
Cisco ASA5505 multiple public ip nat problem



I've been having a weird problem with static NAT.

First I have to say that I've been searching for an answer to this and haven't found one yet...

I have three public IPs from a /24 network, like 83.x.x.10, 83.x.x.25 and 83.x.x.41, all using netmask

I'm using 83.x.x.10 on the ASA outside interface and trying to do static NAT for the inside servers with those other IPs, but I haven't solved it yet.

Using a Cisco ASA 5505 with software v9.02


object network obj_guest
 nat (guest,outside) dynamic interface
object network obj_any
 nat (inside,outside) dynamic interface
object network w2008
object network w2008
 nat (inside,outside) static 83.x.x.27
object service RDP
 service tcp destination eq 3389
access-list outside_access_in extended permit object RDP any object w2008
access-group outside_access_in in interface outside

This works on other networks that have a whole network with a /29 mask and a router in front of the ASA in bridge mode. But in my case I just have a DSL modem bridged in front of the ASA. This static NAT works like it should if I use, for example, a ZyWALL USG series firewall, and this same configuration works at my customers, but they have those scenarios I mentioned, with a /29 mask and a router in front...

It seems that the problem is in the ASA, like it won't show those public IPs to my operator's public router. Because if I roll those other public IPs onto my ASA's outside interface, i.e. I use 83.x.x.25 and 83.x.x.41 on the outside interface and after that put back my original 83.x.x.10, then my static NAT works just fine, at least for a few hours, but not the next morning, because the ISP router flushes its ARP cache.

What trick do I need to do with the ASA to get this working?

2 Accepted Solutions


Just browsing settings in my ASDM, I got this solved.

The command that I needed to enable was: arp permit-nonconnected

Don't know why this does the trick, but anyway, case closed so far; my static NAT works like it should.


Here is the command reference for that:

Apologies, I didn't know that you are running a version that supports this new command.

The reason why you need that is because the next-hop device is not in the same subnet as your ASA, as you have a DSL modem bridge in front of the ASA, hence you would need that command enabled.
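For readers arriving with the same symptom, here is the complete ASA CLI configuration that the two accepted answers add up to, written out as an added example rather than copied from the poster's running config. It uses the object, NAT and ACL names from the thread; the inside host address 192.168.1.20, the /24 outside mask (the thread says the addresses come from a /24 but the mask itself was cut off) and the 83.x.x.x addresses are placeholders to replace with your own. The verification commands at the end are standard ASA show and packet-tracer commands.

```text
! Added example (not the poster's running config): publish one inside
! server on a secondary public address with static NAT, plus the ARP
! setting from the accepted answer. Addresses are placeholders.
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 83.x.x.10 255.255.255.0
!
! Real server address in the object body, mapped public address in the
! NAT line. The poster's config was missing the "host" line.
object network w2008
 host 192.168.1.20
 nat (inside,outside) static 83.x.x.27
!
! Allow only the published service in from outside. Narrow "any" to the
! source addresses that legitimately need RDP where you can.
object service RDP
 service tcp destination eq 3389
access-list outside_access_in extended permit object RDP any object w2008
access-group outside_access_in in interface outside
!
! Let the ASA process ARP for mapped addresses when the ISP gateway is
! not on the outside interface's connected subnet (bridged DSL modem).
! By default the ASA ignores ARP from non-connected subnets as a
! spoofing defence, so leave this off where the gateway is on-subnet.
arp permit-nonconnected
!
! Verification after applying:
!   show nat detail
!     translate_hits / untranslate_hits on the w2008 rule should climb
!   show arp
!     the ISP gateway entry should be present and not stale
!   packet-tracer input outside tcp 198.51.100.7 40000 83.x.x.27 3389
!     the UN-NAT phase should map 83.x.x.27 -> 192.168.1.20, result ALLOW
```

The packet-tracer line simulates an inbound RDP connection without sending any traffic, so it is the quickest way to confirm that the NAT rule and the access-list agree before touching the ARP setting; if the trace already shows ALLOW but real connections still fail intermittently, the remaining problem is upstream ARP, which is exactly the case the thread describes.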


4 Replies

Jennifer Halim
Cisco Employee