Cisco Support Community


outside nat (destination nat)


It is my first post here, so sorry if I mess something up.

I have a rather simple thing, but I've lost hours trying to implement it on FWSM.

I need to configure NAT on destination IP address only for requests coming from outside.

The packet which will hit the firewall looks like:



It will hit outside interface with security level 20

I want the firewall to translate the DST IP of that packet, so the packet on the inside interface will look like:




Then the server has a route to 10.111/23 and will reply to the firewall, and I expect that the firewall will use its xlate table to NAT that packet back so it will look like it originated from 

Unfortunately, no answer from the server (Bs flags).

Here is the config:

static (inside,outside)

I got hitcounts on the access-list from the outside, and I got xlate entry and a connection entry.

fwsm/fw# show xlate debug | inc 192.168.252
NAT from inside: to outside: flags Ii idle 0:01:28 timeout 3:00:00 connections 0

show conn | inc 192.168.252
TCP out in idle 0:00:10 Bytes 64 FLAGS - Bs

Can someone enlighten me, what am I doing wrong? Do I have to use policy NAT in order to do 1 to 1 NAT on the destination IP address only?



Re: outside nat (destination nat)


The static command that you have:
static (inside,outside)

What it is saying is that if somebody hits from the outside, the Firewall
will translate that IP to and vice versa.

Is part of the inside of the Firewall?
In other words, is the real IP for the internal device?
Can you get out to through the Firewall and get a response if you source the packet from

You mentioned that the FW has a route to 10.111.x.x (where the packet is coming from),
but the device has a route to 10.111.x.x pointing to the Firewall?



Re: outside nat (destination nat)

Thanks Federico! is on the inside.

Yes, it is IP of a real device.

Yes, I see connections made from on other interfaces. I don't have access to that host to try to source a packet from it.

Yes, the device has a correct route to 10.111.x.x.

What the firewall doesn't have is a correct route to 192.168.252.x. It has a default route.

The 192.168.252.x addresses are used only for NAT (there's no hosts with such IP addresses)

How can I check what the packet's destination IP address is after the NAT? Is that info in the xlate table? I don't quite understand this info in the xlate table:

NAT from inside: to outside: flags Ii idle 0:00:29 timeout 3:00:00 connections 1

Last question: If the firewall dropped the packet due to a routing issue, will I always see a syslog message like "ASA-6-110001: No route to a.a.a.a from b.b.b.b", or is that not the case? I do not see that message in syslog.



Re: outside nat (destination nat)


I had some sleep, and first thing in the morning removed that line and re-applied it again.

Now I have the correct xlate entry:

NAT from inside: to outside: flags si idle 0:00:33 timeout 0:01:00 connections 0

Note that the "s" flag is in the xlate now, compared to the "I" flag before, and the IP addresses are correct.
Honestly I don't know what I had wrong there, and I'm sure I tested last night with this config and it didn't work.

Thanks for your help!
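The thread is resolved by reading the xlate flags: the first entry carried "Ii" (identity, inside), meaning the FWSM was not rewriting the destination address at all, while the working entry carries "si" (static, inside). The following Python script is an added example, not code from the thread or from Cisco: it parses "show xlate debug" output, decodes the flag letters using the FWSM command-reference legend (D DNS, d dump, I identity, i inside, n no random, o outside, r portmap, s static), and checks whether the xlate built for an intended static (inside,outside) mapping is really a static translation with the expected real and mapped addresses. The line format is assumed to be the one shown in the thread with the addresses filled in, and the sample output, addresses (10.0.0.10 as the real inside host, 192.168.252.10 as the mapped address) and the prompt line are all constructed for the example.

```python
import re
from typing import Dict, List

# FWSM "show xlate debug" flag legend, from the FWSM command reference:
# D - DNS, d - dump, I - identity, i - inside, n - no random,
# o - outside, r - portmap, s - static
XLATE_FLAGS: Dict[str, str] = {
    "D": "DNS",
    "d": "dump",
    "I": "identity",
    "i": "inside",
    "n": "no random",
    "o": "outside",
    "r": "portmap",
    "s": "static",
}

# One xlate line, assumed format (as in the thread, with addresses present):
# NAT from inside:<real> to outside:<mapped> flags <f> idle h:mm:ss timeout h:mm:ss connections N
XLATE_RE = re.compile(
    r"NAT from (?P<real_if>\w+):(?P<real_ip>[\d.]+)"
    r" to (?P<mapped_if>\w+):(?P<mapped_ip>[\d.]+)"
    r" flags (?P<flags>\S+)"
    r" idle (?P<idle>[\d:]+) timeout (?P<timeout>[\d:]+)"
    r" connections (?P<conns>\d+)"
)

# Constructed sample output: the "before" state (identity xlate, address
# mapped to itself) and the "after" state (static xlate, addresses differ).
BROKEN_OUTPUT = """fwsm/fw# show xlate debug | inc 192.168.252
NAT from inside:192.168.252.10 to outside:192.168.252.10 flags Ii idle 0:01:28 timeout 3:00:00 connections 0
"""
FIXED_OUTPUT = """fwsm/fw# show xlate debug | inc 192.168.252
NAT from inside:10.0.0.10 to outside:192.168.252.10 flags si idle 0:00:33 timeout 0:01:00 connections 0
"""


def parse_xlate(output: str) -> List[Dict[str, object]]:
    """Return one dict per xlate line; prompt and unrelated lines are skipped."""
    entries: List[Dict[str, object]] = []
    for line in output.splitlines():
        m = XLATE_RE.search(line)
        if not m:
            continue
        flags = m.group("flags")
        entries.append({
            "real_if": m.group("real_if"),
            "real_ip": m.group("real_ip"),        # address the inside host really has
            "mapped_if": m.group("mapped_if"),
            "mapped_ip": m.group("mapped_ip"),    # address seen on the outside
            "flags": flags,
            "flag_names": [XLATE_FLAGS.get(f, f"unknown({f})") for f in flags],
            "connections": int(m.group("conns")),
        })
    return entries


def check_static(entries: List[Dict[str, object]], real_ip: str, mapped_ip: str) -> str:
    """Check that the xlate matching an intended static (inside,outside) mapping
    is a real static translation. Returns 'ok' or a short reason it is not."""
    for e in entries:
        if e["real_ip"] != real_ip and e["mapped_ip"] != mapped_ip:
            continue  # unrelated xlate
        if "I" in str(e["flags"]):
            # identity xlate: packets keep their address, so the inside host
            # never sees its own IP as the destination
            return f"identity xlate: destination is not rewritten (flags {e['flags']})"
        if "s" not in str(e["flags"]):
            return f"not a static xlate (flags {e['flags']})"
        if e["real_ip"] != real_ip or e["mapped_ip"] != mapped_ip:
            return f"address mismatch: {e['mapped_ip']} -> {e['real_ip']}"
        return "ok"
    return f"no xlate found for {real_ip}/{mapped_ip}"


if __name__ == "__main__":
    for label, output in (("before", BROKEN_OUTPUT), ("after", FIXED_OUTPUT)):
        entries = parse_xlate(output)
        for e in entries:
            print(f"[{label}] {e['mapped_ip']} -> {e['real_ip']} flags {e['flags']} = {e['flag_names']}")
        print(f"[{label}] check:", check_static(entries, "10.0.0.10", "192.168.252.10"))
```

The check answers the question asked mid-thread (what the destination address becomes after NAT): for a static (inside,outside) entry the outside-facing "mapped_ip" is rewritten to "real_ip", and an "I" flag is the tell-tale that no rewrite is happening, which is worth alerting on before chasing routing or syslog.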