Community Member

Advice needed

I have an ASA 5510, and recently we had to move our web site to an external provider. However, portions of the web site still remain here on site. From outside, the web site operates fine, with the portions being hosted here as well as at the provider site acting as they should. However, when inside the network, the portions that are local never connect and result in a 'site not found' error. This is because the external provider links to my portion using the public URL. I have temporarily solved this by placing a hosts file that gives the call to the local portions the correct internal address as opposed to the public address, and that works OK.

Here's the deal, I'd like the ASA to intercept these requests and simply turn them around and send them back inside. Details are:

Local domain =

  • Local Windows AD DNS, no authority for the domain2 DNS records
  • My portion of the web site has a URL of with a public address of and an inside address of

Hosted domain =

  • External DNS provider with authority for domain2, not domain1
  • URL for the main site portion is with a public address of

Initially, I thought a static NAT rule similar to:

static (inside,inside)

but no change. Then I thought perhaps with the dns keyword like:

static (inside,inside) dns

Still no change.


Anyone have any ideas as to how to do this?

Community Member

Can you try the command below:

static (inside,outside)  dns


You can also refer to the link below for more information:



Tushar Bangia

Please rate the post if you find it helpful.

Hi, You have to do DNS



You have to do DNS doctoring or hairpinning on your ASA to have the U-turn of the traffic via the same interface... The NAT and configuration parameters change slightly based on the OS version which you use...

If you use the 8.3+ OS, which has the new NAT syntax:

access-list outbound permit tcp <source lan> <web server public ip> eq www (depends on your requirement)

nat (inside,outside) source static <Private IP Of web server> <public ip of web server> dns
policy-map global_policy
  class inspection_default 
    inspect dns

Hairpinning is quite different from this.... DNS doctoring would do your requirement.


In the older 7.2 version:


global (inside) 1 interface

nat (inside) 1 <Local LAN Subnet>

!--- The NAT statement defines which traffic should be natted.
!--- The whole inside subnet in this case.

static (inside,outside) <public IP> <private ip> netmask

!--- Static NAT statement mapping the WWW server's real address to a public 
!--- address on the outside interface.

static (inside,inside) <public IP> <private ip> netmask

For the inspect statement on the global policy:

Configure DNS Inspection

In order to enable DNS inspection (if it has been previously disabled), perform these steps. In this example, DNS inspection is added to the default global inspection policy, which is applied globally by a service-policy command as though the ASA began with a default configuration. Refer to Using Modular Policy Framework for more information on service policies and inspection.

  1. Create an inspection policy map for DNS.

    ciscoasa(config)#policy-map type inspect dns MY_DNS_INSPECT_MAP
  2. From the policy-map configuration mode, enter parameter configuration mode to specify parameters for the inspection engine.

  3. In policy-map parameter configuration mode, specify the maximum message length for DNS messages to be 512.

    ciscoasa(config-pmap-p)#message-length maximum 512
  4. Exit out of policy-map parameter configuration mode and policy-map configuration mode.

  5. Confirm that the inspection policy-map was created as desired.

    ciscoasa(config)#show run policy-map type inspect dns
    policy-map type inspect dns MY_DNS_INSPECT_MAP
      message-length maximum 512
  6. Enter policy-map configuration mode for the global_policy.

    ciscoasa(config)#policy-map global_policy
  7. In policy-map configuration mode, specify the default layer 3/4 class map, inspection_default.

    ciscoasa(config-pmap)#class inspection_default
  8. In policy-map class configuration mode, specify that DNS should be inspected using the inspection policy map created in steps 1-3.

    ciscoasa(config-pmap-c)#inspect dns MY_DNS_INSPECT_MAP
  9. Exit out of policy-map class configuration mode and policy-map configuration mode.

  10. Verify that the global_policy policy-map is configured as desired.

    ciscoasa(config)#show run policy-map
    !--- The configured DNS inspection policy map.
    policy-map type inspect dns MY_DNS_INSPECT_MAP
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect dns MY_DNS_INSPECT_MAP
    !--- DNS application inspection enabled.
  11. Verify that the global_policy is applied globally by a service-policy.

    ciscoasa(config)#show run service-policy
    service-policy global_policy global
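To make concrete what the dns keyword on the NAT rule plus inspect dns actually does to a packet, here is an added example (my own code, not from the thread or from Cisco) that models the ASA's A-record rewrite over a constructed DNS reply, using only the Python standard library. The hostname and addresses (203.0.113.10 as the mapped public address, 10.1.1.10 as the real inside address) are constructed, not the poster's. It also models the caveat raised further down the thread: a reply that never crosses the ASA is never rewritten.

```python
"""Added example, not code from the thread: a stand-alone model of what ASA DNS
doctoring (the ``dns`` keyword on a static/NAT rule plus ``inspect dns``) does
to a DNS reply, using only the Python standard library.

The ASA rewrites an A record in a *reply* that crosses it when the record's
address equals the rule's mapped (public) address, substituting the real
(inside) address. The addresses and hostname below are constructed
(documentation ranges), not the poster's.
"""
import ipaddress
import struct

MAPPED_PUBLIC = "203.0.113.10"   # constructed: public address in the static/NAT rule
REAL_INSIDE = "10.1.1.10"        # constructed: server's real inside address


def _encode_name(name: str) -> bytes:
    """Wire-format a hostname as length-prefixed labels ending in a zero byte."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"


def build_a_reply(txid: int, qname: str, answer_ip: str, ttl: int = 300) -> bytes:
    """Construct a minimal DNS reply: one question plus one A answer whose owner
    name is a compression pointer (0xC00C) back to the question name, as real
    servers send it."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR=1, RD/RA set
    question = _encode_name(qname) + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN
    answer = struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4) + ipaddress.IPv4Address(answer_ip).packed
    return header + question + answer


def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:   # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def _records(msg: bytes):
    """Yield (rtype, rclass, rdata_offset, rdlen) for every answer/authority/additional record."""
    qd, an, ns, ar = struct.unpack_from("!HHHH", msg, 4)
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4          # skip QTYPE and QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        yield rtype, rclass, off, rdlen
        off += rdlen


def a_answers(msg: bytes) -> list:
    """All IPv4 addresses carried in IN/A records of the message."""
    return [str(ipaddress.IPv4Address(msg[o:o + 4]))
            for t, c, o, n in _records(msg) if t == 1 and c == 1 and n == 4]


def doctor_reply(msg: bytes, mapped: str, real: str):
    """Model of the ASA rewrite: replace every A record equal to `mapped` with `real`.
    Returns (rewritten_message, number_of_records_changed). Queries pass untouched."""
    if not struct.unpack_from("!H", msg, 2)[0] & 0x8000:   # QR bit clear: a query
        return msg, 0
    buf = bytearray(msg)
    want, new = ipaddress.IPv4Address(mapped).packed, ipaddress.IPv4Address(real).packed
    changed = 0
    for rtype, rclass, off, rdlen in _records(msg):
        if rtype == 1 and rclass == 1 and rdlen == 4 and buf[off:off + 4] == want:
            buf[off:off + 4] = new       # same length, so no other offsets shift
            changed += 1
    return bytes(buf), changed


def address_seen_by_client(reply: bytes, reply_crosses_asa: bool) -> str:
    """Doctoring only happens to replies that actually traverse the ASA. A reply
    from a DNS server on the client's own LAN is never inspected, so the client
    keeps the public address."""
    if reply_crosses_asa:
        reply, _ = doctor_reply(reply, MAPPED_PUBLIC, REAL_INSIDE)
    return a_answers(reply)[0]


if __name__ == "__main__":
    reply = build_a_reply(0x1234, "www.example.com", MAPPED_PUBLIC)
    print("DNS server on the LAN :", address_seen_by_client(reply, False))
    print("reply crosses the ASA :", address_seen_by_client(reply, True))
```

Run it directly to see both outcomes. The rewrite touches only the four rdata bytes, which is why the ASA can do it without re-encoding the message; the second call shows why the placement of the DNS server relative to the firewall decides whether doctoring helps at all.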





DNS doctoring will not work

DNS doctoring will not work as it would seem that the DNS server is located on the local network that the user is connecting from (the DNS request will never pass through the firewall in this case.)

In your post you indicate that is the server's real address, so you have your NAT statement backwards.

The ASA 8.2 and earlier format is as follows:

static (real_int,mapped_int) mapped_address real_address

So your statement should look like the following:

static (inside,inside)

You will also need to ensure that you have the following command enabled on the ASA:

same-security-traffic permit intra-interface


Now having said all this, I still do not think it will work when accessing a webpage due to the asynchronous routing that will occur.  This is because the web server will see the source address as an address on its own subnet and send traffic directly to the inside host instead of back through the ASA.  The host will then send the next packet through the ASA firewall while the ASA will be expecting a different sequence number and think that the packet is spoofed and drop the packet.  A way to get around this is to enable TCP bypass...but this is usually not a recommended solution as it can be a security risk.

As an alternative solution I suggest you create a second DNS entry that resolves to the internal IP of the server for the internal hosts to use.


Please remember to select a correct answer and rate helpful posts
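The three points in the reply above (argument order of the pre-8.3 static command, the need for same-security-traffic permit intra-interface on a same-interface static, and the return traffic bypassing the ASA when server and clients share a subnet) are easy to check mechanically. The following is an added example of my own, not the thread's or Cisco's code: a small lint over 8.2-style config lines. The config lines, the server address 10.1.1.10 and the client subnet are constructed samples; the finding codes are my own names.

```python
"""Added example, not code from the thread: a small lint for the pre-8.3 ASA
``static`` syntax, static (real_int,mapped_int) mapped real.
Given the server's real inside address and the inside client subnet, it flags
the three problems the reply names: a backwards statement (real address in the
mapped slot), a same-interface static without ``same-security-traffic permit
intra-interface``, and a hairpin whose server shares the clients' subnet, where
return traffic bypasses the ASA. All sample lines and addresses are constructed.
"""
import ipaddress
import re

STATIC_RE = re.compile(
    r"^\s*static\s+\((?P<real_int>[\w-]+),(?P<mapped_int>[\w-]+)\)\s+"
    r"(?P<mapped>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<real>\d{1,3}(?:\.\d{1,3}){3})"
    r"(?:\s+netmask\s+(?P<mask>\d{1,3}(?:\.\d{1,3}){3}))?"
)
INTRA = "same-security-traffic permit intra-interface"


def parse_static(line: str):
    """Parse one 8.2-style static line into its fields, or None if it is not one."""
    m = STATIC_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["mask"] = fields["mask"] or "255.255.255.255"   # host static by default
    return fields


def lint_hairpin_config(config: str, server_real_ip: str, client_subnet: str) -> list:
    """Return a list of (code, message) findings for the given config text."""
    lines = config.splitlines()
    has_intra = any(l.strip() == INTRA for l in lines)
    server = ipaddress.ip_address(server_real_ip)
    clients = ipaddress.ip_network(client_subnet)
    findings = []
    for line in lines:
        s = parse_static(line)
        if s is None:
            continue
        text = line.strip()
        # Syntax is: static (real_int,mapped_int) mapped_address real_address
        if s["mapped"] == server_real_ip and s["real"] != server_real_ip:
            findings.append(("BACKWARDS",
                f"{text}: real address is in the mapped slot; order is mapped then real"))
        if s["real_int"] == s["mapped_int"]:
            if not has_intra:
                findings.append(("NO_INTRA_INTERFACE",
                    f"{text}: same-interface static needs '{INTRA}'"))
            if server in clients:
                findings.append(("ASYMMETRIC_RETURN",
                    f"{text}: server {server} is on the clients' subnet {clients}; "
                    "replies go directly to the client, not back through the ASA"))
    return findings


# Constructed sample: the backwards form the reply warns about, then a corrected version.
BACKWARDS_CONFIG = """\
static (inside,outside) 203.0.113.10 10.1.1.10 netmask 255.255.255.255
static (inside,inside) 10.1.1.10 203.0.113.10 netmask 255.255.255.255
"""

CORRECTED_CONFIG = """\
same-security-traffic permit intra-interface
static (inside,outside) 203.0.113.10 10.1.1.10 netmask 255.255.255.255
static (inside,inside) 203.0.113.10 10.1.1.10 netmask 255.255.255.255
"""

if __name__ == "__main__":
    for name, cfg in (("backwards", BACKWARDS_CONFIG), ("corrected", CORRECTED_CONFIG)):
        print(name, lint_hairpin_config(cfg, "10.1.1.10", "10.1.1.0/24") or "clean")
```

Even the corrected config still reports ASYMMETRIC_RETURN when the server sits in the same subnet as the clients; that finding only clears when the server is on a different inside subnet (or, as the reply suggests, when inside hosts are given a DNS entry that points at the internal address so no hairpin is needed).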
