ASA 5510 port forwarding

Unanswered Question
Sep 8th, 2010
User Badges:

Has anyone succesfully created a port-forward in ASA5510, ASA version 8.3(1) ASDM6.3(1)?

I have spend hours now trying, but I'm still unsuccesfull.

What I want is a simple: "if this particular ip-adress hits the wan interface on this tcp-port redirect to this inside ip-address on this tcp-port.

I have never had any trouble on any other firewall creating something like this, but the ASA is killing me. Please help.

Kind regards Anders

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
abinjola Wed, 09/08/2010 - 23:45
User Badges:
  • Cisco Employee,

See if this helps,

Old Configuration

static (inside,outside) tcp 80 8080 netmask

Migrated Configuration

object network obj-
nat (inside,outside) static service tcp 8080 www

I'll be more than happy to coonvert your entire configuration just in case you need it


smakodako Thu, 09/09/2010 - 01:25
User Badges:

Hi abinjola

Thanks for the fast response.

It's not a migrated config, but a brandnew box configured from scratch in 8.3

I have search for help in the online help of the box, and tried different howto's, besides just "fooling" around to get it to work, but completely unsuccesfull.

I think I need the exact commands, in order to understand anything of what is going on.

Kind regards Anders

abinjola Thu, 09/09/2010 - 01:33
User Badges:
  • Cisco Employee,

Did the above example of port forwarding commands worked ? what exact config/commands do you need  ?

I understand 8.3 is a total somersault in terms of NAT syntax and handling, but once you get accustomed to it you would it will be as easy as a walk in a park

Meanwhile I am sending you a link for 8.3 command structures and different examples:


smakodako Fri, 09/10/2010 - 02:41
User Badges:


I tried but here's how it goes.

nat (mgmt,wan) static service tcp 823 23

ERROR: Address overlaps with wan interface address.

ERROR: NAT Policy is not downloaded

Nagaraja Thanthry Thu, 09/09/2010 - 05:36
User Badges:
  • Cisco Employee,


Please try the following:

Inside host

Outside address

Outside port HTTP

inside port 8080

object network Inside_server


object network Outside_server


object service Inside_port

service tcp source eq 8080

object service Outside_port

service tcp source eq 80

nat (inside,outside) source static Inside_server Outside_server service

Inside_port Outside_port

If you want to make it a policy NAT where this should be applicable only for

specific destination, then

object network Outside_dst


nat (inside,outside) source static Inside_server Outside_server destination

static Outside_dst Outside_dst service Inside_port Outside_port

On the outside interface access-list, you need to allow access to the actual

IP of the inside device on the actual port.

access-list outside_access_in permit tcp any host eq 8080

access-group outside_access_in in interface outside

Hope this helps.



smakodako Fri, 09/10/2010 - 03:17
User Badges:

I succeded. Thank you so much:)

Best regards Anders

Indrit_Qesja Mon, 04/09/2012 - 13:06
User Badges:

Hi ! Im an trying the same config but with no result

Address xx.xx.xx.xx overlaps with Outside interface address.

Any help?


Jouni Forss Mon, 04/09/2012 - 13:18
User Badges:
  • Super Bronze, 10000 points or more

Hi, Indrit Qesja

Can you please make a new discussion about your problem with some background information.

It will probably get more/better answers that way.

I can look through your issue when you've posted some background information about that kind of situation you have and what you are trying to accomplish.

- Jouni

Dennis Mink Mon, 04/09/2012 - 17:10
User Badges:
  • Blue, 1500 points or more


I am guessing you are using static nat against your outside interface's IP address   (for example

instead of using:

nat (inside,outside) static service tcp 21 21


nat (inside,outside) static interface service tcp 21 21

Indrit_Qesja Tue, 04/10/2012 - 00:56
User Badges:

Hi dennis!

I will test the nat in static interface and i will come back in the forum

thank you very much


This Discussion