Hi,
Usually I would configure the NAT and ACL in the following way
- Presuming you are using "inside" and "outside" named interfaces
- Presuming you want to just forward a single port using the "outside" interface IP address of the ASA
- Presuming you don't have an ACL attached to the "outside" interface before this. If you have, then you naturally use the existing ACL
object network STATIC
 host
 nat (inside,outside) static interface service tcp 8000 8000
access-list OUTSIDE-IN permit tcp any object STATIC eq 8000
access-group OUTSIDE-IN in interface outside
While this configuration should work just fine, there is always a possibility that some other configuration prevents it from working correctly. So if it doesn't work with just this, then we would need to see the current configuration of the ASA to determine the problem.
You can also test the ASA configuration with the CLI command "packet-tracer".
Roughly, the command format in your case would probably be:
packet-tracer input outside tcp 1.2.3.4 12345 8000
The output of the above command should tell us which configurations/rules are applied to this simulated connection. Don't mind the strange source IP and port. They don't really matter as long as the IP used as the source is something that your ASA considers located behind its "outside" interface.
- Jouni
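A filled-in version of the port forward above, added here as an editor's example rather than Jouni's posted configuration. It assumes an inside host at 192.168.1.10 listening on tcp/8000, an outside interface address of 203.0.113.1, a client network of 198.51.100.0/24, and ASA 8.3 or later NAT syntax (all of these are assumptions). It goes slightly beyond the post by restricting the permitted source instead of using "any", by spelling out the full packet-tracer command including the destination address, and by adding the two show commands used to confirm that the translation and the ACL are actually in effect.

```text
! Added example, not from the original post. Assumed addresses:
!   inside host        192.168.1.10   (server listening on tcp/8000)
!   outside interface  203.0.113.1
!   trusted clients    198.51.100.0/24
! ASA 8.3+ semantics: an interface ACL matches the real (pre-NAT) address,
! which is why the ACL references the object and not the outside IP.

object network STATIC
 host 192.168.1.10
 nat (inside,outside) static interface service tcp 8000 8000

! Permit only the client network that needs the service; "any" would expose
! the forwarded port to every address behind the outside interface.
access-list OUTSIDE-IN extended permit tcp 198.51.100.0 255.255.255.0 object STATIC eq 8000
access-group OUTSIDE-IN in interface outside

! Simulate one client connecting to the forwarded port. Source address and
! port are arbitrary; the destination is the outside interface address,
! which the ASA un-NATs to the object in the UN-NAT phase of the output.
packet-tracer input outside tcp 198.51.100.20 12345 203.0.113.1 8000

! Confirm the static translation is installed and the ACL line is counting hits.
show nat detail
show access-list OUTSIDE-IN
```

If packet-tracer ends with "Action: drop", the "Drop-reason" line and the phase that reports "Result: DROP" identify which rule interfered; a hit count of 0 on the ACL line after a real connection attempt usually means the traffic never reached the outside interface or was translated to an address the ACL does not match.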