Cisco ASA - configuring NAT to provide the same service (with different IP address) to external and internal users (DNS NAT)

I had a customer with the following problem:

  • there was an internet-facing service (an HTTPS webmail) located at his corporate office
  • the URL for this service was a URL like - available and working from the internet (NAT on the Cisco ASA to the internal webmail server)
  • external users were able to access it normally via the internet
  • however, internal users couldn't access this URL, because the Cisco ASA was blocking this traffic (from inside to inside, using the external IP address as the destination)
  • internal users therefore had to use a different URL to reach the same service (like https://webmail.internaldomain.local)

I found on the Cisco website a document with examples of ASA/NAT problems with internal services, including this one.

The solution for this problem is very simple: you can create a NAT configuration that only applies to internal users trying to access an internal server via its external IP address. Follow the example from the Cisco site:

Step 1: Create a network object for the FTP server address:
hostname(config)# object network FTP_SERVER

Step 2: Define the FTP server address, and configure static NAT with DNS modification:
hostname(config-network-object)# host
hostname(config-network-object)# nat (outside,inside) static dns

All that was needed was to create this NAT rule: a static NAT using the external and the internal IP addresses. In my case it was not FTP but an HTTPS webmail, but the configuration is the same.

With this config, internal users can access the outside URL (like but using the internal IP address, and this is transparent to them.
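To make concrete what the dns keyword on the static NAT rule does, here is an added Python model of DNS reply modification (DNS doctoring). It is not Cisco's code and not part of the original post: it builds a small DNS response on the wire format, then rewrites the A record the way the firewall would when the reply crosses from the DNS server's interface to the user's interface. The interface names, the host name webmail.example.com and the addresses (203.0.113.10 as the public address, 192.168.10.25 as the internal one) are all constructed for the example. The model also shows that the rule written the way the post has it, nat (outside,inside), and the same mapping written as nat (inside,outside) produce the same rewrite for a reply heading to inside.

```python
"""Model of ASA-style DNS reply modification (DNS doctoring).

Added illustration, not Cisco code: it shows what the `dns` keyword on a
static NAT rule does to an A-record answer as the reply crosses the firewall.
"""
import ipaddress
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class StaticNatDns:
    """Model of `object network X` with `host <real_ip>` and
    `nat (real_if,mapped_if) static <mapped_ip> dns`.
    Interface names and addresses are assumptions chosen for the example."""
    real_if: str
    mapped_if: str
    real_ip: str
    mapped_ip: str

    def translate(self, addr, ingress, egress):
        """Rewritten address for an A record in a reply entering on `ingress`
        and leaving on `egress`, or None when the rule does not apply.
        A reply heading toward the mapped interface carries real -> mapped;
        one heading toward the real interface carries mapped -> real."""
        if ingress == self.real_if and egress == self.mapped_if and addr == self.real_ip:
            return self.mapped_ip
        if ingress == self.mapped_if and egress == self.real_if and addr == self.mapped_ip:
            return self.real_ip
        return None


def build_a_reply(name, addr, txid=0x1234):
    """Construct a minimal DNS response with one question and one A answer
    (sample input built for the example, not captured traffic)."""
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR=1, RD, RA; 1 Q, 1 answer
    question = qname + struct.pack("!HH", 1, 1)                 # QTYPE=A, QCLASS=IN
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)    # pointer to qname, A, IN, TTL, RDLEN
    return header + question + answer + ipaddress.IPv4Address(addr).packed


def _skip_name(buf, pos):
    """Return the offset just past a DNS name (labels or a compression pointer)."""
    while True:
        length = buf[pos]
        if length == 0:
            return pos + 1
        if length & 0xC0 == 0xC0:   # two-byte compression pointer ends the name
            return pos + 2
        pos += 1 + length


def a_record_offsets(reply):
    """Yield (rdata_offset, dotted_address) for every IPv4 A answer in the reply."""
    qdcount, ancount = struct.unpack_from("!HH", reply, 4)
    pos = 12                                          # past the fixed header
    for _ in range(qdcount):
        pos = _skip_name(reply, pos) + 4              # QTYPE + QCLASS
    for _ in range(ancount):
        pos = _skip_name(reply, pos)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", reply, pos)
        pos += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            yield pos, str(ipaddress.IPv4Address(reply[pos:pos + 4]))
        pos += rdlen


def answer_addresses(reply):
    """Addresses carried in the reply's A answers, in order."""
    return [addr for _, addr in a_record_offsets(reply)]


def doctor_dns_reply(reply, rules, ingress, egress):
    """Apply the first matching dns-enabled static NAT rule to each A answer."""
    out = bytearray(reply)
    for offset, addr in a_record_offsets(reply):
        for rule in rules:
            new_addr = rule.translate(addr, ingress, egress)
            if new_addr is not None:
                out[offset:offset + 4] = ipaddress.IPv4Address(new_addr).packed
                break
    return bytes(out)


WEBMAIL_INTERNAL = "192.168.10.25"   # constructed internal address
WEBMAIL_PUBLIC = "203.0.113.10"      # constructed public address (RFC 5737 range)

# The same mapping written both ways: the post's (outside,inside) spelling,
# and the (inside,outside) spelling with the internal host as the real address.
RULE_POST_STYLE = StaticNatDns("outside", "inside", WEBMAIL_PUBLIC, WEBMAIL_INTERNAL)
RULE_INSIDE_OUTSIDE = StaticNatDns("inside", "outside", WEBMAIL_INTERNAL, WEBMAIL_PUBLIC)


def demo():
    """A reply from an outside DNS server, seen by inside users and by a DMZ."""
    reply = build_a_reply("webmail.example.com", WEBMAIL_PUBLIC)
    return {
        "to_inside_post_style": answer_addresses(doctor_dns_reply(reply, [RULE_POST_STYLE], "outside", "inside")),
        "to_inside_alt_style": answer_addresses(doctor_dns_reply(reply, [RULE_INSIDE_OUTSIDE], "outside", "inside")),
        "to_dmz_untouched": answer_addresses(doctor_dns_reply(reply, [RULE_POST_STYLE], "outside", "dmz")),
        "no_dns_keyword": answer_addresses(reply),
    }


if __name__ == "__main__":
    for case, addrs in demo().items():
        print(f"{case}: {addrs}")
```

Two points worth checking on a real ASA when this does not behave as the model shows: the rewrite only happens when DNS inspection is enabled for the traffic (it is part of the default global policy via inspect dns), and only replies that actually pass through the ASA are rewritten, so an internal DNS server that answers inside users directly with the public address is never seen by the firewall.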

More problems with different topologies like this can be found at: