Showing results for 
Search instead for 
Did you mean: 

Best practice for Global Address?


Good Morning,

I am new to Cisco firewalls and would like to know what is the best practice for creating an external ip address and port into my network and then redirecting that to a specific machine.  I am thinking of using a global ip address and then only allowing this type of traffic to talk to the specific destnation and on that specific port.  Is this the correct course of action?  Or os there a better or more effecient way of allowing this process using ADSM.


Message was edited by: Troy Currence


Jouni Forss


Basically when you are attempting to allow traffic from the external public network to some of your servers/hosts you will either use Static NAT or Static PAT

Static NAT is when you bind a single public IP address to be used by only one internal host. This is usually the preferred option if you can spare a single public IP address for your server, meaning you probably have a small public subnet from your ISP.

Static PAT is when you only allocate certain ports on your public IP address and map them to a local port on the host. This is usually the option when you only have a single public IP address that is configured on your ASAs external interface. Or perhaps in a situation when you just want to conserver your public IP addresses even though you might have a few of them.

In Static NAT case you configure the Static NAT and use the interface ACL to allow the services you require.

In Static PAT you only create a translation for a specific port/service so only connections to that port are possible. Naturally you will also have to allow those services/ports in the interface ACL just like with Static NAT.

Again if you can spare the public IP addresses then I would go with Static NAT or if you only have a single or few IP addresses you can consider Static PAT (Port Forward) also.

I dont personally use ASDM for configurations but can help you with the required CLI format configurations. These can actually be done through ASDM also from the Tools -> Command Line Interface menus at the top.

Hope this helps

- Jouni



It depends on which IOS you're running. What's your 'show version'?

Sent from Cisco Technical Support iPad App


Thanks for the information Jouni anf John. You can tell I am a newbie...

My version is 8.0(3) PIX and ASDM is 6.1 (5)


How many public IP addresses do you have at your disposal? Do you only have the one configured on the external interface of the firewall or do you have a small subnet?

If you only have the public IP address configured on the external interface, then you probably need to use Static PAT

Its basic configuration format is

static (inside,outside) tcp interface netmask

This would have to be done for each port you need forwarded with Static PAT. The above example is for "tcp", it might as well be "udp"

The above example has the interfaces "inside" and "outside" as they are the most typical ones used. If the interfaces are named differently on your case then you would need to enter the interface interfaces name instead of "inside" and the external interfaces name instead of "outside".

Naturally if you can provide a requirements on what you need to configure then it will be easier to help you.

You can for example get the complete firewall configuration by doing the following

  • Go to the ASDM
  • Go to Tools -menu
  • Go to Command Line Interface
  • Enter the command "show run" and send the command to the device. This should provide the current configuration in the ASDM window you entered the above command.

Naturally dont share any public IP address information in the actual post or any other sensitive information.

- Jouni


if you're not comfy with CLI, you can navigate in ASDM: Configuration > NAT Rules > Add Static NAT Rules

choose the appropriate ingress and egress interface from the drop-down list and input the local and global IP addresses. click apply and send when finished.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: