ASA 5505 SSL VPN -- VPN sessions connecting to outside network

swb
Level 1

When SSL VPN sessions are established, they can access the internal network (behind the ASA) without any problem. I had to create a NAT exception rule for this (as per Document ID 99756).

But I cannot get access to the outside network. Do I need a NAT rule or an access rule? ASDM logging doesn't show any access errors.

Split tunneling isn't an option as the purpose of this is to gain access to Internet-based resources from prohibited networks.



dongdongliu
Level 1

Hi Shawn,

Where can you not access outside?

What is the configuration about?

same-security-traffic permit intra-interface

global (outside) 1 interface

nat (outside)

That should do it...

Perfect. I picked that up from another thread (that I think you even answered). IMHO Cisco should add this in as an optional step in the SSL VPN examples.

Do you know if it's possible to access statically NATted hosts from the inside via their external IPs?

I.e., host1 is statically NATted, hosts 2-10 are not, and they resolve host1's HTTP URLs to the external IP (name resolution is happening internally and not passing through the firewall), but they cannot hairpin through the firewall to connect via the external IP.

So if I understand correctly, a host on the inside tries to access yourdomain.com, which resolves to an external ip. This external ip is translated in your firewall to an internal ip. To get this to work, the setup would be something like this...

webserver inside ip = x.x.x.x

webserver external ip = y.y.y.y

inside host subnet = z.z.z.z/24

same-security-traffic permit intra-interface

static (inside,inside) y.y.y.y x.x.x.x netmask 255.255.255.255

global (inside) 10 interface

nat (inside) 10 z.z.z.z 255.255.255.0

That should do the trick.

That worked like halfway.

It allowed me to access the inside host via its external address, but then I couldn't get to anything else and the log reported:

3 Feb 21 2008 19:42:27 305006 71.5.102.254 portmap translation creation failed for tcp src inside:192.168.1.44/1221 dst outside:71.5.102.254/1234

Could you post your config?

Sure. I added the output of "show tech support".

Sorry for the delay, try...

webserver inside ip = x.x.x.x

webserver external ip = y.y.y.y

inside host subnet = z.z.z.z/24

same-security-traffic permit intra-interface

static (inside,inside) y.y.y.y x.x.x.x netmask 255.255.255.255

global (inside) 1 interface

You're a genius, that seems to work perfectly.

I swear I look at these NAT rules and they make sense and then I try to do something and I'm lost.
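To see why the interim suggestion "worked like halfway" (message 305006 for inside-to-outside traffic) while the final one did not, here is an added Python checker that is not from this thread or from Cisco: it parses the pre-8.3 nat/global/same-security-traffic lines from a config snippet and a 305006 log line, and reports which pairing the failed flow is missing. The config fragments, the 192.168.1.0/24 and 203.0.113.10 values, and the pre-existing "nat (inside) 1 0.0.0.0 0.0.0.0" line are constructed assumptions, since the original config was never posted.

```python
import re

# Constructed ASA 8.0-style fragments modelled on the two suggestions above.
# "nat (inside) 1 0.0.0.0 0.0.0.0" is assumed to be the pre-existing PAT rule.
BEFORE_CFG = """
same-security-traffic permit intra-interface
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
static (inside,inside) 203.0.113.10 192.168.1.10 netmask 255.255.255.255
nat (inside) 10 192.168.1.0 255.255.255.0
global (inside) 10 interface
"""
AFTER_CFG = """
same-security-traffic permit intra-interface
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
static (inside,inside) 203.0.113.10 192.168.1.10 netmask 255.255.255.255
global (inside) 1 interface
"""
# ASDM log line shaped like the one quoted in the thread (constructed copy).
LOG = ("3 Feb 21 2008 19:42:27 305006 71.5.102.254 portmap translation creation "
       "failed for tcp src inside:192.168.1.44/1221 dst outside:71.5.102.254/1234")

NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) (\S+) (\S+)")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) ")
LOG_RE = re.compile(r"305006 .*src (\w+):([\d.]+)/\d+ dst (\w+):([\d.]+)/\d+")

def ip_int(ip):
    return int.from_bytes(bytes(map(int, ip.split("."))), "big")

def in_net(ip, net, mask):
    return ip_int(ip) & ip_int(mask) == ip_int(net) & ip_int(mask)

def parse(cfg):
    """Collect dynamic nat statements, global (iface, id) pairs, and the intra flag."""
    nats, globs, intra = [], set(), False
    for line in cfg.strip().splitlines():
        if line.startswith("same-security-traffic permit intra-interface"):
            intra = True
        elif m := NAT_RE.match(line):
            nats.append((m[1], int(m[2]), m[3], m[4]))   # iface, id, net, mask
        elif m := GLOBAL_RE.match(line):
            globs.add((m[1], int(m[2])))
    return nats, globs, intra

def diagnose(cfg, log):
    """Explain a 305006 by matching the failed flow against the nat/global pairs."""
    nats, globs, intra = parse(cfg)
    m = LOG_RE.search(log)
    if not m:
        return "not a 305006 line"
    src_if, src_ip, dst_if, _ = m.groups()
    if src_if == dst_if and not intra:
        return "hairpin blocked: same-security-traffic permit intra-interface missing"
    # Pre-8.3 dynamic NAT uses the most specific matching nat statement on the
    # source interface, so a /24 with id 10 wins over the 0.0.0.0/0 with id 1.
    cands = [n for n in nats if n[0] == src_if and in_net(src_ip, n[2], n[3])]
    if not cands:
        return f"no nat statement on {src_if} covers {src_ip}"
    best = max(cands, key=lambda n: ip_int(n[3]))
    if (dst_if, best[1]) in globs:
        return "ok"
    return f"nat ({src_if}) {best[1]} matched but no global ({dst_if}) {best[1]}"
```

Run against BEFORE_CFG the checker reports that nat id 10 matched with no global (outside) 10, which is exactly the condition behind the quoted 305006; against AFTER_CFG the same flow is "ok" because the pre-existing id 1 now has a global on both interfaces.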
