access internal server through public URL via ASA5505 by internal users


Hi, I am replacing a Linksys router with an ASA5505, and I am facing a problem. They don't have a DNS server; all DNS is directed to a public DNS server.

I have two PAT translations to access two internal servers from the Internet.

I want internal users to also be able to access the two URLs (to reach the servers from the internal network) just like public users from the Internet do.

Thanks and regards


Thanks for your reply,

But I don't think this is a DNS issue; even with the "dns" keyword it does not work for me.

I think the way the Linksys router handles port mapping is totally different from the ASA5505. In the Linksys router I have a public-to-private mapping (two port forwards to two internal IP addresses) configured, and internal users can access these services using the public IP addresses (DNS is not the issue).

But if I use a PAT translation using the static (inside,outside) tcp command on the ASA5505, my internal users can't access the service using the public address.

Any advice would be appreciated.

Jennifer Halim Sat, 03/20/2010 - 17:05
User Badges:
  • Cisco Employee,

They cannot use the public IP address of the server for internal users. If they use the same URL from inside, it will resolve to the private IP address if the DNS request traverses the firewall, once the "dns" keyword is configured on your static statement.

So basically, the internal user still uses the same URL (don't use the IP address to access the server from inside), and DNS resolution will resolve it to the internal IP address.


- Internal user browses to "", and the external DNS will resolve it to

- As the DNS reply from the external DNS passes through the firewall, it will automatically change that public IP address to the private IP address, e.g.:

- When the internal user receives the DNS reply, =

Please also be advised that "inspect dns" needs to be enabled in the policy-map. If you run "show run policy-map", check whether you have "inspect dns"; if you don't, please add the line "inspect dns" within the policy-map. Thanks.

Jennifer Halim Sat, 03/20/2010 - 18:58
User Badges:
  • Cisco Employee,

No, you can't use the IP address, because that does not require DNS resolution.

Can the users not use the internal IP address of the server when they are connected internally, and the external IP address when they are external?

Otherwise I believe you can configure the following, but it can become ugly in terms of best-practice configuration:

static (inside,inside) public_ip private_ip netmask

same-security-traffic permit intra-interface

Kureli Sankar Sat, 03/20/2010 - 19:25
User Badges:
  • Cisco Employee,

The "dns" keyword will not work for static PAT. It only works for static (1-to-1) NAT.

With that said, how many people on the inside need to access these sites using their public address?

If it is just a handful, then what you can do, Asok, is add a hosts file entry on their computers (winnt\system32\drivers\etc\hosts) and specify the internal IP address and the domain name, so when they type the domain name in the browser it will automatically resolve to the inside address.

As halijenn says, it is not recommended practice.


Hi, thanks for taking so much interest in this.

static (inside,inside) public_ip private_ip netmask

would work wonderfully with NAT, but with PAT it is a problem. I don't know how a simple Linksys router/modem does this kind of thing which the ASA cannot handle.

kusankar: can the hosts table handle PAT?


Kureli Sankar Sun, 03/21/2010 - 15:41
User Badges:
  • Cisco Employee,

That U-turn translation that Hillijen gave you would work, but it is not recommended. That is not for PAT; it is called destination NAT. When the inside interface sees a packet destined to the public address specified, it will U-turn it off the inside interface and send it to the private IP address instead. You need to use that together with the same-security command that was given in the previous posting.

The inside hosts should access the web servers using the inside (private) IP address and not the public address. Since they get the name resolved to the public address, I suggested a hosts file. The hosts file is just for name resolution, where you would specify the inside IP address and the name, for example:


Thank you kusankar,

But I don't think it will help with my simple Linksys router port forwarding. I want to replace the following, without an internal DNS server:

My internal users use this URL from inside and outside; they use >> port forward to >> port forward to

These two addresses port-forward to two different addresses.

If it is a single server, U-turn works at the IP level. I don't think a hosts file will help in this situation.

Thanks and regards

Jennifer Halim Sun, 03/21/2010 - 20:35
User Badges:
  • Cisco Employee,

In theory, you can configure U-turn traffic for port redirection as suggested earlier, but please kindly note that it is not a recommended solution, and I am not sure whether U-turn port redirection would work.

This is how you would configure it:

static (inside,inside) tcp 8080 80

static (inside,inside) tcp 8380 80

Again, the above is not a recommended design.
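The following is an added worked configuration (not posted by anyone in this thread) that puts the pieces discussed above together on ASA 8.2-style syntax: DNS doctoring with the "dns" keyword and "inspect dns" for the 1-to-1 static NAT case, and the inside-to-inside static PAT U-turn with "same-security-traffic permit intra-interface" for the two-servers-behind-one-address case. All addresses, interface names and ports are assumed placeholders: 203.0.113.11 is a spare public address used for the 1-to-1 example, 203.0.113.10 is a public address on the outside subnet (assumed not to be the outside interface's own address) shared by the two servers, and 192.168.1.10/192.168.1.20 are the two inside web servers.

```cisco
! Added example configuration, not from the thread. Placeholders:
!   203.0.113.11  = spare public address, 1-to-1 mapped to server 1
!   203.0.113.10  = shared public address, static PAT to servers 1 and 2
!   192.168.1.10  = web server 1, listening on TCP/80
!   192.168.1.20  = web server 2, listening on TCP/80
!   192.168.1.0/24 = the inside LAN holding both clients and servers

! --- Case 1: one public address per server (static 1-to-1 NAT) ---
! The "dns" keyword rewrites the A record in DNS replies that traverse
! the ASA, so an inside client resolving the public name receives
! 192.168.1.10 and connects directly. Works only on 1-to-1 static NAT,
! and only if DNS inspection is enabled (policy-map at the bottom).
static (inside,outside) 203.0.113.11 192.168.1.10 netmask 255.255.255.255 dns

! --- Case 2: two servers behind one public address (static PAT) ---
! "dns" is not available here, so inside clients are hairpinned instead:
! a packet arriving on inside for 203.0.113.10:8080 is translated and
! sent back out the inside interface. Intra-interface traffic must be
! explicitly permitted first.
same-security-traffic permit intra-interface

! Translations used by clients on the Internet
static (inside,outside) tcp 203.0.113.10 8080 192.168.1.10 80 netmask 255.255.255.255
static (inside,outside) tcp 203.0.113.10 8380 192.168.1.20 80 netmask 255.255.255.255

! The same translations for inside clients (U-turn off the inside interface)
static (inside,inside) tcp 203.0.113.10 8080 192.168.1.10 80 netmask 255.255.255.255
static (inside,inside) tcp 203.0.113.10 8380 192.168.1.20 80 netmask 255.255.255.255

! Source-translate hairpinned clients to the inside interface address.
! Without this the server, being on the same LAN as the client, would
! answer the client directly; the reply would bypass the ASA, arrive
! from 192.168.1.10 instead of 203.0.113.10, and the TCP handshake fails.
nat (inside) 1 192.168.1.0 255.255.255.0
global (inside) 1 interface
! Ordinary outbound Internet access for the same hosts
global (outside) 1 interface

! DNS doctoring for Case 1 only takes effect with DNS inspection enabled
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
```

To confirm the hairpin path before relying on it, run "packet-tracer input inside tcp 192.168.1.50 12345 203.0.113.10 8080" (192.168.1.50 being any inside client) and check that the output shows the (inside,inside) static translation and an ALLOW result, then watch "show xlate" while a client connects: you should see both the destination entry for 203.0.113.10:8080 and a PAT entry for the client on the inside interface address. If the client connects but the session hangs after the SYN, the source translation (the "nat (inside) 1" / "global (inside) 1 interface" pair) is the usual thing that is missing.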

