ASA NATing doesn't seem to work

mazin D

I have an ASA 5510 firewall, and a Fortigate is connected to a VLAN interface on the ASA. I have a public IP address NATed (object NAT) to the outside interface of the Fortigate. The NAT doesn't seem to work; I see the traffic hitting the public IP address but not the outside interface of the Fortigate. Any suggestions?

1 Accepted Solution



Just re-added the NAT statement at the top of all the NAT rules and it worked.

1 (OUTSIDE) to (any) source static any any destination static Fortigate-IP CD-BFS-NORTHW


Thanks all for your help.
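Why moving the rule to line 1 can change the result, as an added example that is not part of any post in this thread: a simplified Python model of the ASA's first-match NAT lookup (manual NAT in configured order, then object NAT), with the interface ACL checked against the untranslated destination. The thread's full configuration was never posted, so the shadowing `LEGACY` rule, the rule names and all addresses are constructed assumptions.

```python
import ipaddress
from collections import namedtuple

# Simplified model of the ASA NAT table: section 1 = manual (twice) NAT in
# configured order, section 2 = object NAT, section 3 = manual after-auto.
Rule = namedtuple("Rule", "section name ifc mapped real")

def untranslate(rules, in_ifc, dst):
    """First-match lookup: return (rule name, real destination)."""
    dst = ipaddress.ip_address(dst)
    # sorted() is stable, so configured order is kept inside each section.
    for r in sorted(rules, key=lambda r: r.section):
        mapped = ipaddress.ip_network(r.mapped)
        real = ipaddress.ip_network(r.real)
        if r.ifc == in_ifc and dst in mapped:
            offset = int(dst) - int(mapped.network_address)
            return r.name, str(real.network_address + offset)
    return None, str(dst)  # nothing matched: destination is left as it is

def acl_permits(acl_hosts, real_dst):
    """On 8.3 and later the interface ACL is checked against the real IP."""
    return real_dst in acl_hosts

# Constructed addresses (documentation ranges), not taken from the thread.
PUBLIC_IP = "203.0.113.10"       # stands in for Fortigate-IP
FORTIGATE_REAL = "192.0.2.10"    # stands in for CD-BFS-NORTH
# Hypothetical older manual rule covering the block that holds PUBLIC_IP.
LEGACY = Rule(1, "legacy-block", "OUTSIDE", "203.0.113.8/29", "198.51.100.8/29")
OBJECT_NAT = Rule(2, "object-nat", "OUTSIDE", PUBLIC_IP + "/32", FORTIGATE_REAL + "/32")
TWICE_NAT = Rule(1, "twice-nat", "OUTSIDE", PUBLIC_IP + "/32", FORTIGATE_REAL + "/32")

ORDERINGS = {
    "object NAT only": [LEGACY, OBJECT_NAT],
    "twice NAT below legacy": [LEGACY, TWICE_NAT, OBJECT_NAT],
    "twice NAT at line 1": [TWICE_NAT, LEGACY, OBJECT_NAT],
}

def evaluate(rules):
    """Return (matched rule, real destination, ACL verdict) for PUBLIC_IP."""
    name, real_dst = untranslate(rules, "OUTSIDE", PUBLIC_IP)
    return name, real_dst, acl_permits({FORTIGATE_REAL}, real_dst)

if __name__ == "__main__":
    for label, rules in ORDERINGS.items():
        print(f"{label:24} -> {evaluate(rules)}")
```

On a real ASA, `show nat detail` lists the rules in evaluation order, and `packet-tracer` (used earlier in the thread) reports which rule performed the un-translate.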



18 Replies




Could you post your NAT and routing configuration?


Thanks for the reply. Please find the config attached; I have changed the original IP addresses.


If the following is correct:

* the rules on the outside interface to allow traffic from any to Fortigate-IP on ICMP, http, https

Then this is the issue. You need to change this access rule to be towards CD-BFS-NORTH.

Please remember to select a correct answer and rate helpful posts


Thanks for the reply.

That's why I called my enquiry "ASA NATing doesn't seem to work".

When I change the destination in the rule to CD-BFS-NORTH, the traffic is denied by the ACL.

I have attached the packet tracer for the rules when the destination is CD-BFS-NORTH and Fortigate-IP.

My understanding is that the ASA should first check the NAT before the interface ACL, but that doesn't seem to happen.

Can someone advise?



What version of ASA code are you running?

It's 9.1(7)13

Is there a reason you are using twice NAT for this? Also, it is always good practice to specify which interfaces you are NATing between and not to use the any keyword for interface selection. I would suggest changing the NAT to something like the following (change the interface names if needed):

nat (INSIDE,OUTSIDE) source static CD-BFS-NORTH Fortigate-IP




Please remember to select a correct answer and rate helpful posts

Hi Marius,

Thanks so much for the reply.

There is no particular reason to do the twice NAT; I was just trying everything to make it work.

The command line you have suggested is already there:

(EPL_VPN) to (OUTSIDE) source static CD-BFS-NORTH Fortigate-IP



Could you post a full running configuration for your ASA (remember to remove any public IPs, usernames and passwords).

Please remember to select a correct answer and rate helpful posts

Hi Marius,

Thanks for your help so far.

This firewall is an old one and the configuration file is very big; hiding all the secure info will take a long time. I am more than happy to share the config partially, like show run interface, show run nat, etc.



Without seeing more config it's hard to 100% diagnose, but it just looks like you have your NAT commands around the wrong way, because you're stating outside>any and not the other way around. I would suggest removing the twice NAT and just adding a rule for this server such as the one you've already mentioned, assuming that the Fortigate is behind the EPL_VPN interface.


(EPL_VPN) to (OUTSIDE) source static CD-BFS-NORTH Fortigate-IP


Run packet-tracer again and see if this NAT rule is hit. If you want to try it another way, try changing your other rule around:


42 (OUTSIDE) to (<ZONE THAT CONTAINS FORTIGATE>) source static any any destination static CD-BFS-NORTH Fortigate-IP no-proxy-arp

Could you please provide the output of the following commands:

show run nat | include CD-BFS-NORTH

show run access-list | include CD-BFS-NORTH  !(If you are using IPs instead of objects replace with IP)


Also, provide a brief description / diagram of your network and where the IPs are located that you are trying to NAT.

Please remember to select a correct answer and rate helpful posts

Hi Both,

I have deleted the double NATing and added CD-BFS-NORTH instead of Fortigate-IP in the rules; the firewall is denying the traffic.

Please find attached the command output and a little diagram.


Thanks for your efforts to help.

You still have twice NAT configured...unless this is the one you have removed.

nat (OUTSIDE,any) source static any any destination static Fortigate-IP CD-BFS-NORTH object network CD-BFS-NORTHW

I suggest removing this and replacing it with the command I provided earlier.

nat (EPL_VPN,OUTSIDE) source static CD-BFS-NORTH Fortigate-IP

It is a better practice to NAT from the inside to the outside unless there is a very specific reason for you to NAT from the outside.

Please remember to select a correct answer and rate helpful posts