How to allow inside hosts access to talk to ASA public IP

William Reed
Level 1

Hello,

I have several NATed ports on my ASA to inside hosts. However, from the inside, if I try to ping my ASA's outside IP address I get no response.

How do I allow this IP communication from devices on the inside of the ASA?

9 Replies

Vibhor Amrodia
Cisco Employee

Hi,

Firstly, a ping to the ASA outside interface would not work from the internal hosts. This is by design.

If you have a static PAT for some ports on the ASA device, you can use Packet Tracer to test if the configuration is correct.

Packet Tracer: https://supportforums.cisco.com/document/29601/troubleshooting-access-problems-using-packet-tracer

Thanks and Regards,

Vibhor Amrodia

The config is correct, as hosts on the internet can connect to the NATed hosts on the ports I allow.

I just can't access those devices from inside hosts using the public IP.

Do you still want me to test something? I can.

Anyone else?

William Reed
Level 1

Anyone?

Hi,

I guess you would want to connect to hosts on the internal LAN by using their outward-facing public NAT IP address? Are we talking about a Static NAT or Static PAT (port forward) configuration? Just wondering, as you mention ping. Even under normal circumstances you could not ping through a Static PAT translation. It would need to be a 1:1 Static NAT between the 2 IP addresses.

The normal configurations are not enough to achieve this, as the NAT is only performed towards the interface that the command specifies.

Let's say you have "inside" and "outside" interfaces and there is an existing Static NAT for a server towards the external network. This would not enable communication to the public IP address from anywhere else other than behind the "outside" interface.

What you need to do is configure a NAT from "inside" to "inside" where you translate the server's local address to the public IP address. This is NOT enough though. You will also have to translate your users' source subnets behind the "inside" interface to the "inside" interface IP address (for example).

This is because if you only translate the server, the connection would come to the ASA and it would forward it to the server (after it untranslates the public IP address to the local one), but when the packet comes to the server it would see the traffic coming from the actual local source address of the user and forward it directly to the user (or perhaps through some router on the LAN). The user and server would not even be able to form the TCP connection, as the flow of traffic would be wrong. (The server would reply with its local IP address rather than the public IP address, as the reply traffic would not go back through the ASA; this is why we would need the source address translation on the ASA also.)

The above of course presumes that your users are behind the same interface as the server with the NAT. If your users are actually behind another local interface of the ASA, then naturally you would just have to NAT the server to its public IP address towards the user interface. Before doing anything like this you would have to confirm that there is no software/application that is currently connecting to the server with its local IP address, as this would break by performing the public NAT.

I am not sure how this would be done in your situation, since we don't know your ASA's software level and how it's configured currently. So I can't really provide you with an example configuration.

Hope I made any sense.

- Jouni

They are static PAT port forwards. I am just saying ping but I am trying to connect to services such as 443, 80, 25, etc.

 

I will try what you suggest. I believe you understand what I am trying to do.

Are the servers / PCs you are trying to access via public IP also located on the inside interface? I mean, are both the PC you are connecting from and the server / PC you are connecting to located on the same subnet? If so, you could also be running into asynchronous routing issues, which by default are dropped by the ASA.

--

Please remember to select a correct answer and rate helpful posts

I am running code 9.1.3.

 

I can post my scrubbed config if you like.

I'm trying to configure an ASA 5506 (ver. 9.8.1) to allow a device on the inside interface (smartphone connected to local network via wi-fi) to access an NVR (network video recorder) that is also on the same inside interface, however, I would like to accomplish this by using the outside interface address.

 

Currently I have NAT and ACL set up to allow a user who is off-site (over the internet) to connect to the NVR using the outside IP address that is NATed to the inside address of the NVR; it is working great. My problem is when a user is on-site and connected to the wi-fi, the smartphone app (configured with the outside IP address) will not connect.

 

Side note: The current NAT (inside, outside) rule is configured to use TCP port 8000 (port 8000 is an example, actual port is different).

 

When the user is connected to the inside network via local wi-fi, and I insert the internal IP address of the NVR into the smartphone app, it obviously works. Simple enough; however, my customer does not understand networks and they expect to be able to open the smartphone app and pull up the cameras whether they are connected to the local wi-fi or are halfway around the world on business. I could set up two connections in the smartphone app (local cameras and remote cameras), but I need it to pull up the cameras using only the outside IP address regardless of whether the user is connected to the inside interface or they are connecting from the outside world through the outside interface.

 

I have successfully set this up in the past on a Cisco ASA 5505 using nat (inside, inside) and it worked great. I've also heard of this being referred to as hairpin or loopback routing.

 

Can someone give me a configuration example of how to make this work? Thanks in advance!
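An added configuration example, not posted by anyone in this thread, showing the hairpin nat (inside,inside) setup that Jouni's reply describes and that the 5506 / 9.8.1 question above asks for. It assumes ASA 8.3+ object and twice-NAT syntax; the object names, the 192.168.1.0/24 LAN, the 192.168.1.50 server, the 192.0.2.10 public address (RFC 5737 documentation range) and TCP 443 are placeholders to be replaced with your own values.

```cisco
! Hairpin traffic enters and leaves the same interface, so the ASA must
! be told that intra-interface traffic is allowed at all.
same-security-traffic permit intra-interface

! Placeholder objects (assumed values, substitute your own).
object network SERVER_LOCAL
 host 192.168.1.50
object network SERVER_PUBLIC
 host 192.0.2.10
object network INSIDE_NET
 subnet 192.168.1.0 255.255.255.0
object service SVC_HTTPS
 service tcp destination eq 443

! Existing port forward for Internet users (inside -> outside).
nat (inside,outside) source static SERVER_LOCAL SERVER_PUBLIC service SVC_HTTPS SVC_HTTPS

! Hairpin rule (inside -> inside). Two translations in one statement:
!  - destination: public IP is untranslated to the server's local IP
!  - source: the LAN client is PATed to the inside interface IP, so the
!    server replies to the ASA instead of directly to the client and the
!    return traffic stays symmetric (Jouni's second translation).
! Twice-NAT rules are evaluated before object NAT, so this rule is
! matched first for inside-to-inside hits on the public address.
nat (inside,inside) source dynamic INSIDE_NET interface destination static SERVER_PUBLIC SERVER_LOCAL service SVC_HTTPS SVC_HTTPS
```

Because of the source PAT, the server's own logs will show the ASA inside interface address rather than the real LAN client for hairpinned connections, so keep client attribution on the ASA (connection logging) rather than on the server. Before enabling it, confirm as Jouni notes that nothing on the LAN depends on reaching the server by its local address, and verify the rule with packet-tracer from the inside interface against the public IP and port.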
