Cisco Support Community
Community Member

ASA5505 - Inside hosts accessing ASA's external interface.

Hello everyone,


I'm struggling with the following issue for days and would very much appreciate your help:


I have an ASA5505 that does NAT for inside hosts for internet access and also forwards some ports from the external interface to an inside host server (tcp 25, 80, 143, etc). I need my inside hosts to be able to access the inside server via its external DNS name (, so we can have a single configuration in our e-mail clients (smtp server: that would work both from the Outside (Internet) and the internal LAN.


The ASA however discards the packets, packet-tracer shows the following:


Note: 82.79.xx.xx is the ASA's external IP address where there is some port forwarding (NAT) done to an internal server (port 143, 25, others)


# packet-tracer input Company_LAN tcp 11000 82.79.xx.xx 143 detailed

Phase: 1
Result: ALLOW
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xcb343210, priority=1, domain=permit, deny=false
        hits=145773, user_data=0x0, cs_id=0x0, l3_type=0x8
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0100.0000.0000
        input_ifc=Company_LAN, output_ifc=any

Phase: 2
Subtype: input
Result: ALLOW
Additional Information:
in   82.79.xx.xx identity

Phase: 3
Result: DROP
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xcb343890, priority=0, domain=permit, deny=true
        hits=1175, user_data=0x9, cs_id=0x0, use_real_addr, flags=0x1000, protocol=0
        src ip/id=, mask=, port=0
        dst ip/id=, mask=, port=0, dscp=0x0
        input_ifc=Company_LAN, output_ifc=any

input-interface: Company_LAN
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule


I'm pretty sure this is some default ASA behavior or default ACL which I'm not aware of.

Any advice is greatly appreciated!


VIP Purple

This feature is not available on the ASA. But there are two "native" ways to solve that problem:

  1. Configure the name on your internal DNS with the internal IP.
  2. Use DNS-doctoring. For that you add the keyword "dns" to the NAT-statement for your internal server. But that works only with 1:1 NAT and not with port-forwarding.


Community Member

Thank you for your advice. 


There is no internal DNS Server at the moment, clients are configured to access DNS servers provided by the ISP. I have found some documentation on "NAT Hairpinning", is this a solution applicable to ASA software version 8.4(2)? If so, can you please provide one example command?


Edit: perhaps a static NAT to redirect any requests from inside hosts for the ASA's external IP 82.79.xx.xx to the internal server?

Thank you,

Community Member

Solved via following set of commands:


!--- Enable Hairpinning (traffic entering and leaving the same interface)
same-security-traffic permit intra-interface

!--- Inside subnet; the subnet line is missing from the post, the value is a placeholder
object network Company_Network
 subnet <inside-subnet> <mask>

!--- The ASA's public address; the object name is missing from the post,
!--- Company_Server_Public is a placeholder
object network Company_Server_Public
 host 82.79.xx.xx

!--- The server's real inside address (missing from the post, placeholder)
object network Company_Server
 host <server-inside-ip>

!--- Twice NAT: inside clients reaching the public address are redirected to the
!--- server, with their source PATed to the inside interface so replies return via
!--- the ASA. "destination static" takes the mapped object first, then the real one.
nat (Company_LAN,Company_LAN) source dynamic Company_Network interface destination static Company_Server_Public Company_Server
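
A tighter variant of the hairpin rule above, added here as an example and not taken from the poster's configuration: the redirect is limited to the ports the server actually publishes (25, 80, 143), and the commands to verify it follow. The inside subnet 192.0.2.0/24, the server address 192.0.2.25 and the client 192.0.2.50 are placeholders; the object and service names are chosen for this example.

```cisco
!--- Added example, not from the original post. Placeholders: inside subnet
!--- 192.0.2.0/24, server 192.0.2.25, client 192.0.2.50 (replace with your own).
same-security-traffic permit intra-interface

object network Company_Network
 subnet 192.0.2.0 255.255.255.0
object network Company_Server
 host 192.0.2.25
object network Company_Server_Public
 host 82.79.xx.xx

!--- One service object per published port; used as both mapped and real service
object service svc_smtp
 service tcp destination eq 25
object service svc_http
 service tcp destination eq 80
object service svc_imap
 service tcp destination eq 143

!--- Hairpin rules (manual NAT, section 1, evaluated before the object NAT port
!--- forwards). Without the service keyword every port on 82.79.xx.xx would be
!--- redirected to the server, including ports never exposed to the Internet.
nat (Company_LAN,Company_LAN) source dynamic Company_Network interface destination static Company_Server_Public Company_Server service svc_smtp svc_smtp
nat (Company_LAN,Company_LAN) source dynamic Company_Network interface destination static Company_Server_Public Company_Server service svc_http svc_http
nat (Company_LAN,Company_LAN) source dynamic Company_Network interface destination static Company_Server_Public Company_Server service svc_imap svc_imap

!--- Verify: the trace should now show an UN-NAT phase and Result: ALLOW instead
!--- of the acl-drop on the NP Identity Ifc; show xlate lists the PATed client.
packet-tracer input Company_LAN tcp 192.0.2.50 11000 82.79.xx.xx 143 detailed
show nat detail
show xlate
```

Access lists on Company_LAN still apply to the redirected flow, so the ports must also be permitted there if an inbound ACL is configured on that interface.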
