Showing results for 
Search instead for 
Did you mean: 


Reverse NAT configuration - ASA 8.4.5

Hello all,

I have 2 data centers conencted via WAN and each has their own Internet conenction.  One of the site's Internet is close to maximum bandwidth and we want to use the second site's Internet for future connections.  The problem is the core switches in each site has a default rout to their local firewalls, so even if I can NAT on the firewall, the return traffic goes out whichever firewall is local and will fail.

So, my plan is to change the source IP address of the packets to be an address on the inside interface's LAN subnet.  That way it is routed back to the proper firewall.  I am able to do this with the following code, but this code only works with a static one to one NAT.  I am limited in public IP addresses, so I want to NAT on a per port basis.  Each time I try to change the any any to a specific port, it fails.  Any siggestions?

object network host-inside-int


object network host-outside-nat1


access-list outside_in extended permit icmp any any

access-list outside_in extended permit ip any any

nat (outside,inside) source dynamic any interface destination static host-outside-nat1 host-inside-int

nat (outside,inside) source dynamic any interface destination static host-outside-nat1 host-outside-nat1

object network host-inside-int

nat (inside,outside) static host-outside-nat1

access-group outside_in in interface outside

route outside 1

route inside 1



YOu are making this look very complicated but if i understand it right you want to do load balancing across 2 internet connection that are separated by a WAN link?

Yes, that is correct.  But, I haven't been able to find any other solution other than NATing the second connection through a private IP address that can be routed across the WAN instead of going back over the local Internet.

i think you are in the wrong section go routing. But as a first guess you should check PFR/OER it allows you to do load balancing when traffic or other probes (IPSLA) goes over a certain value.

NAT IMO looks too much like some bad patch, PFR is your friend and will do what you expect its very flexible just forget the ASA it doesnt have much advanced routing capabilities.

Do it downstream from one of your routers


Thanks for the quick responses.  I agree, I am probably not doing this in the most optimal way.  PFR does look cool, but I don't have the hardware to implement this in my network.  I don't have any routers since my 3750 switches are doing all the WAN routing over Layer 2 point to point connections.  I am planning migrating to MPLS at some point, once approved.  So, I still need to figure out how to nat specific ports of the same outside IP address to multiple internal servers, all going out as in internal IP that is reachable with current routing.  The way I have it now allows for a single outside IP address to NAT to a single internal address, and works.


Ok just checked your config above so you are post 8.3 by the look of your nat.

To add static mapping you got to do something similar to this

create an object network for the server you wana Map

object network


nat (DMZ,OUTSIDE) static service tcp

access-list OUTSIDE_access line 1 extended permit any object

Access-group OUTSIDE_access in interface OUTSIDE

should be something close to it you might need to create service groups if you are mapping public port to custom ports (port 80 > 8080 for example)

hope this was helpful

Content for Community-Ad