Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Securing inbound traffic when using PAT


Cisco ASA 5520 is used in our company network.we are distributing internet by using PAT against one global "public"ip address at outside interface of ASA.

Actually the ip address of our proxy server is PAT within ASA5520

Now we want to apply ACL to filter some ports.But ACL didn't work bec: i used the local ip address of proxy server as a source address in the ACL.

So what is the way to block some ports so that LAN clients can't use these port services.I mean what ip address should i put in the ACL's source address.

Kindly resolve my problem.I will be thankful to u.


Re: Securing inbound traffic when using PAT

Could you post your config and explain what you are trying to achieve. Do mask your IP addresses before posting here ;)



New Member

Re: Securing inbound traffic when using PAT

here is the configuration

nat configuration

nat (inside) 1 ppp.ppp.ppp.ppp

global (outside) 1 ggg.ggg.ggg.ggg

route outside ggg.ggg.ggg.ggg 1

"""where ppp is our private lan address and ggg is our global ip address"""

ACL is:

access-list inbound_traffic_on_outside extended permit tcp any host ppp.ppp.ppp.ppp object-group tcp_ports

applied on:

access-group inbound_traffic_on_outside in interface outside


Re: Securing inbound traffic when using PAT

Ok .. looking at the scenario, it seems that ppp is your private lan address range, and you want that this lan range should not be able to access some specific ports. Please correct me if wrong.

Lets say you want that local lan users shouldnt be able to access FTP services on internet. For this you could use following commands-

access-list outbound deny tcp any any eq 21

access-list outbound permit ip any any

access-group outbound in interface inside

However, if your goal is to block someone from outside trying to access something behind PIX, you dont need to do anything to the default configuration.

Let me know if I understood and answered your concern correctly.



CreatePlease login to create content