ASA 5510 secondary IP on outside

Unanswered Question
May 3rd, 2010

Not being too familiar with the ASA, I have everything configured that I need and it is working. The problem now is, I am trying to get an additional external IP address working to point to a new server inside our network. In many other firewalls and even on a PIX I know how to do this, but something does not seem to be working. Here is the scenario:

Existing static IP that is working:

New IP address to add:

Here is the entire config showing the lines with WVSHAREPOINT, which is the internal server we are trying to publish. This site works internally, so it has to be a config error. I simply get a timeout when accessing it from the outside. Any help would be greatly appreciated.

User Access Verification

Type help or '?' for a list of available commands.
ciscoasa> en
Password: ******
ciscoasa# config t
ciscoasa(config)# sho run
: Saved
ASA Version 8.2(1)
hostname ciscoasa
domain-name xxxxxxx
enable password xxxxxxxx encrypted
passwd xxxxxxx encrypted
interface Ethernet0/0
nameif outside
security-level 0
ip address
interface Ethernet0/1
nameif inside
security-level 100
ip address
interface Ethernet0/2
no nameif
no security-level
no ip address
interface Ethernet0/3
no nameif
no security-level
no ip address
interface Management0/0
nameif management
security-level 100
ip address
ftp mode passive
dns server-group DefaultDNS
domain-name womenventure
same-security-traffic permit inter-interface
object-group service RDP-WVSERVER tcp
port-object eq 3391
object-group service RDP-TERMSRVR tcp
port-object eq 3389
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service DM_INLINE_TCP_1 tcp
port-object eq echo
port-object eq www
port-object eq https
access-list 101 extended permit tcp any host eq www
access-list 101 extended permit tcp any host eq 3389
access-list 101 extended permit tcp any host eq https
access-list 101 extended permit tcp any host eq smtp
access-list 101 extended permit tcp any host eq 3391
access-list 101 extended permit tcp any host eq pptp
access-list 101 extended permit icmp any any echo-reply
access-list 101 extended permit icmp any any unreachable
access-list acl_inside extended permit tcp host WVSERVER any eq smtp
access-list acl_inside extended deny tcp any any eq smtp
access-list acl_inside extended permit ip any any
access-list outside_access_in extended permit tcp any host WVSHAREPOINT eq https
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1
static (inside,outside) tcp interface 3389 WVTERMSRV 3389 netmask
static (inside,outside) tcp interface smtp WVSERVER smtp netmask
static (inside,outside) tcp interface 3391 WVSERVER 3391 netmask
static (inside,outside) tcp interface pptp WVSERVER pptp netmask
static (inside,outside) tcp interface https WVSERVER https netmask
static (inside,outside) tcp https WVSHAREPOINT https netmask
access-group outside_access_in in interface outside
access-group acl_inside in interface inside
route outside 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable 444
http management
http inside
http outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt noproxyarp outside
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet outside
telnet inside
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect pptp
service-policy global_policy global
prompt hostname context
: end

Please have a look over the config and let me know where I am going wrong. Thank you!


dtochilovsky Mon, 05/03/2010 - 10:14

Try changing the outside access list to reflect the public IP address and not the internal one:

access-list outside_access_in extended permit tcp any host x.x.65.196 eq https

And also try just simple NAT instead of doing a port translation:

static (inside,outside) WVSHAREPOINT netmask


ronwoods Mon, 05/03/2010 - 10:53

I have tried both of these suggestions, with the same results: timeout on the outside. I assume these were to be used together and that I should remove the old one, which I did; is that correct?

astripat Mon, 05/03/2010 - 11:17

Hi Ron,

Change the ACL as below, as mentioned by Dmitry earlier:

access-list outside_access_in line 1 permit tcp any host x.x.65.196 eq https

Try accessing it after that and see if we get any hit counts in the ACL.



dtochilovsky Mon, 05/03/2010 - 11:23

Yes, try clearing the xlates as Ashu just mentions below; that will clear any old static translations and you should be able to use the new ones. As a rule of thumb you should clear the old ones any time you make a change to the NAT...

ronwoods Mon, 05/03/2010 - 11:59

Okay, one question... I turned on logging; is this how I view hit counts on an ACL, or how is that done?

Thanks again for all your help!


dtochilovsky Mon, 05/03/2010 - 12:04

Hit counts show up when you display an access list.

Run this command: show access-list outside_access_in

and see if the count of hits at the end of the access list is increasing;

it should be something like: (hitcnt = 10).

astripat Mon, 05/03/2010 - 12:18

That means the traffic is not even making it up to the firewall. We need to check whether the traffic is being blocked before it reaches the firewall.


dtochilovsky Mon, 05/03/2010 - 12:19

Anything in the logs regarding that connection?

Make sure you enable logging to send logs; run this: logging enable

astripat Mon, 05/03/2010 - 12:38


Also ensure that proxy ARP is enabled on the outside. Enter the following command to be sure:

no sysopt noproxyarp outside
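Pulling the replies together, here is an added ASA 8.2 configuration example that publishes an inside host on a second public address. It is not from the original post or from any of the replies. The inside address 10.10.10.50 and the name entry are constructed placeholders; x.x.65.196 is the public address the replies use and is assumed to lie in the outside interface's subnet (which is what lets the ASA answer ARP for it) and to be the address that was elided from the posted port-level static line.

```cisco
! Added example: one-to-one static NAT for a second public IP on ASA 8.2
! 10.10.10.50 is a constructed placeholder for the SharePoint server's inside address
names
name 10.10.10.50 WVSHAREPOINT

! 1. Map the public address to the inside host. The "no" line assumes the
!    elided address in the posted port-level static was x.x.65.196.
no static (inside,outside) tcp x.x.65.196 https WVSHAREPOINT https netmask 255.255.255.255
static (inside,outside) x.x.65.196 WVSHAREPOINT netmask 255.255.255.255

! 2. On 8.2 the outside ACL is evaluated against the PUBLIC (pre-NAT)
!    address, so the permit must name x.x.65.196, not the inside host.
no access-list outside_access_in extended permit tcp any host WVSHAREPOINT eq https
access-list outside_access_in extended permit tcp any host x.x.65.196 eq https
access-group outside_access_in in interface outside

! 3. Let the ASA answer ARP for x.x.65.196 on the outside segment.
!    The posted config disables this with "sysopt noproxyarp outside".
no sysopt noproxyarp outside

! 4. Drop translations built under the old static so the new one takes effect.
clear xlate

! 5. Verification: the hitcnt on the permit line should climb with every
!    outside HTTPS attempt, an xlate for the public address should appear,
!    and the buffered log shows build/teardown or deny messages for it.
show access-list outside_access_in
show xlate | include 65.196
logging enable
logging buffered informational
show logging | include 65.196
```

If x.x.65.196 is not in the outside interface's subnet, proxy ARP is irrelevant and the upstream router must instead route the address to the ASA's outside interface; a hit count that stays at zero after these changes points at that upstream path, as astripat says. On ASA 8.3 and later the NAT syntax moved to `object network` with `nat (inside,outside) static`, and access lists are evaluated against the real (inside) address, so the ACL change in step 2 would be reversed there. Separately from the NAT problem, the posted dump permits telnet and HTTP management from the outside interface; restricting those to inside or management addresses is worth doing at the same time.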


