Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
New Member

Access Rule when ASA is BEHIND another router

OK, I have this issue where we have a need for some Bandwidth combining and failover, etc, so the client has a TP-Link installed.  From there it goes to the ASA, and from the ASA to the local LAN.

Customer has a camera system he wants to be able to see remotely.  Normally I would add an entry to the ASA along the lines of "traffic for my WAN port destined for port 5601 should be forwarded to".  However with the TP-LInk fronting things, I need a little deep thinking....

On the TP-Link I can create a rule like that, but I am thinking on the TP-Link I want a rule like:

Traffic for for WAN1 Port 5601 should be forwarded to ASA Outside IF (

On the ASA I would add a rule that says traffic for Port 5601 should be forwarded to

What do you think?  Am I "barking up the right tree" at least?

Cisco Employee

I understood this: Inside

I understood this:


Inside camera ( Public:5601)


So , You will need to do static PATs along the path as you already mentioned. In the ASA for example:

object network obj-
nat (inside,outside) static service tcp 5601 5601

In the TP-Link you translate from to public WAN IP in port 5601. Also dont forget the ACL entries allowing that port from lower security level to higher.



CreatePlease to create content