
Web traffic to internal www server through a Cisco ASA 5510

Hi there,

I've been using Cisco PIX for quite some time and didn't have any problems with it. We needed a new firewall for another site and our supplier said that PIX is nearing EOL and recommended the ASA to us. And now my problems.

We have an ASA 5510 with Software Version 7.0. I'm trying to configure the FW to enable web traffic to a server on the internal network. Normally, what I would do with a PIX is just to add the following and it works:

access-list inside_access_to_out permit tcp any host 203.36.xx.xy eq www

static (inside,outside) 203.36.xx.xy 192.168.xx.xy netmask 0 0

apply the access list to the outside interface then clear xlate and it works. With the ASA 5510, I tried doing it and it does not work. Anything else I should be doing to make it work? I checked on the Cisco ASA page and tried the configuration examples there and still didn't work. I found one configuration example which is new to me thinking that it might be the right solution for me and still it did not work. I reverted to configuring it the "PIX" way.

I don't know where to look. I didn't expect that there would be much difference between ASA and PIX (is there?).

Please see attachment for the configuration. Any help will be very much appreciated.

Thanks in advance.



Re: Web traffic to internal www server through a Cisco ASA 5510

hi pls tell the output of the command

sh run nat-control.

or enable nat-control command in the config mode and see.




Re: Web traffic to internal www server through a Cisco ASA 5510

Hi Jason,

Your config is fine. The ASA works identically to the PIX (they actually run the same image :-)

I would first enable a capture to make sure packets destined to the web server are reaching the ASA. Once you have verified that, check the syslogs to verify the connection is built, and the reason that it gets torn down. That will shed more light on the issue.
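
The capture-then-syslog check suggested in the reply above, written out as an added example that is not part of the original thread. The ACL and capture names (cap_web_out, cap_web_in, capout, capin) are hypothetical, the addresses are the masked ones from the original post, and the interface names are assumed to be outside and inside as in the posted static.

```cisco
! Added example: names below are hypothetical, addresses are the masked
! ones from the original post.
!
! 1. Match web traffic to the translated (public) address in both directions.
access-list cap_web_out extended permit tcp any host 203.36.xx.xy eq www
access-list cap_web_out extended permit tcp host 203.36.xx.xy eq www any
!
! 2. Match the same flow after translation, using the real server address.
access-list cap_web_in extended permit tcp any host 192.168.xx.xy eq www
access-list cap_web_in extended permit tcp host 192.168.xx.xy eq www any
!
! 3. Capture on both interfaces. SYNs in capout but not in capin mean the
!    ASA dropped the packet; SYNs in capin with no SYN-ACK point at the
!    server or its return route rather than the firewall.
capture capout access-list cap_web_out interface outside
capture capin access-list cap_web_in interface inside
!
! 4. Buffer syslogs at informational level so the connection build and
!    teardown messages are recorded.
logging enable
logging buffered informational
!
! 5. Generate a test request from outside, then inspect.
show capture capout
show capture capin
show logging | include 203.36.xx.xy
!
! Messages to look for in the buffer:
!   302013  Built inbound TCP connection     (the ACL and static matched)
!   302014  Teardown TCP connection <reason> (e.g. "SYN Timeout" when the
!           server never answered)
!   106023  Deny tcp ... by access-group     (the interface ACL blocked it)
!
! 6. Clean up when finished.
no capture capout
no capture capin
no access-list cap_web_out
no access-list cap_web_in
```

If capout stays empty, the packets are not reaching the ASA at all and the problem is upstream of the firewall.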