ASA 5510 can't make PAT

Unanswered Question
Nov 28th, 2011
According to this document I do port translation through the CLI and I have the following config:

ciscoasa# show run access-list
access-list local standard permit any
access-list outside_access_in extended permit tcp any object http-155

ciscoasa# show run access-group
access-group outside_access_in in interface inet

ciscoasa# show run nat
object network http-155
 nat (local,inet) static interface service tcp www 5010
nat (local,inet) after-auto source dynamic any interface

The host has IIS running on it and it serves a plain HTML page.

When I try to run packet-tracer from my ASA 5510 I receive ALLOW on all stages, and on Phase: 2 UN-NAT I receive ALLOW and the "Untranslate A.B.C.D/5010 to" action (output in attachment).

Then I check the ports on a port scanner and it shows "5010 is opened".

BUT in the browser I can't receive the HTML page when I try to reach http://A.B.C.D:5010

Where is my mistake?

Dmitriy Popov Mon, 11/28/2011 - 07:19
All traffic from interface local to interface inet passes without problems. The security level of inet is 0 and of local is 100. Because of that I haven't added an access rule in the direction from local to inet. Is it right?

cadet alain Mon, 11/28/2011 - 07:55
For accessing a publicly NATted service from inside by its NATted IP address you have to do hairpinning; otherwise you can also do DNS doctoring by adding the dns keyword to your static PAT config, then you access the service by FQDN from inside and the ASA will intercept the DNS reply from the external DNS server and rewrite the public IP obtained to the private address from your static PAT entry.

Here are the links explaining the 2 concepts:

Don't forget to inspect dns for the dns doctoring solution.
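One way to build the hairpin (U-turn) path described above, as an added example that is not part of the original thread and not taken from the poster's configuration. It uses ASA 8.3+ NAT syntax and the interface names local and inet from the question; the server address 10.0.0.155 for object http-155, the inside subnet 10.0.0.0/24 and 203.0.113.10 (standing in for the public address A.B.C.D, i.e. the inet interface IP) are constructed placeholders, and the object and service names are assumptions:

```text
! Let a flow enter and leave the same interface (required for the U-turn)
same-security-traffic permit intra-interface

! Real web server behind the ASA (address is a constructed placeholder);
! this is the same static PAT rule as in the question, serving outside clients
object network http-155
 host 10.0.0.155
 nat (local,inet) static interface service tcp www 5010

! Objects used only by the hairpin rule (constructed values)
object network local-net
 subnet 10.0.0.0 255.255.255.0
object network public-ip
 host 203.0.113.10
object service tcp-5010
 service tcp destination eq 5010
object service tcp-www
 service tcp destination eq www

! Inside client -> 203.0.113.10:5010 is rewritten to 10.0.0.155:80.
! The client's source is PATed to the local interface address so the server's
! reply goes back through the ASA instead of straight to the client (which
! would otherwise break the TCP handshake).
nat (local,local) source dynamic local-net interface destination static public-ip http-155 service tcp-5010 tcp-www
```

To check the rule without a client, run packet-tracer input local tcp 10.0.0.20 12345 203.0.113.10 5010 (10.0.0.20 is a constructed inside address) and confirm that the NAT phase shows the destination rewritten to 10.0.0.155/80 and the flow is allowed. Outside clients keep using the original object NAT rule; the added twice-NAT line only matches traffic arriving on the local interface.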



cadet alain Tue, 11/29/2011 - 00:57
Do this:

(config)#access-list cap_inside extended permit tcp any any
(config)#access-list cap_outside extended permit tcp any any
#capture capin interface inside access-list cap_inside
#capture capout interface outside access-list cap_outside

Try to access again from outside, then do this and post the results:

#show capture capin
#show capture capout



