Static NAT on ASA5505

Unanswered Question
May 27th, 2008


I am trying to configure static NAT for one address, and as soon as I add the NAT rule the internal host stops seeing the outside world. What have I forgotten to do?

All help greatly appreciated. First timer!

gregwilmot Tue, 05/27/2008 - 23:28

Hi, thanks for your interest. Here you are.

ASA Version 7.2(3)

hostname N***********
domain-name d***********
enable password xxx

interface Vlan1
 nameif inside
 security-level 100
 dhcp client update dns
 ip address

interface Vlan2
 nameif outside
 security-level 0
 ip address 6**.***.***.2

interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address dhcp

interface Ethernet0/0
 switchport access vlan 2

interface Ethernet0/1

interface Ethernet0/2

interface Ethernet0/3

interface Ethernet0/4

interface Ethernet0/5

interface Ethernet0/6

interface Ethernet0/7

passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS

domain-name *****************
same-security-traffic permit intra-interface
object-group network Trusted-LAN-Hosts
 network-object host
 network-object host
 network-object host
 network-object host
access-list inside_access_in extended permit tcp any eq www
access-list inside_access_in extended permit udp any eq domain
access-list inside_access_in extended permit udp any eq isakmp
access-list inside_access_in extended permit tcp any eq ldap
access-list inside_access_in extended permit tcp any eq https
access-list inside_nat0_outbound extended permit ip
access-list outside_access_in extended permit esp any 6**.***.***.0
access-list outside_access_in extended permit gre any 6**.***.***.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool Remote-pool mask
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1
static (inside,outside) 6**.***.***.10 netmask
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 6**.***.***.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http inside
no snmp-server location
no snmp-server contact

gregwilmot Wed, 05/28/2008 - 07:48


I have also dug this out, if it helps:

Result of the command: "sh running-config nat"

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1

All I need to do is set NAT for a couple of IPs for a couple of services.

Thanks all for your assistance in advance.


acomiskey Wed, 05/28/2008 - 07:55


Could you be more specific about your problem? Config looks fine.

gregwilmot Wed, 05/28/2008 - 23:26

OK, the issue is I need to NAT a couple of addresses. With it all configured as above, the issue is as follows: the hosts that have the NAT address cannot access the outside network (internet), nor can the outside see the selected services that have been set for them.

I have run Packet Tracer for www packets out and it fails on an access list, which is the system default deny-any-any implicit rule.

I have rules that allow www from inside, and they work fine when there are no NAT-configured addresses. I have compared this with another ASA that works and can't see any difference.

I am lost at this point and all help is greatly appreciated.



solpandor Thu, 05/29/2008 - 01:31


Would you please clarify why you have both the .10 network and the .2 network in your no-NAT statement? What network are the users (who can't access the outside) on? Also, have you run the Live Log in debugging mode to see why the packets are being dropped?

access-list inside_nat0_outbound extended permit ip

gregwilmot Thu, 05/29/2008 - 02:17


The access-list inside_nat0_outbound extended permit ip refers to the VPN tunnel that is in place between the two networks.

Static IP addresses from the .10 network cannot access the outside world (internet).

solpandor Thu, 05/29/2008 - 05:10


Try changing the seq number of your NATs (not your statics), as seq 0 is a no-NAT and seq 1 is then asking the same network .10 to be translated.

Have you tried using the Live Log viewer? Try this and let me know how you get on.
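The precedence solpandor is describing can be made concrete with a small model. The following is an added, constructed Python example, not Cisco code and not posted by anyone in this thread; all addresses are made up (RFC 1918 and RFC 5737 documentation ranges), since the thread's real addresses are redacted. On ASA 7.x (pre-8.3) the order in which NAT rules are evaluated is fixed by rule type, not by the number after `nat`: NAT exemption (`nat 0 access-list`) is checked first, then static NAT, then policy NAT, then dynamic NAT/PAT. The model shows what that means for a host that has a static: if the exemption ACL's destination is broad enough to cover internet-bound traffic, that traffic leaves with its private source address, the ASA logs the build-up and teardown, and no reply can ever be routed back, which matches the "teardown but no response" symptom better than an ACL deny would.

```python
"""Toy model of ASA 7.x (pre-8.3) NAT rule precedence for inside -> outside traffic.

Constructed example, not Cisco code.  Addresses are RFC 5737 documentation
ranges and RFC 1918 space; the thread's own addresses are redacted.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network

RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class AclEntry:
    """One 'permit ip <src> <dst>' line of a 'nat (inside) 0 access-list' ACL."""
    src: IPv4Network
    dst: IPv4Network


@dataclass
class NatConfig:
    exemption_acl: list          # nat (inside) 0 access-list <acl>       (evaluated first)
    statics: dict                # static (inside,outside) <mapped> <real> -> {real: mapped}
    dynamic_nets: list           # nat (inside) 1 <net> <mask>
    global_pat: IPv4Address      # global (outside) 1 interface


def translate(cfg: NatConfig, src: str, dst: str):
    """Return (rule_hit, source address as the outside interface sends it).

    ASA 7.x order of operations (the nat ID only ties nat to global, it is
    not a priority):
      1. NAT exemption (nat 0 access-list)
      2. static NAT / static PAT
      3. policy NAT (not modelled here)
      4. dynamic NAT/PAT (nat N / global N)
    """
    s, d = ip_address(src), ip_address(dst)
    for entry in cfg.exemption_acl:
        if s in entry.src and d in entry.dst:
            return "nat0-exemption", s          # leaves untranslated, real address
    if s in cfg.statics:
        return "static", cfg.statics[s]
    for net in cfg.dynamic_nets:
        if s in net:
            return "dynamic-pat", cfg.global_pat
    return "untranslated", s


def check_flow(cfg: NatConfig, src: str, dst: str) -> dict:
    """Packet-tracer-style view of one flow plus whether a reply can come back."""
    rule, outside_src = translate(cfg, src, dst)
    private = any(outside_src in n for n in RFC1918)
    # An internet host cannot route a reply to an RFC 1918 source: the ASA logs
    # the outbound build/teardown, but nothing ever returns.
    return {"rule": rule, "outside_src": str(outside_src), "reply_routable": not private}


def shadowing_exemptions(cfg: NatConfig) -> list:
    """Real addresses that have a static but whose internet traffic is swallowed
    by an exemption entry with destination 'any', so the static never applies."""
    internet = ip_network("0.0.0.0/0")
    return sorted(
        str(real)
        for real in cfg.statics
        if any(real in e.src and e.dst == internet for e in cfg.exemption_acl)
    )


INSIDE = ip_network("192.168.1.0/24")      # constructed: LAN behind 'inside'
VPN_REMOTE = ip_network("192.168.2.0/24")  # constructed: LAN at the far end of the tunnel
STATIC_HOST = ip_address("192.168.1.10")   # constructed: host given a one-to-one static

# Exemption ACL written as 'permit ip 192.168.1.0 255.255.255.0 any': everything
# from the LAN, internet-bound traffic included, skips translation.
BROKEN_CFG = NatConfig(
    exemption_acl=[AclEntry(INSIDE, ip_network("0.0.0.0/0"))],
    statics={STATIC_HOST: ip_address("203.0.113.10")},
    dynamic_nets=[INSIDE],
    global_pat=ip_address("203.0.113.2"),
)

# Same rules, but the exemption names only the tunnel's remote network.
FIXED_CFG = NatConfig(
    exemption_acl=[AclEntry(INSIDE, VPN_REMOTE)],
    statics=BROKEN_CFG.statics,
    dynamic_nets=BROKEN_CFG.dynamic_nets,
    global_pat=BROKEN_CFG.global_pat,
)

if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN_CFG), ("fixed", FIXED_CFG)):
        print(name, "static host -> internet:", check_flow(cfg, "192.168.1.10", "198.51.100.80"))
        print(name, "static host -> vpn peer:", check_flow(cfg, "192.168.1.10", "192.168.2.5"))
        print(name, "other host  -> internet:", check_flow(cfg, "192.168.1.20", "198.51.100.80"))
        print(name, "statics shadowed by exemption:", shadowing_exemptions(cfg))
```

The practical check this suggests on a real box is the one solpandor already asked for: confirm exactly which source and destination networks the `inside_nat0_outbound` ACL permits, and make sure its destination is only the tunnel's remote network rather than anything broad enough to match internet traffic from the statically translated host.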



gregwilmot Fri, 05/30/2008 - 00:25


Thanks for that. I have looked at the live viewer and it doesn't display any denies etc. It does display the teardown on the particular NAT address, so this would say to me it is getting out but the response is not getting back in. I am not sure really.

How do I change the seq numbers?

Thanks for your assistance.


