Cisco ASA - configuring NAT to provide the same service (with different IP address) to external and internal users (DNS NAT)


I had a customer with the following problem:

  • there was an internet service (HTTPS webmail) located at his corporate office
  • the URL for this service was something like https://webmail.externaldomain.com, available and working from the internet (static NAT on the Cisco ASA to the internal webmail server)
  • external users were able to access it normally via the internet
  • however, internal users couldn't access this URL, because the Cisco ASA was dropping that traffic (inside to inside, using the external IP address as the destination)
  • users on the inside had to use a different URL to reach the same service (like https://webmail.internaldomain.local)
I found a document on Cisco's website with examples of NAT problems with internal services on the ASA, including this one.

The solution for this problem is very simple: you create a static NAT rule with DNS modification, so that internal users who look up the external name get the internal address back. The following example is taken from the Cisco site:

Step 1: Create a network object for the FTP server address:
hostname(config)# object network FTP_SERVER

Step 2: Define the FTP server address, and configure static NAT with DNS modification:
hostname(config-network-object)# host 209.165.201.10
hostname(config-network-object)# nat (outside,inside) static 10.1.2.56 dns

I just needed to create this NAT rule: a static NAT using the external and internal IP addresses. In my case it was not FTP but an HTTPS webmail, but the config is the same.

With this config, internal users can open the outside URL (like https://webmail.externaldomain.com), but the ASA rewrites the address in the DNS reply (that is what the dns keyword on the nat command does), so their browsers connect to the internal IP address. This is transparent to the users.
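To make the behaviour of the dns keyword concrete, here is a small model of what the ASA does to a DNS reply that crosses it. This is an added example written for this post; it is not ASA code and not the author's configuration. It builds a constructed DNS response packet, then applies a static NAT rule with the addresses from the Cisco example quoted above (real address 209.165.201.10 on the outside, mapped address 10.1.2.56 presented to the inside). The NAT_RULES dictionary, its field names and the interface names are my own modelling assumptions, not ASA internals. Note that in the quoted Cisco example the FTP server is on the outside; for a server that actually lives on the inside, the same linked Cisco document shows the rule written the other way round, as nat (inside,outside) static <external IP> dns on the object holding the internal address. The rewrite logic is symmetric, so the one model below covers both directions.

```python
import struct

# Constructed model of one ASA static NAT rule carrying the "dns" keyword,
# using the addresses of the Cisco example quoted in the post:
#   object network FTP_SERVER / host 209.165.201.10
#   nat (outside,inside) static 10.1.2.56 dns
# Field names are an assumption of this model, not ASA internals.
NAT_RULES = [
    {"real_if": "outside", "real_ip": "209.165.201.10",
     "mapped_if": "inside", "mapped_ip": "10.1.2.56", "dns": True},
]


def encode_name(name):
    """Encode a DNS name in wire format (length-prefixed labels)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_a_reply(txid, name, ip):
    """Build a minimal DNS response: one question and one A record answer."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN
    rdata = bytes(int(o) for o in ip.split("."))
    # Answer name is a compression pointer to the question name at offset 12.
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + rdata
    return header + question + answer


def skip_name(pkt, off):
    """Return the offset just past a (possibly compressed) DNS name."""
    while True:
        length = pkt[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, then done
            return off + 2
        off += 1 + length


def iter_a_records(pkt):
    """Yield (rdata_offset, dotted_ip) for each A record in the answer section."""
    qdcount, ancount = struct.unpack("!HH", pkt[4:8])
    off = 12
    for _ in range(qdcount):
        off = skip_name(pkt, off) + 4  # skip QTYPE and QCLASS
    for _ in range(ancount):
        off = skip_name(pkt, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            yield off, ".".join(str(b) for b in pkt[off:off + 4])
        off += rdlen


def doctor_dns_reply(pkt, from_if, to_if):
    """Rewrite A records the way a "nat ... dns" rule does for a reply
    entering on from_if and leaving on to_if."""
    pkt = bytearray(pkt)
    for off, ip in list(iter_a_records(bytes(pkt))):
        for rule in NAT_RULES:
            if not rule["dns"]:
                continue
            # Reply travels from the real side to the mapped side: real -> mapped.
            if (from_if, to_if) == (rule["real_if"], rule["mapped_if"]) and ip == rule["real_ip"]:
                new_ip = rule["mapped_ip"]
            # Reply travels from the mapped side to the real side: mapped -> real.
            elif (from_if, to_if) == (rule["mapped_if"], rule["real_if"]) and ip == rule["mapped_ip"]:
                new_ip = rule["real_ip"]
            else:
                continue
            pkt[off:off + 4] = bytes(int(o) for o in new_ip.split("."))
    return bytes(pkt)


def resolved_addresses(pkt):
    """Addresses a client would see in this reply."""
    return [ip for _, ip in iter_a_records(pkt)]


if __name__ == "__main__":
    # Constructed reply from a DNS server on the outside, crossing to an inside client.
    reply = build_a_reply(0x1234, "webmail.externaldomain.com", "209.165.201.10")
    print("before:", resolved_addresses(reply))
    print("after :", resolved_addresses(doctor_dns_reply(reply, "outside", "inside")))
```

One caveat worth checking in practice: the ASA can only rewrite replies that actually pass through it. If the inside clients use an internal DNS server that answers with the external address itself, the reply never crosses the firewall and nothing is rewritten; in that case the fix is a split-horizon record on the internal DNS rather than the dns keyword.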

More NAT examples for different topologies like this one can be found at: https://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/nat_objects.html#wp1140517
