ASA 8.4 NAT with specific ports

Cisco ASA NAT specific ports TCP/UDP Version 8.4

So we are all pretty much used to the new Cisco ASA 8.3+ NAT (Auto NAT and Twice NAT). This article covers how to NAT single or multiple specific ports to a single public IP address. When and why would you want to do this? Some companies can't afford a huge range of public IP addresses, they might be running out, or they have way too many internal servers/resources. Using this method, public IPs can be conserved and shared among multiple internal resources instead of being used for just one.

Scenario 1

First, here is an example for when you simply want to NAT an internal IP to a public IP on a Cisco ASA running version 8.4. For example, we have an internal IP of and Public IP of

object network obj-
 nat (inside,outside) static

That is it. Now you can create an access list for the specific need you have for that server. Let's say people from the outside need to access it over 443:

access-list outside_in extended permit tcp any gt 1024 host eq 443

Scenario 2

Now someone from the outside can type “” or the associated FQDN and access this web server. But what happens if you need another public IP address for another internal resource and need 22 (SSH) opened up for it? You already used up your last IP address. So when I ran into such an issue I did this:

! Server 1
object network obj-
! Server 2
object network obj-
! Public IP
object network obj-
! Service object for HTTPS
object service HTTPS
 service tcp source eq 443
! Service object for SSH
object service SSH
 service tcp source eq 22
! NAT1-SERVER1
nat (inside,outside) source static obj- obj- service HTTPS HTTPS
! NAT2-SERVER2
nat (inside,outside) source static obj- obj- service SSH SSH

access-list outside_in extended permit tcp any gt 1024 host eq 443
access-list outside_in remark **** Access list for Server 1 HTTPS Access ****
access-list outside_in extended permit tcp any gt 1024 host eq 22
access-list outside_in remark **** Access list for Server 2 SSH Access ****

Using this method I was able to use a single public IP and assign it to multiple internal servers on different ports, i.e. 443 and 22. Now if someone uses 443 for the public IP of they will get to the internal server. Now if someone uses SSH to the public IP they will get to the internal server. Similarly, I can utilize this one public IP address and assign it to other internal resources and other ports such as 21, 80, 25, etc.
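
A check for the two mistakes this layout invites, written as an added Python example (not from the original article): two servers claiming the same public IP and port, and an access list entry that names the public address where ASA 8.3+ matches on the server's real address. The object names and every address in the sample config are constructed placeholders.

```python
import re
# Constructed sample: object names and addresses (RFC 1918 / RFC 5737) are placeholders.
SAMPLE = """\
object network obj-srv1
 host 10.0.0.10
object network obj-srv2
 host 10.0.0.20
object network obj-srv3
 host 10.0.0.30
object network obj-pub
 host 192.0.2.10
object service HTTPS
 service tcp source eq 443
object service SSH
 service tcp source eq 22
nat (inside,outside) source static obj-srv1 obj-pub service HTTPS HTTPS
nat (inside,outside) source static obj-srv2 obj-pub service SSH SSH
nat (inside,outside) source static obj-srv3 obj-pub service HTTPS HTTPS
access-list outside_in extended permit tcp any gt 1024 host 10.0.0.10 eq 443
access-list outside_in extended permit tcp any gt 1024 host 192.0.2.10 eq 22
"""
NAT_RE = re.compile(r"nat \(\S+,\S+\) source static (\S+) (\S+) service (\S+) (\S+)")
ACE_RE = re.compile(r"access-list \S+ extended permit (tcp|udp) .*host (\S+) eq (\d+)")

def audit(config):
    """Return (problem, detail) tuples; ACEs are matched on the real IP (ASA 8.3+)."""
    hosts, services, nats, permitted, name = {}, {}, [], set(), None
    for line in config.splitlines():
        w = line.split()
        if w[:2] in (["object", "network"], ["object", "service"]):
            name = w[2]
        elif w[:1] == ["host"] and name:
            hosts[name] = w[1]                    # object name -> IP
        elif w[:1] == ["service"] and len(w) == 5 and name:
            services[name] = (w[1], w[4])         # object name -> (proto, port)
        elif m := NAT_RE.match(line):
            nats.append(m.groups())
        elif m := ACE_RE.match(line):
            permitted.add(m.groups())             # (proto, ip, port)
    findings, claimed = [], {}
    for real, mapped, real_svc, mapped_svc in nats:
        key = (hosts[mapped], *services[mapped_svc])   # public (ip, proto, port)
        owner = claimed.setdefault(key, hosts[real])
        if owner != hosts[real]:
            findings.append(("port-conflict",
                f"{key[0]} {key[1]}/{key[2]} already forwards to {owner}, not {hosts[real]}"))
        rproto, rport = services[real_svc]
        if (rproto, hosts[real], rport) not in permitted:
            findings.append(("no-permit", f"{hosts[real]} {rproto}/{rport}"))
    return findings
```

On the sample, `audit(SAMPLE)` flags the SSH entry that permits the public address instead of the real one, and the third NAT rule that reuses port 443 on the same public IP.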

Note: Use this as a reference point only. There are other configuration options available to tweak this according to your needs. Remember to always back up your work before you make any changes, always test configurations in the lab, and never do anything that you cannot undo.
