Cisco ASA 5505 8.3 PAT issue


I am still trying to understand IOS 8.3.  Here is the information on my test network

Inside: 192.168.10.x

I have an Exchange server at  I want to translate access from the outside -> in from ports 80, 25, 443 to go to:  I have the port-object set up and the ACL.

object network inside-nat
object-group service exchange_server_ports tcp
 port-object eq www
 port-object eq https
 port-object eq smtp
object-group network exchange_server
 network-object host
access-list SPLIT standard permit
access-list NoNAT extended permit ip
access-list outside_access_in remark ***For Exchange***
access-list outside_access_in extended permit tcp any object-group exchange_server object-group exchange_server_ports
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu Public 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-641.bin
no asdm history enable
arp timeout 14400
object network inside-nat
 nat (inside,outside) dynamic interface

orbistechnology Commented:

The 8.3 shift in NAT design is quite dramatic.  I found this video which explains rather concisely how the new NAT paradigm works.

In short, in your object-group "exchange_server" you would put a nat statement which would then setup autonat.

I'm rather new to 8.3+ as well, so I don't want to give you a wrong answer.  I think the video should get you going.

mahrens007Author Commented:
I have watched that video but they don't translate 2 ports to a single IP address.
lrmoore Commented:
This is from my working config:

access-list outside_access_in extended permit tcp any host eq www
access-list outside_access_in extended permit tcp any host eq smtp
object network obj_any
 nat (inside,outside) dynamic interface
object network
 nat (any,outside) static interface service tcp www www
object network
 nat (any,outside) static interface service tcp smtp smtp

Notice that the Access-list references the Private (real) IP and not the public...
Only difference is that I did not use the object groups in the acl.

mahrens007Author Commented:
How would I apply this to a certain external IP address?
You don't have to apply to external addresses in 8.3+ versions of the ASA software.  You create the nat - and I believe you can nat object group service types to your internal address.

In the access list, you permit the traffic and reference the inside address, not the outside as in previous ASA versions, or the PIX.

It is a complete shift in methodology - and not one that comes easily!

Why they completely deprecated the old system, I can't fathom.  They should at least let us use both conventions to get used to the new config.
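As an added example (not from the thread, and not taken from Cisco documentation), here is the same 8.3 object-NAT layout extended to all three ports the question asks about and mapped to a specific public address instead of the outside interface; the inside host 192.168.10.25 and public IP 203.0.113.10 are constructed placeholders.

```text
! Added example: ASA 8.3+ static PAT for one inside Exchange host on
! TCP 80, 443 and 25. 192.168.10.25 and 203.0.113.10 are constructed
! placeholders; substitute your own real and public addresses.

! The real (inside) host, defined once so the ACL can reference it
object network EXCHANGE_REAL
 host 192.168.10.25

! The mapped (public) address used by the static PAT entries
object network EXCHANGE_PUBLIC
 host 203.0.113.10

! One object NAT statement per port. Each object needs its own name, but
! all of them point at the same real host. Use the keyword "interface" in
! place of EXCHANGE_PUBLIC to map to the outside interface address instead.
object network EXCHANGE_REAL_WWW
 host 192.168.10.25
 nat (inside,outside) static EXCHANGE_PUBLIC service tcp www www
object network EXCHANGE_REAL_HTTPS
 host 192.168.10.25
 nat (inside,outside) static EXCHANGE_PUBLIC service tcp https https
object network EXCHANGE_REAL_SMTP
 host 192.168.10.25
 nat (inside,outside) static EXCHANGE_PUBLIC service tcp smtp smtp

! Dynamic PAT for everything else leaving the inside network
object network INSIDE_NAT
 subnet 192.168.10.0 255.255.255.0
 nat (inside,outside) dynamic interface

! Inbound ACL: in 8.3+ it matches the REAL (inside) address, not the public
! one, and only the three published ports are permitted
object-group service EXCHANGE_PORTS tcp
 port-object eq www
 port-object eq https
 port-object eq smtp
access-list outside_access_in remark ***For Exchange***
access-list outside_access_in extended permit tcp any object EXCHANGE_REAL object-group EXCHANGE_PORTS
access-group outside_access_in in interface outside
```

After applying it, `show nat detail` and `packet-tracer input outside tcp 198.51.100.1 1025 203.0.113.10 443` will show which NAT rule and ACL entry an inbound connection hits before any real traffic is sent.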

mahrens007Author Commented:
This didn't directly resolve my issue, but pointed me in the right direction.