Cisco ASA Dynamic NAT with DMZ

Hi Dinh,

If you want to access your DMZ server from the inside with its public IP address, then you’ll have to configure NAT. This is something I wouldn’t recommend, though…you can use the private IP address to reach the DMZ server from the inside.

To give you an idea, here’s an example where I configure hairpinning for a server on the inside:


ASA1(config)# object network DMZ_POOL
ASA1(config-network-object)# range

==== Is this supposed to be 200? Please correct me if I am wrong,

as the translated address is

Hi Asi,

That’s right, I just fixed this. Thanks for letting me know!


Hi Rene,

Bit confused by the show xlate command output.

Dynamic NAT
ASA1# show xlate
NAT from INSIDE: to OUTSIDE: flags i idle 0:00:33 timeout 3:00:0

With the above configuration, I can understand that the traffic is initiated on the INSIDE interface, that's why it's showing in the show xlate output:


And now looking at port-forwarding:


show  xlate 
2 in use, 3 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
       s - static, T - twice, N - net-to-net
TCP PAT from DMZ: 80-80 to OUTSIDE: 80-80
    flags sr idle 0:02:20 timeout 0:00:00

TCP PAT from DMZ: 22-22 to OUTSIDE: 10022-10022

The connection is initiated from outside, trying to access the internal service on a server, but the xlate still shows:

TCP PAT from DMZ: 80-80 to OUTSIDE: 80-80

Is this hard coded? Whether or not the connection is initiated from outside, will it always show the same in port forwarding?
Please explain the inverse variation in the values between these two.

Hi Asi,

I understand that this might be confusing. It’s best to let the idea of “traffic is initiated” go :slight_smile: The way you should read this is that all traffic from source IP using source TCP 80 has to be translated to source IP with source TCP 80.

It doesn’t matter if the traffic was originated from outside > inside or inside > outside. If it matches this IP/port then we translate, that’s it.


Accidentally, I have to implement a DMZ configuration on an outdated and unmaintained ASA 5510 firewall (ASA version 8.0(3)6, ASDM version 6.0). After diving into the manual and some forum posts, I've learned that there was a major CLI syntax change with the 8.3 firmware.

Unfortunately, I have to implement the following config on this old CLI version, where I have three interfaces:

outside (example…)

The DMZ has one host, a web server at

I have three objectives to implement:
- to allow all outside IP addresses to access the web server at
- to translate all traffic from the outside interface to the web server at (at least port 80 and 443)
- to allow all inside IP addresses from the network to access the web server at

Could you support with the appropriate 8.0 CLI syntax?

Any help would be very much appreciated…

config t
interface gi0/0
ip address

nameif outside
interface gi0/1
ip address
nameif inside

interface gi0/3
ip address
nameif dmz
security-level 50

object network LAN

object network DMZ

object-group service Dmz_ports
service-object tcp destination eq 80
service-object tcp destination eq 443

object network DMZ
nat (dmz,outside) static service tcp 80 80
object network DMZ
nat (dmz,outside) static service tcp 443 443

access-list out_acz_in permit object-group Dmz_ports any object DMZ
access-group out_acz_in in interface outside

Note: Traffic from LAN to DMZ is allowed (high-to-low), but only for the inspected protocols like Telnet, HTTP…

So HTTP 80 is inspected, not to worry about. Traffic with SP:80 from LAN to DMZ will flow by default.

For any other traffic, use the below access-list as appropriate.

// Allow access to all ports from DMZ to INSIDE (applied inbound on the dmz interface)

access-list dmz_acz permit ip object DMZ object LAN
access-group dmz_acz in interface dmz

// Allow access only to port 443 from DMZ to INSIDE

access-list dmz_acz permit tcp object DMZ object LAN eq 443
access-group dmz_acz in interface dmz

Please let me know the results.

Hello Rene,

I am a little bit confused about the two commands when using NAT:

nat(inside, outside)


Appreciate your nice clarification as always :slight_smile:


Hi Zaman,

Here’s how it works:

ASA1(config)# object network SERVER
ASA1(config-network-object)# host
ASA1(config-network-object)# nat (INSIDE,OUTSIDE) static

This basically does two things:

  • When a packet enters the INSIDE and exits the OUTSIDE, and the source IP address is then we translate the source address to
  • When a packet enters the OUTSIDE and exits the INSIDE, and the destination IP address is then we translate the destination address to

We use this so a server on the INSIDE is reachable from the OUTSIDE. We also use nat (INSIDE,OUTSIDE) so that multiple hosts can access the Internet through a single public IP address.

Now let’s look at another example:

ASA1(config)# object network DNS_SERVER
ASA1(config-network-object)# host
ASA1(config-network-object)# nat (OUTSIDE,INSIDE) static

Here’s what it means:

  • When a packet enters the OUTSIDE and exits the INSIDE, and the source IP address is then we translate the source address to
  • When a packet enters the INSIDE and exits the OUTSIDE, and the destination IP address is then we translate the destination address to

This can be useful if you want hosts to be able to reach some external server using an internal IP address. When an internal host tries to reach, then it will be translated to (Google DNS).

Hope this helps!
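To make the two bullet lists above concrete, here is an added example (not code from the original thread) that models how an ASA static object NAT rule rewrites a packet in each direction, and shows the point made earlier in the thread that the same rule applies to the reply whichever side initiated the connection. All interface names and addresses are constructed sample values.

```python
# Added example, not from the forum thread: a small model of how an ASA
# object NAT rule "nat (REAL_IF,MAPPED_IF) static MAPPED_IP" rewrites packets.
# All interface names and addresses below are constructed sample values.
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    in_if: str   # interface the packet enters
    out_if: str  # interface the packet exits
    src: str
    dst: str


@dataclass(frozen=True)
class StaticNat:
    real_if: str    # first interface in "nat (real,mapped)"
    mapped_if: str  # second interface
    real_ip: str    # the object's "host" address
    mapped_ip: str  # the address after "static"

    def apply(self, pkt: Packet) -> Packet:
        # real -> mapped direction: rewrite the source if it is the real address
        if (pkt.in_if, pkt.out_if, pkt.src) == (self.real_if, self.mapped_if, self.real_ip):
            return replace(pkt, src=self.mapped_ip)
        # mapped -> real direction: rewrite the destination if it is the mapped address
        if (pkt.in_if, pkt.out_if, pkt.dst) == (self.mapped_if, self.real_if, self.mapped_ip):
            return replace(pkt, dst=self.real_ip)
        return pkt  # rule does not match; packet is left untouched


# nat (INSIDE,OUTSIDE) static: an inside server published on a public address
SERVER = StaticNat("INSIDE", "OUTSIDE", "192.0.2.10", "203.0.113.10")
# nat (OUTSIDE,INSIDE) static: an external DNS server reachable on an inside address
DNS_SERVER = StaticNat("OUTSIDE", "INSIDE", "198.51.100.53", "192.0.2.53")


def round_trip(rule: StaticNat, first: Packet) -> tuple:
    """Translate the first packet of a flow and then its reply.

    The reply swaps interfaces and addresses of the *translated* first packet,
    as the far end sees it; the same rule rewrites it back, regardless of
    which side initiated the connection."""
    fwd = rule.apply(first)
    reply = Packet(fwd.out_if, fwd.in_if, fwd.dst, fwd.src)
    return fwd, rule.apply(reply)


if __name__ == "__main__":
    fwd, back = round_trip(SERVER, Packet("OUTSIDE", "INSIDE", "198.51.100.7", "203.0.113.10"))
    print(fwd)   # destination rewritten to 192.0.2.10
    print(back)  # source rewritten back to 203.0.113.10
```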


By default the FW allows traffic from Inside to DMZ, so that means I am on the Inside network and I can RDP to my Windows server in the DMZ. It can be bad in some cases,
and if I want to block RDP from Inside to DMZ I will need to configure an access list?

Thank you

Hi Hoan,

That is correct, it is permitted because you go from a higher to a lower security level. If you want to block this, you have to use an access-list. I have an example here:

Look for the “deny traffic from inside” section.


Hi Rene
I have configured Dynamic NAT on ASA version 8.4(2). As I enable debug, it shows that NAT is working fine, but I cannot ping from INSIDE to OUTSIDE. As I debug, the traffic already reaches the destination with the NAT source IP and returns back, and it was dropped on the ASA. Could you help me with this? As it's return traffic, it should be allowed.

Hello Heng,

Have you tried packet-tracer on the ASA? That should give you a reason why the ASA drops it.


Maybe slightly off topic. I have a need for a DMZ server to initiate communications with a LAN (inside) server. How can I go about doing this?

Hello Richard

By default, communication from lower security level areas to higher security level areas on an ASA is blocked. The only way to get a server in the DMZ (lower security level) to communicate with a device in the LAN (higher security level) is to create the appropriate access lists to allow such communication. The access lists should be configured to allow the appropriate parameters (IP addresses, protocols, etc.) and, even more importantly, to make sure that all other undesired traffic is blocked.

Such a configuration is typical when you have a web server in the DMZ and the SQL database that it uses within the LAN. The web server will need to query the SQL server to display the appropriate content. In such a case, an access list similar to the following can be employed in the ASA:

access-list DMZ_WEB line 1 extended permit tcp host object inside-network eq sqlnet
access-list DMZ_WEB line 2 extended deny ip host inside-network

where is the web server and the inside-network object refers to the internal LAN network. Note that only sqlnet or SQL database traffic is allowed from the DMZ to the Internal network.

I hope this has been helpful!
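As an added illustration (not code from the thread or from Cisco), the following models the two rules discussed in this reply: traffic from a higher security level to a lower one is permitted by default, lower to higher is denied, and an access-list applied inbound on the ingress interface replaces that default. Interface levels, the web server address and the LAN network are constructed sample values.

```python
# Added example, not from the forum thread: a small model of the ASA rule that
# traffic from a higher security-level interface to a lower one is permitted by
# default, while lower to higher is denied unless an access-list applied inbound
# on the ingress interface permits it. Levels and addresses are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

LEVELS = {"inside": 100, "dmz": 50, "outside": 0}
SQLNET = 1521  # the TCP port the ASA keyword "sqlnet" stands for


@dataclass(frozen=True)
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches any protocol
    src: str                     # host address or CIDR network
    dst: str
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, proto: str, src: str, dst: str, dport: int) -> bool:
        if self.proto != "ip" and self.proto != proto:
            return False
        if ip_address(src) not in ip_network(self.src):
            return False
        if ip_address(dst) not in ip_network(self.dst):
            return False
        return self.dport is None or self.dport == dport


def decide(in_if: str, out_if: str, proto: str, src: str, dst: str,
           dport: int, acl: Optional[list] = None) -> str:
    """Return 'permit' or 'deny' for a new connection entering in_if."""
    if acl is not None:
        # An inbound access-group replaces the security-level default and,
        # like every ASA ACL, ends with an implicit deny.
        for ace in acl:
            if ace.matches(proto, src, dst, dport):
                return ace.action
        return "deny"
    return "permit" if LEVELS[in_if] > LEVELS[out_if] else "deny"


# The DMZ_WEB access-list from the reply, with a constructed web server
# (192.0.2.80) and LAN (10.0.0.0/24): only sqlnet from the web server to the LAN.
DMZ_WEB = [
    Ace("permit", "tcp", "192.0.2.80", "10.0.0.0/24", SQLNET),
    Ace("deny", "ip", "192.0.2.80", "10.0.0.0/24"),
]
```

Because the access-list ends with an implicit deny, applying DMZ_WEB inbound on the dmz interface also stops the web server from opening connections to the outside; a real deployment adds an explicit permit for any such traffic it needs.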


Hello there,

I am kind of new to the networking field.
I have configured ASA dynamic NAT with DMZ as per Unit 2.
For some reason I can't telnet into R2 and R3; it gives me the error "connection refused by remote host".
If you can help me out, please.

Hello Ankit

First of all, if R3 gives you the “connection refused by remote host” error, this means that your session has reached R3 successfully, however, R3 has been configured not to respond to telnet sessions. Have you tried ssh? It depends on what protocol you have enabled for the CLI communication with the device.

As for R2, from which device are you attempting to connect to R2? Are you going through the ASA? It may be that the NAT is not functioning correctly or that some ACLs have not been configured correctly. Take a look at your config once again and compare it with the lesson. Let us know your findings so we can continue helping you with the troubleshooting…

I hope this has been helpful!


I have slightly confused myself … particularly as my ASA 5500 image in GNS3 has issues … does one need a routing protocol running on the ASA, or does that defeat the object of using NAT?
Many Thanks

Hello Frank

You can choose to run a routing protocol on the ASA or you can choose to employ static routing, it makes no difference. ASA devices inherently contain routing functionality since they have interfaces on multiple subnets. Routing is required for any communication between these. This does not affect NAT as NAT’s purpose is somewhat different. You just have to keep the order of operations clear in your mind whenever configuring combinations of NAT and routing, such that you know what is applied first, NAT or routing, and in which direction. The following document clarifies the order of operations.

I hope this has been helpful!


Thanks Laz
I have been out of the cisco world for some time… If ip routing is enabled on the ASA but no static routes or protocol and attached routers set up with default routes should it still work?