PAT can be accomplished 2 ways – by network object or by service object.

These notes are based on trying to get a port or group of ports to forward from the outside interface to a host behind the DMZ interface on a 5505 running 8.4:

Single Port – web server example

Use network object.  Add an access list rule with:


Source: any

Destination: LAN IP address of server (i.e. your internal IP address of the web server, etc)

Service: www

Now add a NAT rule – Add Network Object Rule

Name: something descriptive

Type: Host

IP Address: LAN IP of server (same as in Destination above)

Under NAT, check Add Automatic Address Translation Rules

Type: Static

Translated Address: outside

Click Advanced, enter the port number (80) in the Real Port and Mapped Port fields.

OK, Apply, Done – web server is now serving requests from the real world.  The rule appears under “Network Object” NAT Rules, and there is now an address object.  If you need to forward many ports to this server, the best option is to use the service object, as otherwise you need to create many network objects (one for each port).

Video reference:

Mulitple Ports to the Same Server

If you need to forward a range of ports or multiple ranges of ports, it is beneficial to create multiple Service Objects and then create one Service Group containing all of the desired objects.

Service Objects:

Service_1: Destination Port Range: 12345

Service_2: Destination Port Range: 12347

Service_3: Destination Port Range: 12349

Service Group; Service_All (contains all service objects above)

Create Network Object of the LAN server IP address, for example: PBX, IP:

Create an ACL with source Any, Destination:PBX_server (defined as network object above), Service: Service_All (our collective service group, defined above)

Create a new NAT rule with:

Original Packet

Source Interface: Outside, Source Address: Any

Destination Interface: DMZ, Destination Address: Outside, Service: Service_1

Translated Packet

Source NAT Type: Static, Source Address: Original

Destination Address: PBX_server, Service: Original


You will need to create multiple NAT rules – one for each service group defined above.


The CLI equivalent commands is:

object service Service_1
 service tcp 12345

object service Service_2
 service tcp 12347
object service Service_3
 service udpp 12349

Object-group service Service_All
 service-object object Service_1
 service-object object Service_2
 service-object object Service_3
access-list outside_access_in extended permit object-group Service_All any host PBX_server

nat (outside,dmz) source static any any destination static interface PBX_server service service_1 service_1
nat (outside,dmz) source static any any destination static interface PBX_server service service_2 service_2
nat (outside,dmz) source static any any destination static interface PBX_server service service_3 service_3






You must be logged in to leave a reply.