outside NAT

Jun 18th, 2010

Hi all,

How do I configure outside NAT such that my external public IP is mapped to one of my DMZ private IPs?

What I want is that when any address on the internet connects to my public IP on a certain port, it will translate to my DMZ IP, which my server is using.

I am using ASDM to configure my Cisco ASA 5510 firewall. I did a NAT for my source public IP to be translated to my DMZ IP. I then set an access list to allow any incoming IP on a specific port to access the public IP I configured for outside NAT. But it didn't work. Please advise. Thanks in advance.

Jennifer Halim Fri, 06/18/2010 - 05:31

With CLI:

static (DMZ,outside) netmask

With ASDM:

Configuration --> Firewall --> NAT Rules --> Add Static NAT rule -->

Original interface: DMZ

Source: dmz-private-ip

Translated interface: outside

Use IP Address: external-public-ip

Then click: OK, and apply.

Access-list applied on the outside interface should allow traffic from "any" towards the external public ip on certain tcp/udp ports.

Hope that helps.
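
The steps in the reply above, written out as a complete CLI configuration. This is an added example, not part of the original posts: the addresses, TCP port 443 and the ACL name OUTSIDE_IN are placeholders, and the syntax assumes ASA software earlier than 8.3, where the `static` command form is used.

```cisco
! Added example. Placeholders (not from the thread):
!   198.51.100.10 = external public IP, 10.10.10.5 = DMZ server,
!   203.0.113.50  = test client, OUTSIDE_IN = ACL name, 443 = service port.
! Assumes ASA software before 8.3 ("static" command syntax).
!
! One-to-one static NAT: static (real_ifc,mapped_ifc) mapped_ip real_ip
static (DMZ,outside) 198.51.100.10 10.10.10.5 netmask 255.255.255.255
!
! Narrower alternative (use instead of the line above): static PAT that
! translates only the published port, so no other port on the server
! has a translation on the outside interface.
! static (DMZ,outside) tcp 198.51.100.10 443 10.10.10.5 443 netmask 255.255.255.255
!
! Before 8.3 the outside ACL matches the translated (public) address.
! Permit only the published port instead of "ip any".
access-list OUTSIDE_IN extended permit tcp any host 198.51.100.10 eq 443
!
! Only one ACL can be applied per interface and direction. If the outside
! interface already has an inbound ACL, add the permit entry to that ACL
! and skip the access-group line.
access-group OUTSIDE_IN in interface outside
!
! Checks (privileged EXEC mode):
! show xlate                    - the static translation should be listed
! show access-list OUTSIDE_IN   - the hit count rises when clients connect
! packet-tracer input outside tcp 203.0.113.50 12345 198.51.100.10 443
!                               - shows the NAT and ACL decision per phase
```

If `packet-tracer` reports a drop in the ACL phase, the access list is the problem; a drop in the NAT phase points at the static rule.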

donnie Sat, 06/19/2010 - 22:13

Hi Halijenn,

Thank you for your prompt response. I know of the steps required for NAT stated in your reply. What I am looking for is that when any internet IP accesses my public IPs, e.g. 203.x.x.10 and 203.x.x.11, it will automatically translate to my 1 private IP, e.g. We used to have 2 private IPs (, translated to the 2 public IPs stated above, but we have merged the 2 servers into 1.

We would like to continue to use the 2 public IPs so that it is a transparent transition for our external customers. Thanks in advance.

gatlin007 Sun, 06/20/2010 - 08:40


I'm not sure if this approach is supported but I've used something like this in the past when migrating external addresses; proceed at your own risk.

access-list tango permit ip any host any

static (dmz,outside) 203.x.x.10
static (dmz,outside) 203.x.x.11 access-list tango


Jennifer Halim Sun, 06/20/2010 - 18:42

Unfortunately you can't translate 2 public ip addresses to just 1 private ip address as it is not supported.

