
Cisco ASA NAT Problem

Hi all,

In my scenario I have a remote server communicating with a private local server open to the world via static NAT.

Remote server:
ASA Outside:
ASA Inside:
Private Server:

I have configured static NAT to allow outside connections in to the private server. The private server is a Linux host with a default gateway pointing to another device in the LAN on IP address

So as to not add static routes on the Linux host pointing towards the ASA for each destination the Private server will be replying to, I am looking to change the Remote server's IP address using NAT during the initial connection.

This would mean the packet has the following details before NAT:

Source IP:
Destination IP:

After NAT, the packets should have the following details:

Source IP:
Destination IP:

Rather than:

Source IP:
Destination IP:

Is this solution possible on a Cisco ASA?

Many thanks.

Hi,



It should be possible. At the moment I am wondering what your ASA software level is though? This is a little simpler to handle in the new ASA software versions (8.3 and above) and the older ones (8.2 and below)


In the new software you would use the following configurations. In your case though I would probably use some free IP address from the subnet for this NAT rather than the ASA interface.


object network SOURCE-REAL


object network SOURCE-MAPPED


object network DESTINATION-REAL




nat (inside,outside) source static SOURCE-REAL SOURCE-MAPPED destination static DESTINATION-MAPPED DESTINATION-REAL


This "nat" configuration would do translation to both the source and destination IP address. Looking at the above NAT configuration we would see that traffic coming from DESTINATION-REAL towards SOURCE-MAPPED would have the effect that the SOURCE-MAPPED would get untranslated to SOURCE-REAL and DESTINATION-REAL would get translated to DESTINATION-MAPPED.


Naturally, me using the terms SOURCE and DESTINATION in the "nat" configurations might create some confusion depending on which "direction" you are actually looking at the situation from. You should naturally use different "object" names to make the configuration easier to read for you. That is if you are using the new software?


Hope this helps :)


- Jouni
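
The twice NAT described in the reply above, written out in full as an added example that is not part of the original posts (ASA 8.3 and later). Every address and the port are constructed from documentation and private ranges, and DESTINATION-MAPPED is assumed to be a free address in the private server's own subnet, as the reply suggests.

```cisco
! Constructed addresses only (RFC 5737 / RFC 1918); none come from the thread.
!
! Real (inside) address of the private server
object network SOURCE-REAL
 host 10.0.0.10
!
! Public address the outside world uses to reach the private server
object network SOURCE-MAPPED
 host 203.0.113.10
!
! Real (outside) address of the remote server
object network DESTINATION-REAL
 host 198.51.100.10
!
! Address the remote server is presented as on the inside:
! a free IP in the private server's subnet, so replies stay on-link
! and never go to the Linux host's default gateway
object network DESTINATION-MAPPED
 host 10.0.0.250
!
! Twice NAT: the source pair is real -> mapped, the destination pair is
! written mapped -> real. For a connection opened from the outside:
!   before: src 198.51.100.10  dst 203.0.113.10
!   after:  src 10.0.0.250     dst 10.0.0.10
nat (inside,outside) source static SOURCE-REAL SOURCE-MAPPED destination static DESTINATION-MAPPED DESTINATION-REAL
!
! Checks: simulate the inbound connection, then inspect the rule and its xlates.
! The UN-NAT and NAT phases of the packet-tracer output should name the rule above.
packet-tracer input outside tcp 198.51.100.10 12345 203.0.113.10 443
show nat detail
show xlate
```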

Hi Jouni,

Thanks for that.

We are currently using ASA 8.2.

I know we're talking about 8.3 here; however would this solution not require every possible destination to be added to the DESTINATION-REAL object? This wouldn't be a problem for us as we only have a small amount of possible DESTINATION-REALs (remote servers only accessible over site-to-site VPN).

I understand the best solution would be to simply change the default gateway on the internal server, just curious if this would be possible in an 8.2 environment without any changes to hosts.
