Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
You may experience some slow load times, errors, and slight inconsistencies. We ask for your patience as we finalize the launch. Thank you.

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Access rule and NAT

I have cisco ASA 5510 and am using ASDM

I am new to ASA and  am trying t understand on what to do for the below

1. I have public ip  ---------> FW------> ( Apool interface )

for this to work would i need an Access rule and NAT  rule both ? i need to open up the port for tcp. If something is being sent out of i need to do NAT to

i have 2 interface external and Apool (192.168.10) and spool 192.168.30 network

a) NAT rule will be for interface Apool  correct? is the static NAT 2 way ? meaning

how the traffic comming from outside knows that it will need to go to

if i set the NAT rule below it seems that whatever is sent from the ip needs to translate to but how does it know that the traffic from outside sent to needs to go to

interface: App pool



interface: external


b) how do i allow traffic from public ip to communicate with 192.168.10 which is behind FW

I added Acceses rule for interface external







  • Firewalling
Hall of Fame Super Blue

Access rule and NAT


What exactly is the TCP port you need to allow  ie. what application is on that you want to allow access to from the internet.

Do you have access-list configured on any interfaces already ?

What version of software are you using ?


New Member

Access rule and NAT

Hi I am using ASDM 6.2  i need to enable ssh port 22 it is an sftp server

Hall of Fame Super Blue

Access rule and NAT


Unfortunately i'm not familiar with ASDM. Attached is the config guide for ASDM for setting up static NAT -

you would also need to add a rule to the acl applied to your outside interface (assuming you have one) to allow the traffic.

If you are happy to use the CLI i can supply the actual commands. If you want to do this can you post your current config or tell me which version of software is running on the ASA.


New Member

Access rule and NAT

Hi Here is the show version

Result of the command: "show version"

Cisco Adaptive Security Appliance Software Version 8.2(1)

Device Manager Version 6.2(5)

Compiled on Tue 05-May-09 22:45 by builders

System image file is "disk0:/asa821-k8.bin"

Config file at boot was "startup-config"

oshac5510fw up 247 days 1 hour

Hardware:   ASA5510, 256 MB RAM, CPU Pentium 4 Celeron 1600 MHz

Internal ATA Compact Flash, 256MB

Slot 1: ATA Compact Flash, 512MB

BIOS Flash M50FW080 @ 0xffe00000, 1024KB

Hall of Fame Super Blue

Re: Access rule and NAT


static (inside,outside) tcp 22 22

access-list outside_in permit tcp any host eq ssh

couple of points -

1) i have assumed that is reachable from the inside interface

2) if you already have an acl applied to the outside interface then change the name of the acl in the above. If you don't have an acl applied to the outside interface you need to add this additional command -

access-group outside_in in interface outside