Static NAT entries and "inside" connections


I have a situation where I have internal hosts on and static entries set up on an ASA5520 that map to some of those addresses. Static NAT works as expected for sources originating from the outside of the ASAs, but any traffic from the network itself to the public addresses just times out (SYN sent, but no ACK). Config is attached. In the config, the interfaces in question are ge0 (outside, where the static IPs are available) and ge2-2 (inside, where both the real IPs are AND which may also need to connect to the public IPs specified by the static statements).

Any help is greatly appreciated! Thanks in advance.

Fernando_Meza Wed, 06/18/2008 - 16:32
You can't use the public IP addresses allocated to the internal SMTP servers when initiating connections from inside hosts. You need to point the internal hosts to and .28 respectively instead.

I suspect that you probably use OWA or something like that and want to use the same hostname (which resolves to the public IP) for both internal and external users, correct? If that is the case you could use a feature called DNS doctoring by adding dns at the end of every static command. You also need to make sure the DNS server resolving that hostname is located OUTSIDE of your firewall. Please check the below example

Alternatively you could use hosts file entries on the internal users' desktops pointing the SMTP hostname, i.e. , to the INTERNAL IP address respectively.

I hope it helps. Please rate helpful posts!
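The DNS doctoring change described in the answer above, written out as an added configuration example (this is not the poster's attached config, and none of the addresses or interface names below come from the thread). It assumes the outside interface (ge0 in the post) is named "outside", the inside interface (ge2-2) is named "inside", two SMTP hosts at 192.168.10.25 and 192.168.10.28 are published as 203.0.113.25 and 203.0.113.28, and the ASA runs the pre-8.3 NAT syntax in use at the time of the thread.

```cisco
! Added example, not from the original thread. Assumed values:
!   outside interface nameif "outside"  (ge0 in the post)
!   inside  interface nameif "inside"   (ge2-2 in the post)
!   public 203.0.113.25 -> real SMTP host 192.168.10.25
!   public 203.0.113.28 -> real SMTP host 192.168.10.28
! Pre-8.3 ASA NAT syntax.

! Plain static entries: the public addresses answer only for
! connections arriving on the outside interface. An inside host
! that connects to 203.0.113.25 directly gets no reply, which is
! the SYN-without-ACK symptom in the question.
static (inside,outside) 203.0.113.25 192.168.10.25 netmask 255.255.255.255
static (inside,outside) 203.0.113.28 192.168.10.28 netmask 255.255.255.255

! DNS doctoring: the trailing "dns" keyword makes the ASA rewrite an
! A record answer of 203.0.113.25 to 192.168.10.25 when the DNS reply
! crosses from outside to inside, so inside clients connect to the
! real address while outside clients keep using the public one.
! The reply must actually traverse the ASA (resolver on the outside),
! and DNS inspection must be enabled for the rewrite to take place.
static (inside,outside) 203.0.113.25 192.168.10.25 netmask 255.255.255.255 dns
static (inside,outside) 203.0.113.28 192.168.10.28 netmask 255.255.255.255 dns

! DNS inspection is part of the default global policy; if it has been
! removed, put it back or the "dns" keyword has no effect.
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
service-policy global_policy global
```

To check the result, resolve the SMTP hostname from an inside host: it should now return the 192.168.10.x address, while the same query from outside the ASA still returns 203.0.113.x. The inside host's TCP connection then goes to the real address and never needs the static to hairpin.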

Thanks for your response!

It's not OWA (it's Postfix on Linux boxes) but you're correct about the desired goal. What's odd is that in another location where I use ASA boxes this does work, but I think it's a side effect of the configuration. In that setup, the public IPs are a /24 that is routed (by our ISP) to the ASAs which are on one end of a /30. I think what's happening there, assuming you're correct, is that traffic follows the default gw of the ASA to the ISP's router, gets NAT'd, and then immediately routed back to the ASAs. Of course, that's if I'm understanding the case correctly. I definitely appreciate your response, but I find it sad that this is the case. It seems like this should be possible.

Thanks again!
