Solved: Inside hosts cannot connect to other inside hosts over external IP

Martijn de Loos · ‎07-22-2015

Hello all,

I have a Cisco 5510 in our office and we have multiple external IP blocks assigned from our ISP. Some of our inside hosts are statically mapped to one of our external IPs over NAT. The problem now is that externally I can for example connect to the hosts over HTTP without any problems but my inside hosts are unable to reach them. They get a timeout. The only way from inside to connect to those hosts is by connecting to the internal IP address. All external addresses don't work from inside.

How can I solve this issue? Alot of our systems like CRM, OWA etcetera are in DNS bound to the external IP addresses of the servers and now lots of office users are complaining they can't reach any of the systems.

Thanks in advance for the help.

mattp0002 · ‎07-22-2015

Martijn,

I believe what you are trying to do requires setting up something called "U-Turn NAT"

Check out this link since you're using an ASA:

http://www.willneumann.net/2009/04/setup-u-turn-hairpinning-on-cisco-asa/

View solution in original post

mattp0002 · ‎07-22-2015

Martijn,

I believe what you are trying to do requires setting up something called "U-Turn NAT"

Check out this link since you're using an ASA:

http://www.willneumann.net/2009/04/setup-u-turn-hairpinning-on-cisco-asa/

Alexey Prilutskiy · ‎07-22-2015

You need to configure dns rewrite (dns doctoring) . ASA will inspect your dns traffic and if it find your external IP in dns responce it will rewrite it with your internal IP from your NAT table. Look on http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/115753-dns-doctoring-asa-config.html