Cisco ASA strange NAT scenario

  • Cisco ASA strange NAT scenario

    OK, first off, I know the following is not a best practice, but my curiosity dictates that I figure out how it was/is done:

    The setup is
    inside network
    outside 1.1.1.x/24

    Let's say I have a web server on the inside of my network, but I want to actually assign the public IP on it, and still have it on the inside of the firewall.
    Let's say the address is
    I am assuming the command would be static (inside,outside)
    However, I have labbed this scenario and it does not work.
    I have seen this done once, but do not remember how it was done, and do not have a copy of the ASA config to reference, but it was on a 5520 I believe, running 7.2ish (it did work after I upgraded it to

    I have also tried static (outside,inside), as well as both. I am sure it is not an ACL issue, as for testing I used permit any any.

  • #2
    Re: Cisco ASA strange NAT scenario

    Here is an example.

    ciscoasa(config)# access-list OUTSIDE extended permit tcp any host eq 80
    ciscoasa(config)# access-group OUTSIDE in interface outside
    ciscoasa(config)# static (inside,outside) netmask
    CCNA, Network+


    • #3
      Re: Cisco ASA strange NAT scenario

      If I read that right that would mean that the internal server has the I want to actually be able to assign the address to a server INSIDE my network even though it's on the outside. I have seen this done ONCE, but I did not remember how. I do not have a copy of the config to reference, but there was a server inside the network with an external address and it did work. I would be skeptical if I hadn't seen it work, because I know it's at best a bad practice. I am pretty sure there was no secondary addressing either.


      • #4
        Re: Cisco ASA strange NAT scenario
        OK, I figured it out, sort of. To get it to work, I added a route to the host on the inside and used the ASA's internal IP as the next hop router, and a static on the internal machine with the external address.
        Last edited by rpcblast; 28th March 2010, 23:07.