We've recently implemented an ASA firewall on a new internet link, and there is one interesting problem I'm trying to figure out how to get around.
When users on hosts on the inside interface of the network attempt to connect to public IP addresses which are routed to our ASA by our ISP, it seems that the packets first go out to the internet then back in again. This wastes bandwidth and costs us money.
An example is the following lines:
access-list outside_access_in extended permit tcp any host EXT-HCHMAIL object-group IN-HCHMAIL
static (inside,outside) EXT-HCHMAIL INT-HCHMAIL netmask 255.255.255.255
This works fine from both sides (as we have an ACL allowing all access to this range on the inside interface). However, it sends the traffic out to our ISP before they route it back to us. Our routes on the ASA are:
route outside 0.0.0.0 0.0.0.0 220.127.116.11 1
route inside 10.0.0.0 255.0.0.0 10.0.0.1 1
Is there a way to tell the ASA to check its own NAT rules before routing the traffic out so it doesn't have to come back in again? I know on my core router I could just set up NAT rules or routes to secondary IP addresses on my internal servers, however this seems like a lot of doubling up of configuration.
Thanks for any help and advice on best practices here.
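One way to keep that traffic on the ASA, shown here as an added example and not taken from the post or from Cisco's documentation, is a hairpin (U-turn) configuration in the same pre-8.3 NAT syntax the post uses. It assumes the ASA runs 7.x/8.2-style NAT, that NAT id 1 and the 10.0.0.50 test address are free to use (both are constructed), and that the post's EXT-HCHMAIL/INT-HCHMAIL names can be reused.

```cisco
! Allow a flow to enter and leave the same interface (off by default).
same-security-traffic permit intra-interface

! Hairpin static: an inside host sending to the public address has the
! destination translated to the internal server on the ASA itself, so the
! packet never leaves via the outside interface. Same names as the
! existing (inside,outside) static in the post.
static (inside,inside) EXT-HCHMAIL INT-HCHMAIL netmask 255.255.255.255

! Source-translate hairpinned clients to the inside interface address so
! the server replies via the ASA instead of directly to the client
! (a direct reply would come from INT-HCHMAIL, which the client did not
! connect to, and the TCP session would break).
! NAT id 1 is an assumption: if nat (inside) 1 already exists for
! outbound PAT, keep it and only add the global (inside) line.
global (inside) 1 interface
nat (inside) 1 10.0.0.0 255.0.0.0

! Check: simulate a constructed client 10.0.0.50 connecting to the public
! address on tcp/25. The output should show the flow staying on "inside",
! the destination un-NATed to INT-HCHMAIL, and a final result of ALLOW.
packet-tracer input inside tcp 10.0.0.50 1025 EXT-HCHMAIL 25

! Alternative that avoids the hairpin entirely: if inside hosts resolve the
! server's name through an external DNS server and DNS inspection is on
! (the default), add the dns keyword to the existing static so A-record
! replies passing through the ASA are rewritten to INT-HCHMAIL.
! static (inside,outside) EXT-HCHMAIL INT-HCHMAIL netmask 255.255.255.255 dns
```

After applying the hairpin, `show xlate` should show an (inside,inside) translation for a test connection, and the outside interface counters for that flow should stay flat.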