Enable PAT ASA 5505

Posted on 2011-02-27
Last Modified: 2012-05-11

Using ASA Version 8.0(2)

This device is mostly configured using ASDM.

We have about 5 IPs from the ISP. We use NAT overload for users to access the internet.

And the rest 4 IPs are being 1-to-1 NAT.

Under NAT rules I have the static statements and a dynamic from any (internal) to outside.

Because of IP limitation we would like to port forward on the USERS IP to one of the internal servers on a specific port.

Please assist in setting up the ACL and the NAT rule for that.
Question by: masdf123
LVL 17

Expert Comment

ID: 34992004
Please post the current config here as well as information about exactly which IP/port to forward to/from.


Author Comment

ID: 34993552
My Configuration is something like this:

name PBX
name DC2

interface Vlan1
 nameif inside
 security-level 100
 ip address
interface Vlan2
 nameif outside
 security-level 0
 ip address
interface Ethernet0/0
 switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3

interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
 switchport access vlan 2

access-list outside_in extended permit tcp any host eq 3389
access-list outside_in extended permit tcp host host eq 25
access-list outside_in extended permit tcp any host eq 30
access-list B2B extended permit ip host PBX
access-list inside_nat0_outbound extended permit ip
access-list inside_nat0_outbound extended permit ip
access-list inside_nat0_outbound extended permit ip 255.255.2
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-602.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1
static (inside,outside) PBX netmask
static (inside,outside) DC2 netmask dns
access-group outside_in in interface outside
route outside 1

So all internet traffic for users is going through

Rest DC2 and PBX are static NAT.

So basically if I want to enable PAT on going to  on port 123

LVL 17

Accepted Solution

Kvistofta earned 500 total points
ID: 34994678

static (inside,outside) tcp interface 123 123
clear xlat

Best regards
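
Added example, not part of the original answer: on ASA 8.0 (pre-8.3 NAT syntax) a static PAT on the outside interface only passes traffic if the ACL bound to that interface also permits the forwarded port, so the two lines go together. The addresses 10.0.0.10, 192.0.2.1 and 198.51.100.20 are constructed placeholders for the internal server, the outside interface IP and an allowed remote peer; `outside_in` is the ACL name from the posted config.

```cisco
! Constructed example for ASA 8.0 (pre-8.3 NAT syntax); all addresses are placeholders.

! Static PAT: TCP 123 on the outside interface IP -> TCP 123 on the internal server.
static (inside,outside) tcp interface 123 10.0.0.10 123 netmask 255.255.255.255

! Pre-8.3 ACLs match the mapped (public) address, here the outside interface itself.
! Broad form: any source on the internet can reach the forwarded port.
access-list outside_in extended permit tcp any interface outside eq 123

! Narrower form: use this instead of the line above when the remote peer is known.
! access-list outside_in extended permit tcp host 198.51.100.20 interface outside eq 123

! The ACL is already applied by the existing line in the posted config:
! access-group outside_in in interface outside

! Flush stale translations so the new static takes effect.
clear xlate

! Verify from privileged EXEC:
!   show xlate
!   show access-list outside_in
!   packet-tracer input outside tcp 198.51.100.20 1025 192.0.2.1 123
```

`packet-tracer` reports which phase (ACL or NAT) drops the simulated packet, and the hit counters in `show access-list outside_in` confirm that real traffic is matching the new entry.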


Author Comment

ID: 34994682

What does clear xlat mean?
LVL 17

Expert Comment

ID: 34994715
It removes all existing address translations. It needs to be done sometimes when you change the address translations in order to have a "fresh" start.


Author Comment

ID: 34994906
You mean the NAT translations table?
LVL 17

Expert Comment

ID: 34995671
LVL 69

Expert Comment

ID: 35321837
This question has been classified as abandoned and is being closed as part of the Cleanup Program. See my comment at the end of the question for more details.

Question has a verified solution.
