Traffic to different WAN IPs

May 4th, 2010

Hello guys.

I have an ASA 5510 Sec Plus.

I'm new to Cisco.


Is it possible to send traffic from an internal host like: out through another WAN IP than the one bound to interface "outside"?

I tried it with this command:

nat (dmz) 2
global (outside) 2 netmask

nat (dmz) 3
nat (dmz) 3
global (outside) 3 netmask

and so on

But it doesn't seem to work.. actually the hosts cannot access the internet at all.. outside interface level 0, DMZ interface level 90, so there's no need to make an access list from DMZ to outside, right?

Jennifer Halim Tue, 05/04/2010 - 02:59

Definitely can. What you have configured is correct.

Just have to make sure that proxy arp is enabled on the outside interface.

Just check: "sh run sysopt" output, if you don't see "sysopt noproxyarp outside" command, that means proxy arp is enabled.

Also perform "clear xlate" after you configure the NAT/Global pair statements.

If you have no access-list assigned to the DMZ interface, traffic from DMZ to outside will be allowed by default. If you have configured an access-list on the DMZ interface, you would need to explicitly allow traffic from DMZ to outside.

Jennifer Halim Tue, 05/04/2010 - 03:11

Because those are virtual ip addresses that are not assigned to any interfaces, therefore it needs to have ARP resolution, and it would resolve to the ASA outside interface mac address when proxy arp is enabled so the router in front of the ASA can reach it.

Jennifer Halim Tue, 05/04/2010 - 03:41

OK, first of all, you can use overlapping public ip address for both static statement and global statement.

As per config for example: has been used on static port address redirection statement, so you can't use for your global statement.

---> so use a unique public ip address for your global statement.

Secondly, from the config, it seems that you have a lot of NAT statements. Traffic matches the NAT statements from top to bottom, not by the longest ip address/subnet match. If you do "sh run nat", you would see the list of NAT statements, and the order in which you configured them on the ASA would be the first match.

m1kkel1984 Tue, 05/04/2010 - 03:51

The reason why I have a lot of nat statements is because I have a lot of servers on the DMZ which have different WAN IPs applied to them, and therefore port 25 traffic to ip .98 is forwarded to the host that the .98 ip is attached to, the same with the .99 ip and so on.

Maybe there is a better way to handle this?

We are a small hosting provider and we host terminal servers and Exchange servers, and each customer has its own virtual server and WAN IP. You get the point...

Jennifer Halim Tue, 05/04/2010 - 04:13

Yes, I understand what you are trying to achieve.

However, on ASA, a public ip that has been assigned to a static statement cannot be assigned to the global statement. They can't overlap.

And in regards to the NAT statements, as mentioned earlier, it works top to bottom. So if you have the following list for example ("sh run nat" order - order as you configured the nat statements):

nat (dmz) 100

nat (dmz) 2

nat (dmz) 3

If traffic is sourced from for example, it will match the first nat statement instead of the second nat statement because nat is matched from top to bottom, ie: it will match line 1 first - "nat (dmz) 100".

If you would like traffic to match the second nat statement for traffic sourcing from, then you would need to remove the first line and reapply the first line, because when you remove the nat and reapply the line, it will be added to the bottom of the NAT list.

For example: if you remove "nat (dmz) 100", and reapply the same statement, the order from the above list will be as follows:

nat (dmz) 2

nat (dmz) 3

nat (dmz) 100

Then traffic sourcing from will now match the first line "nat (dmz) 2"
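
As an added illustration (not code from the thread), here is a small Python simulation of the pre-8.3 ASA nat ordering described above: first match top to bottom in entry order, not longest prefix, and a removed-and-reapplied line lands at the bottom. The addresses and nat ids are constructed; the security point is that a shadowed nat line silently sends traffic out through an unintended public IP.

```python
# Added example: simulate 'nat (dmz) <id> <net> <mask>' ordering on a pre-8.3 ASA.
# Statements are matched first-match, top to bottom, in the order entered;
# 'no nat ...' followed by re-entering the line appends it to the bottom.
# All addresses and ids below are constructed for the demo.
import ipaddress


class NatTable:
    def __init__(self):
        self.rules = []  # ordered list of (nat_id, network), as 'sh run nat' shows it

    def add(self, nat_id, cidr):
        """'nat (dmz) <id> <net> <mask>': always appended to the bottom."""
        self.rules.append((nat_id, ipaddress.ip_network(cidr)))

    def remove(self, nat_id, cidr):
        """'no nat (dmz) <id> <net> <mask>': deletes that exact line."""
        self.rules.remove((nat_id, ipaddress.ip_network(cidr)))

    def match(self, src_ip):
        """First match from the top (NOT longest prefix). Returns nat id or None."""
        addr = ipaddress.ip_address(src_ip)
        for nat_id, net in self.rules:
            if addr in net:
                return nat_id
        return None


def demo():
    t = NatTable()
    t.add(100, "192.168.10.0/24")  # catch-all, entered first
    t.add(2, "192.168.10.0/26")    # more specific, but entered later
    t.add(3, "192.168.10.64/26")
    before = t.match("192.168.10.5")  # 100: the broad line shadows nat 2
    t.remove(100, "192.168.10.0/24")
    t.add(100, "192.168.10.0/24")     # reapplied -> now at the bottom
    after = t.match("192.168.10.5")   # 2: the specific line is hit first
    return before, after, [i for i, _ in t.rules]


if __name__ == "__main__":
    print(demo())
```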

m1kkel1984 Tue, 05/04/2010 - 05:13

OK, I see.

May I return when I have fixed my conf? So you can read it before I apply it and take down our old router?

m1kkel1984 Fri, 05/07/2010 - 00:42

Hey - did you have the time to verify my conf is correct ?

Regards Mikkel

Jennifer Halim Fri, 05/07/2010 - 02:16

To start with, you don't need these 2 route statements:

route inside
route dmz

For the NAT statements, please send the output of the following:

sh run nat

sh run static

sh run global

As mentioned, the order needs to be as how you enter the NAT line into the configuration, therefore the output of the above will show.

And please also confirm that you are trying to achieve the following as per your original post:

nat (dmz) 2
global (outside) 2 netmask

nat (dmz) 3
nat (dmz) 3
global (outside) 3 netmask

m1kkel1984 Mon, 05/17/2010 - 05:00

Alright, I'm back.

I'm trying to apply my config, but it fails in different places.


(trying to send everything else that does not match rules out through wan interface)

nat (dmz) 100
global (outside) 100 interface
ERROR: global for this range already exists


ciscoasa(config)# static (dmz,outside) tcp 25 25 ne$
ciscoasa(config)# static (dmz,outside) tcp 25 25 ne$
ERROR: duplicate of existing static
  TCP DMZ: to outside: netmask

Why am I receiving that error? It occurs after the first static rule is applied. I'm trying to send traffic from different WAN IPs (port 25) into our spam gateway..

Best regards Mikkel

Jennifer Halim Mon, 05/17/2010 - 05:21

Yes, you already have "global (outside) 1 interface", so you can't configure two global statements to use the same ip address (interface). Hence you are getting the error when applying "global (outside) 100 interface"

For the static statements, you can't configure static port address redirection for the same port (TCP/25) and same internal/private ip address.
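
As an added example (not from the thread or from Cisco), a pre-flight check in Python that flags the two conflicts the ASA rejected above before the config is pasted in: two global statements mapping to the same address (or to "interface") on one interface, and two static PAT lines redirecting the same protocol/port to the same internal host. The config lines and addresses are constructed; named ports such as "smtp" are compared as written and not normalised to numbers.

```python
# Added example: catch "global for this range already exists" and
# "duplicate of existing static" before applying a pre-8.3 ASA config.
# Syntax assumed: static (real_if,mapped_if) tcp <mapped_ip|interface> <mport> <real_ip> <rport>
import re

GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) (\S+)")
STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) (tcp|udp) (\S+) (\S+) (\S+) (\S+)")


def find_conflicts(config_text):
    """Return human-readable descriptions of global/static conflicts."""
    problems, seen_global, seen_static = [], {}, {}
    for line in config_text.splitlines():
        line = line.strip()
        m = GLOBAL_RE.match(line)
        if m:
            iface, nat_id, mapped = m.groups()
            key = (iface, mapped)  # mapped is a public IP or the word 'interface'
            if key in seen_global and seen_global[key] != nat_id:
                problems.append(f"global for {mapped} on {iface} already used by id {seen_global[key]}: {line}")
            seen_global.setdefault(key, nat_id)
            continue
        m = STATIC_RE.match(line)
        if m:
            real_if, mapped_if, proto, _mapped, _mport, real, rport = m.groups()
            key = (real_if, mapped_if, proto, real, rport)  # same port to same private host
            if key in seen_static:
                problems.append(f"duplicate static for {proto}/{rport} to {real}: {line}")
            seen_static.setdefault(key, line)
    return problems


# Constructed sample config: the third global and the second static are rejected by the ASA.
SAMPLE = """\
global (outside) 1 interface
global (outside) 2 203.0.113.10 netmask 255.255.255.255
global (outside) 100 interface
static (DMZ,outside) tcp 203.0.113.11 25 10.10.0.5 25 netmask 255.255.255.255
static (DMZ,outside) tcp 203.0.113.12 25 10.10.0.5 25 netmask 255.255.255.255
static (DMZ,outside) tcp interface 3389 10.10.0.6 3389 netmask 255.255.255.255
"""

if __name__ == "__main__":
    for p in find_conflicts(SAMPLE):
        print(p)
```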

m1kkel1984 Mon, 05/17/2010 - 05:28

OK, I understand the global rule now.

Regarding the port 25 to the same ip address - how do we fix it then?

We have like 12 WAN IPs where email (port 25) is coming to. All mail should be sent to internal ip regardless of originating WAN IP.

What to do ?

m1kkel1984 Mon, 05/17/2010 - 06:38

Hello once again.

I think I know how to send all SMTP traffic to one internal ip.

static (dmz,outside) tcp interface 25 25 netmask

So i fixed my conf a little, fixed the rules that were failing, and the global rules. Please check again.

I also ran the commands just suggested, and here's the output.

ciscoasa(config)# sh run nat
nat (inside) 0 access-list NCT-DMZ
nat (inside) 1
nat (DMZ) 2
nat (DMZ) 4
nat (DMZ) 3
nat (DMZ) 3
nat (DMZ) 5
nat (DMZ) 6
nat (DMZ) 7
nat (DMZ) 8
nat (DMZ) 8
nat (DMZ) 8
nat (DMZ) 8
nat (DMZ) 8
nat (DMZ) 8
nat (DMZ) 8
nat (DMZ) 1

ciscoasa(config)# sh run static
static (inside,outside) tcp interface www www netmask
static (inside,outside) tcp interface https https netmask
static (inside,outside) tcp interface 1433 1433 netmask
static (inside,outside) tcp interface 3389 3389 netmask
static (DMZ,outside) tcp www www netmask
static (DMZ,outside) tcp https https netmask
static (DMZ,outside) tcp 3389 3389 netmask
static (DMZ,outside) tcp www www netmask
static (DMZ,outside) tcp https https netmask
static (DMZ,outside) tcp 3389 3389 netmask
static (DMZ,outside) tcp interface smtp smtp netmask
static (DMZ,outside) tcp 3389 3389 netmask
static (DMZ,outside) tcp www www netmask
static (DMZ,outside) tcp https https netmask
static (DMZ,outside) tcp 3389 3389 netmask
static (DMZ,outside) tcp www www netmask
static (DMZ,outside) tcp https https netmask
static (DMZ,outside) tcp 3389 3389 netmask
static (DMZ,outside) tcp www www netmask
static (DMZ,outside) tcp https https netmask
static (DMZ,outside) tcp 3389 3389 netmask
static (DMZ,outside) tcp 8093 8093 netmask

Hmm, should the first 4 statics come at the end??

ciscoasa(config)# sh run global
global (outside) 2 netmask
global (outside) 3 netmask
global (outside) 4 netmask
global (outside) 5 netmask
global (outside) 6 netmask
global (outside) 7 netmask
global (outside) 8 netmask
global (outside) 1 interface

How does this look?

I've attached my new and refined config.

Jennifer Halim Mon, 05/17/2010 - 06:42

The NAT statements definitely look perfect, where the more specific ones are at the top, with the most general one right at the bottom.

With the static translation, the first 4 lines do not need to be moved anywhere. It's been correctly configured.

m1kkel1984 Mon, 05/17/2010 - 06:46

That is just amazing!

Thank you very much.

Now let's say that my spam gateway ( needs to be able to communicate with (on inside) interface, I've just created this rule:

!######################ACCESS TO NCT FROM PROOFPOINT################
access-list DMZ-NCT extended permit ip
access-group DMZ-NCT in interface inside

Is this also correctly configured?

Jennifer Halim Tue, 05/18/2010 - 02:50

No, since the traffic originates from DMZ, you would need to add the ACL on your current DMZ access-list which is called DMZ-PING as follows:

access-list DMZ-PING extended permit ip host host

Plus you also need to have the following static statement:

static (inside,dmz) netmask

m1kkel1984 Tue, 05/18/2010 - 06:50

"Plus you also need to have the following static statement:

static (inside,dmz) netmask"

I assume you mean:

Static (inside,dmz) netmask
