PAT on ASA 5520

Unanswered Question
Jan 31st, 2008

I am trying to configure PAT on our ASA. I've been reading through the following documentation but can't seem to get things working right.

What I'm trying to do is forward all traffic for port 32 on the outside interface to port 22 on the inside interface.

I've tried different variations on the following but nothing seems to work.

static (inside,outside) tcp 32 ssh

Any advice would be most helpful.


Seth Miller

oszkari Thu, 01/31/2008 - 14:11

try this:

static (inside,outside) tcp interface 32 x.x.x.x 22 netmask 255.255.255.255

where x.x.x.x is the ip address of the pc in the inside lan to which you want the ssh access.

ps: don't forget, you will also need an access-list which will permit the traffic to port 32 on the outside interface.

access-list inbound_traffic extended permit tcp any interface outside eq 32

access-group inbound_traffic in interface outside

seth.miller Thu, 01/31/2008 - 15:43

Thanks, but is it not possible to port forward without specifying an IP address? With iptables I could do the following to achieve this

iptables -t nat -A PREROUTING -p tcp --dport 32 -j REDIRECT --to-ports 22

I'm still learning the Cisco IOS so I can't think of the equivalent or even if it's possible.

The problem is that I want to redirect port 32 to hundreds of IPs on different blocks internally. I think it'd be easier to just forward based on port.


Seth Miller

oszkari Fri, 02/01/2008 - 14:10

I don't think this would be possible on a ASA.

mlenco Sat, 02/02/2008 - 19:18

To configure static PAT, enter one of the following commands.

• For policy static PAT, enter the following command:

hostname(config)# static (real_interface,mapped_interface) {tcp | udp} {mapped_ip | interface} mapped_port access-list acl_name [dns] [norandomseq] [udp udp_max_conns]

Identify the real addresses and destination/source addresses using an extended access list. Create the extended access list using the access-list extended command (see the “Adding an Extended Access List” section on page 16-5). The protocol in the access list must match the protocol you set in this command. For example, if you specify tcp in the static command, then you must specify tcp in the access list. Specify the port using the eq operator.

The first address in the access list is the real address; the second address is either the source or destination address, depending on where the traffic originates. For example, to translate the real address to the mapped address when sends traffic to the network, the access-list and static commands are:

hostname(config)# access-list TEST extended tcp host eq telnet

hostname(config)# static (inside,outside) tcp telnet access-list TEST

brandon.smith Wed, 03/12/2008 - 18:51

This is almost what I am looking for. The only modification I need to this is that I need to add port redirection to the static policy PAT you have shown above. For example, I need an external source IP address to be able to send FTP traffic to a translated address on port 21, but then have the ASA redirect 21 to 13000 on the inside FTP server because that's what it is really listening on. And I need this behavior to work only for one specific external IP address, which is where the policy PAT comes in. Is this possible?

jkeddington_2 Wed, 03/12/2008 - 21:23

I have been able to configure port redirection on an ASA and this is how I did it: "static (inside,outside) tcp interface 61399 172.31.1.x 61399" What this NAT statement does is redirect all traffic destined to the outside interface on port 61399 and redirects to an internal host on port 61399. If that is what you are looking for then you can use that statement by changing it to match how your firewall is configured and it should work.

brandon.smith Thu, 03/13/2008 - 06:10

I've used that form before and so I'm familiar with its use. However, I need to be able to redirect one port from the translated address to a different port on the inside address AND have this happen only when the traffic is being sent from one specific source IP address on the Internet. Can this be done?
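An added example, not posted by anyone in this thread, of how the policy static PAT form quoted from the configuration guide above can carry a port redirection that applies to a single Internet source, in the pre-8.3 ASA syntax the thread uses. The addresses 203.0.113.50 (permitted external source) and 10.1.1.20 (inside FTP server), the ACL names, and the claim that the real port in the ACL may differ from the mapped port are assumptions to be checked against the running ASA version.

```text
! Added example, pre-8.3 ASA syntax; addresses and ACL names are placeholders.
! 203.0.113.50 = the only Internet host allowed in, 10.1.1.20 = inside FTP server.
!
! 1. ACL referenced by the static: first host = REAL inside address with its REAL
!    port (eq operator), second host = the external SOURCE the translation is for.
!    Protocol here must match the protocol given on the static command (tcp).
access-list FTP_POLICY_PAT extended permit tcp host 10.1.1.20 eq 13000 host 203.0.113.50
!
! 2. Policy static PAT: outside interface port 21 -> 10.1.1.20 port 13000, but
!    only for packets matching FTP_POLICY_PAT (i.e. sourced from 203.0.113.50).
static (inside,outside) tcp interface 21 access-list FTP_POLICY_PAT
!
! 3. The inbound interface ACL is still required; restrict it to the same source
!    so nothing else can even reach the mapped port.
access-list OUTSIDE_IN extended permit tcp host 203.0.113.50 interface outside eq ftp
access-group OUTSIDE_IN in interface outside
!
! 4. Checks: the translation should appear as a PAT xlate with both ports, and a
!    simulated packet from the allowed source should hit the static, while one from
!    any other source should be dropped by OUTSIDE_IN.
show xlate
packet-tracer input outside tcp 203.0.113.50 40000 <outside-interface-ip> 21
packet-tracer input outside tcp 198.51.100.9 40000 <outside-interface-ip> 21
```

Note that every form of static, policy or not, names a real inside address (directly or through the ACL), so the interface-only REDIRECT from the iptables rule earlier in the thread has no direct equivalent here.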

