Thank you Karsten for the Answer.

1. I can’t accept the #1 as a solution. Though it is pretty easy to implement, it is an “special action” that alter normal network behavior. I have never faced this problem before, any other router from windows server to tiny hardware home router does not have this problem, only ASA have.

So I prefer to fix ASA’s behavior instead of changing everything around it.

2. Solution #2 does not make sense as Primary DNS for our company domain is hosted by domain register.

3. I want to focus on a solution #3. Could you please give me a good example of NAT command for ASA according to my example? I have tried several examples from Internet, none of them have worked, as the situation was slightly different. And I don’t have enough experience to adopt it to my situation.

1) You can't fix the ASA behavior here as this is how the ASA works. And yes, it's different compared to many other devices.

2) Here it is not important where your domain is hosted. As the FQDN in question is a public FQDN, it is most common that it is hosted publicly. The ASA only has to see the DNS request/reply to do DNS-doctoring.

3) That would look like the following:

nat (LAPTOP-INT,SERVER-INT) source static obj-LAPTOP-NET obj-LAPTOP-NET destination static obj-PUBLIC-IP obj-PRIVATE-IP service obj-HTTP obj-HTTP

Ok, I have tried dns Doctoring, it works. But it is basically the same as solution #1, we faking dns respond in different ways. The solution is not bad, it works, but it covers not all the situations.

We have, for example, smartphone app, which establishes connection to internal web server over public IP. The solution #1/#2 does not help in this case.

So I have tried following:

object network obj-LAPTOP-NET
subnet 192.168.2.0 255.255.255.0

object network obj-PUBLIC-IP
host XXX.XXX.XXX.XXX

object network obj-PRIVATE-IP
host 192.168.2.1

object service web_80
service tcp destination eq http

object service web_443
service tcp destination eq https

nat (inside-10,inside-10) source static obj-LAPTOP-NET obj-LAPTOP-NET destination static obj-PUBLIC-IP obj-PRIVATE-IP service web_80 web_80
nat (inside-10,inside-10) source static obj-LAPTOP-NET obj-LAPTOP-NET destination static obj-PUBLIC-IP obj-PRIVATE-IP service web_443 web_443

and it does not work. Probably because web-server and Users/Laptops are in the same VLAN.

> We have, for example, smartphone app, which establishes connection to internal web server over public IP. The solution #1/#2 does not help in this case.

That can be changed.

> and it does not work. Probably because web-server and Users/Laptops are in the same VLAN.

Well, that is a different scenario than the one you asked for. For this to work you also need to do source-NAT:

nat (inside-10,inside-10) source dynamic any interface destination static obj-PUBLIC-IP obj-PRIVATE-IP service web_80 web_80

As I had a time pressure, I have to implemented solution #1.
But I will try with source and destination NAT.

Thank you!

As already mentioned, I consider solution 1 and also solution 2 as much better then solving that with NAT. NAT-workarounds make the firewall-config more complex and that is not good for security. The root of the problem is not the behavior of the ASA but the client using the wrong IP address (because the IP of the server is private). Both is solved with 1) and 2).

I agree. But before ASA we did not have this issue. Then suddenly I had to change lots in network around ASA.

I personally don’t like the fact, that you can’t reach you own interface, even if it is normal behavior. I believe, that nothing should be blocked unless Administrator do it, so there is less potential for problems. You may call it ISP logic.

With solution #1 I have actually increased complexity of a system, now I must be aware of a DNS exception, have to organize DNS access for gust networks, and exclude DNS access for guest networks over VPN. Instead of fixing it in one point and forever. This solution is really pain in the ass, but I have already implemented it.