
New Member

asa 5510 cant make PAT

According to this document, I do port translation through the CLI and I have the following config:

ciscoasa# show run access-list

access-list local standard permit any

access-list outside_access_in extended permit tcp any object http-155

ciscoasa# show run access-group

access-group outside_access_in in interface inet

ciscoasa# show run nat


object network http-155

nat (local,inet) static interface service tcp www 5010


nat (local,inet) after-auto source dynamic any interface


The host has IIS running on it and it serves a plain HTML page.

When I run packet-tracer from my ASA 5510 I receive ALLOW on all stages, and on Phase: 2 UN-NAT I receive ALLOW and the "Untranslate A.B.C.D/5010 to" action (output in attachment).

Then I check the port with a port scanner and it shows "5010 is opened".

BUT in the browser I can't receive the HTML page from when I try to achieve http://A.B.C.D:5010

Where is my mistake?

New Member

asa 5510 cant make PAT

All traffic from interface local to interface inet passes without problems. The security level of inet is 0, and of local is 100. Because of this I haven't added an access rule in the direction from local to inet. Is that right?


asa 5510 cant make PAT


For accessing a publicly natted service from inside by its natted IP address, you have to do hairpinning. Otherwise, you can also do DNS doctoring by adding the dns keyword to your static PAT config; then you access the service by FQDN from inside, and the ASA will intercept the DNS reply from the external DNS server and rewrite the public IP obtained to the private address from your static PAT entry.

Here are the links explaining the 2 concepts:

Don't forget to inspect dns for the dns doctoring solution.



Don't forget to rate helpful posts.
New Member

Re: asa 5510 cant make PAT

I can't access my service from outside either. I've tried to use different anonymous services, but without success (

for example from

My access and NAT rules don't work.

I've tried to access http://A.B.C.D:5010


asa 5510 cant make PAT


Do this:

(config)#access-list cap_inside extended permit tcp any any

(config)#access-list cap_outside extended permit tcp any any

#capture capin interface inside access-list cap_inside

#capture capout interface outside access-list cap_outside

Try to access again from outside, then do this and post the results:

#show capture capin

#show capture capout



Don't forget to rate helpful posts.
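
One way to read the two captures requested above side by side, as an added example that is not part of the original thread: it checks how far the TCP handshake gets, using mapped port 5010 and real port www (80) from the original poster's NAT line. The sample capture lines, the addresses in them and the result labels are constructed for illustration.

```python
import re

# Address/port/flags part of one packet line in ASA "show capture" text output.
PKT = re.compile(r"(\d+(?:\.\d+){3})\.(\d+) > (\d+(?:\.\d+){3})\.(\d+): (\S+)(.*)")

def has(text, port, syn_ack):
    """True if the capture holds a SYN to `port`, or a SYN-ACK from `port`."""
    for line in text.splitlines():
        m = PKT.search(line)
        if not m or "S" not in m.group(5):
            continue  # not a packet line, or not a SYN / SYN-ACK
        sport, dport = int(m.group(2)), int(m.group(4))
        acked = " ack " in m.group(6)  # a SYN-ACK prints as "S ... ack N"
        if syn_ack and acked and sport == port:
            return True
        if not syn_ack and not acked and dport == port:
            return True
    return False

def diagnose(capout, capin, mapped_port=5010, real_port=80):
    """Name the first point where the handshake stops (labels are made up here)."""
    if not has(capout, mapped_port, syn_ack=False):
        return "no_syn_at_asa"      # request never reached the outside interface
    if not has(capin, real_port, syn_ack=False):
        return "dropped_by_asa"     # arrived, but not forwarded after un-NAT
    if not has(capin, real_port, syn_ack=True):
        return "server_silent"      # forwarded, but the host did not answer
    if not has(capout, mapped_port, syn_ack=True):
        return "reply_lost_in_asa"  # host answered, reply did not leave the ASA
    return "ok"

# Constructed sample output: the client retries its SYN, the server never replies.
CAPOUT = """\
   1: 10:11:12.100001 198.51.100.7.51514 > 203.0.113.10.5010: S 1000:1000(0) win 8192 <mss 1460>
   2: 10:11:15.100009 198.51.100.7.51514 > 203.0.113.10.5010: S 1000:1000(0) win 8192 <mss 1460>
"""
CAPIN = """\
   1: 10:11:12.100050 198.51.100.7.51514 > 192.168.1.155.80: S 2000:2000(0) win 8192 <mss 1380>
   2: 10:11:15.100060 198.51.100.7.51514 > 192.168.1.155.80: S 2000:2000(0) win 8192 <mss 1380>
"""

if __name__ == "__main__":
    print(diagnose(CAPOUT, CAPIN))
```

A "server_silent" result points away from the ASA's NAT and ACL and toward the host itself: its listener, its local firewall, or its default gateway.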