Cisco Support Community
Community Member

Portforwarding on ASA5510 (static problems)


Does anyone have a solution for this problem?


We have two DMZ's with servers using public ip-address ranges. On our old linux-based firewall we use one of these public ip-addresses for portforwarding (different ports) to two different hosts, one on each dmz.

When I tried it on a Cisco Pix running software version 6.3 in a lab environment it work perfect but when I copied the lines to our new ASA 5510, running 7.2(1) it complains about conflicting static lines.

The config:

access-list extended Portforwarding6500 permit tcp object-group PublicServer1 650 any

access-list extended Portforwarding6600 permit tcp object-group PublicServer2 660 any

static (DMZ1,Outside) tcp 6500 access-list Portforwarding6500

static (DMZ2,Outside) tcp 6600 access-list Portforwarding6600

static (DMZ1,Outside)

static (DMZ2,Outside)

Torbjorn Hedstrom



Re: Portforwarding on ASA5510 (static problems)

If i get it right you just want to PAT two different Servers to one or two addressable ip's.

Something like this?

DMZ Server 1: -> public:80

DMZ Server 2: -> public:8080

Anyhow try it the following way.

access-list FromOutside remark ***Outside Access-Definition***

access-list FromOutside extended permit tcp any host eq 650

access-list FromOutside extended permit tcp any host eq 660

! bind the access-list on you're outside interface

access-group FromOutside in interface

! PAT server1 with port 6500 from dmz1 to the outside ip with port 650

! PAT server2 with port 6600 from dmz2 to the outside ip with port 660

static (DMZ1,Outside) tcp 650 6500 netmask

static (DMZ2,Outside) tcp 660 6600 netmask

You should end up with two addressable ports.

:650 and :660.

Community Member

Re: Portforwarding on ASA5510 (static problems)

Yes, that's the way I want it, preferably by using only one public ip for both ports but neither the Pix or the ASA will let me do that with ordanary static lines like that, it starts complaining about "WARNING: mapped-address conflict with existing static". (Actually, that seems to be related to having the machines on different interface, just now when I tried it I wrote the second static line to be on DMZ1 as well and it didn't complain, so I guess I'll just have to use two public ip's for this)

But then the next problem arise, as the hosts on the DMZ's have public ip's I have to tell the ASA not to NAT the ordinary DMZ traffic, either by a NAT 0 command or with static lines as in my fist post and then it starts to complain again with the same error (WARNING: real-address conflict with existing static)


CreatePlease to create content