https://community.cisco.com/t5/network-security/nat-on-asa/m-p/3811151#M6731 <P>object network SERVER<BR />host 172.10.10.1<BR />!<BR />object network PUBLIC<BR />host 1.1.1.1<BR />!<BR />object service CUSTOM80<BR />service tcp source eq 80<BR />!<BR />object service CUSTOM300<BR />service tcp source eq 300<BR />!<BR />nat (inside,outside) source static SERVER PUBLIC service CUSTOM80 CUSTOM300<BR />!<BR />access-list OUTSIDE_IN extended permit tcp any object SERVER eq 80<BR />access-group OUTSIDE_IN in interface outside<BR />!</P> Wed, 27 Feb 2019 19:56:38 GMT Sheraz.Salim 2019-02-27T19:56:38Z https://community.cisco.com/t5/network-security/nat-on-asa/m-p/3810219#M6714 <DIV class="_3xX726aBn29LDbsDtzr_6E hxthbq-6 hEEidA" style="max-width: 800px;" data-click-id="text"> <DIV class="fo16tt-0 bJBAtI"> <P class="s90z9tc-10 fHRkcP">I need to create NAT where lets say a source from an outside IP is <A class="s90z9tc-27 fvqGYz" href="https://33.33.33.33" target="_blank" rel="noopener">33.33.33.33</A> to coming inside to lets say my public IP 1.1.1.1.1 which is mapped to <A class="s90z9tc-27 fvqGYz" href="https://172.10.10.1" target="_blank" rel="noopener">172.10.10.1</A> port 300.</P> <P class="s90z9tc-10 fHRkcP">So question is, how do I create nat rule saying if source IP is coming from <A class="s90z9tc-27 fvqGYz" href="https://33.33.33.33" target="_blank" rel="noopener">33.33.33.33</A> to map it to <A class="s90z9tc-27 fvqGYz" href="https://1.1.1.1" target="_blank" rel="noopener">1.1.1.1</A> (which will map it to my internal <A class="s90z9tc-27 fvqGYz" href="https://172.10.10.1" target="_blank" rel="noopener">172.10.10.1</A> on port 300.)</P> <P class="s90z9tc-10 fHRkcP">&nbsp;</P> <P class="s90z9tc-10 fHRkcP"><A class="s90z9tc-27 fvqGYz" href="https://33.33.33.33" target="_blank" rel="noopener">33.33.33.33</A> ----&gt; http/https -----&gt; <A class="s90z9tc-27 fvqGYz" href="https://1.1.1.1" target="_blank" rel="noopener">1.1.1.1</A> ------&gt; <A class="s90z9tc-27 fvqGYz" href="https://172.10.10.1" target="_blank" rel="noopener">172.10.10.1</A> port 300</P> </DIV> </DIV> Fri, 21 Feb 2020 16:52:14 GMT https://community.cisco.com/t5/network-security/nat-on-asa/m-p/3810219#M6714 Hulk8647 2020-02-21T16:52:14Z https://community.cisco.com/t5/network-security/nat-on-asa/m-p/3810274#M6719 <P>If I'm understanding you correctly, you're saying if traffic sourced from 33.33.33.33 destined to 1.1.1.1 on port 443, then translate 1.1.1.1 to 172.10.10.1 and 443 to 300</P> <PRE> object network 33.33.33.33-obj host 33.33.33.33 object network 1.1.1.1-obj host 1.1.1.1 object network 172.10.10.1-obj host 172.10.10.1 object service tcp-443 service tcp destination eq https object service tcp-300 service tcp destination eq 300 nat (Outside,Inside) 1 source static 33.33.33.33-obj 33.33.33.33-obj destination static 1.1.1.1-obj 172.10.10.1-obj service tcp-443 tcp-300 </PRE> Tue, 26 Feb 2019 19:27:30 GMT https://community.cisco.com/t5/network-security/nat-on-asa/m-p/3810274#M6719 mclaughlinm9 2019-02-26T19:27:30Z https://community.cisco.com/t5/network-security/nat-on-asa/m-p/3810297#M6724 <P>thank you! I'll give it a try and let you know!</P> Tue, 26 Feb 2019 19:51:49 GMT https://community.cisco.com/t5/network-security/nat-on-asa/m-p/3810297#M6724 Hulk8647 2019-02-26T19:51:49Z https://community.cisco.com/t5/network-security/nat-on-asa/m-p/3810351#M6725 <P>as you never mentioned what port you coming in. so assuming the coming port could be any number. and other thing do have a spare public ip address on outside interface or you want to land your outside traffic on your public facing asa interface and than doing the mapping?</P><P>here is the config if you have a public ip address as you mentioned in your post.</P><P>&nbsp;</P><P>object network SERVER<BR />host 172.10.10.1<BR />!<BR />object network PUBLIC<BR />host 1.1.1.1<BR />!<BR />nat (inside,outside) source static SERVER PUBLIC<BR />!<BR />access-list OUTSIDE_IN extended permit tcp any object SERVER eq 300<BR />access-group OUTSIDE_IN in interface outside</P> Tue, 26 Feb 2019 21:16:50 GMT https://community.cisco.com/t5/network-security/nat-on-asa/m-p/3810351#M6725 Sheraz.Salim 2019-02-26T21:16:50Z https://community.cisco.com/t5/network-security/nat-on-asa/m-p/3811059#M6727 <P>I'll be coming on on 443 and 80 which should then transalate to port 333. I have a spare IP on outside, lets say its 1.1.1.1</P> Wed, 27 Feb 2019 16:40:47 GMT https://community.cisco.com/t5/network-security/nat-on-asa/m-p/3811059#M6727 Hulk8647 2019-02-27T16:40:47Z https://community.cisco.com/t5/network-security/nat-on-asa/m-p/3811151#M6731 <P>object network SERVER<BR />host 172.10.10.1<BR />!<BR />object network PUBLIC<BR />host 1.1.1.1<BR />!<BR />object service CUSTOM80<BR />service tcp source eq 80<BR />!<BR />object service CUSTOM300<BR />service tcp source eq 300<BR />!<BR />nat (inside,outside) source static SERVER PUBLIC service CUSTOM80 CUSTOM300<BR />!<BR />access-list OUTSIDE_IN extended permit tcp any object SERVER eq 80<BR />access-group OUTSIDE_IN in interface outside<BR />!</P> Wed, 27 Feb 2019 19:56:38 GMT https://community.cisco.com/t5/network-security/nat-on-asa/m-p/3811151#M6731 Sheraz.Salim 2019-02-27T19:56:38Z