Cisco Support Community
New Member

Firewall translations


I did this exercise a long time ago, but I can't recollect how it was done, and I was wondering if somebody could share some ideas.

I have a machine in the LAN with address scheme. I would like to translate this address to another private address in subnet and map a public address to this NAT'd address. So it will look like:

Cloud > Public Address> Firewall> >

The machine is physically placed in subnet and I would like the firewall to route requests coming from cloud > public address > > without physically placing the server in subnet.

Thanks in advance


Re: Firewall translations

It would be cleaner to translate the public to the 10 address, but I'll assume there is a reason that can't be done.

Cloud > Public Address> Firewall> >

static (inside,outside) [public ip] netmask

On the next hop (in red)-

Cloud > Public Address> Firewall> >

static (inside,outside) [] netmask

Hope that helps.

New Member

Re: Firewall translations


I have a machine located in the LAN with a Class C private address. I have a perimeter network with its own address scheme.

I would like to have the machine in the LAN do a static mapping with the DMZ address, and then do a static mapping of the DMZ address to the public address. I don't want to expose the machine's identity by translating the internal address to the public address. I want packets going out from the DMZ address to the Internet.

for example:


DMZ > Public address

Public address > Internet

There won't be a physical machine located in the DMZ. I would like to have the ASA perform all the translations and routing. If required, I can plug in an entry for DNS.

How could I achieve this?

Thanks in advance

Re: Firewall translations

static (Dmz, Lan) Lan_IP Dmz_IP netmask

static (Lan, Internet) tcp interface external_port Lan_IP internal_port netmask

I assumed you can do a 1:1 NAT between LAN and DMZ, as you can afford to waste 2 private IP addresses, but for Lan to Internet you just do a port forward for some ports.

Don't forget the firewall !!!

access-group Internet_in in interface Internet

access-group Dmz_in in interface DMZ

And the security level

interface Ethernet0/0
nameif Internet
security-level 0
ip address Internet_IP
interface Ethernet0/1
nameif Lan
security-level 100
ip address
interface Ethernet0/2
nameif Dmz
security-level 50
ip address
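
Added example, not part of the original thread: the pieces from the last reply (security levels, a 1:1 static, a port forward, and the inbound ACLs) filled in as one pre-8.3 ASA configuration. Every address, the forwarded port 443, and the ACL entries are constructed sample values, and the interface names follow the reply above.

```cisco
! Constructed example, pre-8.3 ASA "static" syntax.
! All addresses are sample/documentation values, not taken from the thread.
interface Ethernet0/0
 nameif Internet
 security-level 0
 ip address 203.0.113.2 255.255.255.0
interface Ethernet0/1
 nameif Lan
 security-level 100
 ip address 192.168.1.1 255.255.255.0
interface Ethernet0/2
 nameif Dmz
 security-level 50
 ip address 10.10.10.1 255.255.255.0
!
! Argument order: static (real_if,mapped_if) mapped_ip real_ip
! 1:1 NAT: the Lan host 192.168.1.10 is seen from the Dmz as 10.10.10.10.
! This rule applies only to traffic between the Lan and Dmz interfaces.
static (Lan,Dmz) 10.10.10.10 192.168.1.10 netmask 255.255.255.255
!
! Port forward: TCP 443 on the Internet interface address is sent to
! the Lan host on TCP 443. Only this port is published.
static (Lan,Internet) tcp interface 443 192.168.1.10 443 netmask 255.255.255.255
!
! Inbound ACLs reference the mapped address (pre-8.3 behaviour) and
! permit only the published port; everything else hits the implicit deny.
access-list Internet_in extended permit tcp any interface Internet eq 443
access-group Internet_in in interface Internet
!
access-list Dmz_in extended permit tcp 10.10.10.0 255.255.255.0 host 10.10.10.10 eq 443
access-group Dmz_in in interface Dmz
```

To confirm which translation and ACL entry a given flow matches, run `packet-tracer input Internet tcp 198.51.100.5 12345 203.0.113.2 443` (constructed source address) and check active translations with `show xlate`.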
