Cisco Support Community

New Member

ASA5505 and Nat

Okay, so here is my network setup. I have 1 ASA5505 set up at a remote location. My internet/voice provider has a router at that location also, to route traffic over the MPLS for our location-to-location traffic and to route traffic to the internet. Because I don't have any other layer 3 equipment there, I'm using the ASA for routing traffic and for sending traffic to the internet. So basically..


Internal Router IP

External Router IP:

Other networks:

So when that station needs to go out to the internet, it uses the firewall, which forwards that traffic out of its outside interface.

When it needs to route traffic over the MPLS (say something to it routes it back out of its internal interface to

Well, this was working all great and dandy until we added a server and I set up NAT and port forwarding. With that in place it seems as though it's trying to NAT internal traffic that is supposed to be routed. So locally everything is fine. Externally it's fine; say I want to use FTP, that's okay. However, anything that the firewall is supposedly routing, it's like it's getting translated, I think, and I don't know. For some reason NAT altogether is breaking the routing that was working. So basically I'm stuck.. Any ideas on what I'm doing wrong?

access-list inside_nat0_outbound extended permit ip 

nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 3 
nat (inside) 2 
nat (inside) 2 
static (inside,outside) x.x.x.x  netmask 
static (inside,inside)   netmask  norandomseq nailed
static (inside,outside) x.x.x.x  netmask 
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route inside   1
route inside   1
route inside   1
route inside   1
route inside   1
route inside   1
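The symptom described above (NAT applied to traffic that should simply be routed back out the inside interface) comes down to which NAT rule the ASA picks for a given flow. The following is an added example, not the poster's configuration or any Cisco code: a small Python model of the pre-8.3 ASA NAT rule precedence, in which NAT exemption (`nat (inside) 0 access-list ...`) is evaluated before static NAT, which is evaluated before regular dynamic NAT/PAT (policy NAT is left out). All addresses are constructed RFC 1918 / documentation ranges, and the ACL, static and dynamic entries are assumptions standing in for the elided values in the post.

```python
"""Toy model of pre-8.3 ASA NAT rule selection for a connection that enters
the inside interface. Added example with constructed addresses; it is not the
poster's config. Precedence follows the documented old-syntax order:
NAT exemption first, then static NAT, then regular dynamic NAT/PAT."""
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple

# Constructed sample topology (assumption, not the thread's real addresses):
LAN = ip_network("10.10.0.0/24")                   # hosts behind the ASA inside interface
MPLS_SITES = [ip_network("10.20.0.0/24"),          # remote sites reached via the provider router
              ip_network("10.30.0.0/24")]
SERVER = ip_address("10.10.0.50")                  # the server that got a static NAT
SERVER_PUBLIC = ip_address("203.0.113.50")         # its constructed public address


def build_config(exempt_dests: List) -> Dict[str, list]:
    """Build a config where the nat0 ACL permits LAN -> each network in exempt_dests.

    Equivalent old-syntax lines would be roughly:
      access-list inside_nat0_outbound extended permit ip 10.10.0.0 255.255.255.0 <dest> <mask>
      nat (inside) 0 access-list inside_nat0_outbound
      static (inside,outside) 203.0.113.50 10.10.0.50 netmask 255.255.255.255
      nat (inside) 1 10.10.0.0 255.255.255.0 / global (outside) 1 interface
    """
    return {
        "nat0_acl": [(LAN, dest) for dest in exempt_dests],
        "statics": [(SERVER, SERVER_PUBLIC)],
        "dynamic": [(LAN, "PAT to outside interface address")],
    }


def translate(config: Dict[str, list], src: str, dst: str) -> Tuple[str, str]:
    """Return (rule_kind, resulting_source) for a flow src -> dst.

    rule_kind is one of 'exempt', 'static', 'dynamic' or 'none'.
    """
    s, d = ip_address(src), ip_address(dst)
    # 1. NAT exemption: if the nat0 ACL matches source AND destination, no translation.
    for local, remote in config["nat0_acl"]:
        if s in local and d in remote:
            return ("exempt", str(s))
    # 2. Static NAT: matched on the local (real) address only, regardless of destination.
    for local, glob in config["statics"]:
        if s == local:
            return ("static", str(glob))
    # 3. Regular dynamic NAT/PAT: matched on the source network only.
    for local, glob in config["dynamic"]:
        if s in local:
            return ("dynamic", glob)
    # No rule matched: with nat-control disabled the flow passes untranslated.
    return ("none", str(s))


def compare_configs() -> Dict[str, Tuple[str, str]]:
    """Show the difference an exemption entry for the MPLS networks makes."""
    missing = build_config([])            # nat0 ACL does not cover the remote sites
    fixed = build_config(MPLS_SITES)      # nat0 ACL covers LAN -> every MPLS site
    return {
        "lan->mpls, no exemption": translate(missing, "10.10.0.5", "10.20.0.5"),
        "lan->mpls, exemption":    translate(fixed, "10.10.0.5", "10.20.0.5"),
        "server->mpls, exemption": translate(fixed, "10.10.0.50", "10.30.0.9"),
        "server->internet":        translate(fixed, "10.10.0.50", "198.51.100.7"),
        "lan->internet":           translate(fixed, "10.10.0.5", "198.51.100.7"),
    }


if __name__ == "__main__":
    for label, result in compare_configs().items():
        print(f"{label:28s} -> {result}")
```

Without an exemption entry covering the remote networks, a LAN host talking to an MPLS site falls through to the dynamic rule and gets PAT'd, which matches the "it's getting translated" behaviour in the post; once the nat0 ACL permits LAN to those networks, the flow is exempt and only internet-bound flows are translated. On the box itself, `packet-tracer input inside tcp <src> <sport> <dst> <dport>` reports which NAT rule (if any) the ASA selects, and traffic that enters and leaves the same interface additionally needs `same-security-traffic permit intra-interface`.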

Super Bronze

ASA5505 and Nat


Are you saying that you have your Internet connection attached to the ASA5505, and you also have a separate Router, and both the ASA and the Router are connected to the same switched network on the LAN side?

And basically any traffic coming from LAN hosts will first reach ASA then jump back to the LAN to the gateway address of the Router at your site?

What is your ASA5505 license? Is it a Base License or Security Plus? You can confirm this with the "show version" command.

- Jouni

New Member

Re: ASA5505 and Nat

I hope I answer your question correctly, so here we go..

My provider gave me a router and a switch.. On their switch I have two ports, inside (gig0/1) and outside gig(0/2) pretty much.

So I connect their gig0/1 into my layer two switch, and then connect my inside interface into the same switch.. Then I connect my outside interface to their gig0/2.

Does that answer the question?

Licensed features for this platform:

Maximum Physical Interfaces : 8

VLANs                       : 3, DMZ Restricted

Inside Hosts                : Unlimited

Failover                    : Disabled

VPN-DES                     : Enabled

VPN-3DES-AES                : Enabled

VPN Peers                   : 10

WebVPN Peers                : 2

Dual ISPs                   : Disabled

VLAN Trunk Ports            : 0

This platform has a Base license.

Super Bronze

ASA5505 and Nat


Where does the router come in?

You said a Provider switch is connected to your LAN switch and your ASA is also connected to your LAN switch through its "inside" interface. You also say that the ASA is connected on its "outside" to the Provider switch?

Where exactly is the router connected? Is it connected to the Provider switch? And is the router the gateway to some other local network? Is this router different from your actual internet gateway router that the ASA uses as next hop?

I am just wondering that it might be a lot easier for the ASA now and in the future if you had the connection to the other remote networks coming through a DMZ interface on the ASA. Then you wouldn't have to route traffic back through the "inside" interface.

Though with your license this might prove to be tricky, depending on some things.

- Jouni
