Cisco Support Community

New Member

Need Help With ASA Rule

ASA running 8.3(2)

Want to be able to hit an internal IP addy from the outside. Only need access to port 5001.

Generally, I would do something like this (assume internal is, external is and port is 5001)

access-list inbound permit tcp any host eq 5001
static (inside,outside) tcp interface 5001 5001 netmask 0 0

With the second command I get an error about "This syntax of nat command has been deprecated".

So I have tried this:

object network remote-test


 nat (inside,outside) static service tcp 5001 5001

But I am not getting there.  Am I missing anything else I need to add (maybe an acl list)?

Appreciate any help!


Cisco Employee

The configuration that you are using is for code <8.2; there was a major change in the syntax on code 8.3 and above:

Please keep in mind that in the access-list we now permit the traffic to the private IP of the server instead of the public one.

The configuration will look something like this

object network Public_server

object network Private_server

object service 5001
 service tcp source eq 5001

nat (inside,outside) source static Private_server Public_server service 5001 5001

Hope you find this information helpful.
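As an added example (not the original poster's or Jose's configuration), this is the reply above written out in full for ASA 8.3+, with constructed documentation addresses: 10.0.0.10 stands in for the internal server, 192.0.2.10 for the public address, and the object names are assumptions. It also shows, commented out, the object NAT form the original poster was attempting, for the case where the public address is the outside interface's own address.

```cisco
! Added example, not from the thread. Addresses are constructed:
!   10.0.0.10  = real (inside) server, 192.0.2.10 = public (outside) address
! Object names are assumptions.
object network Private_server
 host 10.0.0.10
object network Public_server
 host 192.0.2.10
! Twice NAT carries the port as a service object; for a static server
! translation the port is the server's SOURCE port.
object service tcp_5001
 service tcp source eq 5001
! Translate only tcp/5001 between the real and mapped address.
nat (inside,outside) source static Private_server Public_server service tcp_5001 tcp_5001
! From 8.3 the ACL on the outside interface matches the REAL (private) address,
! and it is limited to the one port that has to be exposed.
access-list inbound extended permit tcp any host 10.0.0.10 eq 5001
access-group inbound in interface outside
!
! Alternative (object NAT) when the public address is the outside interface's
! own address, which is what the pre-8.3 "static ... interface" command did:
! object network Private_server
!  host 10.0.0.10
!  nat (inside,outside) static interface service tcp 5001 5001
```

Only one of the two NAT forms is needed; the access-list and access-group lines are the same in both cases.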

New Member

Jose, that looks awesome.  Is there any command I can issue inside the ASA that would show me if this connection is in fact being "hit"?  I am wondering if I don't have something else in between me and the ASA. 

I say this because, from the top of "sho run":

interface Vlan1
 nameif inside
 security-level 100
 ip address
interface Vlan2
 nameif outside
 security-level 0
 ip address
interface Ethernet0/0
 switchport access vlan 2
interface Ethernet0/1

Cisco Employee

You may run the packet-tracer command. This will tell you if the traffic can be permitted. Other than that, you can set up a packet capture on the inbound and outbound interfaces to confirm the traffic is actually permitted.

packet-tracer input outside tcp (source ip from the internet) 1025 (Public destination)  5001

packet-tracer input outside tcp 1025  5001

This is the example of the access list that I missed earlier.

access-list inbound permit tcp any host eq 5001

These are the instructions for packet capturing:

"show conn" and "show xlate" will let you verify if connection is in the table and if NAT is taking place. 
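As an added example (not Jose's text), the verification steps from this reply written out in order, with constructed addresses: 198.51.100.7 is a test client on the Internet, 192.0.2.10 the public address, 10.0.0.10 the real server, and "inbound" is the assumed access-list name.

```cisco
! Added example of the checks described above, not from the thread.
! Constructed addresses: 198.51.100.7 = test client on the Internet,
! 192.0.2.10 = public address, 10.0.0.10 = real server; ACL name assumed.
!
! 1. Simulate an inbound SYN. The output ends with "Action: allow" or "drop"
!    and names the phase (NAT, ACCESS-LIST, ...) that made the decision.
packet-tracer input outside tcp 198.51.100.7 1025 192.0.2.10 5001
!
! 2. ACL hit counters: hitcnt on the permit line rises with each new connection,
!    which answers "is this rule actually being hit".
show access-list inbound
!
! 3. NAT rule counters (translate_hits / untranslate_hits) and live translations.
show nat detail
show xlate
!
! 4. Capture real packets on both sides: mapped address on the outside,
!    real address on the inside, to see whether the SYN arrives at all
!    and whether the server answers.
capture cap_out interface outside match tcp any host 192.0.2.10 eq 5001
capture cap_in interface inside match tcp any host 10.0.0.10 eq 5001
show capture cap_out
show capture cap_in
!
! 5. Connections currently in the table for this server.
show conn address 10.0.0.10
!
! Remove the captures when finished; they hold memory on the ASA.
no capture cap_out
no capture cap_in
```

If packet-tracer reports allow but cap_out never shows a SYN, the problem is upstream of the ASA; if cap_out shows the SYN but cap_in shows nothing, look at the NAT and access-list phases of the packet-tracer output.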
