ASA 5505 static nat issues

Unanswered Question
Nov 9th, 2007

Hi there!

For the last two days I've been working on a very strange issue regarding 'static' or '1:1' mapping. Here is the scenario:

I have one firewall (ASA 5505) with two interfaces (vlan1 - which is the 'inside' and vlan2 - which is the outside). Vlan1 has the default security level 100 and vlan2 has security level 0. So, I have an ip address configured on vlan2 ( with gateway . On the other interface I have configured ip address +ASA+ outside)

Behind vlan1, I have a network station with ip address The goal is to achieve two-way NAT (static) for all packets going from to be translated into public ipv4 ip x.x.x.x. For this I'm using the static command with the following arguments:

static (inside,outside) x.x.x.x netmask

And here is where my problems started. From inside to outside (I mean traffic initiated from everything looks fine. The address is translated into x.x.x.x and it works fine. BUT when I try to reach the ip address x.x.x.x from an ip located behind the outside interface (let's say from the traffic IS NOT redirected to address (which the command static should process) but it is processed by the ASA itself, as if the traffic is destined for (which is the outside ip address of the firewall). I have configured an access-list which permits ip from any to any (for testing purposes), applied as an access-group for inbound traffic to the outside interface:


access-list outside_access_in extended permit ip any any

access-group outside_access_in in interface outside


Can anyone give me a clue, because I am getting desperate! What should I do to stop the ASA processing this traffic which should be redirected/translated? One more thing. I did a network scan with nmap software to check the open ports of the ASA (here is the result):


21/tcp open ftp

23/tcp open telnet

80/tcp open http

443/tcp open https

8080/tcp open http-proxy

Which application is using the http-proxy port? Because my problems start here (traffic destined to x.x.x.x is with dst port 8080, so I believe there must be a reason for the ASA to process it by itself).

Best Regards,

Danail Petrov

pszczola1 Sun, 11/11/2007 - 20:17

I guess you must have a router after the firewall. It's hard to advise without the picture of the whole architecture. I used ASA 5505 with the following architecture:

Inside Network or vlan 1 > ASA > DSL Modem

How many public addresses do you have available?

Do you have any other translations (PAT)?

Why not give a public address to the outside interface of the ASA instead of ?

The setting: private address on inside, public address on outside should fix the problem.

