Skip Links

How to configure static NAT on a Cisco ASA security appliance

By Don Crawley, CCNA Security, IPv6 Silver Engineer, special to Network World
January 16, 2013 04:43 PM ET

Page 2 of 2

Static NAT

The steps are similar for single-address static NAT configuration:

1. Configure network objects. Configure a network object for each internal host with a static NAT static statement specifying the outside address to be used and the service types (port numbers) to be forwarded. These identify the internal hosts, the desired outside IP address, and the type of service to be forwarded. (The exclamation marks are for formatting to improve readability and are not required for the configuration.)

object network WebServer-HTTP
host 192.168.102.5
nat (inside,outside) static 192.168.1.194 service tcp 80 80
!
object network WebServer-HTTPS
host 192.168.102.5
nat (inside,outside) static 192.168.1.194 service tcp 443 443
!
object network MailServer-SMTP
host 192.168.102.6
nat (inside,outside) static 192.168.1.195 service tcp 25 25
!
object network MailServer-POP3
host 192.168.102.6
nat (inside,outside) static 192.168.1.195 service tcp 110 110

Note that in the above configurations the host statement identifies the internal server (192.168.102.5 is the Web server and 192.168.102.6 is the mail server). The NAT statement identifies the external address used to forward the specified packets to the internal host.

2. Configure Access-Control Lists to permit the traffic flows. This Access-Control List permits the traffic flows against the security levels (each access-list statement goes on a single line).

access-list OutsideToInside permit tcp any host 192.168.102.5 eq 80
access-list OutsideToInside permit tcp any host 192.168.102.5 eq 443
access-list OutsideToInside permit tcp any host 192.168.102.6 eq 25
access-list OutsideToInside permit tcp any host 192.168.102.6 eq 110

3. Apply the Access-Control List to the outside interface with an access-group statement.

access-group OutsideToInside in interface outside

Here is the complete configuration:

access-group OutsideToInside
For more information about configuring the Cisco ASA Security Appliance, please see my book "The Accidental Administrator:  Cisco ASA Security Appliance," available through Amazon and other resellers or through the soundtraining.net bookstore. Also, consider attending my Cisco ASA Security Appliance 101 workshop, either a public, open-enrollment workshop or available for onsite training at your location with your group. More information is available here.

Read more about lans & wans in Network World's LANs & WANs section.

Our Commenting Policies
Latest News
rssRss Feed
View more Latest News