ASA - Port based NAT'ing of outside source addresses

Unanswered Question
Feb 24th, 2009

I am in the process of migrating web services from Checkpoint to ASA. Can I NAT the source address of incoming packets destined for a web server on port 80? The intent here is to be able to migrate a webserver at a time. NAT'ing of the source address would allow me to have the web server return the packet via the ASA by using a static route for that subnet on the Web server.

Jon Marshall Tue, 02/24/2009 - 14:01

Yes, you can do this on the ASA.

nat (outside) 2 outside

global (dmz) 2 interface

this assumes that the web server is on the dmz and that you want to PAT all source addresses to the dmz interface address.


cchughes Tue, 02/24/2009 - 14:50

That's good, but what I really need is the ability to NAT based on the destination port.

I have two internet connections (A and B) on different address space (for now). I have the ASA pointing at connection B as a default. The checkpoint points at A.

There is a DMZ that both CP and ASA are connected to.

Web server is in DMZ. Here's the packet flow:

A DNS change is made that points webserver name to connection B.

Packet comes to connection B. ASA translates src to and routes to the webserver in the dmz.

The webserver knows to send the packet back to the ASA because it has been loaded with a static route that points the traffic bound for to the ASA.

The ASA reverses the translated source (now a destination) to and sends it on its way.

Without the translated source address I have no way to force the return traffic to the ASA and the legacy default gateway is CP.

I'm shooting for a phased migration based on service type and this was a potential solution. I could just migrate the server but because it hosts many services the chance of a misconfig of one or two makes me worry.

Eventually both connections (A and B) are going to be on the same network, but I don't want to change the subnet and firewall at the same time.

To migrate the web server to the ASA my thought was to first config a static route on the edge rtr that points to the ASA. On the ASA I NAT all incoming traffic source addresses that are destined for my web server on port 80 to

In the dmz (which is dual homed to both checkpoint and ASA) I configure a static route on the

Jon Marshall Tue, 02/24/2009 - 16:43

You could try policy NAT, although I have never used it from outside to inside, i.e.

assuming web server address is

access-list web permit tcp any host eq 80

nat (outside) 2 access-list web outside

global (dmz) 2 interface


cisco24x7 Tue, 02/24/2009 - 17:13

What you described to me can be done with policy NAT something like:

access-list test permit ip any host

static (outside,dmz) access-list test

I do not have a Pix with me to play.

Honestly, I gave up on Cisco regarding complex NAT on the ASA. It is so convoluted and difficult to implement. I think your customer is making a mistake in moving from Checkpoint to ASA when they have complex NAT requirements.

What you described can be done on a Checkpoint firewall in less than 10 seconds with a junior firewall admin.

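A fuller version of the policy NAT approach both replies sketch, written here as an added example (not configuration posted by anyone in this thread), in pre-8.3 ASA syntax with constructed RFC 5737 addresses. It assumes the DMZ subnet is 198.51.100.0/24, the ASA dmz interface is 198.51.100.1, and the web server holds 198.51.100.80 directly, so nothing about the server's address changes during the migration.

```text
! Added example, ASA 8.2-style (pre-8.3) syntax. Addresses are constructed
! (RFC 5737 documentation ranges), not anyone's real values.
! Assumptions: DMZ subnet 198.51.100.0/24, ASA dmz interface 198.51.100.1,
! web server 198.51.100.80 holding that address directly.

! 1. Let outside hosts reach the web server on port 80 (identity static,
!    so the server keeps its own address as seen from the Internet).
static (dmz,outside) 198.51.100.80 198.51.100.80 netmask 255.255.255.255
access-list OUTSIDE_IN extended permit tcp any host 198.51.100.80 eq 80
access-group OUTSIDE_IN in interface outside

! 2. Policy NAT keyed on destination port: only HTTP to this one server
!    gets its SOURCE address rewritten. The server's other services are
!    untouched and keep flowing through the Checkpoint for now.
access-list WEB_SRC_PAT extended permit tcp any host 198.51.100.80 eq 80
nat (outside) 2 access-list WEB_SRC_PAT outside
global (dmz) 2 interface

! With "global ... interface" every client appears to the server as
! 198.51.100.1, which is on the server's own subnet, so the reply comes
! back to the ASA without any route change on the server.
!
! Variant matching the original plan (dedicated subnet plus static route):
!   global (dmz) 2 192.0.2.1-192.0.2.254 netmask 255.255.255.0
! and on the web server a route for 192.0.2.0/24 via 198.51.100.1.
```

After a test connection, `show xlate` should list one entry per client mapping it to the dmz-side address; a missing entry means the packet never matched WEB_SRC_PAT and the reply will follow the server's default gateway back to the Checkpoint.
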
cchughes Wed, 02/25/2009 - 11:23

LOL. You mean the simple ASDM GUI isn't simple? (kidding) I hear you. I build tunnels and then go command line and read them. What a mess.
