Also,

You seen to have an /29 public subnet. You should be able to use IP addresses from this subnet to configure NAT on your firewall. I dont think you need any specific configurations to allow the usage of the whole subnet as NAT IP addresses.

You can naturally check the following

show run sysopt

Check that you DONT have the following

sysopt noproxyarp outside

At the moment you are not actually configuring Static NAT but rather Static PAT.

You are only forwarding some ports from certain public IP addresses to the local IP address. If you were doing Static NAT, then you would actually be staticly binding the public IP addresses to the local IP address. So it would apply to any TCP/UDP port and you would only need to use the ACL to allow traffic.

Though in that case you would have to replace the .226 IP address with something else as its the firewall interface IP address and it should not be assigned to be used by a single host on the LAN usually.

If you wanted to staticly assing public IPs to both of these servers you could do

static (inside,outside) 198.24.210.227 192.168.1.91 netmask 255.255.255.255

static (inside,outside) 198.24.210.228 192.168.1.10 netmask 255.255.255.255

access-list OUTSIDE-IN extended permit tcp any  host 198.24.210.228 eq 3389

access-list OUTSIDE-IN extended permit tcp any  host 198.24.210.228 eq 9070

access-list OUTSIDE-IN extended permit tcp any  host 198.24.210.227 eq 3389

access-list OUTSIDE-IN extended permit tcp any  host 198.24.210.227 eq 80

- Jouni

Thank you for the response.

I checked "show run sysopt" and there is no "sysopt noproxyarp outside".

Also my misuse on terminology:  I used static PAT, not static NAT to translate public IP to private IP.

Thanks.

Hi,

Issue the command "no sysopt noproxyarp outside" and try the connections again

- Jouni

Ah sorry,

Reading to fast again. You said you DONT have the mention configuration on the ASA.

You can use the "packet-tracer" command to test if the ASA configurations are correct.

packet-tracer input outside tcp 1.2.3.4 12345 198.24.210.227 80

- Jouni

packet-tracer shows the packet processing correctly.

Still any packets with destination ip 198.24.210.227 do not arrive at outside interface.

I connected outside interface directly to ISP router.

Does ISP router send packets with destination address 198.24.210.226 only to outside interface?

Is there any way for ISP router to route packets with destination addres 198.24.210.227 to outside interface?

Hi,

As I said your "outside" interface has been configured an IP address from a small public subnet that has a /29 mask.

So you should be able to configure Static NAT/PAT configurations and connect to the local servers wihtout a problem.

Naturally I cant see the whole configuration of the ASA but it doesnt seem that there would be problems on the ASAs configurations.

I guess there is always a chance that something was configured wrong on the ISPs side. If you really dont see any traffic coming for this other IP address?

How have you confirmed this? Have you just watched ACL hitcount or captured traffic on the ASA itself?

- Jouni

Also,

I imagine the IP address .227 is not used anywhere else at the moment? I guess only .226 and .225 should be configured between you and the ISP?

I just did a trace route for the .226 and .227 and they both seem to be found in the same place so it would look that the routing would be fine.

- Jouni