I've set up NAT hairpin for inside hosts to use the public IP of the inside webserver as follows:
webserver: 172.22.35.10 NATs to 24.x.x.x
I used these commands:
same-security-traffic permit intra-interface
static (inside,inside) 24.x.x.x 172.22.35.10 netmask 255.255.255.255
I can ping from 10.156.16.28 to 24.x.x.x and get responses (I did not before I started). However, when I try to browse to the webserver or telnet to port 80 for 24.x.x.x I get nothing. Packet-tracer said the flow should be allowed so I did some captures on the ASA and it looked good.
When I sniff the traffic on 10.156.16.28 I see this:
source destination info
10.156.16.28 24.x.x.x SYN
172.22.35.10 10.156.16.28 SYN-ACK
10.156.16.28 172.22.35.10 RST (broken tcp. the acknowledgement field is nonzero while the ack flag is not set)
Obviously the traffic is making its way back to 10.156.16.28, but that host doesn't ACK it.
I'm running an ASA5520 with 8.2 code and Websense filtering disabled for testing this. I cannot do DNS doctoring as the DNS is on our corporate network (doesn't go through this ASA) and I don't have access to the firewall on that side.
I imagine you can use policy NAT.
access-list hairpin permit ip host 10.156.16.28 host 24.x.x.x
nat (inside) 10 access-list hairpin
global (inside) 10 interface
access-list internet permit ip host 10.156.16.28 any
nat (inside) 20 access-list internet
global (outside) 20 interface
The idea is that you define the hairpinning only when going to 24.x.x.x, and everything else will be PATed to the internet.
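The following is an added toy model, not ASA code and not from either poster, of why the symptom in the question (SYN-ACK arriving from 172.22.35.10 instead of 24.x.x.x, followed by the client's RST) appears with destination-only hairpin NAT, and why the answer's policy NAT with source PAT to the inside interface repairs it. It assumes 24.0.0.1 stands in for the redacted 24.x.x.x, that the ASA inside interface is 172.22.35.1, and that the web server has a direct inside route to the 10.156.16.x client, so a reply addressed to the client never re-enters the ASA; only a reply addressed to the ASA's own interface does. The second ACL in the answer (general internet PAT) is outside this model.

```python
"""Toy model of destination-only hairpin NAT versus hairpin with source PAT.

Added example; all addresses below are constructed or assumed:
  * 24.0.0.1 stands in for the redacted public address 24.x.x.x.
  * 172.22.35.1 is an assumed ASA inside-interface address.
  * The server replies straight to 10.156.16.x without traversing the ASA;
    only traffic addressed to the ASA interface is untranslated by it.
"""
from dataclasses import dataclass

CLIENT = "10.156.16.28"
SERVER_INSIDE = "172.22.35.10"
SERVER_PUBLIC = "24.0.0.1"        # placeholder for 24.x.x.x
ASA_INSIDE_IF = "172.22.35.1"     # assumed


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    flags: str


class HairpinASA:
    """Models 'static (inside,inside)' with or without a source PAT to the interface."""

    def __init__(self, source_pat: bool):
        self.source_pat = source_pat
        # (translated_dst, translated_src) -> (original_dst, original_src)
        self.xlate: dict[tuple[str, str], tuple[str, str]] = {}

    def outbound(self, pkt: Packet) -> Packet:
        """Client -> server direction: rewrite dst 24.x.x.x to the real server."""
        new_src = ASA_INSIDE_IF if self.source_pat else pkt.src
        new_dst = SERVER_INSIDE if pkt.dst == SERVER_PUBLIC else pkt.dst
        self.xlate[(new_dst, new_src)] = (pkt.dst, pkt.src)
        return Packet(new_src, new_dst, pkt.flags)

    def inbound(self, pkt: Packet) -> Packet:
        """Server -> client direction: undo the translation if we have state for it."""
        orig = self.xlate.get((pkt.src, pkt.dst))
        if orig is None:
            return pkt
        orig_dst, orig_src = orig
        return Packet(orig_dst, orig_src, pkt.flags)


def server_reply(pkt: Packet) -> Packet:
    """The web server answers whatever source it saw the SYN from."""
    return Packet(pkt.dst, pkt.src, "SYN-ACK")


def client_accepts(syn: Packet, synack: Packet) -> bool:
    """A TCP client only matches a SYN-ACK whose src/dst mirror its own SYN."""
    return synack.src == syn.dst and synack.dst == syn.src


def simulate(source_pat: bool) -> dict:
    asa = HairpinASA(source_pat)
    syn = Packet(CLIENT, SERVER_PUBLIC, "SYN")
    at_server = asa.outbound(syn)
    reply = server_reply(at_server)
    # Assumed routing: the server reaches 10.156.16.x directly, so only a reply
    # addressed to the ASA interface passes back through the translation.
    if reply.dst == ASA_INSIDE_IF:
        reply = asa.inbound(reply)
    accepted = client_accepts(syn, reply)
    return {
        "synack_src": reply.src,
        "synack_dst": reply.dst,
        "accepted": accepted,
        "client_action": "ACK" if accepted else "RST",
    }


if __name__ == "__main__":
    print("static only:     ", simulate(source_pat=False))
    print("with source PAT: ", simulate(source_pat=True))
```

In the destination-only case the model reproduces the capture in the question: the SYN-ACK reaches the client sourced from 172.22.35.10, which does not match the 24.x.x.x it sent the SYN to, so the client resets. With the source PAT the server's reply is addressed to the ASA, which untranslates it back to 24.x.x.x before the client sees it.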