nat outside inside

Unanswered Question
Mar 29th, 2010


I have two external IP ranges. From outside everything is reachable, but from inside I cannot reach the external IP. In some cases this is necessary. I have an ASA 55xx with the latest OS. How can I configure the ASA to let internal clients reach the external IP ranges from inside? Do I need a static NAT rule for this? Does someone have an example for me? Thanks and regards.

acomiskey Mon, 03/29/2010 - 06:03

x.x.x.x = external ip

y.y.y.y = internal

same-security-traffic permit intra-interface

static (inside,inside) x.x.x.x y.y.y.y netmask

global (inside) 1 interface

nat (inside) 1 0 0

thorstenn Mon, 03/29/2010 - 09:51

For ASA version 8.3 these commands won't work, I think.

global (inside) 1 interface

nat (inside) 1 0 0

Kureli Sankar Mon, 03/29/2010 - 19:03
Old 8.2 and older Dynamic PAT:

nat (inside) 1 0 0
global (outside) 1 interface


New 8.3 dynamic PAT:
object network obj_any
   nat (inside,outside) dynamic interface


Lunzhicheng7 Mon, 03/29/2010 - 19:18

I wonder if you can show us more detail? It's hard to tell where it goes wrong without the configuration.

thorstenn Mon, 03/29/2010 - 21:38

For example, I have an internal server with a service on port 5467 for an outside IP with the same port. From a host inside the network with the IP I can perform a "telnet 5467" session and get an answer from the service.

From outside everything is fine too. But sometimes there is a need to reach the external IP from INSIDE the LAN.

For example, a host with needs to telnet the " 5467" from inside. And here is the problem: there is no answer from the service. Do you understand what I mean?

Interface config:

interface GigabitEthernet0/0
nameif outside
security-level 0
ip address
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address

Maybe of interest: if I look in the ASA log while I perform a telnet from inside to the outside IP, I see this:

4    Mar 30 2010    03:30:50    106563        Deny icmp src outside: dst inside: (type 5, code 1) by access-group "global_access" [0x0, 0x0]

2    Mar 30 2010    03:30:50    106556                    Deny IP spoof from ( to on interface outside

Jennifer Halim Mon, 03/29/2010 - 22:47

object network obj-
    nat (inside,inside) static

thorstenn Mon, 03/29/2010 - 23:05

Ok, for the whole subnet:

object network obj-

object network obj-
    nat (inside,inside) static obj-


Jennifer Halim Mon, 03/29/2010 - 23:21

If you are mapping the subnet, it will be translated sequentially, i.e.: --> -->

Since you have already configured specific translation before, you would need to do 1 IP address for whatever mapping you have configured earlier for the (inside,outside) translation.

thorstenn Mon, 03/29/2010 - 23:36

OK, I tried it with a single NAT and not the whole range, but it seems not to work for me. Here is what I've configured now for the address:

nat (inside,outside) source static

object network
nat (inside,inside) static

Lunzhicheng7 Mon, 03/29/2010 - 23:31

I'm not quite sure whether I misunderstood the meaning. In the case of your example, since your internal user ( needs to visit an internal server(, the traffic seems to have no need to go through the firewall; the two IP addresses are in the same subnet. If you want the internal users to see the server as a NATed address, you may need to add one more translation entry "static (inside,inside)"; meanwhile you need to add "same-security-traffic permit intra-interface".
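The thread converges on hairpin (U-turn) NAT: acomiskey's pre-8.3 `static (inside,inside)` form and Jennifer Halim's 8.3 object NAT form both aim at it. The following is an added, complete ASA 8.3+ configuration for that scenario, written for this page and not posted by any participant. Every address is a constructed RFC 5737 documentation value (10.1.1.10 real server, 203.0.113.10 public address, 10.1.1.50 client); the object names and the ACL name are assumptions; port 5467 is the service port from the thread.

```cisco
! Added example (not from the thread): ASA 8.3+ hairpin NAT so inside clients
! can reach an inside server through its public address.
! Addresses are constructed RFC 5737 values; object and ACL names are assumed.

! 1. Allow a flow to enter and leave the same interface (required for hairpinning).
same-security-traffic permit intra-interface

! 2. Real (inside) and mapped (public) addresses of the server as network objects.
object network obj-srv-real
 host 10.1.1.10
object network obj-srv-public
 host 203.0.113.10

! 3. Normal mapping: outside clients reach 203.0.113.10, translated to 10.1.1.10.
nat (inside,outside) source static obj-srv-real obj-srv-public

! 4. Hairpin mapping for inside clients that connect to 203.0.113.10.
!    The destination is untranslated to the real server, and the client's source
!    is PATed to the inside interface address so the server's reply returns via
!    the ASA instead of going straight to the client on the same subnet (which
!    would leave the client waiting on a reply from the wrong address).
nat (inside,inside) source dynamic any interface destination static obj-srv-public obj-srv-real

! 5. Permit the service from outside. On 8.3+ the ACL references the real address.
access-list outside_access_in extended permit tcp any object obj-srv-real eq 5467
access-group outside_access_in in interface outside

! Verification (constructed client 10.1.1.50): trace an inside-to-public flow and
! confirm the NAT phase matches rule 4 and the final result is ALLOW.
! packet-tracer input inside tcp 10.1.1.50 40000 203.0.113.10 5467
! show nat detail
```

Two points worth checking before relying on this: the twice NAT rule in step 4 must be evaluated before any object NAT rules that also cover the client subnet (twice NAT rules sit in section 1 by default, ahead of object NAT in section 2, so the ordering above works without a `after-auto` keyword), and the source PAT means the server sees every hairpinned connection as coming from the ASA's inside address, which matters for server-side logging and per-client access rules. Where that loss of client attribution is unacceptable, split DNS (resolving the public name to the private address for inside clients) avoids hairpin NAT entirely.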

