Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

ASA5505: Nat Vs ACL

I have success with my setup internally (within the inside LAN traffic is fine). With one static public IP address, I can get out to the internet from the inside LAN and the DMZ (excellent). However I have no success for outside users (on the internet) to access my servers within the inside LAN :-((


.Q1. Does the firewall rule apply BEFORE or AFTER the NAT rule. Discussion. For port translation to work, in one of my NAT rules the incoming port needs to be translated from xx, to yy in my setup. The reason being is the yy is the port setup on the server but a group of external users cannot go out on that port (they are limited to their outgoing services, one of which is XX).  Thusly one of the firewall rules allows the translated service (and that user) to access the server.  If the firewall rules are applied first, then I have to additionally allow the initial incoming port.


.Q2.  What is correct format for static NAT RULE........  (allowing external user (any) to access an internal server on a inside lan host (private IP).

-A.  nat (outside,main-lan) source static any any destination static ISP-Assigned-WANIP tfs-server OM2 OM2


-B. nat (outside,Main-Lan) source static any any destination static tfs-server tfs-server service OM2 OM2

CreatePlease login to create content