ASA 8.4 (2) NAT

I'm working on ASA NAT. I have an ASA connected to 3 different devices by internal, dmz and outside interfaces. I want to configure the ASA so that if a router that resides on the outside connects to the ASA's external port with destination port 4444, the ASA forwards it to the internal router with destination port 23. My config is as follows:


nat (dmz,outside) source static R4_ETHERNET interface service R4_TELNET_23 TELNET_R4_PUBLIC

object network R4_ETHERNET

object network R1_ETHERNET
 host ------> IP address of R1

object service R4_TELNET_23
 service tcp source eq telnet

object service TELNET_R4_PUBLIC
 service tcp source eq 4444





ciscoasa(config)# sh inter ip br

Interface                  IP-Address      





But there is no hit on the NAT rule. Any idea?


  • timaztimaz ✭✭

    Hi again; 


    I finally got the answer. My config about NAT was correct, but I forgot to write an ACL for outside to DMZ traffic. After that, I managed to issue a telnet connection to destination port 4444 and the ASA redirected that traffic to R4.

    But in the output of "sh nat detail" I get hits on "untranslated" rather than "translated", but port redirection is successful.

  • Hi,

    Hits on untranslated are expected behaviour, as you do DNAT, not source NAT. Source NAT means you TRANSLATE the real address to a mapped address; UNTRANSLATE means you are untranslating the mapped address back to its real address. Makes sense, no?



  • timaztimaz ✭✭

    I had another question about NAT, so I thought it would be better not to create another post and to ask here again [:P]


    I want to use NAT to forward ports telnet>1111 and ssh>1110 on ASA and R4 Ethernet port. When I use a second nat command inside an object, it replaces the previous one. How can I have, for example, 2 of these commands under one object simultaneously?


    object network R4_ETHERNET

     nat (dmz,outside) static service tcp telnet 1111 

     nat (dmz,outside) static service tcp ssh 1110

  • You need to configure two different objects with the same identity; object NAT allows you one identity and one NAT statement inside the object.
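
The two-object approach from the last reply, together with the outside ACL that the thread found was missing, written out as an added example that is not part of the original posts. The object names, the ACL name OUTSIDE_IN, the 192.0.2.4 and 198.51.100.10 addresses, and the use of `interface` as the mapped address are assumptions.

```cisco
! Added example, not from the thread. 192.0.2.4 is a placeholder for the
! real (DMZ) address of R4; the thread does not show it.
!
! Two network objects with the same identity (same host address).
! Each object carries exactly one object-NAT statement.
object network R4_ETHERNET_TELNET
 host 192.0.2.4
 nat (dmz,outside) static interface service tcp telnet 1111
!
object network R4_ETHERNET_SSH
 host 192.0.2.4
 nat (dmz,outside) static interface service tcp ssh 1110
!
! On 8.3 and later, interface ACLs match the REAL address and REAL port
! (23 and 22 here), not the mapped ports 1111 and 1110.
! 198.51.100.10 is a constructed management source; permitting only a
! known source keeps the forwarded ports from being reachable by any host.
access-list OUTSIDE_IN extended permit tcp host 198.51.100.10 object R4_ETHERNET_TELNET eq telnet
access-list OUTSIDE_IN extended permit tcp host 198.51.100.10 object R4_ETHERNET_SSH eq ssh
access-group OUTSIDE_IN in interface outside
!
! Verification: inbound connections to the mapped ports increment the
! untranslate counters of each rule, as explained earlier in the thread.
! show nat detail
! show access-list OUTSIDE_IN
```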

