ASA 5505 NAT issue

I am trying to get a Cisco ASA 5505 up and running, but every time I try to create a NAT for the servers, the NAT will not work and the server loses communication. I have pasted my running-config in hopes that it's something simple that I have overlooked.


Thank you in advance for any help!



: Saved

: Written by enable_15 at 02:51:41.439 CDT Tue Mar 25 2014


ASA Version 9.1(4)


hostname goode-ciscoasa


enable password zaPfq2iO5oGgF4HK encrypted

xlate per-session deny tcp any4 any4

xlate per-session deny tcp any4 any6

xlate per-session deny tcp any6 any4

xlate per-session deny tcp any6 any6

xlate per-session deny udp any4 any4 eq domain

xlate per-session deny udp any4 any6 eq domain

xlate per-session deny udp any6 any4 eq domain

xlate per-session deny udp any6 any6 eq domain

passwd 2KFQnbNIdI.2KYOU encrypted



interface Ethernet0/0

switchport access vlan 2


interface Ethernet0/1


interface Ethernet0/2


interface Ethernet0/3


interface Ethernet0/4


interface Ethernet0/5


interface Ethernet0/6


interface Ethernet0/7


interface Vlan1

nameif inside

security-level 100

ip address


interface Vlan2

nameif outside

security-level 0

ip address x.x.x.217


boot system disk0:/asa914-k8.bin

ftp mode passive

clock timezone CST -6

clock summer-time CDT recurring

dns server-group DefaultDNS


object network obj_any


object network EXCHANGE1


description EXCHANGE1

object network EXCHANGE2


description EXCHANGE2

object network EXCHANGEHOSTED



object network QUICKBOOKS


description QUICKBOOKS

object network FILESERVER


description FILESERVER

object service CRM-42001

service tcp destination eq 42001

 description CRM-42001

object service RDP

service tcp destination eq 3389

 description RDP

object-group service EXCHANGE-PORTS tcp

description imap

port-object eq www

port-object eq https

port-object eq 55

port-object eq imap4

access-list global_access extended permit ip any

access-list global_access extended permit tcp any object EXCHANGE1 object-group EXCHANGE-PORTS

access-list global_access extended permit tcp any object EXCHANGE2 object-group EXCHANGE-PORTS

access-list global_access extended permit tcp any object EXCHANGEHOSTED object-group EXCHANGE-PORTS

access-list global_access extended permit object CRM-42001 any object FILESERVER

access-list global_access extended permit object RDP any object QUICKBOOKS

access-list global_access extended permit icmp any any

pager lines 24

logging enable

logging asdm informational

mtu inside 1500

mtu outside 1500

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-715.bin

no asdm history enable

arp timeout 14400

no arp permit-nonconnected


object network obj_any

nat (inside,outside) dynamic interface

object network EXCHANGE1

nat (inside,outside) static x.x.x.210

object network EXCHANGE2

nat (inside,outside) static x.x.x.211

object network EXCHANGEHOSTED

nat (inside,outside) static x.x.x.220

object network QUICKBOOKS

nat (inside,outside) static x.x.x.218

object network FILESERVER

nat (inside,outside) static x.x.x.215


nat (inside,outside) after-auto source dynamic any interface

access-group global_access global

route outside x.x.x.222 1

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

http server enable

http inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec security-association pmtu-aging infinite

crypto ca trustpool policy

telnet timeout 5

ssh timeout 5

ssh key-exchange group dh-group1-sha1

console timeout 0


dhcpd auto_config outside


dhcpd address inside


threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept


class-map inspection_default

match default-inspection-traffic



policy-map type inspect dns preset_dns_map


  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny 

  inspect sunrpc

  inspect xdmcp

  inspect sip 

  inspect netbios

  inspect tftp

  inspect ip-options


service-policy global_policy global

prompt hostname context

no call-home reporting anonymous


profile CiscoTAC-1

  no active

  destination address http

  destination address email

  destination transport-method http

  subscribe-to-alert-group diagnostic

  subscribe-to-alert-group environment

  subscribe-to-alert-group inventory periodic monthly

  subscribe-to-alert-group configuration periodic monthly

  subscribe-to-alert-group telemetry periodic daily


: end



Try a clear xlate for a particular static NAT after you apply it.


Your config is a little unusual in that you're using a single access-list globally on both your interfaces, but I can't see anything obvious that shouldn't keep it from working.  The "packet-tracer" command can be exceptionally useful in situations like this, so if the clear xlate doesn't help I'd try that.
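
The reply above points to packet-tracer; as an added example that is not part of the thread, this Python parser reads packet-tracer output and reports which phase dropped the packet and the final drop reason. The sample output is constructed, and the 203.0.113.10 source address, the results shown and the function names are assumptions.

```python
import re

# Constructed, abridged sample of what a command such as
# `packet-tracer input outside tcp 203.0.113.10 12345 x.x.x.210 443` prints.
# Source address and results are illustrative, not taken from the thread.
SAMPLE = """\
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network EXCHANGE1
 nat (inside,outside) static x.x.x.210

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule

Result:
input-interface: outside
output-interface: inside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

KEEP = {"Type", "Subtype", "Result", "Action", "Drop-reason",
        "input-interface", "output-interface"}

def parse_packet_tracer(text):
    """Return (phases, verdict): one dict per phase plus the final summary."""
    phases, verdict, current = [], {}, None
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z-]+):\s*(.*)$", line)
        if not m:
            continue  # config echo and free-text lines carry no key
        key, val = m.group(1), m.group(2).strip()
        if key == "Phase":
            current = {"phase": int(val)}
            phases.append(current)
        elif key == "Result" and not val:
            current = verdict  # bare "Result:" opens the final summary
        elif current is not None and key in KEEP:
            current[key] = val
    return phases, verdict

def first_drop(phases):
    """Return the first phase whose Result is DROP, or None if all allowed."""
    return next((p for p in phases if p.get("Result") == "DROP"), None)
```

Running the trace once before and once after `clear xlate` and comparing the UN-NAT phase shows whether the static rule is the one being matched.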