Another run-in with Cisco NAT ASA 8.3

Overview of Cisco NAT problem

I have recently been moving a service from some old ASAs to some nice shiny 5525s and had to translate old Cisco NAT to new Cisco NAT. One of my stumbling blocks was making sure a couple of specific hosts bound themselves to a particular IP outbound when a specific port is used. The old config used access lists to do it, but I found it overcomplicated, so I looked into using object groups instead. Below is a diagram of what we want to achieve.

Cisco ASA 8.3 NAT (diagram):

Turns out this was really simple.

Enter configuration mode:

conf t

Create objects for the hosts:

object network OBJ-


object network OBJ-

host 192.168.0.72

object network OBJ-


Place the host objects inside an object group:

object-group network OBJ-9998-TCP-OUTBOUND

network-object object OBJ-

network-object object OBJ-



Create the service object:

object service OBJ-9998-TCP

service tcp destination eq 9998

Create the NAT rule:

nat (INSIDE,OUTSIDE) source static OBJ-9998-TCP-OUTBOUND OBJ- service OBJ-9998-TCP OBJ-9998-TCP

Finally the access list:

access-list INSIDE extended permit tcp object-group OBJ-9998-TCP-OUTBOUND any eq 9998

NB. I have just put a destination of any here for ease.

Don’t forget to save the running configuration:

end

copy running-config startup-config
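The object, object-group, service object, NAT rule and access-list steps above all have to agree with each other by name. As an added example that is not part of the original post, here is a small Python lint that parses a snippet of exactly this ASA 8.3 shape and reports the mismatches a translation from old-style NAT tends to leave behind: an object-group member, NAT operand or ACL group that was never defined, and a network object that was declared but never given a host or subnet. All object names and addresses in the sample are constructed placeholders (the post's own object names are truncated).

```python
# Added example (not from the original post): a reference-consistency check
# for ASA 8.3 object-based NAT snippets of the shape shown above. It parses
# 'object network', 'object-group network', 'object service', 'nat' and
# 'access-list' lines into plain dicts, then reports dangling references and
# network objects declared without a host/subnet. All names and addresses
# below are constructed; the post truncates its real object names.
import re

SAMPLE_CONFIG = """\
object network OBJ-HOST-A
 host 192.168.0.71
object network OBJ-HOST-B
 host 192.168.0.72
object network OBJ-NAT-OUT
object-group network OBJ-9998-TCP-OUTBOUND
 network-object object OBJ-HOST-A
 network-object object OBJ-HOST-B
 network-object object OBJ-HOST-C
object service OBJ-9998-TCP
 service tcp destination eq 9998
nat (INSIDE,OUTSIDE) source static OBJ-9998-TCP-OUTBOUND OBJ-NAT-OUT service OBJ-9998-TCP OBJ-9998-TCP
access-list INSIDE extended permit tcp object-group OBJ-9998-TCP-OUTBOUND any eq 9998
"""

NAT_RE = re.compile(r"nat \((\S+),(\S+)\) source static (\S+) (\S+)(?: service (\S+) (\S+))?")
ACL_GROUP_RE = re.compile(r"access-list \S+ extended \S+ \S+ object-group (\S+)")


def parse_asa(config):
    """Parse the subset of ASA syntax used in the post into plain dicts."""
    cfg = {"net_objects": {}, "groups": {}, "services": {}, "nat_rules": [], "acl_groups": []}
    current = None  # (kind, name) of the block whose sub-commands follow
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"object network (\S+)$", line)
        if m:
            cfg["net_objects"].setdefault(m.group(1), None)  # None until host/subnet seen
            current = ("net", m.group(1))
            continue
        m = re.match(r"object-group network (\S+)$", line)
        if m:
            cfg["groups"].setdefault(m.group(1), [])
            current = ("group", m.group(1))
            continue
        m = re.match(r"object service (\S+)$", line)
        if m:
            cfg["services"].setdefault(m.group(1), None)
            current = ("svc", m.group(1))
            continue
        m = NAT_RE.match(line)
        if m:
            keys = ("real_ifc", "mapped_ifc", "real", "mapped", "real_svc", "mapped_svc")
            cfg["nat_rules"].append(dict(zip(keys, m.groups())))
            current = None
            continue
        m = ACL_GROUP_RE.match(line)
        if m:
            cfg["acl_groups"].append(m.group(1))
            current = None
            continue
        if current is None:  # unrelated or empty top-level line
            continue
        kind, name = current  # sub-command of the most recently opened block
        if kind == "net" and re.match(r"(host|subnet|range) ", line):
            cfg["net_objects"][name] = line
        elif kind == "group":
            m = re.match(r"network-object object (\S+)$", line)
            if m:
                cfg["groups"][name].append(m.group(1))
        elif kind == "svc" and line.startswith("service "):
            cfg["services"][name] = line
    return cfg


def check_references(cfg):
    """Return human-readable findings; an empty list means the snippet is consistent."""
    findings = []
    for name, addr in cfg["net_objects"].items():
        if addr is None:
            findings.append(f"network object {name} has no host/subnet/range")
    for group, members in cfg["groups"].items():
        for member in members:
            if member not in cfg["net_objects"]:
                findings.append(f"object-group {group} references undefined object {member}")
    addressable = set(cfg["net_objects"]) | set(cfg["groups"])
    for rule in cfg["nat_rules"]:
        for key in ("real", "mapped"):
            if rule[key] not in addressable:
                findings.append(f"nat rule references undefined object {rule[key]}")
        for key in ("real_svc", "mapped_svc"):
            if rule[key] is not None and rule[key] not in cfg["services"]:
                findings.append(f"nat rule references undefined service object {rule[key]}")
    for group in cfg["acl_groups"]:
        if group not in cfg["groups"]:
            findings.append(f"access-list references undefined object-group {group}")
    return findings


if __name__ == "__main__":
    for finding in check_references(parse_asa(SAMPLE_CONFIG)):
        print(finding)
```

Run against the constructed sample it reports two findings: the mapped object OBJ-NAT-OUT has no host, and the object-group names a member OBJ-HOST-C that was never created. It is meant for checking a translated config offline, before pasting it into the new box, which is exactly the situation the post describes; it only knows the handful of commands used above, so anything else in a real config is ignored rather than validated.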
