Firewall/NAT issues on Cisco ASA 5520

Unanswered Question

Dear NetPro folks,

I've been working on a homologation process for the deployment of Cisco ASA 5520 appliances and I've been unable to successfully make use of static NAT/PAT in order to translate services from the outside pool of IP addresses to inside (real) IP addresses (there is no DMZ perimeter at this time; there are "outside" and "inside" interfaces only).

The scenario is as follows:

Cisco ASA:

- Inside:

- Outside:

The pool of registered IP addresses is as follows:

The actual ASA configuration (or at least a small part of it that represents the scope of my issue) is as follows:

interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address
interface GigabitEthernet0/3
 nameif outside
 security-level 0
 ip address
object-group service DM_INLINE_TCP_1 tcp
 port-object eq 1374
 port-object eq 3389
 port-object eq ftp
 port-object eq ftp-data
 port-object eq www
access-list outside_access_in extended permit tcp any host object-group DM_INLINE_TCP_1 log disable
access-group outside_access_in in interface outside
global (outside) 1 interface
nat (inside) 1
static (inside,outside) tcp ftp-data ftp-data netmask
static (inside,outside) tcp ftp ftp netmask
static (inside,outside) tcp www www netmask
static (inside,outside) tcp 3389 3389 netmask
static (inside,outside) tcp 1374 1374 netmask
route outside 1
route inside 1

There are, of course, several other Access Control Lists and static NAT/PAT entries, and each one of them uses a separate IP address from the global pool (i.e.,,), and the objective here is to NAT these registered IP addresses to their respective private ones on some specific ports, from outside to inside (i.e. TCP 22 --> TCP 22). These translations are not working either.

I would really appreciate it if someone could possibly help me out. Please find enclosed a drawing and the actual ASA config (the full version of it).

I look forward to hearing from you soon. Thank you in advance!

Best regards.

Leonardo Furtado

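The question above boils down to a consistency check between three pieces of the ASA 8.x-style configuration: the `static (inside,outside) tcp` PAT entries, the `access-list ... permit tcp any host` lines (directly or via a service object-group) and the `access-group` binding on the outside interface. A mapped address/port that appears in one place but not the other is exactly the kind of mismatch that makes inbound translations "not work". The following script is an added example, not code from the thread or from Cisco; it parses that subset of the CLI syntax and reports every static PAT with no inbound ACL permit and every ACL permit with no matching static. Because the thread's real addresses did not survive, the embedded sample configuration is constructed: 203.0.113.0/24 stands in for the registered pool and 10.0.0.0/24 for the inside network, and it deliberately contains one static (TCP 22) with no ACL entry and one ACL entry (https) with no static. The port-keyword table is an assumed subset of the names the ASA accepts.

```python
import re
from collections import defaultdict

# Service keywords the ASA CLI accepts in place of port numbers (assumed subset).
PORT_NAMES = {"ftp-data": 20, "ftp": 21, "ssh": 22, "www": 80, "http": 80, "https": 443}

def port_num(token):
    """Turn an ASA port token ('www', '3389') into an integer."""
    return PORT_NAMES[token] if token in PORT_NAMES else int(token)

STATIC_RE = re.compile(
    r"^static \((?P<real_if>\w+),(?P<mapped_if>\w+)\) tcp (?P<mapped_ip>\S+) (?P<mapped_port>\S+) "
    r"(?P<real_ip>\S+) (?P<real_port>\S+) netmask \S+")
ACL_RE = re.compile(
    r"^access-list (?P<acl>\S+) extended permit tcp any host (?P<ip>\S+) "
    r"(?:eq (?P<port>\S+)|object-group (?P<grp>\S+))")
GROUP_RE = re.compile(r"^object-group service (?P<name>\S+) tcp$")
PORT_OBJ_RE = re.compile(r"^\s+port-object eq (?P<port>\S+)$")
ACCESS_GROUP_RE = re.compile(r"^access-group (?P<acl>\S+) in interface (?P<intf>\w+)$")

# Constructed sample configuration (documentation and RFC 1918 addresses, not the thread's).
SAMPLE_CONFIG = """
object-group service DM_INLINE_TCP_1 tcp
 port-object eq 1374
 port-object eq 3389
 port-object eq ftp
 port-object eq ftp-data
 port-object eq www
access-list outside_access_in extended permit tcp any host 203.0.113.10 object-group DM_INLINE_TCP_1 log disable
access-list outside_access_in extended permit tcp any host 203.0.113.12 eq https
access-group outside_access_in in interface outside
global (outside) 1 interface
nat (inside) 1 10.0.0.0 255.255.255.0
static (inside,outside) tcp 203.0.113.10 ftp-data 10.0.0.10 ftp-data netmask 255.255.255.255
static (inside,outside) tcp 203.0.113.10 ftp 10.0.0.10 ftp netmask 255.255.255.255
static (inside,outside) tcp 203.0.113.10 www 10.0.0.10 www netmask 255.255.255.255
static (inside,outside) tcp 203.0.113.10 3389 10.0.0.10 3389 netmask 255.255.255.255
static (inside,outside) tcp 203.0.113.10 1374 10.0.0.10 1374 netmask 255.255.255.255
static (inside,outside) tcp 203.0.113.11 22 10.0.0.11 22 netmask 255.255.255.255
"""

def parse(config):
    """Extract service groups, static PAT entries, ACL permits and ACL bindings."""
    groups = defaultdict(set)      # group name -> {port}
    statics = []                   # (mapped_if, mapped_ip, mapped_port, real_ip, real_port)
    acl_refs = defaultdict(list)   # acl name -> [(host ip, port token or None, group or None)]
    bindings = {}                  # interface -> acl applied inbound
    current_group = None
    for line in config.splitlines():
        if not line.strip():
            continue
        if line[0].isspace():      # indented sub-command of the object-group above
            m = PORT_OBJ_RE.match(line)
            if m and current_group:
                groups[current_group].add(port_num(m["port"]))
            continue
        current_group = None
        if m := GROUP_RE.match(line):
            current_group = m["name"]
        elif m := STATIC_RE.match(line):
            statics.append((m["mapped_if"], m["mapped_ip"], port_num(m["mapped_port"]),
                            m["real_ip"], port_num(m["real_port"])))
        elif m := ACL_RE.match(line):
            acl_refs[m["acl"]].append((m["ip"], m["port"], m["grp"]))
        elif m := ACCESS_GROUP_RE.match(line):
            bindings[m["intf"]] = m["acl"]
    # Expand object-group references only after every group has been read.
    permits = defaultdict(set)     # acl name -> {(host ip, port)}
    for acl, refs in acl_refs.items():
        for ip, port, grp in refs:
            ports = groups[grp] if grp else {port_num(port)}
            permits[acl].update((ip, p) for p in ports)
    return {"statics": statics, "permits": permits, "bindings": bindings}

def audit(config):
    """Return ('missing-acl'|'missing-static', mapped ip, port) for every mismatch."""
    cfg = parse(config)
    findings = []
    for mapped_if, mapped_ip, mapped_port, _real_ip, _real_port in cfg["statics"]:
        acl = cfg["bindings"].get(mapped_if)
        if acl is None or (mapped_ip, mapped_port) not in cfg["permits"][acl]:
            findings.append(("missing-acl", mapped_ip, mapped_port))
    translated = {(ip, port) for _, ip, port, _, _ in cfg["statics"]}
    for acl in cfg["bindings"].values():
        for ip, port in cfg["permits"][acl]:
            if (ip, port) not in translated:
                findings.append(("missing-static", ip, port))
    return sorted(findings)

if __name__ == "__main__":
    for kind, ip, port in audit(SAMPLE_CONFIG):
        print(f"{kind}: {ip} tcp/{port}")
```

Run against the sample, it flags 203.0.113.11 tcp/22 as translated but never permitted and 203.0.113.12 tcp/443 as permitted but never translated; a configuration in which both lists are empty is internally consistent, which narrows the search to things the config does not show (proxy ARP on the outside interface, stale xlates, or, as this thread eventually found, a device elsewhere on the path).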

Hello sundar.

Thanks for your help in this matter. I really appreciate it.

Please find enclosed my actual config file (full version). This is what my configuration looks like.

Unfortunately the box had to be decommissioned until we find out what has caused the static NAT issues. I am gonna request my team to issue a 'show run sysopt' and get it back to you shortly.

Thank you!!

Leonardo Furtado

sundar.palaniappan Fri, 10/05/2007 - 15:18


I don't see anything wrong with the configuration. The outside ACL and static are configured correctly for the server(s) to be accessed from outside.

I was suspecting that maybe proxy ARP was disabled on the outside interface, as that could present this problem, but the configuration appears to indicate that proxy ARP is enabled on the outside. Did you try the clear xlate after the configuration was changed?



Hi Sundar,

Once again, thanks for your support!

Well... as a matter of fact, yes, I cleared out xlate after performing the configuration changes. I have also recycled the box a couple of times to see what would happen next, and still nothing at all. I am unable to get it done as it was supposed to.

I guess I should contact Cisco directly in order to determine what the heck is going on with this box! Actually I was just wondering if I had been doing something wrong, configuration-wise, but apparently I am doing the right thing.

I will surely reply to this topic once I find out what has caused these issues.

Thank you for your help, and have a good one!

Best regards,


After a troubleshooting session, we identified that a Cisco switch was causing all the mess. Configuration-wise, everything looked perfect. After upgrading its software and rebooting the switch, while preserving all of its original configuration parameters, the issue was gone for good. Indeed, very weird.

I appreciate everybody's help in this matter.
