can not get nat to work with asa5505

Nov 17th, 2008

Hello everyone,

I have been busy for a few days trying to set up NAT with the asa5505. Please see the attachment for the configuration of the modem and the asa.

Hopefully someone can help me out.

Thanks in advance.

Jon Marshall Mon, 11/17/2008 - 12:53

You're going to have to tell us what you are trying to set up in terms of NAT and what is not working.


John Blakley Mon, 11/17/2008 - 13:24

I looked at your config and I'm assuming a couple of things (because this is the way that I have it set up at my house).

You have a router in front of the ASA, and you want your ASA to filter traffic that comes in from the router, so you have something like this:

Host --> ASA --> Router --> DSL --> Internet

IF I'm right, then I would suggest not natting at all. Your inside interface on the router is: and your public interface on the ASA is

Make sure that you can ping your router from the ASA:

ping outside

If you do that, then in your NAT configuration on the ASA:

no global (outside) 1 interface

no nat (inside) 1 0 0

You should be able to ping from an inside host out. Your route is set up correctly from the ASA.

If this ISN'T what you are needing, then yeah, you should let us know like Jon requested. :-)



rijperwaard Sat, 11/22/2008 - 06:18

Hello John,

Thanks for your reply.

I can access the internet from any host behind the inside interface of the asa. The problem is:

Behind the inside interface there is a terminal server. The terminal users have to log on to it from anywhere. I cannot figure out how/where I should place the translation rule.

Hopefully you can help me out.

Thanks in advance.


John Blakley Sat, 11/22/2008 - 06:33

Try this:

static (inside,outside) interface netmask

On your public ACL:

permit tcp any interface outside eq 3389

What this does is tell the ASA to use the outside interface IP address as the public IP. In the public ACL, you're allowing anyone to come into the public IP address on port 3389 (terminal services). If you have a block of ip addresses, you can give any one of your addresses out of that block an assignment and forget about the "interface" keyword. In the following example, is the public ip address.

static (inside,outside) (private ip) netmask

In public ACL:

permit tcp any host eq 3389

Once you complete this, clear your translate table for it to take effect:

clear xlate
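As an added example (not from the original thread or its author), here is the complete pre-8.3 configuration that John's answer sketches, together with the router-side translation that the final post identifies as the second fix. The addresses, the ACL name `outside_in` and the `access-group` binding are assumptions; the thread elides all of them.

```cisco
! ---- ASA 5505, pre-8.3 NAT syntax (as used in this thread) ----
! Assumed addresses (placeholders, not from the thread):
!   terminal server   192.168.1.10 (inside)
!   ASA outside       192.168.0.2  (faces the 837's LAN side)
!
! Static PAT: forward only TCP/3389 arriving on the outside interface
! address to the terminal server. This exposes one port, whereas
! "static (inside,outside) interface <ip>" would expose the whole host.
static (inside,outside) tcp interface 3389 192.168.1.10 3389 netmask 255.255.255.255
!
! Permit the forwarded port. "interface outside" is the keyword form
! because the outside address is dynamic behind the DSL router.
! Replace "any" with the known admin source range where you can.
access-list outside_in extended permit tcp any interface outside eq 3389
!
! Without this binding the ACL is never evaluated; this is the
! "access rule in asa" step that is easy to miss.
access-group outside_in in interface outside
!
clear xlate

! ---- Cisco 837 in front of the ASA ----
! The router already overloads inside hosts onto Dialer0 for outbound
! traffic; this static entry is the inbound half, forwarding TCP/3389
! on the dialer address to the ASA outside IP. If Dialer0 carries an
! inbound access-list, it must also permit tcp any any eq 3389.
ip nat inside source static tcp 192.168.0.2 3389 interface Dialer0 3389
!
! Verify from a host on the Internet side only (hairpin tests from
! behind the ASA through its own outside address do not work):
!   show ip nat translations   (router: expect a 3389 entry)
!   show xlate                 (ASA: expect a PAT entry for 192.168.1.10/3389)
```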



John Blakley Sat, 11/22/2008 - 07:44

I'm not sure if this will work, but try the following:

On the router:

ip access-list ext EXTERNAL

permit tcp any any eq 3389

route-map TS permit 5

match ip address EXTERNAL

set ip next-hop

I'm not GREAT with policy maps, so I'd be interested in seeing if this works. How are you trying to get to the terminal server?


John Blakley Sat, 11/22/2008 - 07:58

I forgot to mention that you need to apply this policy map to the outside interface on your router:

int dialer0

ip policy route-map TS



rijperwaard Sat, 11/22/2008 - 08:02

no, it's still not working.

I use RDP to connect the terminal server.


John Blakley Sat, 11/22/2008 - 08:16

Do you have a topology diagram or something that you can draw up quickly? Where are you in relation to the terminal server? Are you in front of the router or behind the ASA?

host -> router -> asa -> terminal server

router -> host -> asa -> terminal server

router -> asa -> host -> ts


rijperwaard Sat, 11/22/2008 - 09:13

Still not working.

The terminal server is behind the asa. It looks like:

dsl -> router (dialer interface) -> asa (outside [], inside []) -> host (ts)


John Blakley Sat, 11/22/2008 - 09:16

Where are you at in the picture? On the DSL side going into the network, or ASA side going out?


rijperwaard Sat, 11/22/2008 - 09:44

The problem is on the DSL side going into the network.

By the way, inside out everything is ok.


John Blakley Sat, 11/22/2008 - 10:23

Understood. You won't be able to test this from behind the ASA. In other words, if you're connected to a switch or directly to the ASA, you can't go out to the internet and back into your public interface to test it; it won't work. You'll need to do this from another computer that's completely outside of your network.

That said, can you do a sh ip nat trans on the router, and a sh xlate on the ASA and post the results back. Again, if you're trying to test it from within your network and coming back in, it won't work.

rijperwaard Sat, 11/22/2008 - 14:41

Hello John,

Thanks for all your help and time.

I got the problem resolved. I did two things wrong. The first one was the access rule in asa, the second was the translation rule in the router.

Now the asa is working. The next step is to try to get the VPN working.

Thanks again.


rijperwaard Sat, 11/22/2008 - 06:28

That is right, Jon.

NAT is working. Anyone can get access to the internet behind the inside interface of asa.

The problem is the translation rule. Behind the inside interface there is a terminal server. I have no idea how/where I should configure the translation rule.

interface cisco 837

ip route dialer0
Nat: interface dialer0

Interface asa5505

ip route
no nat
