
New Member

NAT'ing with service groups

I'm trying to optimize my NAT rules for port forwarding on my ASA 5505 but it's not coming along.


I have a server which runs imap and a website - port 25 and 80.

I would like to create a service for each port, join them in a service group, and let outside traffic flow in.


So what I have is as follows:

!My server
object network testServer

!My ports
object service myImap
  service tcp source eq 25 destination eq 25

object service http
  service tcp source eq 80 destination eq 80

!A service group
object-group service testServerPorts
  service-object object myImap
  service-object object http

nat (inside,outside) source static testServer interface service myImap myImap
nat (inside,outside) source static testServer interface service http http

access-list outside_access_in permit object-group testServerPorts object testServer any
access-group outside_access_in in interface outside


However there's no love from the unit.


Anyone care to take a shot at it?

Super Bronze

Hi,

You cannot use those same "object"s in both the ACL and the NAT configuration, as in the NAT configuration you would only need the "source" parameter while in the ACL you would need the "destination" parameter.


To clarify, in the NAT configuration you are using we need to configure only the "source" section's port, which might naturally sound a bit weird depending on how you think of the NAT configuration.


Essentially, the NAT command's format is

nat (sourceint,destint) source <static/dynamic> <real source> <mapped source> destination static <mapped destination> <real destination> service <real service> <mapped service>


So if you again look at your "object service" configurations you will notice that you have mentioned both "source" and "destination" parameters. This would essentially mean that only traffic sourced from and destined for those ports will match this NAT rule. To my understanding these connections don't use identical ports as their source and destination.

In the above configuration format you will notice that the first 2 sections where you configure either an "object" or "object-group" relate to the real source address and the mapped source address. When you think about it from that perspective you will notice that you would only want to modify/match the real port on the server and the mapped port on the firewall. Hope I made any sense :)



For the NAT configuration you have the following options in terms of format


object service HTTP
 service tcp source eq 80

object service SMTP
 service tcp source eq 25

object network SERVER

nat (inside,outside) source static SERVER interface service HTTP HTTP
nat (inside,outside) source static SERVER interface service SMTP SMTP


Or you could do

object network SERVER-HTTP
 nat (inside,outside) static interface service tcp 80 80

object network SERVER-SMTP
 nat (inside,outside) static interface service tcp 25 25


In the above configuration we use Auto NAT / Network Object NAT, where you configure the local IP address and the "nat" command under an "object network". I will leave it to you to decide which format you use. Your original NAT configuration is a Manual NAT / Twice NAT format, which uses different objects but is not configured UNDER any object.


For the ACL you could do for example

object-group service SERVER-PORTS
 service-object tcp destination eq www
 service-object tcp destination eq smtp

object network SERVER

access-list outside_access_in permit object-group SERVER-PORTS any object SERVER


Hope this helps :)

Let me know how it goes


- Jouni
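The Auto NAT / Network Object NAT option from the reply above, written out as a complete, applyable configuration together with the ACL and the commands used to verify it from the CLI. This is an added example, not configuration posted in the thread; the inside server address 192.168.1.10, the outside interface address 198.51.100.2 and the outside test client 203.0.113.5 are assumed placeholder values.

```cisco
! Added example, not from the thread. Addresses below are assumed placeholders.

! One network object per forwarded service. The real server IP lives in the object
! and the "nat" line under it maps real port -> mapped port on the outside interface IP.
object network SERVER-HTTP
 host 192.168.1.10
 nat (inside,outside) static interface service tcp 80 80

object network SERVER-SMTP
 host 192.168.1.10
 nat (inside,outside) static interface service tcp 25 25

! Object used by the ACL. Since ASA 8.3 the ACL is written against the REAL (inside) address.
object network SERVER
 host 192.168.1.10

! The ACL matches on the destination port only. A client's source port is an ephemeral
! port, so "source eq 80" style matches would never hit.
object-group service SERVER-PORTS
 service-object tcp destination eq www
 service-object tcp destination eq smtp

access-list outside_access_in permit object-group SERVER-PORTS any object SERVER
access-group outside_access_in in interface outside

! --- Verification ---
! Show the translation table the two object NAT rules produce (hit counts included)
show nat detail

! Simulate an outside client (assumed 203.0.113.5, ephemeral port 51234) connecting to
! port 80 and port 25 on the outside interface IP (assumed 198.51.100.2).
! Expected: each trace ends with "Action: allow" and the NAT phase shows 192.168.1.10.
packet-tracer input outside tcp 203.0.113.5 51234 198.51.100.2 80
packet-tracer input outside tcp 203.0.113.5 51234 198.51.100.2 25

! After a real client connects: confirm the xlate and the connection to the server
show xlate
show conn address 192.168.1.10
```

If a packet-tracer run stops at the ACCESS-LIST phase with "Action: drop", the ACL does not match the destination port (or references the mapped instead of the real address); if it stops at the NAT phase, the object NAT rule is missing or the real/mapped port order is reversed. `show nat detail` is the quickest way to see which of the two rules is actually accumulating hits.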