ASA 5510 with Static NAT

Unanswered Question
Dec 15th, 2009

Hi friends,

I am Saravanan from Bangalore. At one of our customers we need to put a static IP for access from outside (internet).

Inside ------------------------> ASA 5510 -----------------> 1800 router  ------>  outside    .254       .254/30            218.X.X.177

Actually, here in the router we configured the static NAT translation, but I want to configure it in the ASA 5510. I tried to configure static NAT but I am not able to configure it. Please check the config.

Then I want to allow FTP, Telnet, Remote Desktop, HTTP and HTTPS also.

static (inside, outside) tcp 218.X.X.180 netmask

I want the .201, .202, .203, .204 IP addresses to access outside as 218.X.X.180, 181, 182, 183.

Router config

interface FastEthernet0/0
 ip address 218.X.X.177
 ip access-group 102 in
 ip nat outside
 duplex auto
 speed auto
interface FastEthernet0/1
 ip address
 ip nat inside
 duplex auto
 speed auto
ip classless
ip route 218.X.X.178
ip route
no ip http server
ip nat pool INTERNET 218.X.X.180 218.X.X.180 netmask
ip nat inside source list 101 pool INTERNET overload
ip nat inside source static 218.X.X.184
ip nat inside source static 218.X.X.185
access-list 101 permit ip any
access-list 102 deny   ip any
access-list 102 deny   ip any
access-list 102 deny   ip any
access-list 102 deny   ip host any
access-list 102 deny   ip host any
access-list 102 deny   ip any
access-list 102 deny   ip any
access-list 102 deny   ip any
access-list 102 deny   ip any
access-list 102 deny   icmp any any
access-list 102 deny   tcp any any eq ident
access-list 102 deny   tcp any any eq 137
access-list 102 deny   tcp any any eq 138
access-list 102 deny   tcp any any eq 447
access-list 102 deny   tcp any any eq 81
access-list 102 deny   tcp any any eq 135
access-list 102 deny   tcp any any eq 444
access-list 102 deny   tcp any any eq 445
access-list 102 permit ip any any

ASA Config

interface Ethernet0/0
 nameif OUTSIDE
 security-level 0
 ip address
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address
ftp mode passive
access-list BROWSING extended permit ip any
access-list INTERNET extended permit ip any any
access-list INTERNET extended permit icmp any any
pager lines 24
logging asdm informational
mtu OUTSIDE 1500
mtu inside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
asdm image disk0:/asdm-603.bin
no asdm history enable
arp timeout 14400
static (inside,OUTSIDE) netmask
access-group INTERNET in interface OUTSIDE
route OUTSIDE 1
http server enable
http management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet inside
telnet timeout 5
ssh timeout 5

Kureli Sankar Tue, 12/15/2009 - 10:31

On the ASA do the following:

1. add nat exemption with an ACL. Deny this one host going any where and permit the rest in the acl.

2. remove the identity static line

static (inside,OUTSIDE) netmask


3. add this static line static (inside, outside)  218.X.X.180 netmask or as static pat

static (inside, outside) tcp 218.X.X.180 21 21 netmask

static (inside, outside) tcp 218.X.X.180 23 23 netmask

static (inside, outside) tcp 218.X.X.180 3389 3389 netmask

static (inside, outside) tcp 218.X.X.180 443 443 netmask

4. On the router remove 218.X.X.180 from the pool.

Honestly I would either move all the translation onto the ASA or leave it on the Router.  You are trying to leave dynamic NAT on the router and move the static NAT onto the ASA.


psaravanan Tue, 12/15/2009 - 10:42

thanks for your reply,

I already tried to remove the 218.X.X.180 pool from the router, but then the internet connection does not reach my ASA.

Then I tried the following command in the router.

ip nat inside

ip global outside interface.

This command is also not working in the router (not able to connect to the internet).

Kureli Sankar Tue, 12/15/2009 - 11:11


Pls. let us know once you complete all the steps that I listed.

You need to overload it to the outside interface IP address if that is the only address in the pool

ip nat inside source list 101 interface FastEthernet0/0 overload

Once done, get the output of "sh xlate debug | i and make sure the ASA is translating the address properly.


psaravanan Sat, 01/02/2010 - 10:00

Hi friends,

I already tried the below configuration, but it's not working.

Router config:

I removed the pool, then put FastEthernet with overload.

ip nat inside source list 101 interface fastethernet 0/1 overload

access-list 101 permit ip any

Then in ASA 5510 side

I created static NAT,

static(inside,outside) 218.X.X.181 tcp 21 tcp 21 netmask

static(inside,outside) 218.X.X.181 tcp 23 tcp 23 netmask

static(inside,outside) 218.X.X.181 tcp http tcp http netmask

static(inside,outside) 218.X.X.181 tcp https tcp https netmask

static(inside,outside) 218.X.X.182 netmask

Even so, I am not able to connect from outside.

Please help me.

YANGCCIE4 Sun, 01/03/2010 - 09:48

Hi ,

I saw so many ACLs in the 1800 router; it seems to be performing the firewall function, and you also have an ASA. I am wondering whether the architecture is appropriate.
psaravanan Sun, 01/03/2010 - 03:54

Hi friends,

Tell me the right solution. I want to enable the particular outside IP to be permitted in my router; is it OK or not?

Kureli Sankar Sun, 01/03/2010 - 15:53


If I remember right you were going to remove the IP from the pool on the router, use the interface to PAT, and do static translation on the ASA.

You need to verify the following.

1. Static PAT translation is working on the ASA. "sh xlate debug | i"

2. The router will send packets to the ASA for this particular IP address.

3. Collect captures on the ASA to see if packets are arriving.

4. Check the logs on the ASA to see what they may be revealing.

5. Most of all, the ACL applied on the outside interface of the ASA is allowing this traffic.

Pls. remember to verify the following for all flows through the firewall.

Kent Heide Sun, 01/03/2010 - 16:33

How do you expect the ASA to do statics for the outside IPs when they exist in front of the 1800? No packets will reach the ASA with a destination containing those addresses. The traffic will stop in your router because it is doing NAT. Why don't you just put the router and the ASA on the same segment? I don't see any reason why you're doing it the way you're doing it.

Kureli Sankar Mon, 01/04/2010 - 05:33

It is very much possible to do what Saravanan is trying to accomplish provided he configures the ASA and router properly.

Pls. also make sure that this traffic (static pat) is exempted in the nat overload list that you have added on the router. You need a deny before the permit.
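
Putting Kureli Sankar's four steps from the first reply together with the deny-before-permit note above, as an added example that is not from the thread, from an attachment, or from Cisco documentation. The private addresses are constructed placeholders (inside server 10.10.10.201 in 10.10.10.0/24, ASA OUTSIDE 192.168.254.1/30, router FastEthernet0/1 192.168.254.2/30); 218.X.X.180 is kept as the poster redacted it. The asdm-603 image in the posted config suggests ASA 8.0, so the pre-8.3 `static` / `nat 0` syntax is used.

```cisco
! ===== ASA 5510 (pre-8.3 NAT syntax) =====
! Step 2: remove the identity static. The placeholder network stands in for
! the redacted network in the original line.
no static (inside,OUTSIDE) 10.10.10.0 10.10.10.0 netmask 255.255.255.0
!
! Step 1: NAT exemption. Exemption (nat 0 access-list) is evaluated before
! static, so the host that must be translated is denied first; every other
! inside host leaves untranslated and is PATed by the router.
access-list NONAT extended deny ip host 10.10.10.201 any
access-list NONAT extended permit ip 10.10.10.0 255.255.255.0 any
nat (inside) 0 access-list NONAT
!
! Step 3: static PAT, one line per published service
! (mapped_ip mapped_port real_ip real_port).
static (inside,OUTSIDE) tcp 218.X.X.180 21 10.10.10.201 21 netmask 255.255.255.255
static (inside,OUTSIDE) tcp 218.X.X.180 23 10.10.10.201 23 netmask 255.255.255.255
static (inside,OUTSIDE) tcp 218.X.X.180 80 10.10.10.201 80 netmask 255.255.255.255
static (inside,OUTSIDE) tcp 218.X.X.180 443 10.10.10.201 443 netmask 255.255.255.255
static (inside,OUTSIDE) tcp 218.X.X.180 3389 10.10.10.201 3389 netmask 255.255.255.255
!
! Check 5: the OUTSIDE ACL must permit the flow. Pre-8.3 ACLs on the outside
! interface match the mapped (public) address. Listing the published ports
! instead of "permit ip any any" limits the exposure to those services, and
! "log" gives a syslog line to look for while testing (check 4).
! Telnet and FTP carry credentials in clear text; if they must stay published,
! narrow the source from "any" to the known client addresses.
no access-list INTERNET extended permit ip any any
access-list INTERNET extended permit tcp any host 218.X.X.180 eq 21 log
access-list INTERNET extended permit tcp any host 218.X.X.180 eq 23 log
access-list INTERNET extended permit tcp any host 218.X.X.180 eq 80 log
access-list INTERNET extended permit tcp any host 218.X.X.180 eq 443 log
access-list INTERNET extended permit tcp any host 218.X.X.180 eq 3389 log
access-group INTERNET in interface OUTSIDE
!
! Check 1 from the ASA CLI after a connection attempt:
!   show xlate debug | include 218.X.X.180
!
! ===== 1800 router (IOS) =====
! Step 4 and the follow-up: drop the pool, PAT to the outside interface, and
! deny the ASA-translated source before the permit so it is not translated
! a second time (a deny in a NAT ACL only skips translation, it does not drop).
clear ip nat translation *
no ip nat inside source list 101 pool INTERNET overload
no ip nat pool INTERNET
ip nat inside source list 101 interface FastEthernet0/0 overload
no access-list 101
access-list 101 deny   ip host 218.X.X.180 any
access-list 101 permit ip 10.10.10.0 0.0.0.255 any
!
! Check 2: the public address must be routed to the ASA's OUTSIDE interface,
! and the inside network behind it for return traffic. If 218.X.X.180 lies on
! the FastEthernet0/0 subnet, IOS proxy ARP (on by default) answers for it
! because the route now points out another interface; if the ISP routes the
! block to 218.X.X.177 nothing more is needed.
ip route 218.X.X.180 255.255.255.255 192.168.254.1
ip route 10.10.10.0 255.255.255.0 192.168.254.1
! Inbound ACL 102 on FastEthernet0/0 ends in "permit ip any any", so traffic
! to 218.X.X.180 is already allowed through to the ASA.
```

The order on the router matters: the dynamic mapping must be removed and active translations cleared before the pool can be deleted, and the inside network behind the ASA needs a route on the router even though the ASA is no longer translating it, otherwise replies from the exempted hosts have nowhere to go.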


francisco_1 Mon, 01/04/2010 - 05:44


Why don't you simplify your configuration by letting the ASA take care of destination NAT translations instead? You don't need NAT enabled on your internet router when you have a firewall that can handle NAT. By having NAT on both router & ASA you are adding more complexity!

Here is a simple design that will work for you

Kent Heide Mon, 01/04/2010 - 07:44

And doing that requires him to change his IP addressing scheme and get rid of NAT. So basically a completely new setup.

francisco_1 Tue, 01/05/2010 - 05:42


Sounds like there are a few things you need to take into consideration based on what others have commented.

Is your internet router managed by you or the ISP?

If you plan to have the NAT on the ASA, since you are introducing the ASA into your LAN (the option I would go for), then you need to get the ISP to allocate you public IPs for the connection between ASA and router. This will require small IP changes on your web tier between the ASA and router, and removing all NAT entries on the router and enabling them on the ASA (simple config change). Looking at your configs you don't have a lot to change, so you might be able to do it all in one go.

Or we try to get your existing design working.

I will build your existing config in the lab, hopefully tonight, and test. Will get back to you.


francisco_1 Tue, 01/05/2010 - 16:54

OK, I got Psaravanan's setup working with the Internet router doing NAT and the ASA configured with no nat-control enabled. The ASA is only routing, with NAT disabled.

In the lab I set up 3 routers and 1 ASA as:

ISP Router -> WAN Router - This is ISP to client router connectivity

WAN Router -> ASA FW - This is client Internet router to client firewall

ASA FW -> Core Router - This is client firewall to private core switch

I used the Core router as the client to test telnet connectivity, by enabling NAT on the WAN router and enabling the ACL and routing on the ASA to forward the NATed telnet traffic to the Core for telnet traffic from the ISP router.

See attachment for configs, including testing results.

Hope that makes sense...


To get your config going just use the config I have attached as an example to configure your ASA and static source NAT on your router. The config is very simple. If you decide to enable NAT on the ASA then just follow the URL I mentioned above.

Good luck..


psaravanan Wed, 01/06/2010 - 08:42

Thanks Mr. Francisco,

My existing setup is like this only. I already used static NAT in the router, but that router hangs after 20 minutes while being used from outside. So I want to move the static NAT to the ASA.

Then I configured static NAT in the ASA, but it's not working properly.

francisco_1 Wed, 01/06/2010 - 09:26

To enable NAT on the ASA for public connections you are going to have to change the IPs on the interface between your ISP router and the ASA, and make some changes to remove NAT on the router and enable it on the ASA.

Before going down that path, try the steps below on your current setup and let us know the outcome.

On the Router

ip nat inside source static 218.X.X.184
ip nat inside source static 218.X.X.185

interface FastEthernet0/0
 no ip access-group 102 in  (No need for this as your ASA is now taking care of this)


no nat-control
access-list INTERNET extended permit tcp host 218.X.X.184 host eq [your traffic port] log
access-list INTERNET extended permit tcp host 218.X.X.185 host eq [your traffic port]  log

no static (inside,OUTSIDE) netmask
no access-list INTERNET extended permit ip any any
no access-list INTERNET extended permit icmp any any

For example, if your server is listening on http:

access-list INTERNET extended permit tcp host 218.X.X.184 host eq http log


Test by connecting to 218.X.X.184 on whatever port you have allowed on the ASA (the server inside should be listening on that port).

Look at "sh ip nat translations" on your router - post the output.

And debug flow on the ASA and post the output.
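
The alternative francisco_1 lays out above (translation stays on the router, the ASA only filters), with the redacted values filled in by constructed placeholders: the same inside server 10.10.10.201 in 10.10.10.0/24 behind ASA OUTSIDE 192.168.254.1 and router FastEthernet0/1 192.168.254.2, published as the thread's 218.X.X.184. This is an added example, not francisco_1's attachment or lab config. The one thing it makes explicit is what the ASA sees in this design: the router rewrites the destination before the packet reaches the ASA, so the OUTSIDE ACL names the server's private address, with the Internet client as the source.

```cisco
! ===== 1800 router (IOS): translation stays here =====
ip nat inside source static 10.10.10.201 218.X.X.184
ip nat inside source list 101 interface FastEthernet0/0 overload
access-list 101 permit ip 10.10.10.0 0.0.0.255 any
! The inside network must be reachable through the ASA for the untranslate.
ip route 10.10.10.0 255.255.255.0 192.168.254.1
interface FastEthernet0/0
 no ip access-group 102 in
!
! ===== ASA 5510: no translation, stateful filtering only =====
no nat-control
no static (inside,OUTSIDE) 10.10.10.0 10.10.10.0 netmask 255.255.255.0
no access-list INTERNET extended permit ip any any
no access-list INTERNET extended permit icmp any any
! After the router's static NAT the packet arriving on OUTSIDE is
! <client> -> 10.10.10.201:80, so the destination in the ACL is the private
! address, not 218.X.X.184. One explicit port per published service.
access-list INTERNET extended permit tcp any host 10.10.10.201 eq http log
access-list INTERNET extended permit tcp any host 10.10.10.201 eq https log
access-group INTERNET in interface OUTSIDE
!
! Verification asked for in the thread. 198.51.100.10 is a constructed
! client address; packet-tracer walks the flow through route lookup, ACL
! and NAT and reports the first stage that drops it.
!   router# show ip nat translations
!   asa#    packet-tracer input OUTSIDE tcp 198.51.100.10 40000 10.10.10.201 80
!   asa#    show logging | include 10.10.10.201
```

If packet-tracer reports a drop at the ACL stage while a connection test shows a translation on the router, the mismatch is almost always an ACL written against the public address in a design where the ASA never sees it; the `show logging` line confirms which address and port actually reached the interface.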

psaravanan Mon, 01/11/2010 - 10:08

Sorry friends,

Still I am not able to resolve it.

On the router side, I enabled the routing table.

ip route

Then on the ASA side, I enabled the ICMP permit.

icmp permit any OUTSIDE

From the ASA to the router IP, I am able to ping.

From the router to the ASA IP, I am able to ping, but I can't ping any IP in the network from the router. I enabled the route.

I think, if I am able to ping from the router, then the problem will be solved.

In the ASA, I already enabled static NAT to the outside IP. Then the router will pass all traffic coming from outside to the ASA.

Please give a valuable suggestion.
