Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

ASA 5505 post 8.3 static NAT with least amount of config

Hi, please give me a working config with least amount of code for:

IOS post 8.3

Subnet: /24

Static NAT (from any source) to server and allow the same incoming connections on outside interface


TCP 20,21

TCP 80

UDP 50000-50020


New Member

Re: ASA 5505 post 8.3 static NAT with least amount of config

Made up your public single wanip address

interface Vlan2

nameif outside

security-level 0

ip address 12.123.456.230

interface Vlan1

nameif inside

security-level 100

ip address 192.168.1

object network obj_any


description: Default Applied by router ---> dynamic pat for lan

(this one the router makes by default when you reset the router)

(it allows users behind the router and on the lan to make use of the internet)

object network Server-PC

(identify the pc hosting the servers)

object service UDPconnections

service udp destination range 50000 50020

object service webport

service tcp destination eq www

object service ftpconnect

service tcp destination eq ftp

object service ftpddata

service tcp destination eq ftp-data

(identify the services being used- www, ftp, and ftp-data are defaults already available - 80, 21,20)

object-group service AllServers

service-object tcp destination eq ftp

service-object tcp destination eq ftp-data
service-object object udpconnections

(will be used for our ACL rule)

ACL rules are easy peasy using the OUTSIDE (incoming rules).

access-list outside_access_in extended permit object-group AllServers any object udpforwarding

(this allows any outside user through on those services to the server pc. I recommend delineating as much as you can the users that are allowed through on the acl rules.)

Next you will see the automatic router default dynamic pat rule.

object network obj_any

nat (inside ,outside) dynamic interface

NOW CREATE port forwardings for each port being used via network objects with nat applied.  Its applied to the outside interface.

object network WebForwarding

nat (inside,outside) static interface service tcp www www

object network FTP-Forwarding

nat (main-lan,outside) static interface service tcp ftp ftp

object network FTPdata-Forwarding

nat (main-lan,outside) static interface service tcp ftp-data ftp-data

object network UDP-Forwarding


My dilemma is I have no idea how to forward a range of ports?

SOLVED simply put in range of ports vice single port in syntax:   30000-30020     30000-30020

After all the nat rules you need the group access rule under which the above access rule was made

access-group outside_access_in in interface outside

Then you need the default route outbound so that your router knows where to send to the next hop past the outside interface, typically this is the ISP gateway IP adddress.

route outside 12.123.456.225 1

CreatePlease login to create content