Cisco Support Community
Community Member

Traffic from inside that references the outside interface IP


I have an ASA 5505 running 9.0 in routed mode. I have everything working fine with the exception of one item. I've set up port forwarding for the services that I need to have running, such as HTTP, FTP, SSH, RDP, etc. They all work from outside of the ASA; however, if I were to reference the webserver's URL internally, it will not work. So externally it works; however, if I use this same URL from a host on the inside interface, it will not work. I also cannot ping the external interface from inside the network, but can from outside of the ASA. My outside interface is obtaining an IP address via DHCP from my provider. My config is below.

Thanks in advance for any input!


ASA Version 9.0(1)

hostname tazasa
domain-name default.domain.invalid
enable password 8Ry2YjIyt7RRXU24 encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
xlate per-session permit tcp any4 any4
passwd lUgE9AXej18.2X7v encrypted

interface Ethernet0/0
 switchport access vlan 2

interface Ethernet0/1

interface Ethernet0/2

interface Ethernet0/3

interface Ethernet0/4

interface Ethernet0/5

interface Ethernet0/6

interface Ethernet0/7

interface Vlan1
 nameif inside
 security-level 100
 ip address

interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute

boot system disk0:/asa901-k8.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network centos_www
 description centos_www
object network NAS_FTP
 description NAS_FTP
object network centos_ssh
 description centos_ssh
object network Remote_Desktop_2
 description Remote_Desktop_2
object network Remote_Desktop_1
 description Remote_Desktop_1
object network Drive_CAM
 description Drive_CAM
object network Door_CAM
 description Door_CAM
object network ebooks_gateway
 description ebooks_gateway
object network Linksys_phone
 description Linksys_Phone
object network Inside_network
 description Inside_Network
object network obj_any
 description obj_any
object network xbox_3074_tcp
 description xbox_3074_tcp
object network xbox_3074_udp
 description xbox_3074_udp
object network centos_tftp
 description centos_tftp
access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit ip any any
access-list global_access extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
asdm image disk0:/asdm-711-52.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected

object network centos_www
 nat (any,outside) static interface service tcp www www
object network NAS_FTP
 nat (any,outside) static interface service tcp ftp ftp
object network centos_ssh
 nat (any,outside) static interface service tcp ssh ssh
object network Remote_Desktop_2
 nat (any,outside) static interface service tcp 3390 3390
object network Remote_Desktop_1
 nat (any,outside) static interface service tcp 3389 3389
object network Drive_CAM
 nat (any,outside) static interface service tcp 9101 9101
object network Door_CAM
 nat (any,outside) static interface no-proxy-arp service tcp 9100 9100
object network ebooks_gateway
 nat (any,outside) static interface service tcp 8888 8888
object network Linksys_phone
 nat (any,outside) static interface service tcp sip sip
object network Inside_network
 nat (any,outside) static interface
object network obj_any
 nat (inside,outside) dynamic interface
object network xbox_3074_tcp
 nat (any,outside) static interface service tcp 3074 3074
object network xbox_3074_udp
 nat (any,outside) static interface service udp 3074 3074
object network centos_tftp
 nat (any,outside) static interface service udp tftp tftp
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group global_access global
route inside 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
http server enable
http inside
http inside
http outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside

dhcpd address inside
dhcpd enable inside

threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
username ****** password nWdS.kwFG0AJMUCx encrypted privilege 15

class-map inspection_default
 match default-inspection-traffic

policy-map type inspect dns preset_dns_map
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
  inspect http

service-policy global_policy global
prompt hostname context
no call-home reporting anonymous

profile CiscoTAC-1
  no active
  destination address http
  destination address email
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
hpm topN enable


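As an added example (not part of the post and not a Cisco tool), the Python below audits a trimmed copy of the configuration above for the points this thread turns on. It pulls out every static PAT bound to the outside interface IP, checks whether any NAT rule has the same real and mapped interface (the hairpin form a LAN client would need in order to reach those PATs through the public IP), confirms that intra-interface traffic is permitted, and lists the "permit ip any any" access lists and management-access lines that sit next to them. The sample config is a constructed subset of the posted one; the regular expressions and the finding names are this example's own assumptions about the running-config syntax, not Cisco definitions.

```python
"""Audit an ASA running-config excerpt for the NAT and exposure points
discussed in the thread. Added example, not Cisco's tooling."""
import re
from typing import List, Optional

# Constructed input: a trimmed subset of the config pasted in the question,
# using the same redacted two-word form for the http/telnet lines.
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
same-security-traffic permit intra-interface
access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit ip any any
access-list global_access extended permit ip any any
object network centos_www
 nat (any,outside) static interface service tcp www www
object network Door_CAM
 nat (any,outside) static interface no-proxy-arp service tcp 9100 9100
object network obj_any
 nat (inside,outside) dynamic interface
object network xbox_3074_udp
 nat (any,outside) static interface service udp 3074 3074
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group global_access global
http server enable
http inside
http outside
telnet inside
telnet timeout 5
ssh timeout 5
"""

# Assumed shapes of the commands we care about (object NAT, ACLs, access-group,
# and the http/ssh/telnet management-access lines).
NAT_RE = re.compile(
    r"nat \((?P<real>[^,]+),(?P<mapped>[^)]+)\) (?P<kind>static|dynamic) "
    r"(?P<mapped_addr>\S+)(?: no-proxy-arp)?"
    r"(?: service (?P<proto>tcp|udp) (?P<real_port>\S+) (?P<mapped_port>\S+))?$"
)
ACL_ANY_RE = re.compile(r"access-list (?P<name>\S+) extended permit ip any any$")
ACCESS_GROUP_RE = re.compile(r"access-group (?P<name>\S+) (?:in interface (?P<ifc>\S+)|global)$")
MGMT_RE = re.compile(r"^(?P<proto>http|ssh|telnet)(?: \S+ \S+)? (?P<ifc>\S+)$")


def parse_asa_config(text: str) -> dict:
    """Walk the config once, remembering the enclosing 'object network' block
    so each nat statement is attributed to the object it belongs to."""
    cfg = {"nat": [], "acl_any": [], "access_group": {}, "mgmt": [], "intra_interface": False}
    current_object: Optional[str] = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        indented = raw.startswith(" ")
        line = raw.strip()
        if not indented:  # a new top-level command ends the object block
            current_object = line.split()[2] if line.startswith("object network ") else None
        if line == "same-security-traffic permit intra-interface":
            cfg["intra_interface"] = True
        elif (m := NAT_RE.match(line)):
            rule = m.groupdict()
            rule["object"] = current_object
            cfg["nat"].append(rule)
        elif (m := ACL_ANY_RE.match(line)):
            cfg["acl_any"].append(m["name"])
        elif (m := ACCESS_GROUP_RE.match(line)):
            cfg["access_group"][m["name"]] = m["ifc"] or "global"
        elif (m := MGMT_RE.match(line)):
            cfg["mgmt"].append((m["proto"], m["ifc"]))
    return cfg


def audit(cfg: dict) -> dict:
    static_pats = [r for r in cfg["nat"]
                   if r["kind"] == "static" and r["mapped_addr"] == "interface" and r["proto"]]
    # The "special NAT" the reply mentions is a rule whose real and mapped
    # interface are both inside; object NAT bound to outside does not cover a
    # LAN client that addresses the outside interface IP.
    hairpin = any(r["real"] == r["mapped"] for r in cfg["nat"])
    open_acls = [n for n in cfg["acl_any"] if n in cfg["access_group"]]
    mgmt_outside = [f"{p} {i}" for p, i in cfg["mgmt"] if i == "outside"]
    cleartext = [f"{p} {i}" for p, i in cfg["mgmt"] if p == "telnet"]
    return {
        "static_pat_to_interface": static_pats,
        "hairpin_rule_present": hairpin,
        "intra_interface_permitted": cfg["intra_interface"],
        "open_acls": open_acls,
        "management_on_outside": mgmt_outside,
        "cleartext_management": cleartext,
    }


def report(findings: dict) -> List[str]:
    lines = [f"static PAT {r['object']}: {r['proto']}/{r['mapped_port']} on the outside interface IP"
             for r in findings["static_pat_to_interface"]]
    if findings["static_pat_to_interface"] and not findings["hairpin_rule_present"]:
        lines.append("no (inside,inside) NAT rule: LAN clients cannot reach those PATs via the public IP")
    if findings["intra_interface_permitted"]:
        lines.append("intra-interface traffic already permitted (prerequisite for a hairpin rule)")
    lines += [f"ACL {n} is 'permit ip any any' and is applied" for n in findings["open_acls"]]
    lines += [f"management access enabled from outside: {e}" for e in findings["management_on_outside"]]
    lines += [f"cleartext management enabled: {e}" for e in findings["cleartext_management"]]
    return lines


if __name__ == "__main__":
    for line in report(audit(parse_asa_config(SAMPLE_CONFIG))):
        print(line)
```

Run it against your own `show running-config` output instead of the constructed sample; the management-access regex accepts both the redacted two-word form seen in the post and the full `http <net> <mask> <ifc>` form, and "http server enable" and the timeout lines are deliberately not matched.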
Super Bronze

Traffic from inside that references the outside interface IP


Seems like a problematic situation to me.

Usually one easy way is to use DNS rewrite, so that when the client asks the DNS server for the public IP address of the server, the ASA modifies the DNS reply to point to the local IP address of the server before returning the reply to the client. But as you are using Static PAT (Port Forward), this to my understanding is not possible.

One other usual option is to do a special NAT so that you can connect to the server from your LAN with the public IP address, but since you mention that your ASA gets its public IP address with DHCP, we really don't have a way of knowing if the IP address will change at some point (usually it tends to stay the same, for me at least), and that would make the NAT configurations useless.

You might therefore want to consider modifying the clients' local settings so that they connect to the local IP address of the server when you connect to the certain DNS name. On Windows hosts this can naturally be done with the hosts file.

- Jouni
