Cisco Support Community
Community Member

Static NAT ver 9.1 dropped

I got a new ASA 5512 with ver 9.1 on it and I am trying to do a static NAT, but it did not work. Here is my config:


object network hst-
 nat (inside,outside) static 173.x.x.x

object-group service svcgrp- tcp
 port-object eq 80
 port-object eq 443

access-list outside_access_in extended permit tcp any object hst- object-group svcgrp-
access-group outside_access_in in interface outside


I have applied this: nat (inside,outside) after-auto source dynamic any interface
but it did not help.


(I also have an old one with ver 7 with working config that I can post if that helps)


Any ideas? Thank you.

VIP Purple

The config looks fine.

  1. How did you test it?
  2. What is the output of "ping tcp 80" and "ping tcp 443" from the ASA?
  3. Can you reach the ASA from your Test-PC?
  4. What is the output of "packet-tracer input outside tcp 1234 173.x.x.x 80"?
Community Member

I tested it live. I still have the old firewall and can still switch between them. Note that the server is live and I can ping it with both ports from this new ASA.


Also, the packet-tracer doesn't show an error when running it from the ASA, but when testing it from outside it doesn't work. That IP is a static public IP available from the outside router and is working fine with the old firewall (ver 7). Any other ideas?


Note: if I do - nat (inside,outside) static 173.x.x.x service www www - it works, but I need this IP to be just for that internal server.

