Cisco ASA 5505 NAT(PAT) and Accessing Internal Hosts

Posted on 2011-04-26
Last Modified: 2012-05-11
Customer has a Cisco ASA 5505 (Base license)
They have for external IPs and for internal IPs

PAT works fine when accessing resources externally. However, to access a resource internally, they must use the internal IP address.

Example: Externally, a laptop would use to access mail server at; internally however, this will not route. They have to use the internal IP of

I'm aware of DNS doctoring but I'd rather not use that.

Examining the ASA logs, it appears the connection is indeed being created and connected, but it's not actually working.

Configuration snippets below:

name int-mail
name ext-mail
----- SNIP ------
interface Vlan1
 nameif inside
 security-level 100
 ip address
 ospf cost 10
interface Vlan2
 nameif outside
 security-level 0
 ip address
 ospf cost 10
----- SNIP ------
ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
 domain-name default.domain.invalid
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp any host ext-mail eq smtp
----- SNIP ------
access-list inside_nat_static_16 extended permit tcp host int-mail eq smtp any
----- SNIP ------
access-list inside_nat_outbound extended permit ip
----- SNIP ------
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
asdm history enable
arp timeout 14400
global (inside) 2 interface
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 2 access-list inside_nat_outbound
nat (inside) 1
----- SNIP ------
static (inside,outside) tcp ext-mail smtp access-list inside_nat_static_16
----- SNIP ------
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 1

Thanks in advance! :)
Question by:wbaehr
    LVL 15

    Accepted Solution

    The alternatives to DNS doctoring are:
    1. Maintain entries on internal DNS servers for the host using the internal IP address
    2. Have the server on a separate interface, e.g. DMZ. Here, the network could be public addresses, or private addresses using destination NAT. If using address translation, the same NAT would be applied for inside to dmz as outside to dmz.
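    The DMZ alternative (item 2) in the same pre-8.3 syntax as the snippets in the question, as an added example rather than the poster's configuration or the answer's own text. It assumes a third VLAN (Vlan3 on Ethernet0/2, 192.168.50.0/24) for the DMZ, that int-mail is re-addressed to 192.168.50.10, that the inside network is 192.168.1.0/24, and that ext-mail is the public address already defined with the name command on this ASA; all four are placeholders. The same static is applied on the outside and inside paths, so both external and internal clients use ext-mail.

```cisco
! Added example, not the poster's config. Addresses are placeholders (see lead-in).
! 5505 Base licence: a third VLAN is allowed only as a restricted VLAN, so
! "no forward interface" must precede nameif. The DMZ can answer inside hosts
! but cannot initiate connections to them.
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address 192.168.50.1 255.255.255.0
!
interface Ethernet0/2
 switchport access vlan 3
!
! Same destination NAT on both paths: outside->dmz and inside->dmz.
! Inside clients reach ext-mail via their default gateway (the ASA), which
! matches the second static and forwards to the DMZ server.
static (dmz,outside) tcp ext-mail smtp 192.168.50.10 smtp netmask 255.255.255.255
static (dmz,inside) tcp ext-mail smtp 192.168.50.10 smtp netmask 255.255.255.255
!
! Keep inside addresses unchanged when inside hosts talk to the DMZ
! (identity static), and PAT the DMZ behind the outside interface.
static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
nat (dmz) 1 0.0.0.0 0.0.0.0
!
! Because ACLs are already applied on inside and outside, SMTP to the
! translated address has to be permitted explicitly on both.
access-list outside_access_in extended permit tcp any host ext-mail eq smtp
access-list inside_access_in extended permit tcp any host ext-mail eq smtp
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
```

    With this in place the existing `static (inside,outside) tcp ext-mail smtp ...` entry for the old inside address is removed, and the internal DNS record for the mail host can simply point at ext-mail, so no split DNS or DNS doctoring is needed. Check the result with `show xlate` and `show conn` after an inside client connects to ext-mail on port 25: the xlate should show ext-mail mapped to 192.168.50.10 on the inside side as well as the outside side.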
    LVL 33

    Expert Comment

    This is a common issue.    I usually fix this by running split DNS on inside and outside.  

    Since you have openDNS on the outside already, you may want to look at running an internal DNS host for resolving IPs on internal hosts.    That way, when inside the network, DHCP assigns the internal DNS.   When they roam, they get whatever DNS is provided on the public side (equivalent to using openDNS).

    On the client, the request for resolution from would get different results depending on which DNS server is currently in use.  

    On the inside, any Linux host running bind9 or even DNSMASQ would suffice and at no cost.  
