https://community.cisco.com/t5/network-security/asa-inbound-static-nat/m-p/2238738#M347861 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>Seems like a basic Static PAT configuration.</P><P></P><P>Is the IP address 210.18.171.21 configured on the ASA <STRONG>"outside"</STRONG> interface or is it just a public IP address from some subnet allocated to you by the ISP?</P><P></P><P>Well here is example configuration of both</P><P></P><P></P><P>The below presumes</P><UL><LI>You have interfaces named <STRONG>"outside"</STRONG> and <STRONG>"inside"</STRONG> between which this Static PAT is configured. Replace names if needed</LI><LI>You dont have any ACL attached to the <STRONG>"outside"</STRONG> interface yet. If you have then replace the name of the ACL below and insert them to your existing interface ACL. In that case also <STRONG>DONT USE</STRONG> the <STRONG>"access-group"</STRONG> command or it will replace your current <STRONG>"access-list"</STRONG> on the interface.</LI></UL><P></P><P></P><P><SPAN style="text-decoration: underline;">INTERFACE IP ADDRESS USED FOR STATIC PAT</SPAN></P><P></P><P><STRONG>object network STATIC-PAT-WWW</STRONG></P><P><STRONG> host 192.168.100.35</STRONG></P><P><STRONG> nat (inside,outside) static interface service tcp 80 80</STRONG></P><P></P><P><STRONG>object network STATIC-PAT-SMTP</STRONG></P><P><STRONG> host 192.168.100.35</STRONG></P><P><STRONG> nat (inside,outside) static interface service tcp 25 25</STRONG></P><P></P><P><STRONG>access-list OUTSIDE-IN remark Allow WWW and SMTP</STRONG></P><P><STRONG>access-list OUTSIDE-IN permit tcp any object STATIC-PAT-WWW eq www</STRONG></P><P><STRONG>access-list OUTSIDE-IN permit tcp any object STATIC-PAT-SMTP</STRONG></P><P></P><P><STRONG>access-group OUTSIDE-IN in interface outside</STRONG></P><P></P><P></P><P><SPAN style="text-decoration: underline;">SEPARATE IP ADDRESS USED FOR STATIC PAT</SPAN></P><P></P><P></P><P><STRONG>object network STATIC-PAT-WWW</STRONG></P><P><STRONG> host 192.168.100.35</STRONG></P><P><STRONG> nat (inside,outside) static 210.18.171.21 service tcp 80 80</STRONG></P><P></P><P><STRONG>object network STATIC-PAT-SMTP</STRONG></P><P><STRONG> host 192.168.100.35</STRONG></P><P><STRONG> nat (inside,outside) static 210.18.171.21 service tcp 25 25</STRONG></P><P></P><P><STRONG>access-list OUTSIDE-IN remark Allow WWW and SMTP</STRONG></P><P><STRONG>access-list OUTSIDE-IN permit tcp any object STATIC-PAT-WWW eq www</STRONG></P><P><STRONG>access-list OUTSIDE-IN permit tcp any object STATIC-PAT-SMTP</STRONG></P><P></P><P><STRONG>access-group OUTSIDE-IN in interface outside</STRONG></P><P></P><P></P><P></P><P>Hope this helps <SPAN __jive_emoticon_name="happy" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/4.5.4/images/emoticons/happy.gif"></SPAN></P><P></P><P>Please do remember to mark the reply as the correct answer if it answered your question.</P><P></P><P>Ask more if needed</P><P></P><P>-. Jouni</P></BODY></HTML> Tue, 18 Jun 2013 08:39:08 GMT Jouni Forss 2013-06-18T08:39:08Z https://community.cisco.com/t5/network-security/asa-inbound-static-nat/m-p/2238737#M347860 <P>Hi,</P><P></P><P>We have following static port forwarding on our router;</P><P></P><P>ip nat inside source static tcp 192.168.100.35 80 210.18.171.21 80 extendable </P><P>ip nat inside source static tcp 192.168.100.35 25 210.18.171.21 25 extendable </P><P></P><P>We want to configure this same settings on our new ASA running ver 9.0.2.</P><P></P><P>Appreciate all help to do this. </P> Tue, 12 Mar 2019 01:59:38 GMT https://community.cisco.com/t5/network-security/asa-inbound-static-nat/m-p/2238737#M347860 suthomas1 2019-03-12T01:59:38Z https://community.cisco.com/t5/network-security/asa-inbound-static-nat/m-p/2238738#M347861 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>Seems like a basic Static PAT configuration.</P><P></P><P>Is the IP address 210.18.171.21 configured on the ASA <STRONG>"outside"</STRONG> interface or is it just a public IP address from some subnet allocated to you by the ISP?</P><P></P><P>Well here is example configuration of both</P><P></P><P></P><P>The below presumes</P><UL><LI>You have interfaces named <STRONG>"outside"</STRONG> and <STRONG>"inside"</STRONG> between which this Static PAT is configured. Replace names if needed</LI><LI>You dont have any ACL attached to the <STRONG>"outside"</STRONG> interface yet. If you have then replace the name of the ACL below and insert them to your existing interface ACL. In that case also <STRONG>DONT USE</STRONG> the <STRONG>"access-group"</STRONG> command or it will replace your current <STRONG>"access-list"</STRONG> on the interface.</LI></UL><P></P><P></P><P><SPAN style="text-decoration: underline;">INTERFACE IP ADDRESS USED FOR STATIC PAT</SPAN></P><P></P><P><STRONG>object network STATIC-PAT-WWW</STRONG></P><P><STRONG> host 192.168.100.35</STRONG></P><P><STRONG> nat (inside,outside) static interface service tcp 80 80</STRONG></P><P></P><P><STRONG>object network STATIC-PAT-SMTP</STRONG></P><P><STRONG> host 192.168.100.35</STRONG></P><P><STRONG> nat (inside,outside) static interface service tcp 25 25</STRONG></P><P></P><P><STRONG>access-list OUTSIDE-IN remark Allow WWW and SMTP</STRONG></P><P><STRONG>access-list OUTSIDE-IN permit tcp any object STATIC-PAT-WWW eq www</STRONG></P><P><STRONG>access-list OUTSIDE-IN permit tcp any object STATIC-PAT-SMTP</STRONG></P><P></P><P><STRONG>access-group OUTSIDE-IN in interface outside</STRONG></P><P></P><P></P><P><SPAN style="text-decoration: underline;">SEPARATE IP ADDRESS USED FOR STATIC PAT</SPAN></P><P></P><P></P><P><STRONG>object network STATIC-PAT-WWW</STRONG></P><P><STRONG> host 192.168.100.35</STRONG></P><P><STRONG> nat (inside,outside) static 210.18.171.21 service tcp 80 80</STRONG></P><P></P><P><STRONG>object network STATIC-PAT-SMTP</STRONG></P><P><STRONG> host 192.168.100.35</STRONG></P><P><STRONG> nat (inside,outside) static 210.18.171.21 service tcp 25 25</STRONG></P><P></P><P><STRONG>access-list OUTSIDE-IN remark Allow WWW and SMTP</STRONG></P><P><STRONG>access-list OUTSIDE-IN permit tcp any object STATIC-PAT-WWW eq www</STRONG></P><P><STRONG>access-list OUTSIDE-IN permit tcp any object STATIC-PAT-SMTP</STRONG></P><P></P><P><STRONG>access-group OUTSIDE-IN in interface outside</STRONG></P><P></P><P></P><P></P><P>Hope this helps <SPAN __jive_emoticon_name="happy" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/4.5.4/images/emoticons/happy.gif"></SPAN></P><P></P><P>Please do remember to mark the reply as the correct answer if it answered your question.</P><P></P><P>Ask more if needed</P><P></P><P>-. Jouni</P></BODY></HTML> Tue, 18 Jun 2013 08:39:08 GMT https://community.cisco.com/t5/network-security/asa-inbound-static-nat/m-p/2238738#M347861 Jouni Forss 2013-06-18T08:39:08Z https://community.cisco.com/t5/network-security/asa-inbound-static-nat/m-p/2238739#M347862 <HTML><HEAD></HEAD><BODY><P>Thanks Jouni.</P><P></P><P>These lines below, one of them has destination port specified as eq www, but the second line for smtp traffic doesn't have eq smtp portion. Is it not required?</P><P></P><P><STRONG>access-list OUTSIDE-IN permit tcp any object STATIC-PAT-WWW eq www</STRONG></P><P><STRONG>access-list OUTSIDE-IN permit tcp any object STATIC-PAT-SMTP</STRONG></P></BODY></HTML> Tue, 18 Jun 2013 09:01:22 GMT https://community.cisco.com/t5/network-security/asa-inbound-static-nat/m-p/2238739#M347862 suthomas1 2013-06-18T09:01:22Z https://community.cisco.com/t5/network-security/asa-inbound-static-nat/m-p/2238740#M347863 <HTML><HEAD></HEAD><BODY><P>Ah sorry, my mistake.</P><P></P><P>Typing to fast and managed to completely leave one part out.</P><P></P><P>The <STRONG>"access-list"</STRONG> line requires the <STRONG>"eq smtp"</STRONG> or <STRONG>"eq 25"</STRONG> at the end</P><P></P><P><STRONG>access-list OUTSIDE-IN permit tcp any object STATIC-PAT-SMTP eq smtp</STRONG></P><P></P><P>- Jouni<STRONG><BR /></STRONG></P></BODY></HTML> Tue, 18 Jun 2013 09:05:00 GMT https://community.cisco.com/t5/network-security/asa-inbound-static-nat/m-p/2238740#M347863 Jouni Forss 2013-06-18T09:05:00Z