Cisco ASA NAT Port Forwarding

(Rene Molenaar) #1

This topic is to discuss the following lesson:

Cisco ASA Static NAT Configuration
(Ralph P) #2


Your scenario explains forwarding traffic to port 22 for SSH, but further down in your configuration example you are using port 25 for SMTP. Any reason for the change between the scenario and the example configuration??

(Rene Molenaar) #3

Hi Ralph,

That was a typo, I just changed port 25 to 22. Thanks for letting me know!


(Mohammad Taslim M) #4

Hi Rene,

Thank you for the explanation.

I have a question.

In this tutorial, you are using PAT for sending traffic from Outside to DMZ. However, if I want to use PAT for sending traffic from DMZ to Outside, how should I do the configurations ?

Thank you


(Rene Molenaar) #5

Hi Taslim,

Hmm why would you want to do this? :slight_smile: We use PAT in this example so that someone on the Internet is able to connect to a public IP address on the outside so that we can reach our DMZ servers with private IP addresses.

Our DMZ servers can reach the Internet by using “regular” NAT.


(Harmit V) #6

Hi Rene,

Diagram needs to be updated to for lan subnet.

(Harmit V) #7

I mean

(Rene Molenaar) #8

Hi Harmit,

Thanks, I just fixed the text so it matches the diagram.


(ratha c) #9

Base on this configuration, it working with ASA 8.4 or later.

Can you show me if ASA 8.2 or older, how to configure ASA 8.2 or older?

(Rene Molenaar) #10

It should be something like this:

static (DMZ,OUTSIDE) tcp <outside ip> <port> <inside ip> <port> netmask

(Paul B) #11

Hi Rene,


Is there any reason given by Cisco as to why the order of operations was changed on the Asa 8.3 code?

The real ip’s in the acls and the post natt’d port numbers etc


(Rene Molenaar) #12

Hi Paul,

Not that I know of, I tried looking it up but couldn’t find anything.


(juan i) #13


Hi Rene… For some reason when trying to telnet from my outside router to my http server I keep getting error message “Connection refused by remote host” I was able to successfully ssh into my ssh server. Also I am able to telnet from ssh server to http server so I know the configuration is correct any idea ?

Thanks in advance.

interface GigabitEthernet0
nameif DMZ
security-level 50
ip address
interface GigabitEthernet1
nameif OUTSIDE
security-level 0
ip address
object network WEB_SERVER
object network SSH_SERVER
access-list DMZ_SERVERS extended permit tcp any host eq www
access-list DMZ_SERVERS extended permit tcp any host eq ssh
object network WEB_SERVER
nat (DMZ,OUTSIDE) static interface service tcp www www
object network SSH_SERVER
nat (DMZ,OUTSIDE) static interface service tcp ssh ssh
access-group DMZ_SERVERS in interface OUTSIDE
class-map icmp
match default-inspection-traffic
policy-map icmp_policy
class icmp
inspect icmp
inspect http
service-policy icmp_policy global

(Rene Molenaar) #14

Hi Juan,

Your configuration is looking good to me. SSH from OUTSIDE to DMZ is no problem?

Is it possible it’s something else? perhaps no route or default gateway on the HTTP server pointing to your ASA?


(juan i) #15


Correct SSH from OUTSIDE TO DMZ is working fine… I configured my hhtp server (Router 2) to allow ssh with the following command

access-list DMZ_SERVERS extended permit tcp any host eq ssh

Now I can remote in but by using the routers IP ex:(ssh -l Cisco for some reason my ASA is no nating/port forwarding to my http server

ciscoasa# show xlate
2 in use, 2 most used
Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
TCP PAT from DMZ: 80-80 to OUTSIDE: 80-80
    flags sr idle 0:05:12 timeout 0:00:00
TCP PAT from DMZ: 22-22 to OUTSIDE: 22-22
    flags sr idle 0:09:33 timeout 0:00:00
ciscoasa# show nat

Auto NAT Policies (Section 2)
1 (DMZ) to (OUTSIDE) source static WEB_SERVER interface   service tcp www www
    translate_hits = 0, untranslate_hits = 23
2 (DMZ) to (OUTSIDE) source static SSH_SERVER interface   service tcp ssh ssh
    translate_hits = 14, untranslate_hits = 6

not sure why!!!

(Rene Molenaar) #16

Hi Juan,

Your ASA configuration does look ok and seems to translate HTTP traffic. If you enable a debug IP packet (with an access-list) or debug ip http can you see anything?

Using packet tracer on the ASA also helps to check if you have any errors.


( n) #17

Hi Rene

I do the lab again and set the default route to the firewall.
I can check port 80 on the Web Server by you command in this example “telnet 80” but I can’t use “ssh -l cisco -p 10022” from R2 to outside ip of firewall.
I dont know why is it?

I think it should be nat static to SSH server

Please help me resolve this!

Thank you!

(Rene Molenaar) #18

Just a couple of things to check…

  • Can you SSH from the webserver into the SSH server? that proves SSH is working.
  • Do you have a default route on the SSH server towards the ASA?
  • Do you see a matching entry in show xlate?

(asi m) #19

Not sure I am correct,but this should allow telnet from outside
config t
telnet outside

(asi m) #20

This might be correct

config t
telnet outside