLAN 3) -> ISP

So coming back in, it follows the same route, except the ASA statically NATs our public IPs to the relevant internal IPs.

Hope this helps. DMZ would make sense, however all the servers only have two NICs which are in an active/active configuration. I'm guessing we'd either have to install new NICs (not possible - blade servers) or set up some type of VLANing which these servers support (some are on ESX so this would be easy, others are not so this would be more difficult).

Here are the problems I've run into when trying to do an out and back.

1) The external IP address is only answered by the outside interface on the router, so the packet has to go to the router to get to it.
2) The router must NAT from the outside to inside interface in order to get the packet to the internal server that represents the public IP address.
3) Cisco will only NAT when you transition from an inside -> outside or outside->inside NAT interface.  That means the packet has to go out and back in.  But we need it to not transmit and we need it to come back in sourced from a different subnet so the internal server will return back to the router to be de-NATed.
4) Unless a different subnet is used from the router back in, the internal server will not send the packet back to the router, but instead short circuit it to the original sender's IP on the LAN. That means you'll send a packet to the external IP address, but receive it back on the internal address. Chances are your computer is not going to process that packet.

You might be able to set up another router off the side of the ASA in the DMZ that acts as nothing more than a reflector.  Instead of going to the ISP, it would bounce all external requests off the reflector.

Hi Brett,

When you say the servers only have two NICs in an active/active configuration, can you explain in a little more detail? Are they bonded? Etherchannel?  Are they active on different VLANs?

brettrandall (Author) Commented:
Thanks Brain2000 for the explanation - that helps a lot. May be an idea...

Brian, the NICs are bonded within the OS. Both are active (up to 2 Gbps between them) but if one uplink or NIC fails, the other will keep operating in a failover mode. We don't currently have VLAN trunking enabled on those switchports.
Hi Brett,

If both NICs are currently on a single VLAN (3), they could be publicly addressed and moved to the WEB-DMZ VLAN (4) without issue.

brettrandall (Author) Commented:
Thanks Brian - this is not a simple short-term solution but may just do what we need with some planning, and would help us get a proper DMZ into place which we haven't done before.

Appreciate your help.
I was kind of hoping that someone would have a superman answer for this one.  We have not been able to move our servers to the DMZ because we have sensitive data on them.  So we must leave them behind pinholed nats and continue to use internal DNS.

Good luck to you!
Hi Brain2000,

Are you in a linux or windows environment?  You mentioned the best way before as pushing a HOSTS file with local addresses - with a W2kx environment I know you can simply have all of your internal hosts use your AD/DNS server as primary DNS and have your A records resolve to the internal address of the server.  Since outside users don't use or see your internal DNS server, they obviously would resolve to the proper public address.  This would keep your internal traffic on your local LAN.
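The split-DNS approach that Brain2000 and the poster above describe, as an added example (not from this thread): a Python script that derives the internal-view A records (or a HOSTS file) from the ASA's own "static (inside,outside)" lines, so the NAT config stays the single source of truth and nothing is typed twice. The object names EXT-HCHMAIL / INT-HCHMAIL come from the question; the IP addresses, hostnames and the /26 are constructed.

```python
# Added example, not from the thread: build the internal DNS view from ASA statics
# so inside hosts resolve the server's inside IP and never "out and back".
import re
from ipaddress import ip_address, ip_network

STATIC_RE = re.compile(
    r"^static \(inside,outside\) (\S+) (\S+)(?: netmask (\S+))?", re.M)

# Constructed sample config: "name" definitions, then the host statics.
ASA_CONFIG = """
name 203.0.113.10 EXT-HCHMAIL
name 10.3.0.10 INT-HCHMAIL
name 203.0.113.20 EXT-WWW
name 10.3.0.20 INT-WWW
static (inside,outside) EXT-HCHMAIL INT-HCHMAIL netmask 255.255.255.255
static (inside,outside) EXT-WWW INT-WWW netmask 255.255.255.255
"""

# The public zone as the world sees it (constructed); cdn is hosted elsewhere.
PUBLIC_ZONE = {"mail.example.com": "203.0.113.10",
               "www.example.com": "203.0.113.20",
               "cdn.example.com": "198.51.100.7"}

def parse_names(cfg):
    """Map ASA object names to IPs from 'name <ip> <name>' lines."""
    return {n: ip for ip, n in re.findall(r"^name (\S+) (\S+)", cfg, re.M)}

def static_map(cfg):
    """Return {public_ip: inside_ip} for every host static on the ASA."""
    names = parse_names(cfg)
    out = {}
    for glob, local, mask in STATIC_RE.findall(cfg):
        if mask not in ("", "255.255.255.255"):
            continue  # subnet statics would need per-host expansion; skip
        out[names.get(glob, glob)] = names.get(local, local)
    return out

def internal_view(public_zone, cfg, public_block):
    """Rewrite A records pointing at a NATted IP inside our block to the inside
    IP; names outside the block (or not NATted) are left as-is."""
    nat, block = static_map(cfg), ip_network(public_block)
    return {fqdn: nat[ip] if ip_address(ip) in block and ip in nat else ip
            for fqdn, ip in public_zone.items()}

def hairpin_candidates(public_zone, cfg, public_block):
    """Names that would hairpin via the ISP if resolved from the inside."""
    view = internal_view(public_zone, cfg, public_block)
    return sorted(n for n in public_zone if view[n] != public_zone[n])

def hosts_file(view):
    """Render the view as HOSTS lines for pushing to clients."""
    return "\n".join(f"{ip}\t{fqdn}" for fqdn, ip in sorted(view.items()))

if __name__ == "__main__":
    print(hosts_file(internal_view(PUBLIC_ZONE, ASA_CONFIG, "203.0.113.0/26")))
```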
