Hosts in 192.168.3.0/24, 192.168.4.0/24 need to connect to https://1.1.1.100/
https://1.1.1.100/ is mapped to 192.168.3.7
It's kind of hairpin traffic, or U-turn traffic.
Internet user can access http://1.1.1.100/ without any issue. But internal user couldn't.
Here is the configuration
ASA Version 8.4(2)
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.4.254 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 1.1.1.1 255.255.255.0
!
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
!
access-list outside_access_in extended permit tcp any object svr-192.168.3.7 eq https
access-list inside_access_in extended permit ip any any log disable
!
object network svr-192.168.3.7
nat (inside,outside) static ip-1.1.1.100 service tcp https https
object network subnet-192.168.3.0-24
nat (inside,outside) dynamic 1.1.1.3
object network subnet-192.168.4.0-24
nat (inside,outside) dynamic 1.1.1.4
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
policy-map type inspect esmtp esmtp_inspect_map
parameters
match sender-address length gt 320
log
match MIME filename length gt 255
log
match cmd line length gt 512
log
match cmd RCPT count gt 100
log
match body line length gt 998
log
!
service-policy global_policy global
