

Static NAT Problem - Help Me Understand This

In my ASA 5510 config (posted below), I have an inside interface, two DMZs, and an outside interface. I have a web server on the 1st DMZ at local address I want this web server to be accessible from the Internet at global address xx.xx.150.80, which is the same address as the outside interface.

The relevant lines from the config are:

static (dmz1,outside) xx.xx.150.80 netmask

access-list outside_in extended permit tcp any host xx.xx.150.80 eq www

access-group outside_in in interface outside

This doesn't work. When I try to access the web server from the Internet, I get a message in the log saying "TCP connection blocked by ACL". When I change the static statement to:

static (dmz1,outside) interface netmask

everything works. My question is: why does this work when I use "interface" in place of the actual IP address of the outside interface in the static statement?

asdm image disk0:/asdm506.bin

no asdm history enable

: Saved


ASA Version 7.0(6)


hostname asa


enable password xxxxxxxxxxx encrypted




interface Ethernet0/0

nameif outside

security-level 0

ip address xx.xx.150.80


interface Ethernet0/1

nameif inside

security-level 100

ip address


interface Ethernet0/2

nameif dmz1

security-level 50

ip address


interface Ethernet0/3

nameif dmz2

security-level 10

ip address


interface Management0/0

nameif management

security-level 100

ip address



passwd xxxxxx.xxxxxxxxx encrypted

ftp mode passive

access-list inside_dmz1 extended permit ip

access-list dmz1_in extended permit tcp eq ssh

access-list dmz1_in extended deny ip

access-list dmz1_in extended permit ip any any

access-list outside_in extended permit tcp any host xx.xx.150.80 eq www

pager lines 77

logging enable

logging monitor informational

logging asdm informational

mtu outside 1500

mtu inside 1500

mtu dmz1 1500

mtu dmz2 1500

mtu management 1500

no failover

monitor-interface outside

monitor-interface inside

monitor-interface dmz1

monitor-interface dmz2

monitor-interface management

asdm image disk0:/asdm506.bin

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list inside_dmz1

nat (inside) 1

nat (dmz1) 1

static (dmz1,outside) xx.xx.150.80 netmask

access-group outside_in in interface outside

access-group dmz1_in in interface dmz1

route outside xx.xx.150.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00

timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

http server enable

http inside

http management

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

telnet inside

telnet management

telnet timeout 5

ssh inside

ssh management

ssh timeout 5

console timeout 0

dhcpd address management

dhcpd lease 3600

dhcpd ping_timeout 50

dhcpd enable management


: end


That's the way the static command works in 7.x code.

Read through the note in the command reference, syntax description (interface):




I got the exact same problem as yours after I migrated to the ASA 5510. I see all the NAT and access-lists fine, but the web server located in the DMZ is not accessible from outside. But I have not issued that command that you mentioned.

When you run the command this way, which public IP gets mapped to your internal IP?

static (dmz1,outside) interface netmask

The outside interface IP address will get mapped to the address in your case.



Thanks, Guru.

I already have a different public IP mapped to my new web server, located in the DMZ. When I compare the NAT and access-list with the other web servers at the same location, I don't see anything different. Why is it still not accessible from outside? Can you explain to me in a little detail how I can troubleshoot this?

Thanks in advance.


The problem is that you were trying to use the IP address assigned to the interface. When using the interface IP, you must use the "interface" keyword.



"Specifies the interface IP address for the global address. Use this keyword if you want to use the interface address, but the address is dynamically assigned using DHCP.

Note You must use the interface keyword instead of specifying the actual IP address when you want to include the IP address of a PIX Firewall interface in a static PAT entry."
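As an added example (not from the thread, and not Cisco code), here is a small Python check that reads an ASA 7.x configuration, collects each interface's address from its nameif/ip address stanza, and flags any static whose literal global address is the mapped interface's own address, which is exactly the case the note above says needs the interface keyword. It also rewrites such lines. The sample config is constructed: 203.0.113.80 and the 10.1.2.0/24 DMZ are documentation addresses standing in for the scrubbed xx.xx.150.80 and the unposted DMZ addresses. It does not cover the second poster's case (a different public IP that is not the interface address), where the static itself is fine.

```python
import re
from typing import Dict, List

# Constructed sample config (not the poster's): 203.0.113.80 stands in for
# the scrubbed xx.xx.150.80 outside address, 10.1.2.0/24 for the DMZ.
BROKEN_CONFIG = """\
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.80 255.255.255.0
interface Ethernet0/2
 nameif dmz1
 security-level 50
 ip address 10.1.2.1 255.255.255.0
global (outside) 1 interface
nat (dmz1) 1 10.1.2.0 255.255.255.0
static (dmz1,outside) 203.0.113.80 10.1.2.10 netmask 255.255.255.255
access-list outside_in extended permit tcp any host 203.0.113.80 eq www
access-group outside_in in interface outside
"""

# Same config with the static written the way 7.x requires.
FIXED_CONFIG = BROKEN_CONFIG.replace(
    "static (dmz1,outside) 203.0.113.80 10.1.2.10",
    "static (dmz1,outside) interface 10.1.2.10",
)

# static (real_ifc,mapped_ifc) [tcp|udp] {mapped_ip|interface} ...
STATIC_RE = re.compile(
    r"^static \((?P<real>[^,]+),(?P<mapped>[^)]+)\) "
    r"(?:(?P<proto>tcp|udp) )?(?P<mapped_addr>\S+)"
)


def interface_addresses(config: str) -> Dict[str, str]:
    """Return {nameif: ip} from the 'interface' stanzas of an ASA config.

    'ip address' only occurs inside interface stanzas on ASA, so the last
    seen nameif is the owner of the next 'ip address' line.
    """
    addrs: Dict[str, str] = {}
    nameif = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            nameif = None  # new stanza, its nameif not seen yet
        elif line.startswith("nameif "):
            nameif = line.split()[1]
        elif line.startswith("ip address ") and nameif:
            parts = line.split()
            if len(parts) >= 3:
                addrs[nameif] = parts[2]
    return addrs


def lint_statics(config: str) -> List[str]:
    """Flag statics whose literal global address is the mapped interface's IP."""
    addrs = interface_addresses(config)
    findings: List[str] = []
    for lineno, raw in enumerate(config.splitlines(), 1):
        m = STATIC_RE.match(raw.strip())
        if not m:
            continue
        mapped_ifc, mapped_addr = m.group("mapped"), m.group("mapped_addr")
        if mapped_addr != "interface" and addrs.get(mapped_ifc) == mapped_addr:
            findings.append(
                f"line {lineno}: {mapped_addr} is the {mapped_ifc} interface "
                f"address; 7.x requires "
                f"'static ({m.group('real')},{mapped_ifc}) interface ...'"
            )
    return findings


def rewrite_statics(config: str) -> str:
    """Return the config with each flagged static rewritten to use 'interface'."""
    addrs = interface_addresses(config)
    out: List[str] = []
    for raw in config.splitlines():
        stripped = raw.strip()
        m = STATIC_RE.match(stripped)
        if (m and m.group("mapped_addr") != "interface"
                and addrs.get(m.group("mapped")) == m.group("mapped_addr")):
            a, b = m.span("mapped_addr")
            indent = raw[: len(raw) - len(raw.lstrip())]
            raw = indent + stripped[:a] + "interface" + stripped[b:]
        out.append(raw)
    return "\n".join(out) + ("\n" if config.endswith("\n") else "")


if __name__ == "__main__":
    for finding in lint_statics(BROKEN_CONFIG):
        print(finding)
    assert lint_statics(rewrite_statics(BROKEN_CONFIG)) == []
```

Run it against a `show running-config` dump saved to a file (read the file and pass its text to `lint_statics`); the only line it should flag in the original poster's config is the `static (dmz1,outside) xx.xx.150.80 ...` entry, and `rewrite_statics` turns it into the `interface` form that the poster reported as working.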

Actually, I am using the static NAT address not the one from the outside interface.

My outside interface is x.x.2.147

and the internal ip that I am using for web server is

The following is the relevant config that I am using. But it's still not accessible from outside. Do I have to do anything special for version 7.x?

static (dmz,outside) X.X.2.125 netmask

access-list acl_allow_in permit tcp any host X.X.2.125 eq www

access-group acl_allow_in in interface outside

Kind of confused. Your config above shows the following for your DMZs, and I didn't see any additional route, so I am figuring you have conflicting subnets. Below your DMZ shows but your server IP is Has something changed? Post a full scrubbed config.

interface Ethernet0/2

nameif dmz1

security-level 50

ip address


interface Ethernet0/3

nameif dmz2

security-level 10

ip address

Sorry for the confusion. Maybe I should have posted my problem separately.

My apologies. I didn't realize you weren't the original poster.
