Cisco ASA 5505 NAT(PAT) and Accessing Internal Hosts

wbaehr asked
Last Modified: 2012-05-11
Customer has a Cisco ASA 5505 (Base license)
They have for external IPs and for internal IPs

PAT works fine when accessing resources externally. However, to access a resource internally, they must use the internal IP address.

Example: Externally, a laptop would use mail.customer.com to access the mail server at; internally, however, this will not route. They have to use the internal IP of

I'm aware of DNS doctoring but I'd rather not use that.

Examining the ASA logs, it appears the connection is indeed being created and connected, but it's not actually working.

Configuration snippets below:

name int-mail
name ext-mail
----- SNIP ------
interface Vlan1
 nameif inside
 security-level 100
 ip address
 ospf cost 10
interface Vlan2
 nameif outside
 security-level 0
 ip address
 ospf cost 10
----- SNIP ------
ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
 domain-name default.domain.invalid
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp any host ext-mail eq smtp
----- SNIP ------
access-list inside_nat_static_16 extended permit tcp host int-mail eq smtp any
----- SNIP ------
access-list inside_nat_outbound extended permit ip
----- SNIP ------
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
asdm history enable
arp timeout 14400
global (inside) 2 interface
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 2 access-list inside_nat_outbound
nat (inside) 1
----- SNIP ------
static (inside,outside) tcp ext-mail smtp access-list inside_nat_static_16
----- SNIP ------
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 1

Thanks in advance! :)
Top Expert 2010

This is a common issue. I usually fix this by running split DNS on inside and outside.

Since you have OpenDNS on the outside already, you may want to look at running an internal DNS host for resolving IPs on internal hosts. That way, when inside the network, DHCP assigns the internal DNS. When they roam, they get whatever DNS is provided on the public side (equivalent to using OpenDNS).

On the client, the request for resolution of mail.domain.com would get different results depending on which DNS server is currently in use.

On the inside, any Linux host running bind9 or even dnsmasq would suffice, at no cost.
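The split-DNS setup the answer describes, as an added dnsmasq example (this is not configuration from the question, the answer, or the customer's ASA). The interface name, the internal resolver's role on the LAN, the private address 10.0.0.25 and the hostname mail.customer.com are assumptions standing in for the values elided on the page; the upstream addresses are OpenDNS's public resolvers, which the answer says are already in use.

```ini
# /etc/dnsmasq.conf on the internal resolver (added example, not from the
# question or answer). The LAN interface name, the server address 10.0.0.25
# and the hostname mail.customer.com are assumed placeholders.

# Only answer on the LAN interface; never expose this resolver on the outside.
interface=eth0
bind-interfaces

# Forward everything we do not override to OpenDNS (already in use externally
# per the answer). Ignore /etc/resolv.conf so the resolver cannot loop back
# into itself if the host's own nameserver entry points at 127.0.0.1.
no-resolv
server=208.67.222.222
server=208.67.220.220

# Split-horizon override: inside clients resolve the public name to the private
# address, so SMTP goes straight to the server instead of trying to reach the
# ASA's outside address from inside (the failure mode in the question).
# Note: address=/name/ip also matches any subdomain of that name.
address=/mail.customer.com/10.0.0.25

# Do not forward reverse lookups for RFC 1918 space or bare (dotless) names
# upstream; they leak internal naming and never resolve publicly anyway.
bogus-priv
domain-needed

# Short TTL on the locally-sourced answer so a roaming laptop does not keep
# the private address cached after it leaves the LAN and switches resolvers.
local-ttl=60
```

To confirm the split is in effect, resolve the name against both resolvers from an inside host (`dig @10.0.0.2 mail.customer.com` for the internal box versus `dig @208.67.222.222 mail.customer.com`, assuming the resolver lives at 10.0.0.2) and check that only the first returns the private address; then make sure DHCP hands out the internal resolver and nothing else to LAN clients, otherwise a client that lists OpenDNS first will still get the public answer. If the customer later prefers the NAT-side fix the question actually asks about, the pre-8.3 approach is a static (inside,inside) translation for the mail server plus a global (inside) entry for the clients' NAT ID, so the hairpinned flow is PATed to the inside interface and the server's replies return through the ASA; that is a separate change not covered by the answer above.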
