Cisco ASA5520 Intra-interface communication and dns rewrite problem

huonit123
Level 1

Hello everyone,

Recently I deployed an ASA 5520 as our company firewall. Everything is working fine except for two main problems that I still cannot resolve after a lot of research. I hope someone can help me out or give me some ideas.

1. DNS rewriting - Internal users cannot access the DMZ or internal server by entering the domain name or the external IP address; for example, https://domain.com resolves to our WAN IP address 210.0.0.83 (the internal IP address is 192.168.1.21).

I used

static (inside,Outside) tcp 210.0.0.83 https 192.168.1.21 https netmask 255.255.255.255 dns

but it does not work. We have an internal DNS server, but I don't want to just add the domain as a record there. Is there any way to let internal users access the internal server and the DMZ server through the public domain name?

2. We also have multiple internal subnets. Another router is connected to the ASA inside interface using IP address 192.168.1.223, and the subnet 10.1.15.16/28 is behind this router. Users in subnet 192.168.1.0/24 connect to the firewall inside interface directly.

I added a static route and permitted intra-interface traffic:

route inside 10.1.15.16 255.255.255.240 192.168.1.223 1
same-security-traffic permit intra-interface

I also added:
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 10.1.15.16 255.255.255.240
access-list inside_nat0_outbound extended permit ip 10.1.15.16 255.255.255.240 192.168.1.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound

Internal users on 192.168.1.0/24 can ping 10.1.15.18 but cannot telnet to 10.1.15.18 port 22.

If I set 192.168.1.223 as the default gateway of one of the workstations on 192.168.1.0/24, it can telnet to 10.1.15.18 port 22 without any problem.

I am really stuck on these two problems; please, someone help me out.

Thank you very much.
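
Added example, not from the original post or its replies: an ASA configuration fragment in the same pre-8.3 NAT syntax the post uses, with only the addresses the post gives, showing one documented approach to each problem. For problem 1 it uses a one-to-one static with the dns keyword rather than a port-forwarding static; Cisco documents DNS rewrite for one-to-one static NAT, not for PAT. The rewrite acts on A records inside DNS replies that actually cross the firewall, so it helps only when the internal clients, or the internal DNS server acting as a forwarder, resolve domain.com through a DNS server reached via Outside; if the internal DNS server is authoritative for the zone, no reply crosses the ASA and nothing is rewritten. It also depends on DNS inspection, which the factory default global policy enables. For problem 2, the client's SYN to 10.1.15.18 goes client, ASA inside, 192.168.1.223, but the SYN-ACK comes back from 192.168.1.223 straight to the client on its directly connected subnet, so the ASA never sees the SYN-ACK and drops the rest of the TCP connection; the ICMP echo reply takes the same direct path, which is why ping works. TCP state bypass (available from ASA 8.2(1); that this ASA runs such a release is an assumption) tells the ASA to forward that asymmetric TCP flow. The names tcp_bypass and tcp_bypass_policy are made up for the example.

```cisco
! --- Added example, not from the original post ---
! Assumes ASA 8.2(x), pre-8.3 NAT syntax, interfaces named inside and Outside.

! Problem 1: DNS rewrite (DNS doctoring) for 210.0.0.83 <-> 192.168.1.21.
! One-to-one static with the dns keyword: the ASA rewrites the A record
! 210.0.0.83 to 192.168.1.21 in DNS replies arriving on Outside for inside hosts.
! A port-forwarding static (static ... tcp ... https) is not rewritten this way.
! The Outside access-list still decides which ports reach 192.168.1.21,
! so keep it limited to tcp/443 as before.
static (inside,Outside) 210.0.0.83 192.168.1.21 netmask 255.255.255.255 dns

! DNS rewrite only works while DNS inspection is on. This is the factory
! default global policy, shown only so the dependency is visible.
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
service-policy global_policy global

! Problem 2: TCP from 192.168.1.0/24 to 10.1.15.16/28 hairpins through the
! inside interface but returns via 192.168.1.223 directly, so the ASA never
! sees the SYN-ACK. TCP state bypass disables the TCP state checks for
! exactly this traffic. (tcp_bypass / tcp_bypass_policy are made-up names.)
access-list tcp_bypass extended permit tcp 192.168.1.0 255.255.255.0 10.1.15.16 255.255.255.240
class-map tcp_bypass
 match access-list tcp_bypass
policy-map tcp_bypass_policy
 class tcp_bypass
  set connection advanced-options tcp-state-bypass
service-policy tcp_bypass_policy interface inside

! Already in the post; both must stay in place for the hairpin to work:
same-security-traffic permit intra-interface
route inside 10.1.15.16 255.255.255.240 192.168.1.223 1
```

To check the second part, run packet-tracer with a client address from 192.168.1.0/24 (for example `packet-tracer input inside tcp 192.168.1.10 12345 10.1.15.18 22`, where 192.168.1.10 is an assumed client) and confirm the flow is allowed and egresses via inside to 192.168.1.223; `show conn` should then show the SSH connection surviving past the initial SYN once a real client connects.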

2 Replies

varrao
Level 10

Hi Dennis,

For the second issue, try the following command:

sysopt noproxyarp inside

It should work after this.

Thanks,

Varun Rao

Thanks Varun,

I tried the command, unfortunately, it did not work for me.
