New Member

ASA 5510 Static route


I have an ASA 5510 device.

int0 is connected to ISP1

int1 is connected to lan (

The ASA is configured to NAT (PAT) the LAN.

What is the problem:

I need to configure the ASA to route all traffic to lan through

I configured a static route on the device:

route inside 1

The problem is that if I ping which is a valid host the ASA reports portmap translation creation failed for icmp source inside dst inside

If I put on a computer the gw and I ping it works.



Re: ASA 5510 Static route

Can you post a sanitized config?

New Member

Re: ASA 5510 Static route

: Saved


ASA Version 7.2(3)


hostname ASA


enable password xxxxxxx encrypted


name 80.xx.xx.70 AdrsPublica

name ITManager

name 80.xx.xx.65 Router2821


interface Ethernet0/0

nameif WAN1

security-level 0

ip address 80.xx.xx.66


interface Ethernet0/1

nameif inside

security-level 100

ip address


interface Ethernet0/2


no nameif

no security-level

no ip address


interface Ethernet0/3


no nameif

no security-level

no ip address


interface Management0/0

nameif management

security-level 100

ip address



passwd xxxxxxxxxxxxxx encrypted

ftp mode passive

clock timezone EEST 2

clock summer-time EEDT recurring last Sun Mar 3:00 last Sun Oct 4:00

dns server-group DefaultDNS


same-security-traffic permit intra-interface

access-list WAN1_access_in extended permit ip host Router2821 host 80.xx.xx.71 log emergencies

access-list inside_access_in extended permit ip any

access-list inside_access_in extended permit ip

pager lines 24

logging enable

logging asdm informational

mtu WAN1 1500

mtu inside 1500

mtu management 1500

ip verify reverse-path interface WAN1

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-523.bin

no asdm history enable

arp timeout 14400


global (WAN1) 101 interface

global (WAN1) 120 80.xx.xx.71 netmask

nat (inside) 101

static (inside,WAN1) udp 80.xx.xx.71 tftp ITManager tftp netmask

access-group WAN1_access_in in interface Idilis

access-group inside_access_in in interface inside

route WAN1 Router2821 1

route inside 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

http server enable

http management

http inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

telnet inside

telnet timeout 5

ssh timeout 5

console timeout 0

management-access management

dhcpd address management



class-map inspection_default

match default-inspection-traffic



policy-map type inspect dns preset_dns_map


message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

inspect icmp


service-policy global_policy global

username alex password xxxxxxxxxxxxxxxxxxxxxxxxx encrypted privilege 15

prompt hostname context


: end

asdm image disk0:/asdm-523.bin

no asdm history enable


Re: ASA 5510 Static route

The problem here is you are attempting to hairpin the traffic on the inside interface. You were right by adding the same-security-traffic permit intra-interface command but you need a little more.


static (inside,inside) netmask

global (inside) 101 interface

Adding the global statement with the corresponding nat statement will ensure the reply from the network will be routed back to the inside of the ASA, which will then be routed back to the source 10.100.100.x.
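
A check for the condition the answer above describes, as an added example that is not part of the original thread or of any Cisco tooling: it scans ASA 7.x-style configuration text for an interface that both sources NATed traffic and carries a static route, then reports whether `same-security-traffic permit intra-interface` and a `global` matching each `nat` ID are present. The function name `hairpin_gaps` and all sample addresses are constructed for illustration; the thread's real addresses are not known.

```python
import re

# Constructed sample (placeholder addresses, not the poster's real values).
BEFORE = """
same-security-traffic permit intra-interface
global (WAN1) 101 interface
nat (inside) 101 10.100.100.0 255.255.255.0
route WAN1 0.0.0.0 0.0.0.0 192.0.2.1 1
route inside 192.168.50.0 255.255.255.0 10.100.100.254 1
"""
AFTER = BEFORE + "global (inside) 101 interface\n"


def hairpin_gaps(config):
    """Map each hairpin-candidate interface to the commands it still lacks.

    A candidate is an interface that both sources NATed traffic (nat (if) N)
    and carries a static route (route if ...), so packets can enter and
    leave through that same interface.
    """
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    intra = "same-security-traffic permit intra-interface" in lines
    routed, nat_ids, global_ids = set(), {}, {}
    for ln in lines:
        if m := re.match(r"route (\S+) ", ln):
            routed.add(m.group(1))
        elif m := re.match(r"nat \(([^)]+)\) (\d+)", ln):
            nat_ids.setdefault(m.group(1), set()).add(m.group(2))
        elif m := re.match(r"global \(([^)]+)\) (\d+)", ln):
            global_ids.setdefault(m.group(1), set()).add(m.group(2))
    gaps = {}
    for iface in sorted(routed & set(nat_ids)):
        missing = []
        if not intra:
            missing.append("same-security-traffic permit intra-interface")
        # nat id 0 is NAT exemption and never needs a matching global pool.
        unmatched = nat_ids[iface] - global_ids.get(iface, set()) - {"0"}
        missing += [f"global ({iface}) {nid} interface" for nid in sorted(unmatched)]
        if missing:
            gaps[iface] = missing
    return gaps


if __name__ == "__main__":
    print(hairpin_gaps(BEFORE))
    print(hairpin_gaps(AFTER))
```
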

New Member

Re: ASA 5510 Static route

done work



Re: ASA 5510 Static route

Does that mean it worked or it did not work? I hope it did.

New Member

Re: ASA 5510 Static route

It worked.

Thank you very much.

But I have another question.

I have 2 ISPs.

I want to configure int 0/3 with an IP address from the second provider. The allocated IP address is 82.76.xx.xx/ the DNS from this provider is 193.231.236.xx. I want to configure the ASA to NAT all requests that go to the DNS (193.231......) through 82.76.xx.xx.

Is it possible?

Thank you.