On a Cisco ASA, if an internal server has a NAT rule to the outside interface, clients on the inside will not be able to reach that server through its translated (outside) address.
There are two solutions to this problem:
- Use DNS doctoring (cannot be used with PAT rules):
In ASDM go to: Configuration -> Firewall -> NAT Rules -> Edit Static NAT -> Connection Settings and check “Translate the DNS replies that match the translation rules”.
- Allow traffic between hosts on the same interface (hairpinning with static NAT):
In ASDM go to: Configuration -> Device setup and check “Enable traffic between two or more hosts connected to the same interface”.
For a PAT rule, create a new static PAT under “NAT Rules” with these settings:
Source: the internal server
Use IP Address: the external IP on the outside interface
If the other NAT rule is also a PAT rule, use the same settings there too.
- Additionally, the dynamic NAT rule that translates internal IP addresses to the outside interface has to be changed:
Edit Dynamic NAT Rule -> Manage -> Add, and add a new Global Address Pool of the type:
Port Address Translation (PAT) using IP Address of the interface
DNS doctoring should be preferred over hairpinning: with doctoring, inside clients receive the server's internal address and connect to it directly, whereas with hairpinning every client-to-server connection has to pass through the firewall, increasing its traffic volume.
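The same two configurations expressed on the ASA CLI, as an added example that is not part of the original page; it assumes ASA 8.3+ object/twice-NAT syntax, an inside server 192.168.1.10 published as 203.0.113.10, and the object names shown (all of these are assumptions).

```cisco
! --- Option 1: DNS doctoring (static NAT only, not usable with a PAT rule) ---
! The "dns" keyword rewrites DNS A-record answers that contain the mapped
! address 203.0.113.10 into the real address 192.168.1.10, so inside clients
! resolve the public name to the internal address and connect directly.
object network INTERNAL-SERVER
 host 192.168.1.10
 nat (inside,outside) static 203.0.113.10 dns

! --- Option 2: hairpinning (traffic enters and leaves the inside interface) ---
! Equivalent of the ASDM checkbox "Enable traffic between two or more hosts
! connected to the same interface".
same-security-traffic permit intra-interface
object network PUBLIC-IP
 host 203.0.113.10
! Inside clients that connect to the public address are destination-translated
! to the server, and their source is PAT'ed to the inside interface address so
! that the server's replies return through the ASA instead of going directly
! to the client (which would break the connection).
nat (inside,inside) source dynamic any interface destination static PUBLIC-IP INTERNAL-SERVER
```

The two options are alternatives: with the `dns` keyword in place, inside clients never use the public address, so the hairpin rule is not exercised.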
Source for DNS doctoring and hairpinning configuration: