How do I reach my internal server on the external IP?
The ASA firewall can not route traffic. You need to masq the inside address against the external address.
Solution 1: DNS doctoring with static NAT
Let's say your external website IP address is 1.2.3.4, wich then again is port-forwarded (or directly NAT'ed) to the internal IP address 192.168.0.10. With DNS doctoring, the following will happen:
- The client on the inside requests http://www.companyweb.com, wich originally translates to 1.2.3.4
- The ASA intercepts the DNS reply packet, and replaces the A-record with 192.168.0.10
- The client gets very happy, as it now can open up the company web site :-)
For more detailed info on how you enable this: http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968d1.shtml
Solution 2: Internal DNS server
This one is useful if you only have one external IP, and you port-forward this IP to many internal services on different servers (Let's say port 80 and 443 goes to 192.168.0.10, port 25 goes to 192.168.0.11 etc).
It requires no configuration change on the ASA, but it will require you to duplicate your external domain on a internal DNS server (Active Directory has this built in). You just create the exact same records as you have now, only with internal IP's on the services you have internally.
"Solution" 3: DMZ interface with public IP's
I'm not going to get into much details on this one, as it requires you to get a subnet of IP adresses from your ISP routed to your ASA. It's very hard these days with the IPv4 starvation.
As other similar questions are being marked as duplicates with a reference to here, I wish to complement the excellent answer by @pauska with a 4th option.
Solution 4: Routing the traffic through NAT Hairpinning
Allowing traffic back through an interface on a Cisco PIX/ASA appliance, such as when a nat:ed client accesses a nat:ed server through its public ip is called NAT Hairpinning by Cisco.
It uses essentially the same configuration parameters as usual for nat and port forwarding, but with the addition of this command:
same-security-traffic permit intra-interface
and a second static mapping for inside-to-inside traffic to the server:
static(inside,inside) i.i.i.i x.x.x.x
This is described in detail complete with a configuration example here for a two-interface design: http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968d1.shtml#solution2
And here is a Destination NAT alternative for a three-interface design: http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968c8.shtml#solution2