Can you do DMZ and NAT/PAT with a single public IP address on ASA5520?

Sep 28th, 2010


Can you do DMZ and NAT/PAT with a single public IP address on ASA5520? I have an uplink over PPPoE and only one public IP address. I would like to put an anti-spam server (e.g. A.B.C.44) in the DMZ, and there are a number of servers (e.g. X.Y.Z.1, X.Y.Z.2 and X.Y.Z.3) that I want to NAT/PAT. Could someone please suggest how it should be implemented?

Two site-to-site IPSec tunnels have also been configured on this ASA.

Thanks to everyone in advance for your knowledge sharing.



Collin Clark Tue, 09/28/2010 - 12:17


You can do it. You need to configure what are called static NAT port translations.

For example, let's say your public IP is

static (dmz,outside) tcp <public-ip> 25 A.B.C.44 25 netmask 255.255.255.255

! This static NAT port translation allows SMTP from the outside to your anti-spam server in the DMZ.

static (inside,outside) tcp <public-ip> 80 X.Y.Z.1 80 netmask 255.255.255.255

static (inside,outside) tcp <public-ip> 443 X.Y.Z.2 443 netmask 255.255.255.255

! Here we create a couple of static NAT port translations to allow HTTP to one server and HTTPS to another.

There is always a gotcha: you cannot reuse a port that is already in use. For example, it is forbidden to have these two statements together.

static (inside,outside) tcp <public-ip> 80 X.Y.Z.1 80 netmask 255.255.255.255

static (inside,outside) tcp <public-ip> 80 X.Y.Z.2 80 netmask 255.255.255.255

! We are using port 80 on the outside and translating it to two internal servers. This is not allowed. You can use one of them but not both.

There is a "workaround": you can translate one port to another.

static (inside,outside) tcp <public-ip> 80 X.Y.Z.1 80 netmask 255.255.255.255

static (inside,outside) tcp <public-ip> 8080 X.Y.Z.2 80 netmask 255.255.255.255

! In your web browser you would have to have

Hope it helps
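The poster later mentions running ASA 8.3(1), which uses object-based NAT instead of the pre-8.3 static syntax above, so here is the same set of translations in 8.3 syntax as an added example (not Collin's code). It assumes the outside address is the PPPoE-assigned interface address (hence the interface keyword); the object and ACL names are made up for this example.

```text
! Anti-spam server in the DMZ: SMTP published on the single outside address
object network antispam-smtp
 host A.B.C.44
 nat (dmz,outside) static interface service tcp 25 25
!
! Inside servers: HTTP to X.Y.Z.1 and HTTPS to X.Y.Z.2
object network web1-http
 host X.Y.Z.1
 nat (inside,outside) static interface service tcp 80 80
object network web2-https
 host X.Y.Z.2
 nat (inside,outside) static interface service tcp 443 443
!
! Outside port 80 is already taken by X.Y.Z.1, so X.Y.Z.2's port 80 is
! published on outside port 8080 (service tcp <real-port> <mapped-port>).
! Object NAT allows one nat line per object, so the same host gets a
! second object for the second translation.
object network web2-alt-http
 host X.Y.Z.2
 nat (inside,outside) static interface service tcp 80 8080
!
! From 8.3 on, the inbound ACL matches the real (untranslated) server
! addresses and real ports, not the outside address or mapped port 8080.
access-list outside_in extended permit tcp any host A.B.C.44 eq 25
access-list outside_in extended permit tcp any host X.Y.Z.1 eq 80
access-list outside_in extended permit tcp any host X.Y.Z.2 eq 443
access-list outside_in extended permit tcp any host X.Y.Z.2 eq 80
access-group outside_in in interface outside
```

Check the result with show nat detail and, for the 8080 case, packet-tracer input outside tcp <any-source-ip> 12345 <outside-ip> 8080, which should show the translation to X.Y.Z.2:80 and the ACL permit.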

layhlaing Tue, 09/28/2010 - 16:20

Really appreciate your help, Collin. Would I be able to continue my ASDM management (https) from the "inside" interface? Last time, I was no longer able to do that until I undid that NAT statement for the DMZ. My statement might not be correct somehow. Will do and let you know.



layhlaing Thu, 10/07/2010 - 07:07

Hi Collin,

Thanks again for your time. I have managed to put the anti-spam server in the DMZ and the web server / mail server in the inside network. They work correctly with NAT and PAT, and so does the VPN. But I am getting access denied for SSH connections. I can't SSH into the box from inside and DMZ although I have the following:

ASA Version 8.3(1)

ASA(config)# crypto key generate rsa modulus 1024

ssh <source-network> <mask> inside
ssh <source-network> <mask> dmz
ssh <source-network> <mask> management
ssh timeout 5

I was prompted to enter a username and password but keep getting access denied. Could you please advise me on this SSH issue?



layhlaing Fri, 10/08/2010 - 07:55

Hi Collin

Please be informed that I have got SSH access after issuing the following:

ASA(config)# aaa authentication ssh console LOCAL

Before issuing the above command, SSH could only be accessed with the user "asa", which I cannot find anywhere in the configuration.

Anyway, thanks a lot for your sharing.



