Cisco ASA 5510 firewall source NAT but no association with any interfaces

I have a need to source NAT a range of addresses on a one to one basis on a Cisco ASA5510, but the firewall has no association (interfaces) with the range of addresses that source NAT is to be applied and I only want to apply this translation when the original source addresses browse to a specific public address.

To try and explain further I will use the private address as the destination public address.

Internal host browses to the public address via the ASA 5510 firewall.
The ASA 5510 has an inside address and an outside address.
When the internal host browses to the public address, the 5510 uses source address translation and changes the address to

Another internal host browses to the same public address via the ASA 5510 firewall as in the scenario above, but this time the 5510 (still using source address translation) translates to address and so on (i.e. on a one-to-one source translation basis).

Is this possible and if so please could you provide me with an example configuration.

Kind regards

Actually, this is easier than you might think, using conditional NAT. Here's an example:

public host =

ASA outside public interface IP used as PAT global:
ASA inside interface
ASA has a route internally to
  route inside

Now we just create the conditions, defining the traffic that we want to NAT:
 access-list CONDITIONAL_NAT1 permit ip host host
 access-list CONDITIONAL_NAT2 permit ip host host
 access-list CONDITIONAL_NAT3 permit ip host host

Now, apply the conditions to static xlates:
 static (inside,outside) access-list CONDITIONAL_NAT1
 static (inside,outside) access-list CONDITIONAL_NAT2
 static (inside,outside) access-list CONDITIONAL_NAT3

Alternative solution that also may work with fewer lines of code:
  access-list CONDITIONAL permit ip host
 global (outside) 2 netmask
 nat (inside) 2 access-list CONDITIONAL

mtutton (Author) commented:
Hi Genius,

Thanks for the response, but the solution does not provide what I require.

This solution provides NAT/PAT based on the outside interface (in your case). I require the source address (i.e. ) to be translated to an address NOT associated with ANY addresses associated with the firewall, e.g. source translates to source when the destination address is a specific public address.

Hello there,

Look, lrmoore was close, but first of all, in your explanation there's a mistake (I hope it is :D).

You said:

Internal host
The asa 5510 has an inside address
I guess it should be:
The asa 5510 has an inside address

If NOT, you have another device in the middle between the inside net and the inside interface of the Cisco ASA... But OK, it is irrelevant to what we want, just make sure the device in the "middle" is not doing PAT or dynamic NAT...
What you want is a Policy Static NAT translation; this is commonly used in environments where there's a duplicity in the inside networks (when dealing with VPNs)...
In fact you should do this.

1) Access list to match the criteria:
access-list to-out permit ip host

2) Define the Policy Static:

static (inside,outside) access-list to-out

And this is it.

It will make a static one-to-one translation: ---> ---> --->
.! And So on
. --->

Obviously you should have a dynamic NAT translation for traffic to other destinations:

nat (inside) 1
global (outside) 1 interface (for example)

I hope this is what you want!


OK, the concept is the same regardless of whether or not the address is associated with the outside interface. I simply misunderstood your requirement.
You can NAT to any address, regardless of interface addressing. This is especially handy when you connect via VPN tunnel to a location that has overlapping IP address space.
mtutton (Author) commented:
Hi vreinaldo and lrmoore,

Thank you both for your replies.  

However, neither of you has understood my question. This is obviously down to myself not explaining my problem properly. So I will reiterate:
We have a very large network and I quote a key sentence in my first paragraph, 'but the firewall has no association (interfaces) with the range of addresses that source NAT is to be applied'.

So for example:

inside network is
outside network is
Source addresses reside somewhere within the inside network (note: this subnet is NOT associated with any of the IP addresses associated with the firewall, which are & in my example).

So what I require is that the source address coming from an internal network within the large enterprise (e.g. ) and entering the firewall from the inside interface ( ) needs to have its source address changed by the firewall to , when the source has a destination address of (my public address example).

Hope this explains it more clearly. My apologies for not explaining better in the first place.

As I mentioned, I don't know whether this is indeed possible because there is NO association with any addresses attached to the firewall.



Hi there,

It doesn't matter, my friend. It looks like you haven't done the test... but OK, as I told you last time in this scenario:
"The asa 5510 has an inside address

If NOT, you have another device in the middle between the inside net and the inside interface of the Cisco ASA... But OK, it IS IRRELEVANT to what we want, just make sure the device in the "middle" is not doing PAT or dynamic NAT..."

What I mean with this is:

If you have a device doing PAT, you will NOT BE ABLE to make a one-to-one translation.
If you have a device doing dynamic NAT, you will NOT BE ABLE to make a one-to-one translation.
If you have a device doing routing without NAT, you will BE ABLE to make a one-to-one translation using the above configuration!!

That's what I THINK is your problem; if not, please try to make it clearer with a diagram, or at least tell me what device is connecting the ASA with the inside LAN.

Have a nice Day..!
That's what I think; if it's not... then you're right, I DON'T GET IT.

mtutton (Author) commented:
Hi vreinaldo,

There are two firewalls (inside and outside). The inside one is NOT doing any dynamic NAT or PAT, just routing, and the outside firewall is attached to a router (which connects to the internet) which does PAT.

Between the two firewalls is effectively a DMZ. In this DMZ is a VPN device. This device must see source addresses coming from the inside network in the range from (in my example) when internal clients browse a specific public address.

However, clients on the inside network use subnets other than this, thus the need for translation of the source address. The VPN device then uses this as interesting traffic and brings up a VPN to a remote device (via the internet).

I was reluctant to expand in this manner, as I thought it might detract from what I was trying to achieve. Clearly, not expanding has caused more confusion.

So, to summarise, this can be done and I would use (using my example) for one specific internal client:

access-list to-out permit ip host
static (inside,outside) access-list to-out

This access-list would be applied to the inside interface.

mtutton (Author) commented:
Hi vreinaldo

Please ignore (hopefully you already have) my last comment in the post, i.e. 'This access-list would be applied to the inside interface'; obviously that's nonsense.

But I do understand now how my overall objective can be achieved, thanks to you and lrmoore.

Thanks to you both for your time and effort in helping me.

Thanks for sticking with us!
The bottom line is that you can certainly NAT any internal network - as long as you have a route to it - to any IP address as it goes out regardless of any association with the outside interface with a simple ACL applied to a static statement.
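A worked configuration for the scenario as it was finally described in this thread (real clients on a subnet the ASA has no interface on, one-to-one translation only towards one public destination, ordinary PAT for everything else), written as an added example and not posted by any of the participants. All addresses are constructed from the RFC 5737 documentation ranges, the object and ACL names are assumptions, and the inside next hop 192.0.2.2 stands in for the inside routing firewall the author mentions. The first part uses the pre-8.3 `static ... access-list` form the thread discusses; the second part shows the same intent in the object-based twice-NAT form used from ASA 8.3 onwards.

```cisco
! Added example, not from the thread. Constructed addresses (RFC 5737 ranges):
!   ASA inside interface    192.0.2.1/24, inside routing firewall at 192.0.2.2
!   real client subnet      10.10.10.0/24   (no ASA interface on it)
!   mapped (translated)     198.51.100.0/24 (what the DMZ VPN device must see)
!   public destination      203.0.113.10    (only this site triggers the translation)

! 1) The ASA must have a route to the real subnet, or return traffic is dropped.
route inside 10.10.10.0 255.255.255.0 192.0.2.2 1

! --- ASA 8.2 and earlier: policy static NAT, as in the accepted answer ---
! Per-host form: ACL source = real host, ACL destination = the public site.
access-list to-out-11 extended permit ip host 10.10.10.11 host 203.0.113.10
static (inside,outside) 198.51.100.11 access-list to-out-11
access-list to-out-12 extended permit ip host 10.10.10.12 host 203.0.113.10
static (inside,outside) 198.51.100.12 access-list to-out-12

! Whole-subnet form: one statement maps 10.10.10.x -> 198.51.100.x one-to-one,
! the mask being taken from the ACL source, only when the destination matches.
access-list to-out-net extended permit ip 10.10.10.0 255.255.255.0 host 203.0.113.10
static (inside,outside) 198.51.100.0 access-list to-out-net

! Static (policy) NAT is evaluated before dynamic NAT, so all other inside
! traffic still falls through to the usual interface PAT.
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface

! --- ASA 8.3 and later: same intent as object-based twice NAT ---
object network REAL_NET
 subnet 10.10.10.0 255.255.255.0
object network MAPPED_NET
 subnet 198.51.100.0 255.255.255.0
object network VPN_SITE
 host 203.0.113.10
nat (inside,outside) source static REAL_NET MAPPED_NET destination static VPN_SITE VPN_SITE

! Verification: trace one flow through the NAT phase, then list the xlate built.
packet-tracer input inside tcp 10.10.10.11 40000 203.0.113.10 443
show xlate
```

Two things to check when this does not behave as expected: that the device between the clients and the ASA is only routing (any PAT or dynamic NAT on it collapses the one-to-one mapping, as vreinaldo points out), and that the DMZ side has a route for 198.51.100.0/24 back towards the ASA, since the translated addresses are not tied to any ASA interface.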