How do I configure NAT/ACL on Cisco ASA 5510?

Posted on 2009-02-11
Last Modified: 2012-05-06
I'm currently playing around with a Cisco ASA 5510 and the device keeps dropping packets I'm trying to pass on to another router. I've attached a basic image of the network and as you can see it is fairly straightforward.

All I'm trying to do is allow HTTP/HTTPS traffic from the 'external' network ( through to the internal network ( and vice versa. The static route has been entered (145 traffic to be sent to From the internal network I can access the device so I know it can talk to it OK, but as soon as I try to use the packet trace app on ASDM it drops all the time due to ACLs, so I can't hit the 145 network.

I'll probably need to post the config but I was hoping someone might be able to put together the CLI bits I need so I can go through and understand what I've missed.
Question by:v0r73x
    LVL 33

    Expert Comment

    The code would help. But basically, to allow traffic from a lower security interface (the outside) to the higher security interface (the inside), you need to create a static map for 1 internal IP mapped to either an external IP or by using a port forward on the firewall's interface. Once the internal machine is mapped to an external IP, you must create the ACL to allow specific traffic onto the static map.

    Have a look here:

    That is an explanation using a DMZ, but the process is exactly the same for the inside network.
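The static map plus ACL that the comment above describes, written out as an added example (ASA 8.2-style syntax; not configuration from the original post). The interface names, the `192.0.2.0/24` inside network, the `203.0.113.0/24` outside network and the `198.51.100.0/24` external client network are constructed placeholders, since the post's real addresses are not shown.

```cisco
! Added example, ASA 8.2 syntax. All addresses are constructed placeholders.
! Assumed interfaces: outside (security-level 0) and inside (security-level 100).
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.1 255.255.255.0
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.0.2.1 255.255.255.0
!
! Static one-to-one map: the inside web server 192.0.2.10 is reachable from
! the outside as 203.0.113.10.
static (inside,outside) 203.0.113.10 192.0.2.10 netmask 255.255.255.255
!
! Alternative if no spare outside IP exists: port-forward on the outside
! interface address instead of the one-to-one map above.
! static (inside,outside) tcp interface 80 192.0.2.10 80 netmask 255.255.255.255
! static (inside,outside) tcp interface 443 192.0.2.10 443 netmask 255.255.255.255
!
! ACL applied inbound on outside. On 8.2 and earlier the destination is the
! translated (outside) address, and only the two required ports are opened,
! only from the external network that actually needs them.
access-list outside_in extended permit tcp 198.51.100.0 255.255.255.0 host 203.0.113.10 eq www
access-list outside_in extended permit tcp 198.51.100.0 255.255.255.0 host 203.0.113.10 eq https
access-list outside_in extended deny ip any any log
access-group outside_in in interface outside
```

To confirm the map and the ACL line up before trusting ASDM's packet tracer, run the same trace from the CLI, for example `packet-tracer input outside tcp 198.51.100.20 40000 203.0.113.10 80`; the output names the phase (NAT, ACCESS-LIST, ROUTE-LOOKUP) that drops the packet. `show xlate` should list the static translation as soon as it is configured.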


    Author Comment

    What I'm hoping to achieve is any network user in 192 to access the 145 network. So I didn't think the static NAT would work for this?

    At current a NAT Exempt rule exists for 192 to 10 and I can access the 10 network. Unfortunately I can't get out to 145 from 192 yet.

    It's probably just me confusing myself. I'll tidy up the config and post shortly.
    LVL 33

    Accepted Solution

    There is a feature in ASA to permit traffic to flow on interfaces with the same security level: Look at the bottom of that page for the commands.

    Kind of defeats the purpose of having a firewall here... A router would probably be a better choice unless there are interfaces that you haven't diagrammed....
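The same-security approach from the accepted solution, which the author later confirms is what they used, as an added example (ASA 8.2 syntax; not the original poster's configuration). The interface names, the `192.0.2.0/24` "192" network, the `198.51.100.0/24` "145" network, the `203.0.113.0/30` transit link and the router address `203.0.113.2` are constructed placeholders; the NAT exemption mirrors the kind of "192 to 10" exempt rule the author already has.

```cisco
! Added example, ASA 8.2 syntax. All addresses are constructed placeholders.
! Both interfaces sit at security-level 100, so neither is "lower" than the other.
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.0.2.1 255.255.255.0
!
interface Ethernet0/2
 nameif partner
 security-level 100
 ip address 203.0.113.1 255.255.255.252
!
! Off by default: without this, traffic between two interfaces that share a
! security level is dropped even when no ACL is present.
same-security-traffic permit inter-interface
!
! Static route to the remote network via the router on the partner link.
route partner 198.51.100.0 255.255.255.0 203.0.113.2 1
!
! NAT exemption (bidirectional). Needed when an existing dynamic rule such as
! "nat (inside) 1 ..." would otherwise match this traffic; with no matching
! global on the partner interface the flow fails with "no translation group found".
access-list inside_nat0 extended permit ip 192.0.2.0 255.255.255.0 198.51.100.0 255.255.255.0
nat (inside) 0 access-list inside_nat0
!
! Same-security does not have to mean "permit everything": an interface ACL
! still filters. These two ACLs keep the flow to HTTP/HTTPS in both directions.
! Note that applying an access-group to inside replaces the implicit
! higher-to-lower permit, so any other flows from inside (e.g. to the outside
! interface) must be added here as well.
access-list inside_in extended permit tcp 192.0.2.0 255.255.255.0 198.51.100.0 255.255.255.0 eq www
access-list inside_in extended permit tcp 192.0.2.0 255.255.255.0 198.51.100.0 255.255.255.0 eq https
access-list inside_in extended deny ip any any log
access-group inside_in in interface inside
!
access-list partner_in extended permit tcp 198.51.100.0 255.255.255.0 192.0.2.0 255.255.255.0 eq www
access-list partner_in extended permit tcp 198.51.100.0 255.255.255.0 192.0.2.0 255.255.255.0 eq https
access-list partner_in extended deny ip any any log
access-group partner_in in interface partner
```

Check it with `packet-tracer input inside tcp 192.0.2.50 40000 198.51.100.10 443` and the reverse direction from `partner`; a drop in the NAT phase points at a missing exemption, a drop in the ACCESS-LIST phase at the interface ACL, and a drop before either phase at the missing `same-security-traffic` command.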
    LVL 33

    Expert Comment

    Actually, as I re-read your post just now... If the 192 network is on a higher security interface (inside) and 145 is on a lower interface (outside) then a simple NAT rule would work just fine. It's only if you want 145 traffic to freely visit 192 that the problem would arise.

    Here is the NAT example.
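The "simple NAT rule" case from the comment above, as an added example (ASA 8.2 syntax; not the example the comment links to). It assumes the 192 network sits on `inside` (security-level 100) and the 145 network is reached through `outside` (security-level 0); `192.0.2.0/24` and `198.51.100.0/24` are constructed placeholders for the two networks.

```cisco
! Added example, ASA 8.2 syntax. All addresses are constructed placeholders.
! inside (100) -> outside (0): higher-to-lower is permitted by default,
! so only a translation is required for the outbound direction.
nat (inside) 1 192.0.2.0 255.255.255.0
global (outside) 1 interface
!
! Return packets of these connections are allowed by the stateful inspection
! table; no ACL on outside is needed for them. Unsolicited connections from
! the 145 side toward 192 stay blocked, which is the case the comment says
! needs a static map and an ACL instead.
!
! Optional tightening: restrict what inside hosts may start toward the 145
! network. Applying this ACL replaces the implicit permit on inside, so every
! other outbound flow that must keep working has to be listed too.
access-list inside_in extended permit tcp 192.0.2.0 255.255.255.0 198.51.100.0 255.255.255.0 eq www
access-list inside_in extended permit tcp 192.0.2.0 255.255.255.0 198.51.100.0 255.255.255.0 eq https
access-list inside_in extended deny ip any any log
access-group inside_in in interface inside
```

`show xlate` shows the dynamic PAT entries as inside hosts connect; `packet-tracer input inside tcp 192.0.2.50 40000 198.51.100.10 80` confirms the NAT and ACL phases both pass before any hosts are involved.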

    Author Closing Comment

    As it's connecting to another trusted network it was just adding it to the same security level and allowing same security communication. Many thanks.
