Content created by Rene Molenaar (CCIE #41726)


Forum Replies

  1. Rene,

    Your scenario explains forwarding traffic to port 22 for SSH, but further down in your configuration example you are using port 25 for SMTP. Any reason for the change between the scenario and the example configuration??

  2. Hi Rene,

    in your post you have the config:

    ASA1(config)# object network SSH_SERVER
    ASA1(config-network-object)# host
    ASA1(config-network-object)# nat (DMZ,OUTSIDE) static interface service tcp 22 10022

    Which means that if you connect to port 10022 on the outside interface, the request is forwarded to port 80.
    BUT what happens the other way around? What if the internal host initiates the connection? It will be translated to the OUTSIDE IP, but will the port be changed as well? Is this translation only triggered if the specified ports are used?

    Thanks for your help!

  3. Hello Florian

    These commands do the following:

    Any communication from the outside with a destination IP address of (the IP of the outside interface) and a port of 10022 will be translated and would reach the server at IP address on port 22. These commands are ONLY for traffic originating OUTSIDE with the specific destination IP and port pair.

    If decides to initiate a communication to a destination on the Internet, these commands have nothing to do with the behaviour of such an action. If you want servers on the DMZ to access the internet, you must add an additional command/object. Details about this can be found at this lesson.

    I hope this has been helpful!


  4. Hello Florian

    According to Cisco, concerning the implementation of Network Object NAT:

    When a packet enters the adaptive security appliance, both the source and destination IP addresses and ports are checked against the network object NAT rules. The source and destination address in the packet can be translated by separate rules if separate matches are made. These rules are not tied to each other; different combinations of rules can be used depending on the traffic.

    Let’s take a look at your example:

    ASA1(config)# object network SSH_SERVER
    ASA1(config-network-object)# host
    ASA1(config-network-object)# nat (DMZ,OUTSIDE) static interface service tcp 22 10022

    For traffic originating outside and coming in, the following must be matched in order for this translation to take place:
    * destination address of outside interface
    * destination port of TCP 10022

    For this same NAT rule to allow a translation to occur for traffic originating inside and going out, the following must be matched:
    * source address of
    * source port of 22

    Translation will occur in this case; however, (as is the case with most services) port 22 is a listening port. It is designed to listen for incoming requests. The client-server model is set up such that clients choose a random TCP port (somewhere between 49152–65535) and connect to the specific port of the service, 22 in this case being SSH. Although you can configure port 22 to initiate sessions, it is rarely done.

    I hope this has been helpful!

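As an added illustration (not code from the thread, from Cisco, or from the site's lessons), the following Python model walks the four cases discussed above through a single `nat (DMZ,OUTSIDE) static interface service tcp 22 10022` rule: inbound to OUTSIDE:10022, inbound to OUTSIDE:22, the server originating from source port 22, and the server originating from an ephemeral port. The server and interface addresses are constructed documentation-range values (the thread's own IPs were stripped), and the model covers only rule matching for new connections, not the ASA's connection table, access lists, NAT section ordering or twice NAT.

```python
# Added illustration (not Cisco code): a minimal model of how one
# "nat (real_ifc,mapped_ifc) static interface service tcp <real> <mapped>"
# rule matches packets in each direction. IPs below are constructed
# documentation addresses; "interface" resolves to the mapped interface's IP.
from dataclasses import dataclass, replace
from typing import Dict, Optional


@dataclass(frozen=True)
class Packet:
    ingress: str      # interface the packet arrived on, e.g. "OUTSIDE" or "DMZ"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


@dataclass(frozen=True)
class StaticServiceNat:
    real_ifc: str
    mapped_ifc: str
    real_ip: str      # the host behind the real interface (the DMZ server)
    mapped_ip: str    # what the outside sees (here: the OUTSIDE interface IP)
    proto: str
    real_port: int
    mapped_port: int

    def translate(self, pkt: Packet) -> Optional[Packet]:
        """Return the translated packet, or None if this rule does not match.

        Only new-connection rule matching is modelled; the ASA connection
        table, which carries reply traffic for established sessions, is not.
        """
        if pkt.proto != self.proto:
            return None
        # Inbound (mapped -> real): match on destination IP and port.
        if (pkt.ingress == self.mapped_ifc
                and pkt.dst_ip == self.mapped_ip
                and pkt.dst_port == self.mapped_port):
            return replace(pkt, dst_ip=self.real_ip, dst_port=self.real_port)
        # Outbound (real -> mapped): the same rule matches on SOURCE IP and
        # port, so only traffic the server originates FROM port 22 is rewritten.
        if (pkt.ingress == self.real_ifc
                and pkt.src_ip == self.real_ip
                and pkt.src_port == self.real_port):
            return replace(pkt, src_ip=self.mapped_ip, src_port=self.mapped_port)
        return None


def parse_nat_line(line: str, real_ip: str,
                   interface_ips: Dict[str, str]) -> StaticServiceNat:
    """Parse the 'nat (real,mapped) static interface service ...' form used above."""
    t = line.split()
    if len(t) != 8 or t[0] != "nat" or t[2] != "static" or t[4] != "service":
        raise ValueError(f"unsupported nat line: {line!r}")
    real_ifc, mapped_ifc = t[1].strip("()").split(",")
    mapped_ip = interface_ips[mapped_ifc] if t[3] == "interface" else t[3]
    return StaticServiceNat(real_ifc, mapped_ifc, real_ip, mapped_ip,
                            t[5], int(t[6]), int(t[7]))


# Constructed addresses (assumptions, not values from the thread).
SERVER_IP = "192.0.2.10"                     # the DMZ SSH server
INTERFACE_IPS = {"OUTSIDE": "198.51.100.1"}  # ASA OUTSIDE interface address
RULE = parse_nat_line("nat (DMZ,OUTSIDE) static interface service tcp 22 10022",
                      SERVER_IP, INTERFACE_IPS)


def demo() -> Dict[str, Optional[Packet]]:
    """Run the four cases discussed in the thread through the rule."""
    client = "203.0.113.5"          # constructed Internet client
    outside_ip = INTERFACE_IPS["OUTSIDE"]
    return {
        # outside -> OUTSIDE:10022 is rewritten to the server on port 22
        "inbound_10022": RULE.translate(Packet("OUTSIDE", client, 51515, outside_ip, 10022)),
        # outside -> OUTSIDE:22 is NOT exposed by this rule
        "inbound_22": RULE.translate(Packet("OUTSIDE", client, 51515, outside_ip, 22)),
        # server originating FROM port 22 matches the same rule outbound
        "outbound_from_22": RULE.translate(Packet("DMZ", SERVER_IP, 22, client, 51515)),
        # server browsing out from an ephemeral port is untouched by this rule,
        # so a separate outbound NAT rule/object is needed for that traffic
        "outbound_ephemeral": RULE.translate(Packet("DMZ", SERVER_IP, 51000, "203.0.113.9", 443)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:20s} -> {result}")
```

The last two cases are the ones the question turns on: the rule does rewrite a DMZ-originated packet, but only when its source is the server's address and port 22, which ordinary outbound connections from an ephemeral port never are.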

  5. Hello Florian

    As mentioned in the Cisco quote, the command will function in both directions; however, the appropriate IP addresses and ports must be used in order for the transmission to match the NAT object and to successfully be translated.

    As for the (DMZ,OUTSIDE) portion of the command, it must have the following syntax:

    **nat** [(real_ifc,mapped_ifc)] …

    The real_ifc is the real interface, that is the interface pointing towards the server/device for which you are configuring static NAT. The mapped_ifc is the mapped interface, that is, the interface to which you are implementing the NAT translation.

    You can find more information about NAT on an ASA at this Cisco Documentation.

    I hope this has been helpful!

