Cisco ASA 5505 NAT(PAT) and Accessing Internal Hosts

Customer has a Cisco ASA 5505 (Base license)
They have for external IPs and for internal IPs

PAT works fine when accessing resources externally. However, to access a resource internally, they must use the internal IP address.

Example: Externally, a laptop would use to access mail server at; internally however, this will not route. They have to use the internal IP of

I'm aware of DNS doctoring but I'd rather not use that.

Examining the ASA logs, it appears the connection is indeed being created and connected, but it's not actually working.

Configuration snippets below:

name int-mail
name ext-mail
----- SNIP ------
interface Vlan1
 nameif inside
 security-level 100
 ip address
 ospf cost 10
interface Vlan2
 nameif outside
 security-level 0
 ip address
 ospf cost 10
----- SNIP ------
ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
 domain-name default.domain.invalid
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp any host ext-mail eq smtp
----- SNIP ------
access-list inside_nat_static_16 extended permit tcp host int-mail eq smtp any
----- SNIP ------
access-list inside_nat_outbound extended permit ip
----- SNIP ------
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
asdm history enable
arp timeout 14400
global (inside) 2 interface
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 2 access-list inside_nat_outbound
nat (inside) 1
----- SNIP ------
static (inside,outside) tcp ext-mail smtp access-list inside_nat_static_16
----- SNIP ------
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 1

Thanks in advance! :)
Frabble Commented:
The alternatives to DNS doctoring are:
1. Maintain entries on internal DNS servers for the host using the internal IP address
2. Have the server on a separate interface, e.g. a DMZ. Here, the network could be public addresses, or private addresses using destination NAT. If using address translation, the same NAT would be applied for inside to DMZ as for outside to DMZ.
This is a common issue. I usually fix this by running split DNS on inside and outside.

Since you have OpenDNS on the outside already, you may want to look at running an internal DNS host for resolving IPs of internal hosts. That way, when inside the network, DHCP assigns the internal DNS. When they roam, they get whatever DNS is provided on the public side (equivalent to using OpenDNS).

On the client, the request for resolution from would get different results depending on which DNS server is currently in use.

On the inside, any Linux host running bind9 or even dnsmasq would suffice, at no cost.
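The split DNS setup described in both answers above (Frabble's option 1 and the bind9/dnsmasq suggestion), written out as an added example. This is not configuration from the original question or from either commenter. The domain name, file paths, and all addresses are assumptions: the real hostnames and IPs were not included in the post, so documentation ranges are used (192.168.1.0/24 for the inside network, 203.0.113.10 for the mail server's public PAT address). The idea is a BIND 9 "view": clients on the inside network get the internal A record for the mail server, everyone else gets the public address, so internal hosts never try to traverse the ASA's outside interface to reach their own server.

```conf
// /etc/bind/named.conf.local  (assumed path; Debian/Ubuntu layout)
// Added example, not the poster's config. Addresses and names are hypothetical.

// Clients that should see internal addresses: the inside LAN plus the
// resolver itself. Adjust to the real inside subnet(s).
acl "internal-nets" { 192.168.1.0/24; 127.0.0.1; };

// Internal view: answers for inside clients, recursion allowed so this
// host can be the only resolver handed out by DHCP on the inside.
view "internal" {
    match-clients { "internal-nets"; };
    recursion yes;
    zone "example.com" {
        type master;
        file "/etc/bind/db.example.com.internal";
    };
};

// External view: everything that is not matched above. Recursion is
// off so the server cannot be abused as an open resolver if it is ever
// reachable from outside.
view "external" {
    match-clients { any; };
    recursion no;
    zone "example.com" {
        type master;
        file "/etc/bind/db.example.com.external";
    };
};

// /etc/bind/db.example.com.internal  (assumed path)
// Same zone, internal answers. Only the mail A record differs from the
// external copy; keep serials in step when editing both files.
// $TTL 3600
// @     IN  SOA  ns1.example.com. hostmaster.example.com. (
//                2024010101 3600 900 604800 300 )
//       IN  NS   ns1.example.com.
//       IN  MX   10 mail.example.com.
// ns1   IN  A    192.168.1.2       ; this BIND host (hypothetical)
// mail  IN  A    192.168.1.25      ; int-mail: inside address (hypothetical)

// /etc/bind/db.example.com.external  (assumed path)
// @     IN  SOA  ns1.example.com. hostmaster.example.com. (
//                2024010101 3600 900 604800 300 )
//       IN  NS   ns1.example.com.
//       IN  MX   10 mail.example.com.
// ns1   IN  A    203.0.113.2       ; public NS address (hypothetical)
// mail  IN  A    203.0.113.10      ; ext-mail: address PAT'd by the ASA static
```

Check it from both sides before pointing DHCP at it: `dig +short mail.example.com @192.168.1.2` from an inside host should return the internal address, while the same query against the public resolver the roaming laptops use (OpenDNS, in the poster's case) should return the PAT address. If only the inside override is wanted and a full zone is overkill, dnsmasq gives the same result with a single line such as `host-record=mail.example.com,192.168.1.25` and forwards everything else upstream. In either case, unless the external view is actually the authoritative server for the domain, it can be dropped and the internal view left to forward unknown names upstream; the external view above is only there to show that the two answers are served from one host.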
