Cisco ASA 5505 NAT(PAT) and Accessing Internal Hosts

Posted on 2011-04-26
Medium Priority
Last Modified: 2012-05-11
Customer has a Cisco ASA 5505 (Base license)
They have for external IPs and for internal IPs

PAT works fine when accessing resources externally. However, to access a resource internally, they must use the internal IP address.

Example: Externally, a laptop would use mail.customer.com to access mail server at; internally however, this will not route. They have to use the internal IP of

I'm aware of DNS doctoring but I'd rather not use that.

Examining the ASA logs, it appear the connection is indeed being created and connected, but it's not actually working.

Configuration snippets below:

name int-mail
name ext-mail
----- SNIP ------
interface Vlan1
 nameif inside
 security-level 100
 ip address
 ospf cost 10
interface Vlan2
 nameif outside
 security-level 0
 ip address
 ospf cost 10
----- SNIP ------
ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
 domain-name default.domain.invalid
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp any host ext-mail eq smtp
----- SNIP ------
access-list inside_nat_static_16 extended permit tcp host int-mail eq smtp any
----- SNIP ------
access-list inside_nat_outbound extended permit ip
----- SNIP ------
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
asdm history enable
arp timeout 14400
global (inside) 2 interface
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 2 access-list inside_nat_outbound
nat (inside) 1
----- SNIP ------
static (inside,outside) tcp ext-mail smtp access-list inside_nat_static_16
----- SNIP ------
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 1

Thanks in advance! :)
Question by:wbaehr
LVL 15

Accepted Solution

Frabble earned 2000 total points
ID: 35470348
The alternatives to DNS doctoring are:
1. Maintain entries on internal DNS servers for the host using the internal IP address
2. Have the server on a separate interface eg DMZ. Here, the network could be public addresses, or, private addresses and using destination NAT. If using address tranlaltion, the same NAT would be applied for inside to dmz as outside to dmz.
LVL 33

Expert Comment

ID: 35475920
This is a common issue.    I usually fix this by running split DNS on inside and outside.  

Since you have openDNS on the outside already, you may want to look at running an internal DNS host for resolving IPs on internal hosts.    That way, when inside the network, DHCP assigns the internal DNS.   When they roam, they get whatever DNS is provided on the public side (equivalent to using openDNS).

ON the client, the request for resolution from mail.domain.com would get different results depending on which DNS server is currently in use.  

ON the inside, any Linux host running bind9 or even DNSMASQ would suffice and at no cost.  


Featured Post

How to Use the Help Bell

Need to boost the visibility of your question for solutions? Use the Experts Exchange Help Bell to confirm priority levels and contact subject-matter experts for question attention.  Check out this how-to article for more information.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article is in regards to the Cisco QSFP-4SFP10G-CU1M cables, which are designed to uplink/downlink 40GB ports to 10GB SFP ports. I recently experienced this and found very little configuration documentation on how these are supposed to be confi…
In this article, the configuration steps in Zabbix to monitor devices via SNMP will be discussed with some real examples on Cisco Router/Switch, Catalyst Switch, NAS Synology device.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…

840 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question