I am using Cisco ASDM for ASA
I have my internal network called soa. My outside interface is called outside. Let's say my outside IP, given to me by my ISP, is y.y.y.y. I have a web server inside my network with a static IP of x.x.x.110. I have configured 2 static NAT rules (one for http, the other for https).
Source is x.x.x.110. Interface is outside, service (http or https).
Maybe I am doing this wrong, but when I run the packet tracer, I choose the outside interface, and for the source IP I used 8.8.8.8 and the destination IP is my outside IP address, y.y.y.y.
When I run that, it shows the packet traversing successfully, using 9 steps.
For my other test, I switch to the soa interface, input an ip on that network, and leave the destination the same. This test comes up with 2 steps and then fails on my access list.
When I see the rule that fails, it is my catch-all, which is source: any, destination: any, service: ip, action: deny.
What rule do I need to make to allow my soa network access to go out and come back in by my external IP address (using a domain name attached to that IP in my DNS, of course)?
Not sure about Cisco, but on Linux and *BSD this won't work. Even when you try to connect to the external address from the internal network, the packet never passes the external interface, as the kernel is too clever, notices its own address and consumes the packet. As the packet never travels through your external interface, the NAT rule for port-forwarding never applies.
Read http://www.openbsd.org/faq/pf/rdr.html#reflect for some (BSD-biased) docs on this.
The external NAT look-up from internal LANs does not work with either BSD or Linux. However, there is a way to cheat Cisco ASA, though the best practices suggest that this must not be done. Use it if you absolutely need it. The command syntax for Cisco ASA 8.0.x is:
Accessing internal servers via the public IP address through a NAT router is often called NAT reflection.
Most routers, from your basic home ones up to $1000+ ones support this. Cisco does not.
The best solution is split DNS, where you set up an internal DNS server which has the private IP addresses for your servers instead of the public ones, so clients on the LAN will still have access.
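Added example, not from any of the answers above: one way to build the split DNS the last answer recommends, using BIND views on an internal resolver. The zone name example.com, the soa network range, the server paths and the addresses are assumptions (RFC 1918/5737 stand-ins for x.x.x.110 and y.y.y.y); if the public zone is hosted at a provider, drop the "external" view and keep only "internal".

```conf
// named.conf.local (constructed example; adjust names, paths and addresses)
// Clients on the soa LAN resolve www to the private address, so they never
// need to hairpin through the ASA's outside interface. Everyone else gets
// the public address that the static NAT rules on the ASA forward.
acl "soa-lan" { 192.168.10.0/24; };      // assumption: the soa network

view "internal" {
    match-clients { "soa-lan"; localhost; };
    recursion yes;                        // LAN clients may use this as resolver
    zone "example.com" {
        type master;
        file "/etc/bind/db.example.com.internal";
    };
};

view "external" {
    match-clients { any; };
    recursion no;                         // never recurse for the Internet
    zone "example.com" {
        type master;
        file "/etc/bind/db.example.com.external";
    };
};

// ---- /etc/bind/db.example.com.internal (zone file syntax, ';' comments) ----
// $TTL 300
// @    IN SOA ns1.example.com. hostmaster.example.com. ( 2024010101 3600 900 604800 300 )
// @    IN NS  ns1.example.com.
// ns1  IN A   192.168.10.53     ; the internal resolver itself
// www  IN A   192.168.10.110    ; the web server's private address (x.x.x.110)

// ---- /etc/bind/db.example.com.external ----
// $TTL 300
// @    IN SOA ns1.example.com. hostmaster.example.com. ( 2024010101 3600 900 604800 300 )
// @    IN NS  ns1.example.com.
// ns1  IN A   203.0.113.1
// www  IN A   203.0.113.1       ; the ISP-assigned public address (y.y.y.y)
```

After reloading, check both answers with `dig www.example.com` from a LAN host and from outside: the LAN must get the private address, which confirms that internal clients no longer hit the catch-all deny in the question. Bump the SOA serial whenever a zone file changes, or secondaries and caches keep the old answer.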