Cisco ASA Static NAT Configuration

In previous lessons I explained how you can use dynamic NAT or PAT so that your hosts or servers on the inside of your network are able to access the outside world. This is great but it’s only for outbound traffic or in “ASA terminology”…traffic from a higher security level going to a lower security level.

What if an outside host on the Internet wants to reach a server on our inside or DMZ? This is impossible with only dynamic NAT or PAT. When we want to achieve this we have to do two things:

  • Configure static NAT so that the internal server is reachable through an outside public IP address.
  • Configure an access-list so that the traffic is allowed.

To demonstrate static NAT I will use the following topology:

ASA1 Outside DMZ R1 R2Above we have our ASA firewall with two interfaces; one for the DMZ and another one for the outside world. Imagine that R1 is a webserver on the DMZ while R2 is some host on the Internet that wants to reach our webserver. Let’s configure our firewall so that this is possible…

Static NAT Configuration

First we will create a network object that defines our “webserver” in the DMZ and also configure to what IP address it should be translated. This configuration is for ASA version 8.3 and later:

ASA1(config)# object network WEB_SERVER
ASA1(config-network-object)# host 192.168.1.1
ASA1(config-network-object)# nat (DMZ,OUTSIDE) static 192.168.2.200

The configuration above tells the ASA that whenever an outside device connects to IP address 192.168.2.200 that it should be translated to IP address 192.168.1.1. This takes care of NAT but we still have to create an access-list or traffic will be dropped:

ASA1(config)# access-list OUTSIDE_TO_DMZ extended permit tcp any host 192.168.1.1

The access-list above allows any source IP address to connect to IP address 192.168.1.1. When using ASA version 8.3 or later you need to specify the “real” IP address, not the “NAT translated” address. Let’s activate this access-list:

ASA1(config)# access-group OUTSIDE_TO_DMZ in interface OUTSIDE

This enables the access-list on the outside interface. Let’s telnet from R2 to R1 on TCP port 80 to see if it works:

R2#telnet 192.168.2.200
Trying 192.168.2.200 ... Open

Great, we are able to connect from R2 to R1, let’s take a look at the ASA to verify some things:

ASA1# show xlate
1 in use, 1 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
       s - static, T - twice, N - net-to-net
NAT from DMZ:192.168.1.1 to OUTSIDE:192.168.2.200
    flags s idle 0:08:44 timeout 0:00:00
ASA1# show access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300
access-list OUTSIDE_TO_DMZ; 1 elements; name hash: 0xe96c1ef3
access-list OUTSIDE_TO_DMZ line 1 extended permit tcp any host 192.168.1.1 eq www (hitcnt=6) 0x408b914e

Above you can see the static NAT entry and also the hit on the access-list. Everything is working as it is supposed to be.

Static NAT for entire subnet

The previous example was fine if you have only a few servers since you can create a couple of static NAT translations and be done with it. There is another option though, it’s also possible to translate an entire subnet to an entire pool of IP addresses. Let me give you an example of what I’m talking about:

ASA1-R1-R3-dmz-R2-outsideThe topology above is the exact same as the previous example but I have added R3 to the DMZ. Now imagine that our ISP gave us a pool of IP addresses, let’s say 10.10.10.0 /24. We can use this pool to translate all the servers in the DMZ, let me show you how:

We're Sorry, Full Content Access is for Members Only...

If you like to keep on reading, Become a Member Now! Here is why:

  • Learn any CCNA, CCNP and CCIE R&S Topic. Explained As Simple As Possible.
  • Try for Just $1. The Best Dollar You've Ever Spent on Your Cisco Career!
  • Full Access to our 660 Lessons. More Lessons Added Every Week!
  • Content created by Rene Molenaar (CCIE #41726)

505 Sign Ups in the last 30 days

satisfaction-guaranteed
100% Satisfaction Guaranteed!
You may cancel your monthly membership at any time.
No Questions Asked!

Tags:


Forum Replies

  1. Hi Rene,
    What is the difference or when do you use one or the other? on this example I am using PAT with a dynamic ip address on the outside interface.

    nat (INSIDE,OUTSIDE) dynamic interface

    or

    nat (INSIDE,OUTSIDE) after-auto 1 source dynamic any interface.

    Please advise

  2. Hi Alfredo,

    The ASA (since 8.3) has different NAT “sections”:

    • 1:Manual
    • 2: Auto
    • 3: "after auto" Manual
    • The ASA will first process NAT rules in section 1, then 2 and finally 3.

      Here’s an example of manual NAT:

    ASA(config)# object network INTERNAL_SERVER
    ASA(config-network-object)# host 192.168.1.1
    
    ASA(config)# object network PUBLIC_IP
    ASA(config-network-object)# host 1.1.1.1
    
    ASA(config)# nat (INSIDE,OUTSIDE) source static INTERNAL_SERVER PUBLIC_IP
    

    The NAT rule has been configured globally, this section 1 rule is preferred over 2 and 3.

    Here’s an example for A

    ... Continue reading in our forum

  3. Hi

    Can someone help cant figure out why my internal ip address wont get nat’ed

    R1 IOS 
    !
    hostname Router
    !
    boot-start-marker
    boot-end-marker
    !
    !
    !
    no aaa new-model
    ethernet lmi ce
    !
    !
    !
    mmi polling-interval 60
    no mmi auto-configure
    no mmi pvc
    mmi snmp-timeout 180
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    ip cef
    no ipv6 cef
    !
    multilink bundle-name authenticated
    !
    !
    !
    !
    !
    redundancy
    !
    !
    ! 
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    interface GigabitEthernet0/0
     no ip address
     shutdown
     duplex auto
     speed auto
     media-type rj45
    !
    interface GigabitEthernet0/1
     ip address 192.168.1.1 255.255.255.0
     duplex
    ... Continue reading in our forum

  4. Hi Sunil,

    These are the pre < 8.3 commands to configure NAT.

    Let’s break down these commands:

    global (outside) 1 interface
    • global means we configure a global address pool.
    • (outside) means we define the pool on this interface (outside).
    • 1 is the ID of our pool.
    • interface means that we use PAT with the IP address on the interface.
    global (guestwifi) 1 interface

    Same as above but for the guestwifi interface.

    nat (outside) 1 10.10.10.0 255.255.255.0
    • (outside) this is the interface where the NAT network exists. The outside interface in this case.
    • 1
    ... Continue reading in our forum

  5. Hello Harshi

    You can use the clear xlate command to clear all NAT entries in the NAT table.

    In order to have the ASA firewall perform NAT, you will require the use of a Layer 3 inside inter

    ... Continue reading in our forum

39 more replies! Ask a question or join the discussion by visiting our Community Forum