Inbound to partner network

Feb 27th, 2012


I have been asked to create an inbound connection on the ASA from the internet to a part of the network that is accessible over the wide area network.


Internet address  94.175.x.100 goes to,

The internal network is, and connects to the network over a private MPLS.

Is this possible with the ASA5510, and if so, can you give me a clue how to pass the traffic?



Jon Marshall Mon, 02/27/2012 - 07:06


For this to work you need a couple of things to be in place -

1) the ASA can reach the network, i.e. it has a route to the network

2) there is a default-route in your internal network that points back to the ASA so when sends traffic back to 94.175.x.100 the return traffic goes back to the ASA.

If both of the above are in place then you would simply need to -

1) add a rule to the access-list applied to the outside interface of the ASA (assuming there is one) to allow the traffic


2) set up a static NAT for the 151.5.3.x clients eg.

static (inside,outside)

Note that you can be more specific with the NAT if you only want to allow certain ports, i.e.

static (inside,outside) tcp 80 80 

would set up NAT only for port 80. Bear in mind though that you still need the ACL allowing the access, so if there are a lot of ports then the first static would make more sense. Also note these are pre 8.2 NAT commands so you may need to adjust if the OS version is more recent.

If the first 2 conditions are not in place you can still do it but you may need to do more things with NAT.
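The two steps in the reply above (an outside ACL rule plus a static NAT), written out for a single port in both the older `static` syntax and the object NAT form used by ASA 8.3 and later. This is an added example, not configuration from the thread. All addresses are placeholders (203.0.113.100 public, 198.51.100.10 partner server, 10.0.0.2 inside next hop, 192.0.2.50 test client) and the names OUTSIDE-IN and PARTNER-SRV are hypothetical.

```cisco
! --- Both versions: route to the partner network -------------------
! The ASA must reach the partner subnet through the inside (MPLS-facing)
! interface. Subnet and next hop are placeholders.
route inside 198.51.100.0 255.255.255.0 10.0.0.2

! --- ASA 8.2 and earlier (use this section OR the next, not both) --
! Port-specific static: only TCP/80 on the public address is translated.
static (inside,outside) tcp 203.0.113.100 80 198.51.100.10 80 netmask 255.255.255.255
! Before 8.3 the outside ACL matches the mapped (public) address.
access-list OUTSIDE-IN extended permit tcp any host 203.0.113.100 eq 80
access-group OUTSIDE-IN in interface outside

! --- ASA 8.3 and later ----------------------------------------------
object network PARTNER-SRV
 host 198.51.100.10
 nat (inside,outside) static 203.0.113.100 service tcp 80 80
! From 8.3 on the outside ACL matches the real (untranslated) address.
access-list OUTSIDE-IN extended permit tcp any host 198.51.100.10 eq 80
access-group OUTSIDE-IN in interface outside

! --- Verification (privileged EXEC, not configuration mode) ---------
! Simulate an inbound SYN from a test client and check that the NAT
! and ACL phases both show ALLOW, then confirm the translation exists.
packet-tracer input outside tcp 192.0.2.50 12345 203.0.113.100 80
show xlate
show access-list OUTSIDE-IN
```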


Trevor Peacock Mon, 02/27/2012 - 07:25

Hi Jon,

Thanks for replying.

I have a route from the ASA to the network and a traceroute from the ASA shows that this works; the destination server on the 151.5.3 network can see the ASA.

The NAT and ACL work for the service on 10.42.15 network.

So ...

Do I need to allow routing from the 151.5.3 network to the external internet addresses across the MPLS?

E.g. on the router at the site: ip route 94.x.y.z/24 151.5.3.gateway



Jon Marshall Mon, 02/27/2012 - 07:46


It depends on whether you have a default-route in your network pointing to the ASA. If you try a traceroute from the 151.5.3.x network to the internet address, does it go to the ASA inside interface?


Trevor Peacock Mon, 02/27/2012 - 07:53

Hi Jon,

After several hops it ends up on the ASA inside interface. The ASA in my office is the gateway of last resort for the entire MPLS.



Jon Marshall Mon, 02/27/2012 - 07:57


That's good. So it should just be a case of setting up the static and adding the rule(s) to the access-list and you should be good to go.


Trevor Peacock Mon, 02/27/2012 - 07:59


Thanks for the help,

I'll try the config this evening and let you know how it goes.

Thanks again.


