ASA 8.3 NAT Question

Unanswered Question
Mar 20th, 2010
User Badges:


I hope someone could help me out. I'm trying to figure out how the new NAT is working in 8.3.


I have an ASA behind an DSL connection with exact one dynamic external IP (e.g. home office). In my internal network I have two servers one FTP (listening on tcp/21) and another WEB (listening on tcp/80) server. Now I want to make this two servers accessible from the outside (internet). But I can't figure out the right commands...

(external) IP ASA:

IP Webserver:


Since I have only one static external IP must I use static or dynamic NAT? Could someone post me the right configuration line?

Many thanks for your help,


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
m.hoeschen Sat, 03/20/2010 - 05:27
User Badges:
I've solved my problem.
It's all about the order... The new more specific rules have to be procecced before my dynamic NAT rule (nat (inside,outside) source dynamic Inside-Company-LAN interface)
The Port translations rules have to be static rules by the way.
Jennifer Halim Sat, 03/20/2010 - 05:28
User Badges:
  • Cisco Employee,
object network obj-web-
   nat (inside,outside) static interface service tcp 80 80

object network obj-ftp-
   nat (inside,outside) static interface service tcp 21 21

And remember the normal access-list on the outside interface to allow those traffic.

Hope that helps.

vilaxmi Sun, 03/21/2010 - 11:37
User Badges:
  • Cisco Employee,


Just to add what Halijenn already informed about the static translation, the inbound ACL in 8.3 code, bound to the outside interface,

should include the Local IP address of host, instead of Public IP address (peculiar of 8.3 code!).

Thank you



This Discussion