How can I let the inside stations access Internet with single Public IP?

Unanswered Question
Mar 11th, 2009
The IP Information of my network:

inside: when ASA5505 firewall with ip

outside: 2**.**.***.132

with 6 usable public IPs (2**.**.***.129-2**.**.***.134).

When I use the default setting of the ASA 5505 to let all inside stations access the Internet with dynamic NAT, all inside stations fail to access the Internet. Then I statically mapped 2**.**.***.130 to for testing purposes. After that, can access the Internet, but the other stations in the same network cannot. So I wish to know how I can let the other stations access the Internet with a single public IP.

Here is my running config. Moreover, I wish to know how to set it up so that the inside stations can ping outside websites (e.g. Google):


interface Vlan1
 nameif inside
 security-level 100
 ip address

interface Vlan2
 nameif outside
 security-level 0
 ip address 2**.**.***.132

interface Ethernet0/0
 switchport access vlan 2

interface Ethernet0/1

interface Ethernet0/2

interface Ethernet0/3

interface Ethernet0/4

interface Ethernet0/5

interface Ethernet0/6

interface Ethernet0/7

ftp mode passive
access-list outside_access_in extended permit tcp any host 2**.**.***.130
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-613.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1
static (inside,outside) 2**.**.***.130 netmask
access-group outside_access_in in interface outside
route outside 2**.**.***.129 2
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside

dhcpd address inside

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept

class-map inspection_default
 match default-inspection-traffic

policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp

service-policy global_policy global
prompt hostname context

: end

Jon Marshall Wed, 03/11/2009 - 04:43

The following 2 lines should allow your inside hosts access to the Internet -

global (outside) 1 interface

nat (inside) 1

How are you testing connectivity? If it is with ping, you will need to do further config, i.e.

access-list outside_access_in permit icmp any any echo-reply

access-group outside_access_in in interface outside


wongkw3008 Wed, 03/11/2009 - 19:42

>How are you testing connecitvity ?

I access by IE for testing connectivity. But only can access Google, and the other stations in the same subnet cannot.

Do I need to set an access rule to let the other stations access Internet web pages?

wongkw3008 Thu, 03/12/2009 - 21:28

Do I need to add this to allow Internet website access for the other inside stations?

"access-list outside_access_in extended permit tcp any any "


"access-list outside_access_in extended permit tcp any host 2**.**.***.132 "

bjssccouser Fri, 03/13/2009 - 07:57


The nat & global statements look OK; however, you've not assigned any ports to Vlan1 (the inside).

As with interface Ethernet0/0, you'll need to assign the other interfaces to vlan1 and enable them with 'no shutdown'. Also ensure your default route is correct, and the rest should be OK.
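A complete version of the pieces the two replies above describe (PAT for the whole inside subnet, the inside switchports, the default route, and stateful ICMP so inside hosts can ping out), added here as an example and not any poster's configuration. It uses the pre-8.3 nat/global syntax the thread uses, and every address in it is a placeholder (192.168.1.0/24 inside, 203.0.113.128/29 outside with 203.0.113.132 on the ASA, 203.0.113.129 as the ISP gateway, 192.168.1.10 as an example published server) because the original post's addresses are redacted:

```cisco
! Added example, not the original poster's config. All addresses are placeholders.
! Pre-8.3 NAT syntax (nat/global/static), matching the ASA 8.x config in the thread.
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 203.0.113.132 255.255.255.248
!
interface Ethernet0/0
 switchport access vlan 2
 no shutdown
!
! Ethernet0/1 - 0/7 belong to VLAN 1 (inside) and must not be shut down.
! Shown for one port; repeat for 0/2 - 0/7.
interface Ethernet0/1
 switchport access vlan 1
 no shutdown
!
! Default route: 0.0.0.0 0.0.0.0 then the ISP gateway, not a host route.
route outside 0.0.0.0 0.0.0.0 203.0.113.129 1
!
! Dynamic PAT: every inside host shares the outside interface address.
! The nat statement needs the inside network and mask after the NAT ID.
nat (inside) 1 192.168.1.0 255.255.255.0
global (outside) 1 interface
!
! Optional one-to-one static for a single server on a spare public IP.
! Statics coexist with the PAT pool; the static wins for that one host.
static (inside,outside) 203.0.113.130 192.168.1.10 netmask 255.255.255.255
!
! Inbound ACL: permit only the published service. Return traffic for outbound
! PAT connections is matched by the connection table, so no "permit tcp any any".
access-list outside_access_in extended permit tcp any host 203.0.113.130 eq www
access-group outside_access_in in interface outside
!
! Inside-to-outside ping: stateful ICMP inspection lets the echo-reply back in
! only for an echo the ASA forwarded, without opening ICMP from the Internet.
policy-map global_policy
 class inspection_default
  inspect icmp
```

Traffic from inside (security level 100) to outside (level 0) is permitted without an inside access-list, so the only ACL needed is the inbound one on the outside interface, and it only has to cover the static. `inspect icmp` is the narrower alternative to an outside-ACL entry permitting echo-replies: it ties each reply to an echo the firewall actually saw.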


connect2world Mon, 03/16/2009 - 23:58


Please do a sh ver on your ASA5505.

Licensed features for this platform:

Inside Hosts : Unlimited

The above statement should show unlimited hosts. If your license is not unlimited, you will have a problem connecting to the Internet from some machines once the number of connections is used up.

wongkw3008 Tue, 03/17/2009 - 19:40


I used sh ver to check, and inside hosts is unlimited.

Inside stations in my network with PAT still cannot connect to the Internet. I attached the log file and see "Teardown dynamic TCP translation". Has my PAT setting failed?

(210.**.***.132 is outside interface IP)

6|Mar 18 2009|09:10:28|305012||1441|210.**.***.132|12299|Teardown dynamic TCP translation from inside: to outside:210.**.***.132/12299 duration 0:01:00

connect2world Wed, 03/18/2009 - 05:19

I am suspecting your access list is the cause.

This statement :

access-list outside_access_in extended permit tcp any host 2**.**.***.130, tells the ASA to only allow incoming connections to IP 2**.**.***.130.

Your static statement:

static (inside,outside) 2**.**.***.130 netmask, tells the ASA to direct any incoming traffic from outside for 2**.**.***.130 only to the internal IP .

Try this to verify:

Take out the access-list statement by issuing this command:

no access-group outside_access_in in interface outside

Let me know if it works.

wongkw3008 Wed, 03/18/2009 - 20:45

Does it mean dynamic NAT and static NAT cannot work together?

But I set static NAT for test purposes because the default setting cannot let inside stations access the Internet. After I set the static NAT and access rule, can access the Internet, which means the route setting is correct.

connect2world Wed, 03/18/2009 - 22:21

I am not saying the static & dynamic can't work together. I am looking at the access-list being applied on the outside interface, which is preventing all your clients from accessing the Internet.

Please try removing the access-list first; if that doesn't work, you can always put the statement back.

wongkw3008 Thu, 03/19/2009 - 01:22

Do I need to set an inside route for dynamic NAT to work?

route inside 1

And does anyone know what "teardown dynamic tcp translation from inside" in the log file means?
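The commands below, added here as an example and not from anyone in the thread, check each piece in the order the thread has questioned it (ports, route, NAT, ACL) and decode the log message quoted earlier. Addresses are placeholders: 192.168.1.20 is an inside PC and 198.51.100.10 a web server on the Internet. On the log message itself: ASA syslog 305011 is "Built dynamic TCP translation" and 305012 is its "Teardown", so a 305012 line means the nat/global rule did match and a PAT slot was created and later aged out. Whether the TCP session actually completed is shown by the matching 302013/302014 connection messages, whose teardown reason (for example "SYN Timeout") points at where the traffic died.

```cisco
! Added example, not from the thread. Addresses are placeholders.
! 1. Are the inside switchports up and in VLAN 1?
show interface ip brief
show switch vlan
!
! 2. Is there a default route via outside? The inside subnet shows up as a
!    connected route on its own; no "route inside" is needed for local hosts.
show route
!
! 3. Do the NAT rules exist, and do PAT translations get built for inside hosts?
!    A working PAT shows 192.168.1.20 -> 203.0.113.132/<port> here.
show running-config nat
show running-config global
show xlate
!
! 4. Simulate a TCP SYN from the PC to port 80 through the full path
!    (ACL, NAT, route). Every phase prints ALLOW or DROP with a drop reason.
packet-tracer input inside tcp 192.168.1.20 12345 198.51.100.10 80 detailed
!
! 5. Read the build/teardown pairs for a real attempt:
!    305011/305012 = dynamic translation built / torn down
!    302013/302014 = TCP connection built / torn down (reason in the message)
logging enable
logging buffered informational
show logging | include 30501
show logging | include 30201
show conn address 192.168.1.20
```

Step 4 is the quickest way to separate a NAT problem from an ACL or routing problem: if packet-tracer allows the flow end to end, the remaining suspects are the switchport the PC is plugged into and the PC's default gateway, not the firewall rules.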

