Cisco Support Community

New Member

PAT problem


We have a problem. We have a router which performs NAT, and behind the router we have an ASA. On the inside we have a server. We need requests which come to our outside interface with port number 9000 to be converted to the server IP with port number 443. We do port address translation on the router:

ip nat inside source static tcp 443 interface GigabitEthernet0/0 9000

And on the ASA we permit everything for testing.

But our config doesn't work. What should we do?


PAT problem


Can you provide the config of the ASA?



Don't forget to rate helpful posts.
New Member

PAT problem


ASA Version 8.2(1)


hostname ciscoasa

enable password 8Ry2YjIyt7RRXU24 encrypted

passwd 2KFQnbNIdI.2KYOU encrypted



interface Ethernet0/0

nameif outside

security-level 0

ip address


interface Ethernet0/1

nameif inside

security-level 100

ip address


interface Ethernet0/2


no nameif

no security-level

no ip address


interface Ethernet0/3


no nameif

no security-level

no ip address


interface Management0/0


no nameif

no security-level

no ip address


ftp mode passive

access-list 111 extended permit ip 255.255.255.0

access-list out_to_in extended permit tcp any host eq smtp

access-list out_to_in extended permit tcp any host eq www

access-list out_to_in extended permit tcp any host eq https

pager lines 24

logging enable

logging timestamp

logging list my-list level debugging class vpn

logging trap my-list

logging host inside

mtu outside 1500

mtu inside 1500

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

nat (inside) 0 access-list 111

access-group out_to_in in interface outside

route outside 1

route inside 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

aaa-server CiscoAsa protocol radius

aaa-server CiscoAsa (inside) host

key 1q2w!1q2w

radius-common-pw 1q2w!1q2w

http server enable

http outside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set RA-TS esp-3des esp-sha-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map DYN_MAP 10 set transform-set RA-TS

crypto map VPN_MAP 30 ipsec-isakmp dynamic DYN_MAP

crypto map VPN_MAP interface outside

crypto isakmp enable outside

crypto isakmp policy 20

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 3600

crypto isakmp policy 65535

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

no vpn-addr-assign local

telnet timeout 5

ssh timeout 5

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept


group-policy RAVPN internal

group-policy RAVPN attributes

dns-server value


vpn-idle-timeout 45

username risk password WJjW/emCr.pCrXeq encrypted

tunnel-group vpnclient type remote-access

tunnel-group vpnclient general-attributes

authentication-server-group CiscoAsa

default-group-policy RAVPN


tunnel-group vpnclient ipsec-attributes

pre-shared-key *


class-map inspection_default

match default-inspection-traffic



policy-map type inspect dns preset_dns_map


  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect netbios

  inspect rsh

  inspect rtsp

  inspect skinny

  inspect esmtp

  inspect sqlnet

  inspect sunrpc

  inspect tftp

  inspect sip

  inspect xdmcp


service-policy global_policy global

prompt hostname context


: end

PAT problem


Can you provide the show ip nat translation output from your router as well? The most important thing to look at is whether the translation is happening. There could be a chance that the traffic is really not coming in with port 9000 on the router, hence the translation doesn't happen.

New Member

PAT problem

Router#show ip nat translations

Pro Inside global      Inside local                   Outside local           Outside global


tcp  ---                ---

And the ASA access-list:

access-list out_to_in line 1 extended permit tcp any host eq smtp (hitcnt=1) 0x8c8a5270

access-list out_to_in line 3 extended permit tcp any host eq www (hitcnt=0) 0x66a8840a

access-list out_to_in line 4 extended permit tcp any host eq https (hitcnt=5) 0x66546073
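
The check requested earlier in the thread (is the 9000-to-443 translation present on the router, and is any traffic actually matching it) can be scripted against saved `show ip nat translations` output. This is an added example, not part of the original thread; the sample output is constructed with documentation-range addresses, and the function names are hypothetical.

```python
import re

# Constructed sample of IOS `show ip nat translations` output. The addresses
# are documentation-range placeholders, not values from the thread.
SAMPLE = """\
Pro Inside global      Inside local       Outside local      Outside global
tcp 192.0.2.1:9000     10.0.0.10:443      203.0.113.7:51515  203.0.113.7:51515
tcp 192.0.2.1:9000     10.0.0.10:443      ---                ---
"""
STATIC_ONLY = SAMPLE.splitlines()[0] + "\n" + SAMPLE.splitlines()[2] + "\n"

FIELDS = ("proto", "inside_global", "inside_local", "outside_local", "outside_global")
ROW = re.compile(r"^(tcp|udp)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse_translations(text):
    """Return one dict per tcp/udp row; the header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        match = ROW.match(line.strip())
        if match:
            rows.append(dict(zip(FIELDS, match.groups())))
    return rows


def port_of(endpoint):
    """Port of an 'address:port' field, or None for '---' or a bare address."""
    _, sep, port = endpoint.rpartition(":")
    return int(port) if sep and port.isdigit() else None


def check_static_pat(text, global_port, local_port, proto="tcp"):
    """Report whether the static PAT entry exists and how many flows use it."""
    static_present, active_flows = False, 0
    for row in parse_translations(text):
        if (row["proto"], port_of(row["inside_global"]),
                port_of(row["inside_local"])) != (proto, global_port, local_port):
            continue
        if row["outside_local"] == row["outside_global"] == "---":
            static_present = True   # the configured mapping itself
        else:
            active_flows += 1       # a live session created by matching traffic
    return {"static_present": static_present, "active_flows": active_flows}


if __name__ == "__main__":
    print(check_static_pat(SAMPLE, 9000, 443))
    print(check_static_pat(STATIC_ONLY, 9000, 443))
```

A result with `static_present` true and `active_flows` at zero means the mapping is configured but nothing has matched it, which is the case where traffic is not arriving at the router on port 9000.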