Static NAT ver 9.1 dropped

Unanswered Question
Nov 8th, 2014

I got a new ASA 5512 with ver 9.1 on it and I am trying to do a static NAT, but it did not work. Here is my config:


object network hst-
 nat (inside,outside) static 173.x.x.x

object-group service svcgrp- tcp
 port-object eq 80
 port-object eq 443

access-list outside_access_in extended permit tcp any object hst- object-group svcgrp-
access-group outside_access_in in interface outside


I have applied this: nat (inside,outside) after-auto source dynamic any interface
but it did not help.


(I also have an old one with ver 7 with working config that I can post if that helps)


Any ideas? Thank you.

Karsten Iwen Sun, 11/09/2014 - 12:58

The config looks fine.

  1. How did you test it?
  2. What is the output of "ping tcp 80" and "ping tcp 443" from the ASA?
  3. Can you reach the ASA from your Test-PC?
  4. What is the output of "packet-tracer input outside tcp 1234 173.x.x.x 80"?
ziaeecABC Sun, 11/09/2014 - 22:48

I tested it live. I still have the old firewall and can still switch between them. Note that the server is live and I can ping it: with both ports from this new ASA.


Also, the packet-tracer doesn't show an error when running it from the ASA, but when testing it from outside it doesn't work. That IP is a static public IP available from the outside router and is working fine with the old firewall (ver 7). Any other ideas?


Note: if I do - nat (inside,outside) static 173.x.x.x service www www - it works, but I need this IP to be just for that internal server.


