Cisco Support Community
Community Member

Back-to-back firewall NAT translation

I have an ASA 5525 and a Cisco 887 router.

I want to lab out a scenario where I can test the NAT translations, especially for FTP and WWW.

So I have a real external IP address where I telnet to port 80 for one web server and port 21 for a different one,

in the hope that the 887 will translate that to an IP in the 3750, which is then connected to the 5525 with another LAN behind it.


Let's say my real external IP is a /30; the Cisco 887 is configured to translate that inside.


ip nat inside source static tcp 23 interface Dialer1 21

ip nat inside source static tcp 80 interface Dialer1 80


Then I have another VLAN SVI network inside my 3750 Layer 3 switch running EIGRP, which is my pretend address (I have actually used the ISP's real address internally for testing purposes, but it is not advertised outside).

So that means the outside interface of the 5525 is

The internal interface is a /24.

The client is at and


So I want to be able to telnet from the REAL internet on port 21 and hit port 21, and hit on port 80.

So the translation to the actual outside interface address of the 5525 works, but when I use another address in the network it doesn't.


I have objects created in the ASA for the and


Any ideas what sort of config I need on the 5525 to get this to accept a translation for something other than the outside interface address?

I have firewall rules of any/any.


This is version 9.1.
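
An added worked example of the two-hop setup described above (this is not the poster's configuration; all addresses, interface and object names are assumed, drawn from the documentation ranges): the 887 does port-specific static NAT from its Dialer1 address to mapped addresses that live on the ASA's outside subnet, and the ASA (9.1, post-8.3 object NAT) maps those addresses to the real servers. The point the question turns on is that the ASA's mapped address does not have to be the outside interface address: any address in the outside subnet works, because the ASA proxy-ARPs for static mapped addresses that fall inside that subnet.

```cisco
! ---- Cisco 887 (edge, PPPoE on Dialer1) ----
! Assumed addressing (not from the original post):
!   Dialer1 public IP     : 198.51.100.2/30
!   Transit VLAN to 3750  : 192.0.2.0/24   (887 = .1, 3750 SVI = .254)
!   ASA outside subnet    : 203.0.113.0/24 (ASA outside = .1, 3750 SVI = .254)
!   ASA inside subnet     : 192.168.10.0/24 (www = .80, ftp = .21)
interface Dialer1
 ip nat outside
interface Vlan10
 ip address 192.0.2.1 255.255.255.0
 ip nat inside
!
! Port-specific static NAT. The "inside" addresses here are the ASA's
! *mapped* addresses on the 3750's VLAN, not the real servers behind the ASA.
ip nat inside source static tcp 203.0.113.11 80 interface Dialer1 80
ip nat inside source static tcp 203.0.113.10 21 interface Dialer1 21
!
! The 887 must reach 203.0.113.0/24 (the post learns it via EIGRP);
! a static route is shown here only to keep the example self-contained.
ip route 203.0.113.0 255.255.255.0 192.0.2.254

! ---- ASA 5525, version 9.1 (object NAT) ----
! Mapped addresses .10/.11 are NOT the outside interface address (.1).
! They are inside the outside interface's subnet, so the ASA answers ARP
! for them and the 3750 can forward to them. If they were outside that
! subnet, the 3750 would instead need a route for them via 203.0.113.1.
object network WWW_REAL
 host 192.168.10.80
 nat (inside,outside) static 203.0.113.11 service tcp 80 80
object network FTP_REAL
 host 192.168.10.21
 nat (inside,outside) static 203.0.113.10 service tcp 21 21
!
! Post-8.3 access lists match the REAL (untranslated) destination.
access-list OUTSIDE_IN extended permit tcp any host 192.168.10.80 eq 80
access-list OUTSIDE_IN extended permit tcp any host 192.168.10.21 eq 21
access-group OUTSIDE_IN in interface outside
!
route outside 0.0.0.0 0.0.0.0 203.0.113.254
!
! FTP inspection (on by default in global_policy) rewrites PORT/PASV so the
! data channel is translated on the ASA. The 887's port-only mapping covers
! tcp/21 alone, so test passive FTP end to end rather than assuming it works.
policy-map global_policy
 class inspection_default
  inspect ftp

! ---- Checks ----
! 887 : show ip nat translations
! ASA : show nat detail
!       packet-tracer input outside tcp 198.51.100.50 40000 203.0.113.11 80
!       show xlate
```

On a failover pair, enter the configuration and run the checks on the unit that is actually forwarding the traffic (`show failover` tells you which one is active); a rule written on the other unit never takes effect there.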


VIP Super Bronze

How about if you assign a prefix-length to the public IP range?

Something like this:

ip nat pool test prefix-length 3

ip nat inside source list 10 pool test

access-list 10 permit host or 20


Community Member

OK, so it's good to not skip parts of a FW build

I was having difficulty with HA replication and lost interest in getting that working, so I moved on to the firewall rule part, which was bailing out on me.

So I went back to the config and I couldn't work out why, when I wrote the rule either in the CLI or in ASDM, it didn't actually appear in the config.

It would appear that my lack of replication between the two firewalls was the issue. I was writing the config on the firewall that wasn't participating in dealing with the packets.

Once I had fixed the active/active replication, the issue went away and I could create rules and test well.


So the moral of the story is not to skip parts of a FW build-out...

Thanks for your suggestions.

