ASA 5510 running IOS 8.3(1) NAT question

Unanswered Question
Oct 4th, 2010

Hey Everyone,

Have had the ASA for about 3 months now and have been able to grasp the new style of NAT as much as I think can be done without going to re-learn it all again...

I have an issue at the moment, where I have a secure FTP appliance running a HTTPS GUI, which needs to be accessed both by clients externally out on the Internet and clients who sit on the Corporate LAN.

The issue I am having is that I also need to give the Remote Site Offices access to this appliance which are all connected using IPSEC. When I create the external access NAT rule to translate any address heading to the public IP, to the internal machine using a source interface of OUTSIDE and a destination interface of DMZ, the remote site packets also get Nat'ted as they come in on the outside interface on the IPSEC tunnel, which means they are unable to use the internal address to get to the site, which is set up in the internal DNS.

There doesnt seem to be a way to specifically indicate an exception/exclusion to the rule.

I have the following rules in NAT, I have assigned them numbers to control when they are applied but it seems that they both get applied even though for the remote sites, NAT rule 1 is the most specific match (I assume that NAT in this case it also top down with number 1 being the highest priority, I have tried alternating the order of these two but this doesnt change anything.):


1 (outside) to (DMZ) source static Remote_Site_Offices Remote_Site_Offices destination static PTH_DMZ_Filetransfer PTH_DMZ_Filetransfer
    translate_hits = 294, untranslate_hits = 0
    Source - Origin: 10.10.X.0/24, 10.10.X.0/24, 10.10.X.0/24, 10.10.X.0/24
    10.10.X.0/24, Translated: 10.10.X.0/24, 10.10.X.0/24, 10.10.X.0/24, 10.10.X.0/24
    Destination - Origin: 10.10.0.X/32, Translated: 10.10.0.X/32

(The above rule states that anything coming in from the remote site subnets, 10.10.X.0/24 should translate to the original address it was already. In other words remain untranslated.) The destination should also remain the same after the translation as before.

7 (outside) to (DMZ) source static any any destination static PTH_PUBLIC_IP-5 PTH_DMZ_Filetransfer
    translate_hits = 1028, untranslate_hits = 1061
    Source - Origin:, Translated:
    Destination - Origin: 2XX.1XX.2XX.2XX/32, Translated: 10.10.0.X/32

(This rule is for the external people who need to use the appliance such as our clients, this rule states that any source address traffic with a destination of the public IP of the appliance should be NAT'd to the inside address of the appliance.)


I am not sure if this is the right area of the forums to put this question as it is an ASA, but its not a security type question. Please move this post if it needs to be moved.



I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
arudolph_emd Mon, 10/04/2010 - 09:07

Assuming your remote sites should use the internal IP to access the appliance, you can exempt your remote sites from NAT.

access-list permit ip

nat (outside) 0 access-list

You can tweak the IP's of the site(s) / aplliance(s) to meet your needs and change "permit ip" to the port(s) you require if you don't want to expose all ports.

Hope that helps.


This Discussion

Related Content